Exploring fraud and fraud management
- Through the lens of a Financial Institution (FI)
  - What are the threats, emerging channels and evolving risks?
  - How to respond?
- Through the lens of a technologist
  - How can technology help?
  - What lies ahead?

… but can you pick out the fraudster here?
- Amy Lynette Sanders (Grand Rapids, Michigan): Branch Manager. Transferred funds from customer accounts into her own – for over 3½ years.
- Ray Van Norman (Omaha, Nebraska): Chairman and CEO. Stole $5.7 million by creating fictitious lines of credit over a 10-year period.
- Jane Wolff (Yarmouth, Massachusetts): Husband and wife pair Benjamin Wolff (79) and Jane (72) wrote fraudulent checks for hotels, inns, and stores in Concord, Newburyport, Rockport, and Andover.

Sobering bank fraud statistics
- As much as 35% of operational loss in financial services is fraud – that’s $20B annually
- A mid-size US bank loses $50M to check fraud annually
- A top 10 credit card issuer loses $ M to first party credit card fraud annually
- 60% of bank fraud involves an insider
- Identity theft cost the US $48B in 2008
- 40% of ID theft is committed by collusive criminal networks
Sources: KPMG, Celent, ABA, Tower Group, Javelin Research, CIMIP

Is Fraud A Trillion Dollar Problem Globally?
US fraud losses: $502 billion
- Banking: $20B
- Healthcare: $125B
- Brokerage/Securities: $150B
- Mortgage: $10B
- Insurance: $100B
- Retail: $42B
- Telecom: $55B
Sources: TowerGroup, Stanford Law School, Cornerstone Research, The Prieston Group, U.S. Dept. of Health & Human Services, U.S. Dept. of Justice, National Retail Federation, FIINA

Why does bank fraud continue to be a problem?
- New products and channels expose new schemes
  - Defenses usually come long after new schemes are hatched
- Fraud is a business
  - Highly leveraged schemes
  - Increased role of organized crime
- Weak defenses
  - Low efficiency, increasing cost
  - Complex problem, disconnected data and systems, limited innovation
  - Failure to comprehensively monitor accounts, account touch points

Top 5 fraud threats (2012)
Source: 2012 Faces of Fraud survey. Banks were asked to list their top 5 threats.
- Credit and Debit Fraud: % rank card fraud as their top threat
- Check Fraud: Despite declines in the volume of checks processed annually, 76% say check fraud remains an issue
- Phishing and Vishing (Socially Engineered Schemes): 50% rank these schemes among the top five threats
- ACH and Wire Fraud (Account Takeover): 43% ranked ACH and wire fraud among the top threats
- ATM Fraud (Skimming and Ram Raids): 35% rank ATM fraud as a top threat
Survey sponsored by Authentify, Guardian Analytics, i2, RSA Security, Wolters Kluwer Financial Svcs

Payments trends that affect fraud
- Emerging technologies and rapid innovation
  - Increase in # of players involved in the payments supply chain
  - Increase in # of payment options for consumers
  - Shift from Credit/Debit to ACH via Payment Services
- Evolving fraud
  - Cross channel fraud
  - International organized crime rings
  - Increased speed of use from compromise to fraud
- Shift in target
  - From mega data breaches to smaller merchants
  - Filtering down to rural areas
- Changing consumer views
  - More open to alternative payments
  - More conscious of security, yet willing to share personal information with “friends”

Why do banks care about fraud?
- Fraud losses go straight to the bottom line
- Perceptions of insecurity lead to
- Reputational risk
- Customer retention challenges
- Operational expense
- Regulatory oversight/fines
- Calls for more regulation

How do banks respond?
- “Keep the bad guys out” (focused on protecting the perimeter)
  - IT/network security
  - Online authentication
  - Applicant screening
- “Stop them from stealing” (focused on protecting customer accounts)
  - Transaction monitoring
  - Employee monitoring
  - List checking
- “Break the cycle” (focused on preventing future attacks)
  - Investigate cases
  - Prosecute criminals
  - Report to FinCEN
TowerGroup estimates that for each $1 spent on fraud management, fraud losses will be reduced by $8

Implement comprehensive approach across all channels and products
[Diagram labels: Deposit Account, Check, ACH (Origination), Wire, Debit, On-Us (incl. ACH Conversions), Kiting, Deposit, Online, ATM, Call Center, Branch]

Regulation also drives FI action
Layered Security: FFIEC Guidance
- 2005: The Federal Financial Institutions Examination Council (FFIEC) issued guidance to banks on standards for Internet banking
- 2007: Banks responsible for compliance
Of 200+ respondents:
- 58% say their institutions will increase fraud spend in 2012
- Only 11% believe the guidance will significantly reduce fraud

Enterprise Fraud Management Systems
- Case Management
  - Workflow and reporting
  - Alerts and incidents
- Proactive Monitoring & Analytics
  - Identify suspicious behavior
  - Business user control
- Forensic Research & Investigations
  - Queries and analysis
  - Collaborative research
- Data Aggregation & Management
  - Multiple sources
  - Different data types

Enterprise Fraud Management Data
- Single enterprise data store for financial crime and ops risk mgt
- Rich repository of cross-channel transaction & reference data
- Source system agnostic
Data categories:
- Customer Data: name, address, phone, …
- Employee Data: name, ID, branch, job code, contact info …
- Account Data: status, open date, balance …
- Transaction Data: check, deposits, ACH, wire, other debits, RDI, returns …
- Maintenance/Inquiry Data: contact info changes, service changes, balance lookups …
- Analytics Output: profiles, risk scores, alerts …
- 3rd Party Lists: black lists, white lists, OFAC …
- Other Detection Systems: alerts, other data as required…

Multiple Approaches to Fraud Analytics
- Patterns/Rules: Advanced business rules and statistical techniques
- Profiling: Contextual history of customer, employee and peer group behavior
- Adaptive Analytics: Fraud is discovered through a combination of risk indicators
- Link Analysis: Uncover risky relationships between people, accounts, alerts, etc.

Example: Employee Fraud Detection
Fraud type, with example scenarios:
- Theft from institution
  - Self-dealing (e.g., fee reversals increasing overdraft limits)
  - Inappropriate account maintenance on own or close associate account (e.g. check hold policy override)
  - Incentive compensation schemes
  - GL theft (debit to cash offset to employee acct)
- Theft from customer
  - Debits from dormant, elder, out-of-region, high net worth accts
  - Inappropriate acct maintenance (e.g., changing phone #, , address); followed by unauthorized or unusual transactions
  - Inappropriate acct inquiries, often out-of-region or business unit
  - Inappropriate access to reports
  - Screen capture, print screen

Example: ACH Fraud Detection
Combine Advanced Analytics and Business Rules
- Fraud Indicators: Unusual access (IP, device ID, time of day, etc.), account maintenance, fund consolidation, negative balance, unusual amount, routing, timing, known bad receiver
- Business Rules: White/black lists, institution defined rules
Customer and Account Profile
- Transaction Details: Amount, Timing, Receivers, Type, Channels, Credits, Debits, Routing
- Customer and Account Data: Name, address, phone, acct status, daily balance…
- Originator Information: Contact details, funding account, …
- Maintenance / Inquiry Activity: Address or service changes, balance lookups …
- ACH Activity: Historical activity across all channels
Statistically-driven risk score for every transaction

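Added example (not part of the original presentation): a minimal sketch of how the ACH slide's fraud indicators and business rules could combine into a per-transaction risk score. The weights, the 48-hour maintenance window, the 3-sigma amount test, the field names and the sample data are all constructed assumptions; a production system would fit a statistical model instead of using fixed weights.

```python
from statistics import mean, pstdev

# Constructed weights per fraud indicator (assumed, not from the slides).
WEIGHTS = {"new_device": 25, "recent_maintenance": 20, "new_receiver": 15,
           "odd_hour": 10, "unusual_amount": 30}
MAINT_WINDOW = 48 * 3600  # seconds; assumed look-back for account maintenance

def score_ach(txn, profile, blacklist=frozenset(), whitelist=frozenset()):
    """Return (risk score 0-100, reasons) for one ACH origination."""
    # Business rule: a blacklisted receiver overrides the profile-based score.
    if txn["receiver"] in blacklist:
        return 100, ["known_bad_receiver"]
    reasons = []
    if txn["device_id"] not in profile["devices"]:
        reasons.append("new_device")
    if txn["hour"] not in profile["usual_hours"]:
        reasons.append("odd_hour")
    # Business rule: whitelisted receivers never count as new receivers.
    if txn["receiver"] not in profile["receivers"] | set(whitelist):
        reasons.append("new_receiver")
    # Contact or service change shortly before a payment (account maintenance).
    if any(0 <= txn["ts"] - m <= MAINT_WINDOW for m in profile["maintenance_ts"]):
        reasons.append("recent_maintenance")
    # Amount more than 3 standard deviations above the account's own history.
    mu, sigma = mean(profile["amounts"]), pstdev(profile["amounts"])
    if sigma and (txn["amount"] - mu) / sigma > 3:
        reasons.append("unusual_amount")
    return min(100, sum(WEIGHTS[r] for r in reasons)), reasons

# Constructed sample profile and transactions.
PROFILE = {"devices": {"dev-A"}, "usual_hours": range(8, 18),
           "receivers": {"rcv-payroll"}, "maintenance_ts": [1_000_000],
           "amounts": [1200, 1500, 1300, 1400, 1100]}
ROUTINE = {"device_id": "dev-A", "hour": 10, "receiver": "rcv-payroll",
           "ts": 2_000_000, "amount": 1350}
TAKEOVER = {"device_id": "dev-Z", "hour": 3, "receiver": "rcv-unknown",
            "ts": 1_003_600, "amount": 9800}

if __name__ == "__main__":
    for name, txn in (("routine", ROUTINE), ("takeover", TAKEOVER)):
        print(name, score_ach(txn, PROFILE))
```
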
Example: Check Fraud Detection
Multi-dimensional pattern analysis
- Check serial number sequences
  - Book detection, distance out of sequence
- Amounts
  - Quasi-periodic amounts, non-quasi periodic amounts
  - Likely amounts, intimate amounts
- Velocity analysis
  - Account velocity (balances), book velocity
- Account relationships
[Diagram labels: Serial #, Velocity, Multiple checkbooks, Timing, Acct Profile, $ Amount, Acct Intimacy]

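Added example (not part of the original presentation): one way to implement the "book detection, distance out of sequence" check on serial numbers. The gap and distance thresholds, the function names and the sample serial history are constructed assumptions.

```python
def detect_books(serials, max_gap=25):
    """Group paid check serials into checkbooks (lo, hi): a new book
    starts when the next serial is more than max_gap above the last one."""
    books = []
    for s in sorted(set(serials)):
        if books and s - books[-1][1] <= max_gap:
            books[-1][1] = s          # extend the current book
        else:
            books.append([s, s])      # start a new book
    return [tuple(b) for b in books]

def distance_out_of_sequence(serial, books):
    """0 if the serial falls inside a known book, else the gap to the
    nearest book boundary."""
    return min(0 if lo <= serial <= hi
               else min(abs(serial - lo), abs(serial - hi))
               for lo, hi in books)

def check_alerts(history, serial, max_gap=25, max_distance=50):
    """Return the reasons an incoming check serial looks suspicious."""
    alerts = []
    if serial in history:
        alerts.append("duplicate_serial")   # serial already paid once
    books = detect_books(history, max_gap)
    if books and distance_out_of_sequence(serial, books) > max_distance:
        alerts.append("out_of_sequence")    # far from every known book
    return alerts

# Constructed history of paid serials for one account: two books in use.
HISTORY = [1001, 1002, 1003, 1005, 1006, 1008, 1101, 1102, 1104]

if __name__ == "__main__":
    print(detect_books(HISTORY))
    for s in (1105, 1004, 1003, 5520):
        print(s, check_alerts(HISTORY, s))
```
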
Emerging and enabling technologies
- Big Data
- Cloud Computing
- Mobile

Cloud computing
- Reduced costs
- Some aspects of payments are moving to the cloud
- Risks:
  - Assuring proper data protection and compliance with security and privacy regulations
  - Inadequate controls at third party service providers
  - Authentication and reliance on passwords

The mobile revolution
- Nearly half (46%) of American adults are smartphone owners as of February 2012, an increase of 11% over last May
  Source: Pew Research Center’s Internet & American Life Project, March 2012
- Use of mobile banking expected to grow rapidly: expanding to 38M households by 2015
  Source: FDIC Supervisory Insights - Winter 2011

Mobile financial services
4 usage patterns expected:
- Mobile Banking – Mobilization of existing online capabilities (e.g., balance checks, transfers of funds between customer accounts, bill payment to pre-authorized recipients)
- Alerting – Providing a convenient channel to alert customers of account activity
- Services Replacement – Replacement of select services that require physical customer presence (e.g., remote deposit capture)
- Mobile Payments – Including contactless payments, person-to-person payments, and substitution of mobile device for credit card, debit card or checks

Parting words…
Fraud attempts and fraud losses continue to grow. Yet, there is opportunity to fight back harder and smarter.
- Customer education
- New tools and new technologies
  - Information protection
  - Fraud detection and management
- Increased collaboration
  - Engage customers in fraud management
  - Share information across banks
  - Collaborate with regulators, government, employees and third parties