Fraud-Fighters Prevail
By Chris Costanzo and Chuck Ross
Bankers pull no punches —
external/internal diligence, advanced technologies and
customer outreach — to control losses.
In a year characterized by sensational
reports about the ubiquity and insidiousness of fraud
— including Banking Strategies' July/August "Fraud
Looms Large" — there is optimism nonetheless about
the industry's ability to keep fraud at bay.
"Most institutions feel that the fraud
losses they incur every year are generally manageable
at four to 10 basis points of net income on average,"
says Sophie Louvel, an analyst with Financial Insights,
Inc., Framingham, Mass. The emergence this year of phishing,
identity theft, ACH and other types of fraud are no doubt
taking their toll, Louvel says. Yet if these losses are
offset against the progress the industry is making in
effectively fighting more traditional types of fraud,
such as counterfeit/stolen cards and altered checks,
Louvel looks for a barely perceptible hike in overall
losses. And after 2005, "Fraud losses are likely to drop
unless another major technological innovation similar
to the advent of the Internet channel and e-mail technology
takes hold," she says.
Experts credit the industry for its
diligent application of fraud solutions. Going forward,
best practice fraud-fighters are expected to rely on increasingly
advanced technologies. Success, experts say, will depend
on banks' ability to look at their data as a resource
to be shared across their own operations, across the industry
as a whole and, to some extent, across industries.
Institutions tend to track fraud incidents
by account or product type, which can provide a basis
for understanding attack patterns. But for effective planning
of responses, Financial Insights suggests an approach
that organizes fraudulent practices — and potential
solutions — into three large categories: point-of-service
fraud, transaction fraud and internal fraud.
More Than Manpower
The industry has millions invested
in systems and strategies to prevent fraud. Charlotte,
N.C.-based Wachovia Corp., for example, employs a bank-wide
fraud prevention group of more than 500 people, while
also running 22 systems and 30 strategies aimed at knocking
out fraud. The level of investment is appropriate, says
Brian McGinley, the bank's director of loss management.
The minimum payback on Wachovia's fraud-prevention efforts
is eight to one, he says, and in some cases is as high
as 16 to one — meaning that every one dollar invested
yields benefits worth as much as $8 to $16. "That's how
prevalent fraud has become," he says.
Successful programs like Wachovia's
aren't built by simply boosting a fraud department's headcount,
say those studying today's attacks. Increasingly, experts
recommend a holistic approach that works across a bank's
operations and customer relationships. Such a strategy
can more easily adapt to evolving fraud challenges, and
it can also help address requirements posed by new regulations,
including Check 21 and the Patriot Act's reporting requirements.
Many fraud-solution vendors urge banks
to take an organizational approach to the problem.
"Up until the last few years, fraud
management had been a very siloed process," says Jodi
Pratt, senior vice president for risk consulting at Carreker
Corp., Dallas, a leading provider of fraud-prevention
software and consulting services. "If you had a problem
with checks drawn on your bank, you picked a solution
for on-us checks."
Now, Pratt notes, fraudsters' attacks
are more complex. Schemes often cross over multiple fraud
categories and more frequently involve inside assistance.
As a result, she adds, many banks are moving toward an
enterprise approach that looks at transaction activity
holistically. And, she says, they're looking for ways
to track fraudulent activity beyond typical first- and
second-day activities, using intelligent systems that
can sort through mountains of data to identify patterns
of illegal behavior.
Enterprise-wide and fraud-specific
approaches are increasingly intertwined, according to
Ted Crooks, vice president at Minneapolis-based Fair Isaac
Corp., producer of the Falcon line of fraud-solution software.
"Over the last 14 years, there's been increased categorization
that's tended toward more specific solutions. But the
countervailing issue is that fraud evolves rapidly. As
a result, you can get into a rat race where you're getting
a bunch of separate solutions."
The blend of these two strategies that
Crooks advocates is based on an underlying technology
infrastructure that can connect to data resources throughout
the enterprise. This approach allows for rapid deployment
of specific solutions to meet new attacks as they arise
so, Crooks says, "it becomes kind of a routine production
process."
Driven by Data
Data and its authentication are central
to the success of any effort to address fraud —
whether enterprise-wide or problem-specific. Take, for
example, the industry's work to combat identity theft.
The root cause of identity theft is
a failure to authenticate customers, whether they are
opening new accounts, ordering checks or reporting address
changes, says Dick Clausen, senior vice president, liability
risk management at Bank of America Corp., Charlotte. Cognizant
of the risks, Bank of America requires two forms of identification
from account-opening customers, including one government-issued
document with a photo. BofA's initial screening process
also includes checking applicants against a database of
people who have perpetrated fraud or mismanaged their
finances in the past. The bank also checks the credit
scores of applicants, taking note of low scores or the
absence of a score, which would indicate a false ID.
But efforts don't stop there. A second
line of defensive due diligence is performed the next
day, an acknowledgement of the tradeoff between convenience
and security. "You can't take an hour to open an account,"
Clausen explains. BofA's tools in this phase are typical
of those used by many banks. It employs a database service
that checks for inconsistencies in application information.
For example, if the area code of a phone number on an
application does not align with the zip code of that area,
a red flag is raised.
Data, however, is useful only if it's
available and accessible. For example, Carreker's Pratt
says that ATM transactions are a data-capture opportunity
many banks miss out on because they lack adequate storage
capacity. Often, she says, useful information identifying
the machine, its location and the time of the transaction
is stripped away.
"The more data you collect, the more
use you can make of it," she says. "Find a way to save
all you have, in a way you can use it downstream."
A Broader Approach
Data across industries can be helpful,
notes Avivah Litan, vice president and research director
at Stamford, Conn.-based Gartner Inc. As an example, Litan
cites the work of a software product from San Diego, Calif.-based
ID Analytics, which tracks the footprints fraudsters leave
as they move across industries. Fraudsters may, for example,
establish legitimacy by applying for a cell phone and
paying the first few bills. They then open a checking
account and ultimately apply for a credit card. ID Analytics
has uncovered "thousands of patterns of identity fraud"
across industries, some of which are "highly predictive,"
says Steve Gal, the company's vice president of corporate
development.
Cooperative efforts within the banking
industry to share data among participants are also underway.
Fifty banks have become founding members of the Identity
Theft Assistance Center (ITAC), an effort to aid victims
of identity theft that is expected to go live before year-end.
The center, being piloted by the non-profit Washington,
D.C.-based consortium BITS, aims to alleviate for victims
the hassle of contacting multiple financial institutions
when accounts may have been compromised. Customers would
need to contact only their primary institution to report
a crime. The center will also share fraud data with law
enforcement officials in an attempt to reduce the incidence
of ID theft.
Observers say cooperation like this,
between banks that are otherwise competitors, helps strengthen
the entire industry.
"Banks, historically, have always been
loath to share," says Pratt. "When the fraud-control
effort began in earnest, it became obvious that, in this
aspect, we're not competitors. Within the fraud community
there are still ways that we must work together to solve
this problem."
Legislative Push
Adding to the pressure to invest in
ways to combat identity theft is new legislation. The
Fair and Accurate Credit Transactions Act of 2003, or
FACT Act, signed into law by President Bush in December,
requires financial institutions to respond to any customer's
identity theft case within 30 days. While the ITAC will
go a long way toward helping banks meet that requirement,
some institutions are going even further.
Bank of America, for example, has become
the first customer of an identity theft case-management
system offered by Innovative Software Solutions of Charlotte,
N.C. The system will both help BofA comply with the FACT
Act and support guidelines established by BITS, Clausen
says. BITS advises institutions to have a single point
of contact for identity theft victims, rather than make
these customers contact multiple departments within an
organization.
Regaining Trust
Data authentication of another sort
can be seen as crucial to fighting "phishers" —
fraudsters who use fake e-mails to trick bank customers
into divulging account numbers and passwords. Many of
these e-mails incorporate logos and typefaces to approximate
the look of other bank communications customers have received.
Tools for fighting phishing by helping
customers authenticate bank communications are being introduced.
None, however, is foolproof. In a June report, Gartner
identified the pros and cons of various approaches. One
is to rely on a trusted third party (a bank association,
for example) to vouch for the identities of a provider
and consumer. But this approach is applicable only between
parties that have registered with the third party, not
for ad hoc relationships.
Another solution uses secure e-mail
to authenticate senders and receivers, as well as to encrypt
and decrypt messages. Like the trusted third-party approach,
this method tends to work well in closed networks. ABN
AMRO Bank N.V., for example, uses secure e-mail to communicate
with its corporate clients, which is an appropriate audience
since the technology requires a high level of user education
and training. It also requires infrastructure changes
at the provider's server and may require plug-ins for
end users' e-mail.
Many banks hope to head off future
phishing attacks by employing services that scan the Internet
looking for inappropriate uses of their brand names or
logos. But Gartner warns that this approach detects most
attacks only after they begin. This may be changing, however.
MasterCard International Inc. announced in June that it
had teamed up with NameProtect, a fraud detection service
based in Madison, Wisc., to identify and shut down scam
sites before they can inflict harm. "Bad guys take one
to eight days from the moment they establish a site to
do phishing attacks," says Sergio Pinon, senior vice president
of security risk services for MasterCard. With the expertise
of NameProtect, Purchase, N.Y.-based MasterCard expects
to be able to shut down sham sites within a day or two.
Already, the partnership has identified hundreds of phishers,
he says.
Another approach is to mimic the Caller
ID function of the telephone. Such a system would display
the legitimate domain of an e-mail's sender, much like
Caller ID displays a phone caller's number. This is not
a quick fix — it may take years before Internet
service providers agree on a standard to support the process.
In addition, end users will have to update their browsers
and e-mail systems. "It's a long-term solution. It's not
for today," says Litan, one of the Gartner report's authors.
Much more promising in the short term
is the notion of shared secrets, according to Gartner.
With shared secrets, service providers know what to ask,
thereby authenticating themselves to users, and users
know the answers. The shared secret would ideally be a
pre-registered question that no phisher would ever know
the answer to, such as "What's your pet's name?" Since
they do not require major infrastructure changes, shared
secrets are a practical, affordable solution, Gartner
says.
PassMark Security LLC of Woodside,
Calif., is advocating the use of photos as shared secrets.
Users would be prompted to input their passwords only
after receiving an image — of their favorite honeymoon
spot, for instance — that had been previously uploaded
to the bank. Presentation of the image gives individuals
confidence they are dealing with the right Web site, "plus
it's kind of fun," says Mark Goines, PassMark's chief
marketing officer.
PassMark, which officially launched
in February, had not yet signed up any financial institutions
for its service by August, though it had run a number
of pilots. Goines acknowledges that changing the log-in
procedure is "a fairly daunting decision" for a bank.
Protecting Banking Systems
While most identity theft and phishing
attacks fall into Financial Insights' "point-of-service"
category, efforts targeting the automated clearinghouse
(ACH) spread across into the transaction category, as
well. One example of such activity centers on recently
developed "e-checks," which allow ACH payments to be made
over the telephone and the Internet. These products have
proven enormously popular, but they also have introduced
a new wave of fraud into what had been a stable system
for processing direct deposits and recurring debits.
Banks are taking action individually
and collectively to combat ACH fraud. San Francisco-based
Wells Fargo & Co. two years ago introduced an ACH
fraud detection service that works much like positive-pay
services in the check world, according to Keith Theisen,
senior vice president of electronic payment products.
The ACH Fraud Filter lets corporate customers review unusual
activity on accounts — for example, a higher than
expected payment — and then decide whether to allow
such transactions. Last year, Wells disclosed that the
average transaction stopped by the filter ranges from
$28,000 to more than $100,000 in a typical month.
Wells was also a leader in monitoring
suspicious telephone-based ACH transactions and reporting
them to NACHA for investigation, a role that has now been
taken over by the private-sector ACH operator, Electronic
Payments Network, and the Federal Reserve. Of the three
reports EPN has produced since April 2003, the first acknowledges
that there is no way to validate that a person initiating
a transaction over the telephone or Web is authorized
to do so. As a result, any return that signals a business
account was accessed inappropriately triggers a report
to the originating bank.
The second report identifies telemarketers
with questionable business practices. A certain number
of customers claiming that ACH debits related to a particular
originating company are unauthorized — in this case
50 a day, 80 a week, or 200 a month — will set off
alarms. "A good company doesn't get this level of unauthorized
complaints, even if they do a million transactions a month,"
says George Thomas, president of EPN. "So either your
business practices are not right, or you're ripping people
off." A third report highlights the use of invalid account
numbers to identify originators who have tried to guess
account numbers. One hundred a day, 200 a week or 500
a month will trigger a report.
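The EPN reports described above are, at bottom, a per-originator counting rule over ACH return records with thresholds at the day, week and month level. The following is an added illustration of that kind of screen, written for this page rather than taken from EPN, Wells Fargo or the article; the originator ids, the return categories ("unauthorized", "invalid_account", "nsf"), the trailing calendar windows, the sample data and the choice to fire an alert when a count reaches the threshold are all assumptions made here.

```python
from collections import Counter
from datetime import date, timedelta

# Thresholds as stated in the article: unauthorized-return complaints
# (50/day, 80/week, 200/month) and invalid-account-number returns
# (100/day, 200/week, 500/month). Category names are this example's own.
THRESHOLDS = {
    "unauthorized":    {"day": 50,  "week": 80,  "month": 200},
    "invalid_account": {"day": 100, "week": 200, "month": 500},
}
# Trailing windows measured in calendar days ending at the as-of date (assumption).
WINDOW_DAYS = {"day": 1, "week": 7, "month": 30}


def count_returns(returns, as_of):
    """Count returns per (originator, category, window) over trailing windows.

    `returns` is an iterable of (date, originator_id, category) tuples; in a
    real feed the category would be derived from the NACHA return reason code.
    Categories that are not screened (e.g. "nsf") and future-dated records are ignored.
    """
    counts = Counter()
    for when, originator, category in returns:
        if category not in THRESHOLDS:
            continue
        age = (as_of - when).days
        if age < 0:
            continue  # dated after the as-of date: cannot belong to any trailing window
        for window, days in WINDOW_DAYS.items():
            if age < days:
                counts[(originator, category, window)] += 1
    return counts


def screen_originators(returns, as_of):
    """Return one alert per (originator, category, window) whose count reaches its threshold."""
    alerts = []
    counts = count_returns(returns, as_of)
    for (originator, category, window), n in sorted(counts.items()):
        limit = THRESHOLDS[category][window]
        if n >= limit:  # assumption: reaching the stated number sets off the alarm
            alerts.append({"originator": originator, "category": category,
                           "window": window, "count": n, "threshold": limit})
    return alerts


def make_sample_returns(as_of):
    """Constructed sample data, not real ACH traffic."""
    def day(n):
        return as_of - timedelta(days=n)

    rows = []
    # ORIG-A: a burst of 55 unauthorized returns in one day trips the daily rule only.
    rows += [(day(0), "ORIG-A", "unauthorized")] * 55
    rows += [(day(40), "ORIG-A", "unauthorized")] * 10          # older than every window
    rows += [(as_of + timedelta(days=1), "ORIG-A", "unauthorized")]  # future-dated, ignored
    # ORIG-B: a steady 30 per day never trips the daily rule but does trip week and month.
    for n in range(7):
        rows += [(day(n), "ORIG-B", "unauthorized")] * 30
    # ORIG-C: 120 invalid-account returns over three days stay under every threshold.
    for n in range(3):
        rows += [(day(n), "ORIG-C", "invalid_account")] * 40
    rows += [(day(1), "ORIG-C", "nsf")] * 500                    # not a screened category
    return rows


AS_OF = date(2004, 8, 31)  # constructed as-of date
SAMPLE_RETURNS = make_sample_returns(AS_OF)

if __name__ == "__main__":
    for alert in screen_originators(SAMPLE_RETURNS, AS_OF):
        print(alert)
```

The point the sample data makes is the one the article's three windows make: an originator that spreads abuse evenly (ORIG-B) never reaches the daily figure and is caught only by the weekly and monthly counts, while a single-day burst (ORIG-A) is caught by the daily count before the longer windows react.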
As further defense against ACH fraud,
Theisen advises banks to know their customers, particularly
if ACH originations are coming through third-party processors.
"We also do a lot of education for our clients to make
sure they're aware of the potential for fraud and what
to do about it," he says.
Investing in Implementation
Of course, implementing any new fraud-fighting
programs requires both time and money. The determination
of how much an organization is willing to ante up requires
a full understanding of both current — and potential
future — fraud losses. One way to look at it, offers
Tom Lekan, senior vice president and chief security officer
for Cleveland-based KeyCorp: "If you're a public company,
how much is fraud costing you per share?"
Experts say many bankers are thinking
beyond traditional return-on-investment measures, as well
as rethinking their current loss-categorization processes.
"The first thing we do is sit down with
a bank and ask them what their losses are," says Carreker's
Pratt. The conversation may lead to the finding that overdrawn
checking accounts that have been charged off as lending
losses may indicate check fraud, and that returned-deposit
issues may be a sign of a fraudulent new account. At the
conclusion of the session, she reports, "Very often, the
losses wind up being something else."
Industry consolidation adds to the
complexity of analyzing and implementing new technology
solutions. Even mid-size banks that have grown by acquisition
may be working with a patchwork of legacy systems and
architectures that all need to be addressed. As a result,
says Fair Isaac's Crooks, the availability of a bank's information
technology resources can be a larger consideration than
the cost of a fraud detection solution.
"The question usually is, 'What else
should we be doing with our IT resources?'" Crooks says.
In fact, he says, resource scarcity is an argument in
support of developing a strong infrastructure. Upfront
efforts may be significant, he says, but subsequent system
additions and upgrades should be much easier with a solid
foundation in place.
Finding the Right Balance
Along with determining bottom-line
costs and benefits of any selected fraud solutions, banks
also consider the impact every option has on customer
relations.
BofA's Clausen notes the struggle of
developing fraud-detection policies that customers will
tolerate yet that are still potent enough to detect
fraudulent activity. "We certainly could
decrease fraud tremendously, but no one would want to
bank with a bank with such stringent procedures," says
Clausen. "Convenience versus security is a challenge."
And meeting that challenge will require
more than simply choosing the latest technology bells
and whistles, say others. Future fraud-fighting will need
to incorporate employees and customers in order to be
successful.
"I don't think any one technology is
a silver bullet," says Wachovia Corp.'s McGinley. "It's
a combination of technology and developing the right policies,
procedures and skills."
Many security experts predict consumers
will have to take on greater responsibility for their
own security — and that they will willingly accept
that obligation. Santiago of ABN Amro says he believes
many of the security methods now used for corporate customers,
such as smart card-like tokens, will filter down to the
consumer world. In the Netherlands, he points out, all
retail purchasing over the Internet requires a token for
access.
Lekan agrees. "Banks have done everything
they can to secure their environment from intrusions,"
he says. "At this point, the burden has now shifted to
the consumer."
According to Gartner, consumers appear
ready to accept the burden. Gartner found that 45% of
respondents to its June survey say that sharing a secret
message with a service provider would be extremely desirable.
"Banks always think they can't inconvenience their customer
at all, and it's just not true," Litan says. "It's come
out loud and clear that consumers are willing to do more.
They want to feel protected."
Ms. Costanzo
is a freelance writer based in Maplewood, N.J. Mr. Ross
is a freelance writer based in Chicago.
Copyright © 2004 by Banking
Strategies, published by BAI.