COMMUNITY
BANKING SPECIAL REPORT
Familiar
Faces - or Shadowy Figures?
BY KAREN EPPER
HOFFMAN
New
threats, including new account fraud
and identity theft, added to check fraud
challenges make smaller institutions
more vulnerable to fraud losses. Experts
urge more vigilance.
|
SYNOPSIS | As
the country’s largest banks implement
better protections against fraud, crooks
are moving their game down to smaller
institutions, which they believe are
less prepared to fend them off. New
account fraud and identity theft are
becoming more pervasive, and one analyst
estimates that phishing incidents will
triple in 2005, due in part to thieves
targeting smaller institutions. In
response, vendors are beginning to
offer community and mid-size institutions
and their customers a range of cost-effective
software and services to help them
better vet their new customers, winnow
out potential identity thieves and
keep tabs on their accounts over time.
At the same time, banks are being urged
to tighten policies to prevent fraud,
and communicate potential risks to
consumers and front-line employees.
Things are not always
what they seem. From a fraudster’s
point of view, a big target isn’t
necessarily a better target. And, a community
bank may or may not recognize the criminal
element in its midst.
Foiled by increasingly
better detection techniques at the larger
banks, many crooks are said to be moving
their game down to mid-size and community
banks. “If the road is blocked at
the bigger banks, the next natural step
is to look for holes somewhere else,” says
Tom Townsend, senior vice president and
director of risk management, $3 billion-asset
Sun National Bank of Vineland, N.J.
Smaller institutions
are believed to be easier targets because
they generally lack the resources and the
sophisticated fraud mitigation tools of
their large bank counterparts. Additionally,
financial institutions and customers in
small towns may not be as wary as they
need to be.
| Related
Chart |
|
|
| Related
Sidebars |
|
|
While more conventional
forms of check fraud are the main threats
to community banks, community banks also
are falling prey to the newer schemes involving
phishing and identity theft. Institutions
are being urged to adopt improved techniques
for customer authentication and account
monitoring.
Increasingly, management
is realizing that more needs to be said
and done to encourage customers to protect
their accounts. In response, many vendors
are tailoring fraud detection and authentication
products originally designed for larger
banks to the smaller institutions. These
solutions include software and services
focused on better verifying the identity
and often the financial and criminal background
of new potential customers, authenticating
online users and protecting the bank’s
Web site, and detecting suspicious activity
throughout the life cycles of an account.
Changes
Needed
The effective fighting
of fraud in 2005 requires several changes
to be implemented at the average community
bank, experts say. Perhaps the first change
is to acknowledge that community banking
no longer involves just familiar faces.
With a more transient
population and with more accounts being
opened online, community banks need to
do more than just check a new customer’s
driver’s license, says Bruce Lowthers,
vice president in charge of the mass market
for Scottsdale, Ariz.-based eFunds Corp. “Many
community bankers are still clinging to
the idea that it’s a small community
and [identity theft] can’t happen
here,” Lowthers says.
Senior managers at small
banks are not unaware of the growing threat
fraud poses to their institutions, says
Jodi Pratt, principal for Jodi Pratt & Associates,
a financial industry consultancy based
in Aptos, Calif. But, she says bank managements
historically have viewed fraud losses as
a component of their routine operating
loss and not as something that needs to
be aggressively confronted.
“Senior management
needs to understand that this is an area
where they need to spend money in order
not to lose money,” Pratt says.
Sophie Louvel, a research
analyst with Financial Insights of Framingham,
Mass., agrees. Since regulators “don’t
have the capacity to perform the same level
of due diligence with smaller banks” that
they do with big banks, she says, community
banks have traditionally felt less pressure
to take a strong and consistent stance
on fraud prevention. At smaller banks,
according to Louvel, the “policies
and procedures for dealing with fraud are
often written in a more ad hoc fashion.”
“Smaller banks
often have one or two people with a wealth
of internal knowledge that is not well
codified,” Louvel says. “You
hear, ‘Sandy is the one we turn to.
She has 20 years of experience in fraud
management.’”
While fraud is taking
multiple forms, from check kiting to forgery
to phishing to new account fraud, most
experts and bankers agree that the biggest
threat to small banks still lies with more
traditional problems, such as old-fashioned
check fraud. Nessa Feddis, a senior federal
counsel for the American Bankers Association,
says more mid-size and community banks
are reporting an increased volume of counterfeit
checks and fake identities. In terms of “scams
with the greatest potential dollar impact,
it’s still the check fraud that we’re
seeing, ” confirms Townsend of Sun
National Bank.
Likewise, Charlie Cross,
president of $98 million-asset Bank of
Eureka Springs in Arkansas, says his institution
has not been hit by “phishing schemes
or high-tech fraud,” but he has seen “more
brazen cases of fraud on the traditional
side.” For example, Bank of Eureka
Springs was one of a string of southeastern
and Texas banks hit last summer by a pair
of thieves who placed a fake night dropbox
over the bank’s real one to dupe
customers and collect night-time deposits.
As simple as the ploy sounds, the thieves
scored thousands of dollars at several
banks before being captured earlier this
year by federal agents.
One vulnerability for
some community banks may be their location.
Many crooks may “try to hit banks
in smaller communities because they feel
there’s less likelihood of being
exposed in a smaller area,” Cross
says. “They feel the scrutiny from
those banks might not be as heavy.”
Online
Threat
Community banks that
try to transcend their location by maintaining
an online presence run the risk of letting
themselves in for what their larger counterparts
have experienced in the last year or so.
The number of phishing
attacks is forecast by Needham, Mass.-based
TowerGroup Inc. to nearly triple in 2005.
(Phishing involves con artists using fake
e-mails and Web sites that imitate a real
bank or financial service provider to lure
legitimate customers to convey personal
financial information.) Tower says the
expected rise from 31,300 phishing attacks
in 2004 to more than 86,000 this year will
be due in part to thieves moving to smaller
institutions.
Originally, according
to TowerGroup senior analyst George Tubin,
phishers would almost always imitate big
banks because they didn’t usually
know if the consumers they were contacting
were indeed customers of a particular bank.
Since Charlotte-based Bank of America Corp.,
for example, has 10% of all the nation’s
demand deposit accounts, it made more sense
for the crooks to imitate BoA’s Web
site than that of a tiny community bank.
Also, since many attacks
were perpetrated by crime rings outside
of the United States, the crooks were more
apt to latch on to familiar names, which
happened to be the mega banks, Tubin says.
But as the big banks improved their defenses
against phishing, the fraudsters “figured
they would go after people who didn’t
know as much” and weren’t as
prepared for the attack, i.e., the community
banker, says Tubin.
Jim Maloney, chief security
executive at Corillian, the Hillsboro,
Ore.-based online banking software maker,
agrees that smaller institutions are “a
little bit naïve about how safe the
Internet is.”
Many crooks, bent on
using the favorable credit history of legitimate
citizens to perpetrate fraud, are realizing
they may find easier marks among these
small towns and their banks. Maloney says
the move down market is as much about the
theft of identities as it is about the
theft of money.
Since the victim is
more likely to be taken unawares, “the
identity of that small-town farmer is more
valuable than a big lawyer in New York,” says
Maloney.
The pronounced migration
of fraud to the community bank is believed
to have started only in the last 12 to
18 months. As early as the ABA’s
2004 Deposit Account Fraud Survey based
on activity in 2003, however, identity
theft was reported to be a greater problem
for small banks. ID theft accounted for
just 6% of fraud losses at superregional
or money center banks, compared to a whopping
85% of losses at community banks. New account
fraud, which is often linked to identity
theft, grew substantially for community
banks over that same period.
Fraud detection and
prevention, of course, typically involves
the application of technology, and many
believe that smaller banks are underinvesting.
Experts say the issue has been both the
availability and affordability of appropriate
fraud-fighting tools and management’s
interest in them.
For many years, Louvel
says, vendors didn’t offer a wide
range of screening tools and other fraud-detection
software at a price smaller institutions,
or their service bureaus, could afford.
“With the exception
of a couple of major players like Fiserv and Metavante, most small-bank service
providers have not been proactive in providing
fraud-detecting services — which,
given this market’s reliance on service
bureaus, has limited the banks’ alternatives
greatly,” Pratt adds.
And there’s been
a concern about the efficacy of what has
been invested in. The anti-fraud measures
that have been taken by community banks
are not paying off, according to Louvel.
Smaller banks are getting hit with $1 of
fraud loss for every dollar they avoid,
while big banks are sparing themselves
$9 in attempted fraud for every dollar
they actually lose, she says.
One recent driver of
fraud solutions has been anti-money laundering
and know-your-customer compliance concerns.
Bob Cofod, president and CEO of BankDetect,
a fraud detection software vendor based
in Annapolis, Md., says his firm has just
completed a proposal to a $2.5 billion-asset
bank. The bank would not be investing in
a robust risk mitigation system “were
it not for the need for AML compliance,” Cofod
says.
Fighting
Back
Even as community banks
seek new technology to fight fraud, experts
on the topic say it’s ultimately
not the technology you put in place, but
the policies and the communication you
have to back it up that really makes the
difference.
Ariana-Michele Moore,
senior analyst with Celent, says community
banks could avoid a lot of pain simply
by imparting to customers the need for
them to monitor their own accounts. “There’s
a misconception that if you try to educate
your customers about fraud, you’ll
scare them away,” Moore says.
Security experts urge
community banks to combat fraud by using
the close ties they have to customers and
employees to their advantage. Banks are
advised to communicate regularly to customers
through brochures, newsletters or mailings
all news about relevant fraud crimes that
may be affecting their region, and also
convey the best tactics for preventing
fraudsters from stealing their identity
or having criminals access their legitimate
accounts. A key defense is believed to
be the education of front-line employees
about the overarching issues and tell-tale
signs of potential fraud both as part of
their early training and via ongoing seminars,
workshops or bulletins.
To combat online fraud,
George Tubin, senior analyst with TowerGroup
Inc. of Needham, Mass., suggests that banks
tell customers they will never send out
an e-mail asking them to follow a link
back to the bank or ask for their user
name or password, since these are the most
common tactics employed by phishers to
gain access to consumers’ accounts.
Mikko Hypponen, chief
research officer for F-Secure Corp., believes
U.S. banks, large and small, should be
promoting the use of one-time personal
identification codes or passwords for their
online users. The popular use of one constant
password, which could be more easily determined
by wily fraudsters online and off, “is
unsafe and, frankly, stupid,” he
says.
To protect their brand
names, Tubin says even the smallest banks
might take a proactive stance by regularly “scanning
the Web, to see if your brand and name
are being used somewhere else.”
In fact, many banks
are heeding the advice. Townsend of Sun
National Bank says that his bank and its
peers are doing more to communicate how
customers and employees can protect themselves
and the bank from fraud. Through its state
banking association and other trade groups,
Townsend says Sun National also shares
information with other banks.
Cross of Bank of Eureka
Springs says that his bank also has provided
internal training to employees and has
tried to educate its customers, and the
larger community, on various fraud-related
schemes. “We might be behind the
curve of a Washington Mutual or a Bank
of America,” he says, “but
we’re always looking for ways to
protect our customers.”
Questions
or comments about this article? Post
them at the Banking
Strategies blog.
|
