BAI Publications
 
Wednesday, December 3, 2008   
 E-mail This Page   
 Contents
COVER STORY
What Do Your Employees Need To Learn And What Will It Cost?
.......................................
FEATURE ARTICLES
Online Lending: Not Quite 4 Easy Steps
Where’s The Vision For Banks In Payments?
Leveraging The Knowledge Of The Float Manager
Fraud Fighting 2006-Style: Real-Time And Enterprise-Wide
.......................................
DEPARTMENTS
On Retail Banking
Guest Spot
Index to Advertisers
.......................................
BAI Online
About Banking Strategies
January/February 2006 Table of Contents
ACCESS PAST ISSUES

Search archived issues of BAI Banking Strategies.
Search now. >>

 

 

Fraud Fighting 2006-style Real-time and Enterprise-wide

BY PAT ALLEN

If they can prep the frontlines, monitor transactions, share information and apply state-of-the-art technologies, our roundtable likes its chances.

| SYNOPSIS | The best prospects for the banking industry?s success in fighting fraud involves management of technology deployments across an enterprise, according to a panel of three executives. Check, card, debit, loan and internal fraud all are most effectively combatted by sharing, whether by business units or across the industry. Operational risk and data security are described as specific issues commanding the attention of senior management.

Despite being known as, as Lisa Zarzycki says, “the people who always say ‘No’,” three fraud executives said “Yes” repeatedly in a recent Banking Strategies roundtable.
 
Related Sidebar
Our Panel

Yes, fraud at their institutions large and small is commanding the attention of senior management in a way not seen previously. Taking an enterprise view of risk enables management to break silos down and develop a perspective that spans check, card, debit, loan and internal fraud, says Zarzycki, Vice President and Risk Manager of Detroit-based Comerica Bank.

Yes, it is possible to prove a payback. In addition to the need to invest in a robust structure that multiple business lines can benefit from, there can be a strong return on investment in the mining of data, says Brian D. Parker, Senior Vice President, Risk Management, for Seattle-based Washington Mutual. The banking industry differs from others in its volume of daily transactions, Parker notes. The ability to manage and learn from the data “is how you end up really winning.”

And Yes, as cunning and organized as fraudsters worldwide have become, a continually collaborating financial services industry can mount an effective defense. All three roundtable participants expressed pride in their fraternity of financial institution fraud-fighters. Still, says Lloyd H. Lamm, Senior Vice President, First National Bank of Pennsylvania, more sharing and communication is needed.

“When there was a fraud previously, it affected a 100-mile region,” Lamm says. “Now when a check comes back, a check from one of our customers gets sent to Canada, the next day it is being cashed in Texas. How do we communicate faster? How do we communicate better as banks?”


Q How has the scope of your work changed in the last couple of years?

Parker: Fraud has become such a huge topic recently that it has entity level exposure and executive level-type exposure now. In a big bank like us that’s grown through acquisitions, we break up into silos by business line. One of the things that we’ve done to change scope is to create an entity-level oversight over the fraud programs. In the past, there was a lot of autonomy within the business lines, and they operated on their own. Now, there is an oversight level, and a steering committee that is comprised of senior leaders across the organization, that steers and looks out after the capital investment across the bank in ways so we can use that capital investment across the enterprise rather than in just a specific silo. That has been a huge scope change for us.

The other thing we are really working on as an institution—and any large bank is, too—is much more robust data capture. In the operational risk area, fraud is it; fraud is one of the big operational risks out there, so we have to have a much more robust system for capturing fraud data losses across the enterprise.

Zarzycki: Our operational risk focus also has caused fraud to come to the forefront. We have looked at our fraud from an enterprise level as well. Another thing that we have really tried to springboard off is our aml (anti-money laundering) piece. We have found that there is quite a lot of synergy between our AML review process and our fraud prevention review processes. The bank has taken a step to move those under one director now. We are looking at an enterprise-wide case management system to bring our fraud prevention systems into one workflow management piece. I am hearing and seeing that across the industry.

We are looking at workflow management, we are looking at risk from an enterprise view—not just check, card, debit, loans, internal fraud... bringing it all into one perspective, looking at some things real time. Dashboarding is a big thing right now, and it is very exciting to see these silos breaking down, and that we are addressing fraud at a higher level.

Lamm: It has changed for us in a lot of ways. One of the things banks never really did well in the past was focus internally and externally on theft and fraud. As banks, we have typically gone out and worried about people who are going to pass bad checks; we were worried about people who are going to do kiting, and those things still all exist.

In today’s world, coming in robbing is not where you make money if you are a bad guy. You get $1,500, $2,000, maybe a little more if you get in the vault. Beyond that, you can do a whole lot more damage with a pen and a whole lot more with a computer. That is where we really focus today. Our focus really is in real time, and that is absolutely true. We need to come as close to real-time capture of what the bad guys are doing as possible.

The electronic side is the debit cards, the electronic side is Internet banking, that is the first piece. The second piece for us is trying to continue to get our frontline staff to take fraud seriously on a daily basis. What do they get judged on? They get judged on sales, so their focus is to bring customers in, sell them the product and move on. And we need to do that; that is how we survive.

But the fact is, we need to do a better job of making them consistently aware that the person in front of them may or may not be committing fraud. With the new fraud schemes, even our best customers are now bringing in fraudulent checks that they get from somebody on the Internet. So, you can’t tell the bad guys anymore, because sometimes they are our own customers, who are being duped by somebody else.

Q You all have such passion for what you describe as an exciting role to be playing today and you’ve mentioned the tools you have invested in. Can you say that you are more effective today?

Parker: This industry has become so dynamic, especially with the advent of the Internet. We went through a situation earlier this year, where we had a tremendous number of phishing attacks directed at us. We did some good forensics, went in and handled it, but the network among the fraudsters is much more robust than it used to be. So, I think you have got to be that much more dynamic and keep up with the changes that are going on out there. You asked if we are more effective. I think we are more effective in a lot of areas, but we are less effective in others, as well. So, you constantly have to be out there reinventing yourself, and investing in new technology, because if you do not, you can really fall behind quickly.

Zarzycki: And it goes back to watching the trend shift, to where are we seeing some fraud. In some areas, we are seeing a decrease or no change; in other areas, we are seeing dramatic increases. If you are in the mortgage business right now, your mortgage fraud losses are increasing; reflecting the highest level we have ever seen. Your check card losses might be staying stagnant, and your debit card losses are going up, because we are migrating to a new channel. So, we’ve seen our fraud losses go down. But, we are seeing them turn back up again because of the Monster.com situations, the Nigerian scams that are taking on a new twist. Our customers are being victimized by this.

Q How confident are you that you are going to be able to prevent, to mitigate, to control fraud?

Lamm: I feel good about what we are able to do. You said “prevent.” We will never be able to prevent it entirely; it just cannot happen. The fraudsters have nothing else to do. Their full-time mission in life is to figure out how to beat us out of some money. That is going to happen. The issue is to recognize it, control it and stop it as quickly as possible.

The statistics I have seen show that one in 10,000 people who commit fraud ends up in jail, so it is a very lucrative business for them. We have got to be faster, we have got to be covered quicker, and we need to prosecute them. We need to make them high profile prosecutions; it needs to hit the paper; it needs to hit the news that when we get defrauded, the banks come down on you with both feet.

Parker: The problem that we find, especially in our larger fraud markets—Southern California, Florida, Georgia and New York—law enforcement is so focused on terrorism activities and things like that, that to get a prosecution is very, very difficult. They are stretched so thin.

The one in 10,000 statistic is probably accurate. In certain markets, it is victimless because the law enforcement community does not have the resources to go after them. Then, they view the bank as probably somebody that is well-heeled and can absorb it.

Zarzycki: Right, and that is where it becomes so important that our fraud prevention tools, our fraud detection tools and our training is so focused, because we have to do those things. I am really pleased with what the vendors have brought to the market. They listen to us, they are nimble and they are providing us the tools to be able to detect that type of fraud. We did not have that three years ago.

Q Specifically, what technologies are you the most optimistic about or feel are the most effective in reinforcing your institution?

Zarzycki: I think your historical check fraud technologies. They keep saying that check fraud is going away; it is not, it is always going to be here, it is always going to be something that we need to do. So, your check fraud technologies, your workflow and case management technologies. I’m very excited about what we are seeing in those areas. I’m excited about the Web banking technologies, looking at multiple hits and IP addresses, things like monitoring for phishing and pharming. There are technologies out there that are actually proactively going out and looking for our name, trademarks, things like that. That is helping in those areas.

Lamm: I look at pattern recognition. All of the pattern recognition tools that are out there, and all of those types of tools are instrumental in really identifying fraud as close to real-time as you can get. What I have seen is, a lot of those tools and a lot of those vendors had primarily been credit vendors, and they played around in the credit space, providing verification of all of the background pieces for credit, for name, address, Social Security number, all those pieces.

You can use those same models to not only develop pattern recognition for transactions, but also to look at an individual customer from multiple elements, to figure out just how likely it would be that a certain transaction is fraudulent.

Q Who all gets involved in the investment, in making the case for an investment at your institution?

Lamm: I’ll start with a smaller bank perspective. It is a fascinating process to go through to get a significant dollar amount approved to prevent fraud. I said in a meeting yesterday, and I think it is absolutely true, the toughest thing to do is to get senior management to spend money to prevent losses that have not occurred yet. That is very difficult. That is a true outlay of cash based upon several of us saying this is going to happen.

If you have lost money, then it is easy to build a case. You can say, on PIN fraud, we have lost $120,000 this year, there is a system that will prevent it for $30,000 a year. That is a no-brainer.

Where we have to be more creative on the security side is we have to sharpen our presentation skills. We have to be able to show senior management that there really is a return on that investment, because we all budget, or should be budgeting, for losses. The key is how much you can minimize that budget number for losses, compared to what the outlay of the capital is. So, it can be done, it just needs to be done very professionally. The days of, “I need to spend $50,000 to fix this” and somebody says okay, those days are gone.

Zarzycki: We have a very stringent RFP (request for proposal) process that we go through, and we have a business case analysis that we have to do. We look at historical numbers, we look at trending and it goes through several committees. We try to get the support of our business lines by tying our losses to product types—is it a corporate loss or is it a retail loss? We build a pretty strong business case.

We also do talk about trying to say, “Well, we think this loss is going to happen.” How would we have said last year to the bank, “We think phishing is going to be big thing”? We didn’t even know what phishing was. So, sometimes we just have to use anecdotal information but we do try to tie it as closely as possible to the numbers, and show a return on investment. We need to show what the payback is, and by looking at the losses averted, sometimes people say it is pie in the sky numbers—“how do you know that you really averted $1 million dollars in new account fraud?” Well, we have to go with the industry standards, but they call those soft dollar losses versus your hard dollar.

Parker: What we have developed, again, is an entity-wide, senior management steering committee for our fraud initiatives across the company, so it gets visibility there right away. Everybody kind of collectively looks at the numbers, they look at an ROI, the executive members talk to the president and that’s how we get the buy-in on the whole thing.

These capital investment dollars are significant, they are not cheap. So, what we need to do is to develop a platform where multiple business lines can use the same investment in different ways to detect or prevent fraud. That is really where you get your payback. It won’t just be in debit cards, it will also be within check fraud or maybe on the first mortgage side, or in lines of credit.

Q The conventional wisdom is that the better the large banks are at fighting fraud, the more fraud migrates to smaller and believed-to-be less secured institutions. Have you seen that happen?

Parker: I think it is going to continue to flow downhill. But it will never go away from the large banks because the benefits for the fraudsters are there. The customer base is so large and so pervasive that, when they send spam e-mail out, they are going to reach a lot more customers.

But, in terms of different kinds of fraud, once they move off these folks, because their debit cards are such that they cannot be duplicated from a PIN point of view, they will move from the next bank to the next bank. If those smaller banks, and by smaller banks let’s say $5 billion and below, if those banks do not work every bit as hard as these banks do, they are going to be overcome by fraud, because the fraudsters have Web sites. They go out, they confer, they plan, they say where to go and, once somebody is successful, they tell it to all of the fraudsters everywhere. The communication is so good, that the smaller banks are going to have to get with the program, or they are going to suffer catastrophic losses.

Q What types of fraud are the smaller banks especially vulnerable to?

Lamm: Phishing. It really is. It is surprising. Our bank had a phishing attack recently. You would not have thought that would be the case with a $6 billion bank but it was. Fraudsters are going to continue to move down to smaller banks. They are able to focus on IP addresses within certain areas of the country, so that when they broadcast e-mail, and get people to give their confidential information, they can focus on geographic areas and have a far higher percentage of hit rates.

They can go out on the Internet and search and, in our case, type in First National Bank, and we are going to be one of the first banks that comes up. So, those types of tech fraud are just going to continue, it is not going away.

Electronics is a big deal, but check fraud, fraudulent cashier’s checks, is too. They take our rules and we say that you have to give certain credit in a certain period of time for a cashier’s check. The bad guys know that, so they focus on that, they focus on money orders, they focus on fraudulent treasury checks, they bring all those items together, and if you are not prepared to identify those checks as fraudulent quickly, you can lose $1 million. In certain size banks, that is maybe a penny a share or two pennies a share in a quarter; all of a sudden, you can have a serious problem.

Q All three of you are publicly traded. Has your ability to fight fraud become a competitive advantage? Are you getting any credit for your effectiveness?

Parker: I personally do not think so. Our bank is so large that we earned $850 million last quarter. From a stock price and earnings perspective, the fraud losses are not significant to that kind of earnings power.

If an institution were to possibly gain a competitive advantage it would be more from a customer service perspective—how you treat your customers, how you educate them and how you treat them after something has happened. That’s where the competitive advantage may or may not manifest itself.

Zarzycki: I would hate to see fraud as a competitive advantage, because the banks have worked so well together. We talk about it. We are working together to beat the bad guys.

Q The market would discern that one institution is better than another at detecting fraud and...

Zarzycki: Right, because then we would stop working together, and that would be a travesty.

Parker: I used to play a lot of golf and competitive golf, and the interesting thing about that sport is that you are always trying to help your opponent. You go on the PGA tour and they are always trying to help each other. If somebody is not doing well, they are there to help them if asked, even though 15 minutes later, they are on the course playing against each other for income. With regard to this industry, where we are very competitive at trying our best to get those numbers down, we are right there to help each other as well.

Zarzycki: I want to be able to help Lloyd and I want to learn from Brian. What he sees at Washington Mutual that’s coming east, I want to know about it when it is coming my way. If he thinks what he sees is a competitive advantage, I could not get out and share the information that I share at conferences or talk with you about what we are talking about, or put the tools in place, work with the vendors, the things we need to do to fight them. They are organized, like Lloyd said, they are out there. They are talking to each other, they are working against us. If we do not work together, we cannot stop them.

Lamm: From my perspective, we are not really there yet. It is interesting. Some bankers still have the kite mentality. The first bank out wins, so if you have a kiting, you will call your friends until you have stopped it and do the things you are going to do, because somebody else is going to take the loss and that, for kiting, is an issue.

But what’s changed in this case is, when there was a fraud previously, it affected a 100-mile region. Now when a check comes back, a check from one of our customers gets sent to Canada, the next day it is being cashed in Texas. How do we communicate faster? How do we communicate better as banks?

If you call our bank, you will get me. I never leave home without my cell phone; I have it all the time, so do the other folks who work there. We had three checks that were fraudulent, they had all been accepted, well over $100,000. We were going to take the loss because the rules said the time had passed. Because our staff was able to contact me quickly, and we responded, the loss was averted. But try to get hold of a human being at a very large bank to tell them they have an issue, and you get bounced around, then finally you get to a call center. God bless those folks, they know a lot of things, but they do not know who Lloyd is or who their security people are, and they do not know how to get a call there.

From my perspective, the banks need to work more closely together. I would love to see somebody publish a manual at least with the direct phone numbers of security officers to every bank, and if I have an issue I can get on the phone and call somebody. Because I cannot afford to get lost in a maze. If I can’t get through tomorrow, it is too late; the money is gone.

Q Lloyd, are you the Chief Fraud Officer at your bank?

Lamm: I’m retail operations director and security officer, so the good news of that is that I get to touch the process as it goes throughout the bank, also from a security perspective. We also have a good working relationship, for the size we are, that the CEO recognizes that sales are critical, but we cannot afford to ignore good operating procedures. I get to be included in conversations that help make policy, help implement things that need to be implemented. So, while some good folks call the security “the sales prevention team,” that is not who we are; we are the loss prevention team. We want to facilitate sales but do it safely.

Q We have talked a lot about technologies, we have talked a little bit about process. We have not talked about people or agencies. What about law enforcement, are you happy with the cooperation you’re getting?

Parker: Law enforcement is doing everything they can. The problem is that they are going in a lot of different directions. The real emphasis, since 911, has been in Homeland Security, without question. So, it has been difficult for them to apply the resources to things like check fraud like they may have in the past. It has to be a certain size, especially when you get into those big markets like Los Angeles or New York. They are not going to look at it, unless it is pretty darn significant.

The other side of it is that fraud has changed a lot and it is not the old check fraud. There is some technology involved and there are other aspects to debit card fraud or ACH fraud; we need to continue to build those cases so that law enforcement can take it. They need a readily prosecutable case so that they can move it to the next step or they just do not have the resources to do it. We partner as best we can.

Zarzycki: It is a two-way street for us. We try to work with them, to educate them, they try to educate us. For instance, one of the neat things that Comerica does is a fraud prevention training; it is a three-day training process that’s given for the entire staff. We had people in from the FBI and the DEA. They have been very good about coming in and training our people for us, in talking to us about what is going on. Also, with the industry groups, we worked with the postal inspectors, we’ve worked with the FBI.

They want these bad guys off the street too, but they are limited in resources and we have to understand that, so we try to work together with them. I give them a whole lot of credit. I think they have done a phenomenal job and I think as financial institutions, we are really grateful for that.

Lamm: We have a former law enforcement officer on staff, and they speak police, if you know what I mean. They understand, they use the word perpetrator more times than I probably ever would. The fact is, in some of the smaller communities, Pittsburgh being the largest that we operate in, one of the things we have learned is that, it is not so much the specific case, but how the case is presented. If you get the right documentation and give it to them in the right way, with a nice bow on it, they can take that, move quickly and perhaps get it into the system. Otherwise, if you just bring them in, they write a report, that $5,000 loss is meaningless. A $25,000 loss presented in the right way—they are very willing to go after that, so a lot of times, it is how we present the information.

Zarzycki: And they love it if we are talking to our peers and can tell them that, not only did Lloyd take a loss, but I took a loss and Brian took a loss. Now we do not have a $5,000 case, we have a $50,000 - $500,000 case, whatever it is, and they will run with it.

Q If you had unlimited everything—unlimited staff, unlimited budget, unlimited technology—what is the one thing you could use that would make you more effective?

Parker: The one thing that would really bring us to the next level in fraud detection and fraud prevention is a focus on the data, unlocking the data, and using more sophisticated tools to analyze the data. We have robust tools now, but to take that to the next level, and really use the tools and data to develop pattern recognition so that you have a real-time indicator that a particular transaction is fraud. That is really where you need to get to, and the only way you get there is really robust data capture and robust tools to analyze that data.

The one thing that you see in banking versus other industries like credit cards is the tremendous volume, there are a lot of transactions happening. Almost every day there is a transaction and a new customer account, and so that volume really adds up. Just getting your arms around all that data and the tools to analyze it, that is how you end up really winning in my opinion.

Zarzycki: I would follow along that same line, unlocking, breaking down our silos, unlocking those resources, mining that data and moving it up to a closer and closer real-time environment, because everything is moving faster, faster and faster. Fraud is moving faster, the transactions are moving faster, everything is moving faster, so we have to move faster.

The only way you do that is through unlocking our own data. We have it, we have it stored in different places. We need to bring it all together.

Q Are these achievable visions?

Zarzycki: It really is. There are those of us who have already put the RFPs out there, and some banks have already done it, they have been doing it for years on the check side of the house, and now they are bringing in the credit side of the house and the security side of the house. They are looking at everything in the big picture.

Lamm: I absolutely agree with my colleagues, but I am going to take yours one step further. I am going to assume that, since I have all the money that I need, I am going to have the very best technology there is. One thing that we need to continue to do is, the best line of prevention is our front line, our front of the house, and as you get larger, it is more cumbersome and difficult to train them.

We have 1,800 people; some of that is front of the house, some of it is back of the house. In terms of fraud detection and prevention, and dealing with it, both the back of the house and the front of the house need specific training. Sometimes we say, we train you once a year and by God, you better get it. Well, that is not it; training needs to be continual, ongoing, well done and the larger you get, the more difficult it is.

If I get somebody in the branch that recognizes a kite before I see it electronically, the world is a better place. If somebody sees that somebody is waiting on a customer and a transaction is being compromised, we can deal with it immediately, faster and better.

The front line needs the training. Vince Lombardi used to start out at training camp with the Green Bay Packers and say, “Gentlemen, this is the football...” With all the electronics that we have, all the technology we have in the world, we still have to do the basics well; we still need to recognize things at the front line, we still need to react quickly.

Zarzycki: I would reinforce that. Training is so important. We have one person who specializes in how we are going to go out and train the business lines, how we are going to train our tellers, how we are going to train our assistant managers, our managers. Awareness is critical.

Q Lloyd mentioned fraud awareness is sometimes considered “sales prevention”—who has been able to figure out how to train on both?

Zarzycki: Put it in perspective for them. What we tell them is, if we lose $2,000, you have to go out and sell this many checking accounts to make up that $2,000. If you can put fraud losses into numbers that they understand, I have seen it have an impact on them.

Lamm: And you are helping the customers. I spoke earlier about the fraudsters that are using unsuspecting good customers getting involved in an Internet situation, and they lose $3000, $4000 or $5,000. If somebody recognizes that in time, and the customer does not send money, you have a customer, you have a friend for life. We’re not just denying people things, we’re helping your customers all the way along. It is not sales prevention. Yes, it does prevent losses but you are helping your customer and it is just another form of being a full service bank.

Zarzycki: They always looked at us as the people who said “No,” but we want to say, “OK, let’s do it this way with these controls in place. We understand that we are going to take some losses, and that is OK, we make it a part of the business case, but we’d rather have you working with us on the front end. Let us help you put these controls in so your sales can go up, and our losses do not go up too much.”

Questions or comments about this article? Post them at the Banking Strategies blog.

 Ms. Allen is publisher and editor-in-chief of Banking Strategies.

back to top 

 
© 2008 BAI. All Rights Reserved. Contact Us  |  Site Map  |  Our Terms and Conditions  |  Web Site Specifications  |  Home