Data’s expanding role in protecting against fraud

Banking institutions lose billions of dollars each year to fraud, and every dollar lost comes with a 4X multiplier that jacks up the costs.

Greg Kanevski from LexisNexis Risk Solutions shares his insights on how banks and credit unions can put data to better use to push back on the bad actors and save big money in the process.

A few takeaways from the conversation:

  • Banks and credit unions have upgraded their technology and their operational approach, but the bad actors are also making moves in this cat-and-mouse game.
  • Rising digital transaction volume is overall a welcome trend for institutions, but it creates more opportunities for fraudsters to exploit weaknesses in the system.
  • Better use of data to correlate customer alerts and spot meaningful industrywide patterns in real time can provide better protection for banks and customers.

Subscribe to the BAI Banking Strategies podcast:

Apple Podcasts     Spotify    Google Podcasts    Amazon Music

Sign up for the free BAI Banking Strategies newsletter and get industry insights delivered to your inbox.

By clicking the Subscribe button, you acknowledge that you have read our Privacy Policy and Terms of Use and agree to be bound by them.

Fraud targeting banking institutions remains high this year, as do their losses as digital banking becomes the default for more and more consumers. In fact, a LexisNexis study from earlier this year found that every dollar lost to fraud costs financial institutions four times that amount – this multiplier is up close to 20% since start of the pandemic.

Greg Kanevski, head of global banking at ServiceNow, is our guest this week. He’s here to talk about how more effective use of data can help banks and credit unions in their fight against fraudsters. Greg, it’s been a while since we’ve chatted, welcome back to the BAI Banking Strategies podcast…

Thank you, Terry. It’s my pleasure to be here.

So Greg, fraud is always a front-of-mind topic for banking institutions because of its growing prevalence and also because of the high dollar losses due to fraud. How are you thinking about the current fraud risk environment, both for banks and credit unions, and from the perspective of their customers?

Fraud, obviously, has been around in the industry for many years, and it’s a traditional cat-and-mouse game. But I’ll be honest with you, it’s the complexity of fraud today that is really the challenge. It’s the complexity in the manner in which the bad actors are engaging, the manners in which they are trying to penetrate the banking environments, but also the complexity of the environment where banks are providing multiple different services today, and all of those channels have to be watched at all times. And they have to be able to distinguish one normal event from a non-normal event. So the complexities of understanding this and processing this, especially considering the volumes, is a profound challenge for them today.

So no doubt, complex, and getting even more so as technology and techniques being used by the fraudsters get better. Within this environment, how would you say banks are doing in meeting the challenges in protecting themselves and their customers from the many bad actors out there?

For the most part, they do fairly well. The technology environments, the systems, the operations and the sharing of intelligence and information among the community has matured greatly, especially over the past five to eight years. And that combination of those together, what I call a village of support, really has provided them with some semblance of control. That said, customer behaviors are changing. Customer behavior changes means more digital transactions, means more exceptions, means more alerts. And as a result, with more and more volumes, it’s becoming harder for that village to keep pace in this cat-and-mouse game, and that’s the challenge that banks are facing today and will be facing here for the next 18 months.

So there are so many fraudsters and would be fraudsters out there, from your small-time scammers to the industrial scale operations being funded by foreign governments. Certainly, this latter group is the most dangerous given their size and how skilled and how well-equipped they are, and they’re also adaptable. When you lock a door, they find a way to pry open a window to get in. So can banks get an upper hand? Can they keep an upper hand in this game of wits, this cat- and-mouse game, as you call it? And if they can, how do they do it?

This flexibility is key for them because, as the bad actors change their routines, which they’re going to continue to do, the banks need to be able to respond. Now, they can get the intelligence on what’s happening and how the bad actors are changing it, but the ability for them to dynamically respond – change their alerts, change their algorithms, change their procedures – they need to do this more and more towards real time. Now, what does real time mean? It means as quickly as humanly possible. But the flexibility of that program, of that ecosystem that supports it, is key regardless of the size of the institution. So if they can’t be flexible, then the fraud numbers are going to go up, the associates are going to work even harder, and the consumers are going to be more and more upset with their response or their ability to respond. And we’ve seen examples of that out in the news, where some institutions have taken a hit to the brand as a result of large-scale fraud situations that they’ve been unable to effectively answer in a timely manner because they didn’t have that flexibility to maintain the dynamic program.

This flexibility, this adaptability that you’re talking about. I hear about that and what I hear is that perhaps data is the answer to that. And the data is more broadly the answer for a wide range of challenges that banks and credit unions face, particularly on the customer experience side. So data, of course, is being used in fraud today. But can data be put to better use? Can it be put to a more effective use and help to reduce financial industry fraud?

Absolutely. And data is the key for institutions’ ability to respond. And, you know, as you put it, to be able to balance between the customer side and the response. And what I mean by that is most people, when I say data, the ones that are listening to this might say, well, yeah, we know the buying patterns of the customer, and we understand that if they live outside of Chicago, that their transaction should be generally near Chicago, and if it’s more than 100 miles, we’re going to create an alert. That’s the data of old. The data of today is correlation of alerts, correlation of these patterns against their peer group, against the industry. And that’s Big Data issues because there’s so much of that. So a manner for institutions to be able to correlate this information as close to real time as possible so that they stay as attuned to what’s happening and be able to generate meaningful alerts that allow them to prevent more fraud and respond to existing fraud is the key.

It seems that when we talk about data, a lot of times the conversation goes to how the data is held and how the data is siloed within a banking institution. I would imagine getting good use out of that data depends on having efficient systems to be able to tap into it, to be able to find the right data and apply it in the right way and be able to interpret it, to be able to analyze it. How does that part work?

These functions grew up historically as individual teams. Example, there’s a fraud detection team, fraud prevention detection. There’s a fraud operations team, there’s investigations, there’s disputes, there’s complaints – all of them running on separate technologies, as separate functions with separate management. Today, organizations are pulling those functions together because the IQ of the customers and their expectations has grown tremendously. It has with the regulators as well, and they’re expecting that to correlate together. So in the last answer, when I said big data creates bigger problems, part of that is as these functions come together, it provides visibility for the organizations, because if I was to call in today on a complaint and call in tomorrow on a dispute, they should be able to tie those together. And that’s the regulatory expectations. Not only is it what management wants because they want a more efficient process, but tying those technologies, that data together – that’s what’s creating the bigger ecosystem of understanding what our touch points are with those customers, what our touch points are with the underlying systems monitoring their activities, and them against a larger peer group. So as these functions come more and more together physically, and their systems come together logically, these siloed functions and technologies have to be co-mingled in order for them to play, for them to get the most out of the data that’s there. And that’s the challenge most of the institutions that are looking at this now, which are a large portion of the industry that I talk to, are really focusing on because they want to take that next step. And this is what’s really driving them towards that end in mind.

Given the imperatives around fraud, how receptive are you finding your client banks and credit unions to the idea that they need to shake things up, that they need to try new things, maybe embrace new ways of thinking about preventing fraud, and are you seeing any clear signs that they are actually moving with a purpose on this issue?

It is the number one area that I am hearing from institutions of varying size in varying regions where they not only want to do this, they’re asking for advice on how to do it. They recognize that customer behaviors have changed. They realize that there’s more transactions going digital. They are pushing us in discussions that I’ve had to say, “How do I solve for this?” Not just for now, but I want to maintain some capability or flexibility into the future because I don’t expect that digital transformation to stop as far as customer behavior goes. So with those numbers coming, and there’s also been some regulatory momentum here recently of changes in how they view the environment, those are all creating a perfect storm of organizations that are saying, “We need to take a look at this, we need to prioritize it.”

Greg, from what I read, it seems like the rules for lodging fraud complaints have been liberalized to some extent, making it easier for the customer to make a claim that they were defrauded and that fraud claims are going up as a result. Does that line up with what you’re seeing? And if it does, how is that impacting banks and credit unions?

So I see multiple factors on the horizon of where the regulators are taking a much more consumer-centric advocacy. 2021 was the highest number of complaints ever in the banking environment for the CFPB. The numbers have come down a little bit since as behaviors in post-COVID have changed, but they’re still high. And the regulators have been very active, to your question. They’ve been active specific to the fees that are generated, and that’s not just fees for balance issues or if someone had a fraud in the account and then they use their card and they have an overdraft – are the institutions compensating them for those fees – but it’s the other fees as well. It’s the fees that the institutions and the payment firms are getting on the actual transactions themselves. There’s some discussions of capping those fees or at least capping the growth to them. So with tight margins as it is, plus regulatory advocacy on the consumer’s behalf – probably more so than we’ve seen in the past recent memory – and the third factor is the additional regulation that’s likely to come here in the next 12 to 18 months, further capping revenue. Those three things are weighing heavily as well on the institutions to say, “We obviously want to be in the best interests of our customers,” but to do so as part of an entire ecosystem, we really need to change to be able to do that because we need that centralized visibility for them, regardless of what channel they want to come in and engage us with, for our own sake, but also to ensure that we are regulatory compliant.

If the stakes are higher for banking institutions when it comes to fraud, and the costs are higher as well, I’d imagine there’s a temptation to try to tighten things up to limit their risk. But on the other side of that is the expectation by customers that they will have a smooth and easy experience interacting with their bank. Always a balancing act, but are we getting to the point where customers should see it in their best interest to perhaps accept a little more friction in their digital banking in exchange for a little more protection?

Balance is probably the right word to it. Obviously, different demographics within the customer base have different expectations. In other words, some of the younger generations are expecting a frictionless experience where some of the older generations of, you know, 40 and over, are a little bit more amenable to some of that friction. That said, the overall theme that I’ve seen from research is consumers are willing to trade off on those experiences, as long as it’s commensurate with what’s happening. In other words, that friction shouldn’t exist for a $25 transaction when there’s never been fraud in the account. But obviously, as the barriers increase to what the financial transaction or the financial situation is, of course, they should expect that and they should want that type of experience. Not to say it’s prohibitive, but that it’s commensurate. It balances with the risk of the actual transaction itself. So the answer overall is, “Yes” – the expectations of customers and the forgiveness of them of that friction. But it has to be commensurate with the risk of the actual transaction or action itself that is created. And for the most part, you’re talking about the exceptions, not the rule.

These issues that we’re talking about here, do they weigh more heavily on smaller banking institutions, given that part of the industry, they don’t have the same level of resources available to deploy for fraud prevention?

The bigger the logo, the bigger the risk, the bigger the threat. That said, the prohibitors here are budget, staff and visibility – the understanding of what’s happening in the environment, real time. The money center banks obviously have a large ecosystem, have large mature programs. Then you have the regional banks that play very well in this space. But the lower end of the regionals, and what I call some of the interstates –that Tier 3 banking environment – they haven’t necessarily been that logo that’s been in the news. They haven’t been that logo that’s had to worry about state actors. They’ve been aware, but they know their customers a little bit differently. Their customer behaviors are a little bit different. But now we’re seeing, there’s been some news in the past year where some of the state actors have really focused on that Tier 3. There was some news recently about how the Tier 3 have faced some check fraud issues where the numbers on a percentage base are higher for them than they are in the larger banks, because it’s a little bit of a different ecosystem for them. It’s a different manner in which they address the market. So it does change the dynamics of the programs and the dynamics of how they respond change based upon the size of the institution and the brand, but it’s still survival for them, just on a different scale, because the smaller institutions do not have the scale to digest any type of fraud like some of the larger banks are, and every dollar for them matters. So they’re dedicating time, they’re dedicating budget, to ensure that they have those protections in place.

And as if there aren’t enough challenges out there already, soon, we’ll be dealing more with open banking as well, customers having more control over their individual data, the push from fintechs and others to get access to those huge data troves now held by banks. How do you see the risks, fraud potential-wise, and the opportunities, fraud prevention-wise, as open banking becomes more prominent in the coming years?

It’s an area that I’m particularly interested in, to be honest, and we’ll be paying close attention to see how this evolves. Obviously, open banking in theory will add some challenges, but I believe it’s also going to provide some unique opportunities for both the consumer and the institution. And what I mean by that is, there are multiple types of protection that consumers will not only own within their data, but within their data protection information as well. As the industry moves away from passwords into, whether it’s biometrics, whether it’s a hybrid of biometrics and personal information, that data as well will be controlled by the consumer. It’ll be their responsibility, and that will become less of a prohibitive and more of an opportunity for institutions to interact more dynamically, because now, if I’m engaging with my institution and I’m trying to transact, in every instance, I may not know how they’re going to authorize that transaction with my information. I know it today. I have to give them a password. But if in the future, I control my own biometric and password information dynamically, and I do not know in which way the bank will interact or will ask me to confirm my identity, that creates an opportunity to compete with the bad actors out there because it provides them with more variability that they cannot predict. Where they can predict it today. They can spear phish me and get my password eventually. In the future, if passwords really don’t exist and open banking really does allow me to manage that data, it’s an opportunity for me to interact with my bank much more openly, but also provide a greater opportunity for me and the bank to create a secure transaction that will make it harder for the fraudsters to be able to predict proactively.

Sounds like that could be a future podcast topic of its own. So Greg Kanevski, global head of banking in ServiceNow, many thanks for coming back to see us on the BAI banking strategies podcast.

Thank you, Terry. It’s been my pleasure.