Fraud activity is increasing – how to protect your institution and customers
Greg Kanevski of ServiceNow joins the BAI Banking Strategies podcast to discuss the impact of increased fraud on financial institutions and how they can better protect themselves and their customers in their fight against fraudsters.
Fraud prevention impacts every financial institution in a wide variety of ways.
A few takeaways from the conversation:
What’s old is new again with fraud tactics and the impact hits banks of all sizes – not only do financial institutions have to battle newer forms like friendly fraud and other various types of online fraud, but check fraud is also back with a vengeance. And smaller banks as well as credit unions are being targeted in the same way as larger and medium-sized institutions, which means all financial institutions need to be on high alert for fraud attacks.
As financial institutions continue the cat-and-mouse game with tactics to combat fraud, AI has arisen as a new option to integrate into existing systems. While there can be a significant upside to this, including but not limited to gaining insights into predictability and fraud patterns, bank and credit union leaders must also consider the potential issues with implementing too quickly. AI is only as good as the information it is built upon, so it’s important to ensure the strength of the underlying processes, data and workflows.
Looking ahead, many financial institutions are examining how to bring together and consolidate platforms and processes in order to provide the best possible, and consistent, customer experience. This can also provide them with the opportunity to have better visibility into timelines for regulatory inquiries and provide scalability for the organization.
Fraud prevention impacts every financial institution in a variety of ways. And once you think old tactics are out of the way, they sometimes have a way of popping back up again. Greg Kanevski, head of global banking at ServiceNow, is here to discuss the impact of increased fraud on financial institutions and how they can better protect themselves and their customers in their fight against fraud. Greg, welcome to the BAI Banking Strategies podcast.
Thank you. It’s great to be here.
We know that fraud can occur in many different forms and sometimes what’s old is new again. At BAI, we’ve heard leaders talk about the resurgence of check fraud. Greg, does that align with what you’re hearing, and can you share any insights into what has caused this resurgence?
Absolutely. And it’s a great question, and thank you again for having me here today. Check fraud is back and it’s back with a vengeance. Just looking at the Fed statistics, and if we just take from Richmond itself, just one of the Fed banks itself, increase in filings of suspicious activity report for SARs went from 2021 250,000 to 460,000 in 2022. That’s 84%.
And if you look at the ABA Journal, they talked about 23% in ’21, but nearly doubling in 2022, showing that that statistic is not just based on one regional Fed area, it’s a nationwide issue. And it’s on the volume of SARs. Nearly 700,000 last year were submitted based on just check fraud. And being in the industry well over 30 years, check fraud was one of the biggest items when I first joined. Obviously saw a dip, but with so much focus on online, it’s making a comeback.
Speaking of online, in addition to check fraud, we know that that’s constant, certainly not a new problem, but it accelerated during the global pandemic. How big is the problem when it comes to online fraud, and what are the costs associated with it?
So online fraud, given the pandemic change in consumer behaviors, meaning driving the consumers to making it more comfortable for them to complete online transactions, has ballooned online fraud in multiple different types of online fraud.
We talk about friendly fraud, which relates to chargeback. One statistic we had was 77% of online or chargeback fraud is now friendly fraud. That’s a tremendous statistic. And I was looking at one today that the number they’re estimating is even as high as 86%.
The ability for an anonymous source to defraud the merchant, generally these merchants are taking the loss, not just the banks, that dispute is now causing changes in behaviors. Anybody here ordered from Amazon recently, they’ve probably seen that a picture was taken when the package is brought to your front step. This is a reason for them trying to offset it, because every time someone calls into this type of friendly fraud, $2.53 is the cost of that dispute.
Given what margins are today and the issues in supply chain, that friendly fraud, it’s not a viable long-term. So, there’s other ways the institutions are having to address this and really apply the best techniques possible, like what we talked about before, even if it’s the point where the drivers have to take pictures of the delivery itself to assure that it actually did make it to the intended target.
And Greg, can you share a little bit more about what is considered friendly fraud and why it is so challenging for both the vendors as well as the banks?
Absolutely. Friendly fraud is you have your credit card, you are utilizing it or someone in your family’s utilizing that charge and you are saying ultimately that that service or product was never received, even if it was.
My son uses my credit card, orders something, I didn’t give him the authorization, I want that money back. Or I ordered it, and I don’t want to pay for it, so I charge and say it came in damaged. That’s really what friendly fraud is here today.
And oddly enough, in Q4 of last year, there was a statistic done about friendly fraud. It was anonymous, but they actually asked individuals, have you disputed a charge related to a service or product you received? And 23% of the people admitted. So you obviously understand the statistics much higher, but this type of fraud is on the rise to the point where the cost of the dispute plus the cost of replacing the device, plus the cost of the delivery is really hitting the shrinkage line in these institutions and they’re trying everything they can at this point to try to combat it.
And looking at the big picture, we know that with big banks, the bigger they are, the bigger the risks and the threats. But what about smaller banks and credit unions? Are they vulnerable to attacks, and what can they do to protect themselves?
Two years ago there started to be a little bit of an overseas traffic towards the medium-sized institutions, the super regionals, seeing them as one of a softer target. Given the development and the capabilities of these online fraudsters and online bad actors, there really isn’t a safe institution anymore.
Now, smaller banks have been trying to consolidate as best they can. I know that it’s really not a friendly time as far as regulatory oversight goes, but with the change in legislation in most states for credit unions, allowing them to become much larger, they are becoming larger targets at this point, and they’re seen by the criminal element as a little bit of a softer target.
So, where it was two years ago for the regionals and super regionals below the money centers, now that’s the smaller banks and the credit unions, and seeing that they are more of a viable target, even though you might have to hit five of them to get the value from one regional or super regional. Okay, well we’ll go after the five because it’s easier to attack them.
So there really isn’t that safe haven anymore, and there really isn’t the safe haven because it doesn’t matter about the size of the institution. You’re generally providing the same services as the larger institutions anyways, which means online. You’re getting your services either through your own technology program or you’re buying it through credit union services organization or CUSO. You have the same type of vulnerability. And as a result, these institutions, and I talk to these folks tomorrow morning, I’m in front of a group talking just about this topic because it is such a sensitive and real threat to them day in and day out.
And as we think about tools to help combat fraud, AI is certainly the shiny new object that everyone is anxious to put into action. Greg, from your perspective, what are the pros and cons of integrating AI into existing systems to combat fraud?
AI is the darling of the industry right now. AI was in every institution’s quarterly release and notes about what are they doing to apply AI. And AI has a tremendous amount of benefits, simply put. Applying AI to your services today, there are just so many pros to it, from better services to predictability to customer interactions, not only the soft and hard dollar value benefit to the organization, just a tremendous amount of capabilities and to really reimagine the experience.
AI is a very, very powerful tool, but it has to be applied at the right time and under the right process and under the right conditions. Institutions and anyone can research it right to now today, some of the largest banks are using AI for predictability and fraud pattern. Predictability, to they understand the behavior better of you or I as a customer, us against our peer group. But also, when we do something abnormal, integration of that AI into looking at the algorithms really does provide them a whole host of opportunities to stay at least at pace, if not gain some momentum against the bad actors out there.
However, on the other side of that coin, there are cons to it. And the cons to it, I would draw the correlation to RPA from five years ago. RPA was the darling and everybody went out to install RPA in their processes. And then they realized, well wait a minute, if I have a bot here and one sits on top of the other and then another one sits on top of that, I really didn’t do anything to my process. All I did was insert RPA into it to do a quick band aid fix. And as a result, what I’ve done now is just raise the cost of my process because now I have to have people on staff or the ability or contract to be able to change those RPA algorithms.
They present risk issues because if I don’t change them, do I really have the controls in place to my processing? RPA was to five years ago in the operations as AI is today. And we’ve heard a lot of customers talk about how do I deploy AI? And I’ve said to them, “Why don’t we talk about your process flows first? Why don’t we talk about where you want to employ AI and how you want to employ it so we can make sure that AI is not employed on top of a bad process, a bad set of data.”
AI will only give you the benefits you put into it. And if you don’t have those underlying workflows, process flows, data integrity and the ability to look at it holistically, it has the risk of providing you minimal value back. And that’s not really where anybody wants to aim with it because the benefit of AI far exceeds anything that RPA, when it initially came to the marketplace, can far exceed going forward. Just given the growth of this industry and where it’s heading, AI in the future, if institutions line themselves up appropriately, can really capitalize on it long-term.
Definitely interesting to see how that evolves and takes hold. Let’s talk more about fraud prevention technology from an execution standpoint. We know that moving to the cloud can make technology implementation easier. How have banks progressed in this area and are they where they need to be or is it just an opportunity that’s not being fully leveraged yet?
Frankly, it depends on the institution. Some institutions are very progressive. Some of them are obviously extremely conservative. But most have made their way into this path. At this point, they have a public and a private cloud. Most of them balance it and are trying to, to use that word again, strike the balance of benefit without increasing their risk to an uncomfortable or unacceptable level. But it really is based on the institutions.
We go to some institutions today that’s still looking to build, build net new, build the program net new from the ground up. Those are the exceptions to the rule at this point, as most really want to go SaaS-based and want to go to the cloud because they want the nimble nature that it provides.
Most of the CIOs I talk to are trying to get to 30-day release cycles, repeatability of those release cycles and allowing that release cycle to influence their culture, meaning we take something, we adjust it, get the minimum viable product out into the marketplace, get the benefit to the business and keep that going.
You can’t do that if you don’t have everything in the cloud. You can’t do that if you don’t at least strike the balance of a private and public cloud. And that opportunity has to be there in order for them to be more nimble and meet the needs of their customers and their regulators and provide the value back, the dollar value.
As we get into last year, the IT spend as a percentage of expenses exceeded 20% for most institutions and some as high as 24%, so the larger banks. That percentage growth as it relates to expenses is not sustainable for an institution, especially considering what’s happening with fees and expectations. There are pressures on those fees. So as a result, the percentage of that spend has to come down.
And one of the ways to do it is moving to the cloud and allowing for more flexibility and viability, centralizing the SaaS providers to a handful or so roughly to really concentrate and provide that cumulative value from what you do invest in. So moving to the cloud is really the fundamental to help these institutions start realizing some of the cost savings from their core maintenance budgets.
And speaking more about execution, organizations often use multiple tools and have fraud prevention teams in different areas of the company. Is there any value in consolidating platforms and departments in this fight against fraud?
It’s the number one discussion I’m having with institutions related to this space is consolidation. And what I mean by that is if you look at any institution, you have your fraud prevention team, the one, fraud prevention is a large word, it encompasses many different teams and tools, but let’s just take it from the team that’s really got the algorithms and is generating the alerts.
There’s a handful of players in that marketplace, but once that alert’s generated from that team or is generated from a branch, a person walking into a branch or a phone call to a call center or someone walking into a regional office or coming online or coming in through the app, you now have multiple teams spread across the institution that is not plugged in with all of the different avenues in which someone can report from, whether it’s your proactive systems in the algorithms or someone walking into a branch or a merchant calling.
And as a result, these different functions, which has grown up over time are all disconnected teams, eventually reporting to a COO, but they run their own tools. They run their own case management platforms, they run their own surveillance and they conduct their own risk activities. And institutions are saying, we can’t keep doing this because the person that came in yesterday with the alert that was generated proactively today and then the call that comes into the merchant tomorrow, now I have three separate events and three different systems. They’re not tied together. When we do speak with the customer, we’re not looking consolidated. When the regulators come in and ask us, we have three different events that we have a tough time pulling together, especially at scale. Therefore, we need to consolidate these platforms not only to get the viability of a reduction in our core maintenance and the cost to serve, but we also, we want to be able to serve our customers better and we want to be able to show to the regulators that we knew day zero, the day it came in. And if it’s a payment issue and we have to respond regulatory within 30 days, we need to know what that day zero was in order to ensure that we met the guidance appropriately.
The only way to do that is consolidating platforms and giving people a visibility so that they understand, “Oh yes sir, Mr. Kanevski, we saw you come in. We heard that you called yesterday. We actually had alert from our proactive system, your account’s already been restricted. We’re moving the money. Here’s what we’re doing, we’re responding and we’ll let you know proactively if you do call in or come to a branch, everything is under this one event and we’re handling it as a large institution.”
That’s every single institution I’m talking to about this area, whether it’s a case manager, an event management, fraud management, complaints and disputes are all talking about bundling this together and finding a way of bringing it together, but not just from the platforms but also from the operational departments so that they can realize economies of scale and there’s less chance that the same event is handled differently based on the team that you speak with, based on how you brought the matter to their attention. And they’re really looking to take the next step forward. And that, frankly, given the large customer base of many of these institutions is the right step forward in how to service a customer better long-term.
And Greg, we’ve talked about a number of hot topics and trends. Open banking is another one on that list for sure. What are some of the challenges and opportunities associated with open banking?
Yeah, open banking really does relate back to the cloud-based discussion we had before. Open banking is simply, I need access to data, I need to get data back and forth between third parties, and I need integration points that allow me to transition that data, as a risk-based, I need to understand what my risk is to it, but to get that data back and forth so that we can provide the service appropriately.
That said, open banking was traditionally, kind of like moving to the cloud, was kind of a bad word in the banking sector because it’s a conservative industry, it’s highly regulated and you have to step through it carefully. With open banking now, most people are past the point of worrying about it. They have the controls in place to assess the integration, capability so that if I have spoke with a particular vendor and I need to get that information back and forth to transact a service, I have the integration formulated appropriately, have the controls around it.
Right now it’s how many can I get in place? How quickly can I get them in place? How can I tie my processes together through these integration points so I truly have a holistic picture with open banking? So hyper automation comes into place, open banking, which is we’re not just talking about a part of a process now, we need to ensure that we have for an entire process, an open banking capable or hyper automation capable workflow that allows us to really scale this and do it quickly.
This also relates back to that 30-day release cycle. We can’t do this if it’s not in the cloud. We need to move these things faster. With fintechs really pushing the industry further and further because they’re generally private and not regulated, or at least not as heavily, and they’re pushing the envelope as far as capabilities, institutions, it’s really an R&D arm to banking it these days. That’s why you’re seeing so many large banks purchase fintechs. The integration capability for their underlying technology platforms is pivotal to addressing these and to really staying on the cutting edge of what the customers are looking for.
And let’s talk a little bit about the regulatory environment. We know that with increased fraud comes increased regulatory scrutiny. What are the regulators focused on as it relates to fraud?
The regulators have been pushing quite heavily in the past couple of years towards focusing on the customer, “protecting the customer,” quote, unquote, ensuring that the institutions look at the customers holistically, address the issues, and they’re looking at them not just via fraud in an individual scope, they’ll look at the fraud, they’ll look at it by class. They’ll look at it by type of customer.
Are you responding to all of your fraud matters equally? Are you responding to them all in the same timeframe? Do you have the same sense of urgency for them? And the regulators are really pushing forward and want to know, it’s great that you responded to Mr. Kanevski, but did you respond to him timely and did you respond to others in his peer group the same way? And are you doing that across other peer groups? Access to data that allows institutions to be able to tell these stories and make sure that they’re focused on it has been pivotal to responding back to the regulators who are really pushing on fraud.
The second part of it is not just in the fraud, but the larger fraud scope of fraud disputes and complaints, that kind of trifecta of areas, it’s a lot of pressure right now on fees associated with it. And how are the institutions responding on those fees? Are they really providing the funds back in a timely manner? So, customer advocacy has been really the underlying delta of regulatory focus for the past two years.
Greg, you’ve shared a lot of really great information with us today. Before we go ahead and wrap up, is there anything else that you want our listeners to walk away with?
What I would say is most institutions that I’ve been talking to get overwhelmed pretty quickly in, say fraud, AML… stop, let’s separate them. Start simple. Start with one thing. Come up with your plan, engage your right partners. You don’t have to budget for everything. There’s too many things.
So what I’ve tended to talk to folks is what you’re staring in front of you is an apple tree full of apples, and it’s all related to this one activity. It’s overwhelming. It’s overwhelming to you, it’s overwhelming to your team. It’ll be costly, but just start by picking an apple and then move through it. And as you move through it, and if you do it deliberately, you’re actually utilizing the cultural change of your institution and the investments you’re making to lower your costs to improve.
Many institutions we’re talking to, it’s not just the customer’s issue any longer, the associates don’t want to work for an institution they don’t get some satisfaction out of. And if they don’t have the right tools and technology and the ability to help these customers, they don’t want to be engaged in it. So because it’s so daunting, most institutions that I’ve talked to have just said, “Greg, I don’t know where to start.” And what we’ve said is start by picking your first apple. In other words, come up with your plan. Start by picking your next apple. Get your C-suite alignment behind it.
This isn’t just a security or an operations issue. You need HR engaged in this. You need your CRO engaged in it. You need your CIO engaged in it. This should be an executive program that is sponsored by leadership and driven by leadership, the highest levels, and communicated openly and frequently. Then go pick your next apple. Let’s put a small budget together for you in order to start that transition and utilize that investment to drive your savings.
And if you do by apple by apple, you’re running the program in a sizable chunk that allows you to realize short term benefits, get that momentum, get the win behind your bow, and drive yourself to success.
Really helpful advice, Greg, and a great way to close out our conversation today. Greg Kanevski, global head of banking from ServiceNow, many thanks again for joining us on the BAI Banking Strategies podcast.
It’s been my pleasure to be here with you today. Thank you.