Financial services firms and government agencies have done well to invest in meeting growing consumer expectations for timeliness and convenience.
Now they must evolve how they protect themselves from the associated risks. As connectivity trends shift, so do fraud trends.
New threats are always growing. While EMV chip cards make it technically unfeasible to counterfeit credit and debit cards, fraudsters have driven a 130 per cent increase in new credit card account fraud from 2014 to 2015, according to Javelin Strategy & Research.
Similarly, it’s increasingly easier to apply online for food assistance or healthcare. The downside: the faceless nature of those interactions makes them prime to exploit, with help from static information from massive data breaches.
Few organisations are fully prepared for this changing fraud landscape, according to research by Information Security Media Group (ISMG).
In Faces of Fraud: The Analytics Approach to Fraud Prevention, ISMG reported only 34 per cent of survey respondents have high confidence in their organisation’s ability to detect and prevent fraud before it causes serious harm.
Sixteen per cent of respondents said their anti-fraud tools and team just can’t keep pace with evolving fraud schemes. Three-quarters of them rated anti-fraud control as only average or above average. Just 37 per cent said it’s usually customers who detect the fraud, not the agency or institution.
Why have traditional fraud prevention approaches fallen short? According to ISMG survey respondents, it’s because today’s fraud schemes are too sophisticated and evolve too quickly, customers and/or partners fall for socially engineered schemes , and so do employees.
Two rising risk areas
Organisations stuck in the past on fraud defence have felt the pain in several ways. Here are two key examples.
• Increasing monetary losses. According to ISMG, 41 per cent of respondents have seen an increase in fraud incidents and are not very speedy about addressing them. More than half of respondents (52 per cent) say it takes days or weeks to uncover the fraud; 15 per cent don’t even know.
• Reputational damage. “Loss of reputation is a higher priority for many banks than limiting actual losses, but it is the most difficult loss to measure,” a senior fraud and financial crimes executive interviewed by Longitude Research said.
What is the answer?
All three research studies – from Javelin, ISMG and Longitude – found hopeful news in fraud trends as well. Financial institutions and government agencies are fighting back with stronger investigative teams, better analytical tools and more skilled staff.
Step 1: Establish a strong financial crimes investigation unit (FCIU)
Banks are stepping up their investment in FCIUs. In addition to putting more focus on financial crimes, FCIUs enable banks to collect, share and disseminate intelligence across borders, business lines and silos of risk, where ordinarily that intelligence is not shared.
“The FCIU is a relatively new concept that has gained traction since the global financial crisis,” Longitude said in its research.
There’s still work to be done. Just 11 per cent of banks say they have fully established FCIUs across all geographies and divisions. Nearly half (49 per cent) said they will have a fully established FCIU within three years.
Step 2: Invest in advanced analytics
One way leading organisations work to keep pace with fraud schemes is through advanced analytics, such as predictive models, link analysis, machine learning and anomaly detection. These technologies supplement the basic conditional logic and business rules commonly used today.
Few organisations are there yet. While 74 per cent of respondents to the ISMG survey have implemented fraud detection and transaction monitoring systems, a closer look suggests these technologies may be rudimentary.
More than half are not currently deploying advanced data and analytics tools such as behavioural analytics, predictive analytics and social media analysis and 43 per cent said they can’t get a consolidated view of customer activity across the enterprise.
It’s no surprise nearly one-third of respondents say their organisations lack the technology capacity to properly detect and respond to fraud.
On the bright side, 26 per cent say their organisations will invest in big data analytics. Longitude Research confirms this trend; 87 per cent of respondents cited big data analytics as the leading technology tool for their bank’s FCIU.
The Forrester Wave™: Enterprise Fraud Management Q1 2016 says machine learning is a vital factor that “now dictates which providers lead the pack.”
Investments here will undoubtedly help resolve some of the current deficiencies in fraud detection.
Step 3: Build the skills to use the tools
A bright new analytics platform won’t deliver on its promise if users don’t have the training to use them well. Data science is the new, hot discipline, and organisations need to invest in data scientists internally or contract with third-party experts.
Where do you find them? The skills gap is real. In the ISMG study, 42 per cent of respondents said their organisations lack the staff expertise – particularly data scientists who can manage the tools.
“It’s one thing to find quantitative scientists, but it’s difficult to find quantitative scientists who understand a certain government sector or commercial banking,” David Stewart, Director of Financial Crimes Solutions at SAS said.
Sign up for our free weekly newsletterSubscribe
Longitude research confirms it: 71 per cent of respondents report having difficulty hiring specialised talent for their FCIUs – and it’s even more difficult for small or fast-growing banks.
It’s not because they’re not looking. When they seek to hire staff members, 85 per cent of banks look to existing cybersecurity professionals; 84 per cent search software companies; 61 per cent tap universities; and 50 per cent look to the government intelligence community.
They are scouring diverse sources, but demand for analytics talent is so great that good candidates are hard to find and harder to land.
Diversity of attack: the ANZ view
Tamsyn Harris, Head of Fraud Risk Strategy, ANZ
As fraud threats continue to evolve and the delivery of banking services moves digitally, it is not only investments in analytics (although it is important) helping to strengthen collective defences against digital fraud.
Diversity of attack methods (social engineering, malware and business email compromise) also require a diverse approach to managing these risks.
It is often a person targeted through digital fraud rather than the transaction and as such customers must be at the heart of any fraud mitigation strategy. How customers behave, interact and engage in a digital world are key aspects to consider.
Most banks have traditionally invested in fraud detection systems in Australia, designed to alert on suspect transactions or applications but attention is turning towards exploring other ways to integrate fraud mitigation activities into a customer’s everyday interactions with their bank and customers and digital are at the heart of these investments.
It is not just digital innovation driving these changes. Banks are investing in educating customers on how they can protect themselves and finding better ways to communicate with customers when fraud does occur.
Striking the right balance
There are challenges and barriers in the war on fraud. ISMG found two-thirds of respondents still grapple with technical constraints such as controls in different parts of the organisation that don’t talk to one another.
Forty-two per cent don’t want to add anything that might impede the customer experience. Fair enough. Customers might say they want protections, but in practice they take their business where it’s most convenient.
Striking the delicate balance between security and customer convenience will require a resilient and adaptable anti-fraud solution with robust analytics, backed by well-trained personnel in a well-established FCIU.
Ellen Joyner Roberson is CFE, Global Marketing Principal, SAS Security Intelligence Practice
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.