Financial Fraud: Manage the Risks
ACI Worldwide on Best Practices in Payments Fraud Management
Globally, banking institutions face evolving fraud threats. What are some of the new strategies and solutions they employ to fight back? ACI Worldwide's Patrick Higgins and Andy Morris share insights.
One positive trend: banking institutions throughout Europe are adopting layered security that mirrors the tenets of the U.S. FFIEC Authentication Guidance, often without any regulatory mandate to do so.
"Banks in the region do take threats of fraud and cybercrime very seriously," says Morris, Solutions Lead, ACI Worldwide EMEA. "We've witnessed in many countries in the EMEA region, they take a layered approach to wire, online and fraud threats without the necessity of regulatory encouragement."
And the efforts are necessary. Account takeover, wholesale and wire fraud are prevalent in all regions, and fraudsters are only increasing their efforts, says Higgins, Director Solution Consulting, ACI Worldwide Americas.
"One of the biggest challenges is it's such a rewarding environment for the fraudster," Higgins says, discussing wire fraud in particular. "These are typically high-value payments, and settlement is final and irrevocable."
Banks are aggressively addressing fraud in all its forms, but it's an arms race against the fraudsters, Morris says. "Techniques will vary, depending on budgets and banks' fraud risk appetites," he says, but institutions generally organize their defenses around three principles: detect, deter and distract the criminal. Toward that end, institutions are deploying layered controls that include real-time transaction monitoring, device and customer profiling, multifactor and out-of-band authentication, and enterprise fraud management solutions.
In an interview about financial fraud, Higgins and Morris discuss:
- Top trends in wire and wholesale fraud;
- How non-U.S. banking institutions can benefit from the FFIEC Authentication Guidance;
- Best practices and solutions in online fraud management.
Higgins joined ACI Worldwide in 2010 and has worked in the financial services sector since 1985. He started his career with Smith Barney before joining Norkom Detica in 2010 as a Senior Sales Executive for their fraud and compliance solutions. Throughout his career, Higgins has focused on trading, financial crime and compliance monitoring.
Morris joined ACI Worldwide in 2007 and has worked in the financial services sector since 1985. He started his career with Barclays Bank PLC before joining Carreker Limited in 1999 as Manager of their EMEA Risk and Compliance group. Throughout his career, Morris has focused on financial crime, payment and exception processing.
FIELD: Andy, I realize that the FFIEC Authentication Guidance mandates are a consideration for those in the banking industry in the U.S., but what about in other geographies such as Canada or those in Europe? Can you tell us a bit how financial institutions in EMEA especially can benefit from this online banking fraud management program when FFIEC is not a significant compliance concern there?
ANDY MORRIS: Banks in the region do take the threats of fraud and cybercrime very seriously. As an industry, they have responsibility for protecting and sustaining the stability of the payment mechanisms customers use today. We've witnessed in many countries in the EMEA region that they take a layered approach to wire, online and fraud threats without the necessity of regulatory encouragement. Institutions and banks have adopted authentication, verification and challenge-response strategies largely on a voluntary basis without regulatory intervention. Two-factor authentication has largely been adopted based upon the card authentication program, what we know as CAP technology, which piggybacks on the introduction of chip-and-PIN. The same technology has provided banks with an out-of-band authentication tool and password tool to log in and sign their transactions. This has enabled banks in the region to re-purpose their technology investments for card payments in order to utilize payment authentication engines such as ACI's BASE24 system.
Independent of this framework is transaction monitoring, helping to identify abnormal activity. In addition, corporate customers have sign-in and access permissions around the individual corporate employee's role. [It's also good to have] additional authentication techniques to strengthen the communication between the customer and the bank when they're initiating the payment.
However, there are often exceptions to voluntary compliance. Turkey is one example where regulators have asked institutions and banks to apply mandatory standards in respect to authentication and transaction-monitoring techniques.
I would in summary say that there's a collective responsibility to conform and a necessity to adopt best practices amongst the banks. No one wants to be the slowest animal in the jungle.
Top Fraud Concerns
FIELD: Andy, we all know that fraud in general is a huge concern, but what specifically do you find to be the biggest concern for Internet banking fraud?
MORRIS: That's a very good question. There are several different aspects I need to explore here. These include payment initiation. There are multiple choices now in respect to how the customer initiates a transaction. These include any device that has a browser fascia. Banks are now dealing with payment initiation not just from a PC or laptop, but a tablet or mobile device. The device authentication and profiling is a major headache. Between what we can do today online and how we were traditionally transacting using a checking account, a checkbook and pen, there really is no comparison. The factor here to consider is social engineering. Customer ignorance and customer education are important. Some customers cannot help themselves and contribute to the loss. I will try and explain this point a little bit further. False URLs basically create the impersonation. The criminal creates the URL and website that closely resembles a bank's own website, tricking the customer into thinking that they are dealing with the bank. Key loggers, Trojans, malware such as Zeus and Sea Lion also help to perpetrate man-in-the-browser attacks.
The point I'm trying to make here is it's really hard to legislate what customers watch and what material they actually download. Anti-virus software offers some level of protection, but again customer education and responsibility are important factors here.
FIELD: Andy, I would like to ask you specifically about wholesale fraud. Why is this a growing challenge for institutions?
MORRIS: We're certainly hearing more and more about cybercrime threats within the news. In April, the New York Times published an article suggesting it was going to rise up to $1 trillion. We've also seen in the UK the head of one institution's online and fraud security jailed for a $2.4 million fraud. In July there were also some articles published in respect to an Iranian fraud that involved $2.6 billion, and the individuals that perpetrated that crime were actually sentenced to death. So those are examples of fraud threats that we have out in the public domain today, but let me come right up to date.
The FBI published a bulletin around wire fraud involving transfers between $400K and $900K. Earlier in the year, they published a bulletin about advanced fraud attempts involving wire transfers to Australia and Malaysia. The activists or hacktivists, such as the group Anonymous, are also making threats to the payments industry, so we definitely have a lot to chatter about. The bottom line is fraud is a growing problem whether you label it fraud, financial crime or cybercrime, which incidentally is defined as traditional fraud perpetrated today through a computer, tablet, mobile device or across the Internet.
What are the challenges that we face? It can go back as far as 2000. We've seen some regulatory changes take place. Take Reg E for example, the delivery of new processes that electronified check payments, so they can be captured and processed as ACH transactions. Let's also not fool ourselves; wire fraud is not something new. Wire fraud has always been a fraud threat, but electronification and consumer demands for more speedy and convenient payment methods have made the growth in the volume of payments higher today and have raised the challenges in respect to how we authenticate and verify these payments.
Previously, these types of fraud were mitigated through in-branch initiation, IT verification, signature verification and customer call-back strategies. The fraudster has to diversify and look for new techniques to perpetrate their crime. This includes compromising and extracting customer logon data and passwords through social engineering techniques. What we now describe as phishing, vishing, smishing and pharming, false URLs, Trojans, malware and key-logging software are also making it possible to steal the customer's identity or trick the customer into thinking they're communicating with a bank. Not all banks in all regions have been as quick to educate customers about fraud threats from transacting online. This has made it arguably more difficult because the industry has delivered a recipe of change, while the fraudster has been motivated and quick to exploit it.
FIELD: You've done a good job laying out the challenges, and I like how you brought in some compelling information from events and incidents that we've seen. Let me ask you about these incidents. What has the industry learned about wholesale fraud from everything you've outlined for us?
MORRIS: From my perspective, it's more complex and sophisticated. We've seen advance-fee fraud, what the industry would refer to as 419 scams and what we're really labeling as "ghost money attempts." Times have actually moved on. We're now looking at boiler-room fraud, so there's an additional dimension here as well. But electronification has made it much simpler and convenient for the customer to transact. This has been circumnavigated by the fraudster. Typically, banks now say the majority of fraud is initiated on the online channel. Authentication has been proven to not be enough. Fraudsters are actually targeting the small or medium-size organizations. We're recognizing that cross-channel fraud is very important, in particular wire and ACH payments. The number of incidents of wholesale fraud is really low. The average loss is significantly high. The amount of time it takes to react is significantly lower. There are reduced opportunities to recover the funds. These involve indemnities, and where payments are made across international borders it becomes more complex and more difficult. We're also recognizing, both as an industry and as law enforcement, that the fraudster does not work within geographical boundaries. Law enforcement is taken advantage of by the fraudster here.
Managing Wire Fraud Risks
FIELD: Patrick, I want to bring you back into the conversation. You've listened to a lot of what we've discussed here. What do you find to be some of the unique challenges of managing fraud, specifically in a wire transfer environment?
PATRICK HIGGINS: To Andy's point on the wire side, especially for both wholesale and retail banking, one of the biggest challenges is it's such a rewarding environment for the fraudster. These are typically high-value payments, and settlement is final and irrevocable, so you take into account that payments is changing. A great example of that is in the UK, the faster payments, which have effectively reduced the settlement time of these payments from three days to almost real-time. While the customer is benefiting from a faster payment and a faster payment to the beneficiary, it's also creating a challenge in terms of detection and recovery for the financial institution.
FIELD: Patrick, can fraud controls be managed through the mechanisms that are used to originate a wire transfer?
HIGGINS: Absolutely. There are some good controls out there, and when you think of wire transfer, there are so many different places where a wire can be originated. That can include a branch or an online banking system, files transferred directly to the financial institution and even phone and IVR initiation. Convenience really has to be there for the client. Now, there are security measures in place around all of those initiation mechanisms, but the fraudster still has the capability to find the weakest point within a financial institution. Being able to put in a programmatic-type approach where you can detect expected behavior and expected initiation channels of your clients becomes more and more important, and then layering that detection approach across some of the mechanisms that might already be in place.
Evolution of Fraud Management
FIELD: Andy, I want to go into another direction entirely. Given everything we've talked about here, from your perspective, how has fraud management changed in financial institutions?
MORRIS: Let's face it, from my perspective, it's a bit of an arms race. Banks are proactively trying to address fraud and doing this more aggressively. Techniques will vary depending on budgets and the banks' fraud risk appetite. Some of this is reactive, and some of this is proactive, but it's aligned with three key principles: detect, deter and distract the criminal. The key to this includes real-time monitoring. Fraud control is another exception in the end-to-end payment processing chain. Near-real-time and batch processing are no longer in vogue. Speed is now becoming essential in fighting fraud. Some banks have also partnered with anti-virus software vendors to provide free anti-virus software. Profiling a device and customer are also frequently used. The former is more invasive and seeks to authenticate customers based upon device, operating system and version. Two-factor authentication, out-of-band authentication and challenge-response initiatives - something you hold such as a token and something you know - also act as deterrents available today.
Third-party intelligence is also used to help supplement detection techniques, whether IP address or geo-location, to help further qualify exceptions in or out. Enterprise alert management, or enterprise fraud management, also provides another layer of contribution. Signature is no longer a preferred method of authentication. We're already seeing the emergence of biometric technology at ATM locations. Welcome to the 21st century.
FIELD: Patrick, I want to take up a topic with you, just some context first. Sanction processing has always been a fundamental component of wire transfer processing, correct?
HIGGINS: That's absolutely correct. Whether you call it OFAC screening, filtering, sanctions checking or stop checking, it needs to be a fundamental part of wire processing and has been.
FIELD: That said, what's different in this space, and has it evolved in the same way fraud has?
HIGGINS: It absolutely has. There has been an increased focus on this type of compliance, and if you just look at some recent headlines, without mentioning any financial institutions, there have been penalties of over half a billion dollars in individual cases. Similar to fraud, sanctions have become more challenging to manage. The restrictions from a regulatory perspective have increased. They're more stringent. You're seeing larger fines, and the fraudsters and those seeking to game the system have advanced their methods and are quickly finding the weak links in this type of filtering.
FIELD: What does a financial institution do to improve its sanctions management?
HIGGINS: It's a real challenge for financial institutions because it's a real balancing act. It's a matter of managing the need to review these transactions effectively while maintaining a good customer experience and efficient processing environment. One of the key elements is the ability to reduce the number of false positives, and by that I mean those transactions that require special review, but are actually valid transactions.
Financial institutions really need to strike the right balance with the software they put in place to manage the filtering, and then they also have to make sure that those solutions meet regulators' expectations in regard to pattern matching against the specific entities, whether it's the Specially Designated Nationals list or other lists that are available. They really need to balance the solutions they use with their processing and with the ability to look at these false positives. You're seeing techniques such as fuzzy logic or fuzzy matching and other types of techniques to support processing in this environment.
The Fraud Fight
FIELD: Andy, I want to bring the conversation back to you. We've talked about so many different types of threats and challenges for financial organizations. How are the institutions actually fighting back? What do you see?
MORRIS: I think it's important that we need to recognize that in order to measure success we need to have certain quotes of metrics around them. In terms of measuring how successful other institutions have been, we've only started measuring online fraud threats since about 2004 - and I'm talking specifically for the UK here - when they stood at 12.2 million. We've seen them rise up in 2009 to just under 60 million and these are starting figures. They now today stand at 35.4 million and we've seen a fall by 24 percent in the previous years also.
As an industry, we're beginning to do a good job in tackling online fraud threats and wire fraud threats. I'm going to put those losses into context. Today, card fraud losses stand at $341 million, but it's important as an industry that we do not remain complacent. Let me be specific here and I'll give you another statistic. The number of phishing attempts continues to rise year-on-year. We had 61,000 reported phishing attempts in 2010. In 2011, we've seen that rise to 111,000. The fight is certainly not over, and I think it's important that we recognize that to be successful we have to employ a variety of different techniques to fight fraud. The proverbial silver bullet isn't there, so defenses from my perspective include customer education, real-time analytics, authentication, tokens, two-factor, transactional limits and controls, IP address, geo-location, challenge response initiatives. The list is pretty endless but certainly it's not one silver bullet, it's a combination of different techniques to mitigate the threat.
FIELD: Patrick, earlier Andy spoke about the FFIEC guidance, and I would like to ask you about it as well. What recommendations has ACI released to your customers in your industry related to FFIEC conformance?
HIGGINS: For ACI customers, we've really stepped back and taken a look at the entire environment, not just the FFIEC mandates. And what I mean by that is we're really in an environment where liability is shifting. Financial institutions are becoming responsible for these online fraud attacks at their clients' sites. You're seeing attack protocols change on a daily, or even weekly, basis, where some of the original Zbot-type attacks like Zeus and others are quickly morphing into different, targeted types of attacks. What we've done for our clients, and especially in our ACI On Demand environment - which is a hosted online banking environment where we'll host the online banking solution - is we've offered a layered approach that leverages ACI's best practices from across the globe. The idea is to leverage some of the detection and anti-fraud techniques that are within the core payment processing and online banking software and then layer on top of that the ability to profile and write rules and understand expected customer behavior.
The FFIEC mandates mention many different types of techniques, but really when you boil down what they're looking for is to understand and know what your customer's expected behavior may be, and being able to monitor and profile and know that expected behavior and alert on it when it's out of typical behavior. Now within that, we leverage several techniques, whether it's using advanced analytical models, using advanced profiling techniques, looking at items such as some of the session information such as IP, and the idea is to really put a layered approach in place that understands expected behavior and can alert that financial institution when something is out of the norm.
FIELD: Patrick, you brought up some specific products in this answer you just gave me. Drawing from that, what would financial institutions benefit most from with this online fraud management expertise?
HIGGINS: It's really being able to work with a single vendor that's providing both the payment and online banking platform, as well as the fraud solution. And there are advantages to that because the roadmaps are aligned, the data structures are understood, and the fraud experience and payment experience of ACI across the globe drive significant advantages. When you think about detecting fraud, especially in the online or even the wire environment, it really comes down to three concerns: How do I get that data into the fraud system? Do I have the techniques and capabilities to detect the types of attacks I'm experiencing? And will the system be able to quickly alert me and let me stop the transaction within its path? Putting seamless protection into your environment is extremely important, and the combination of ACI's Enterprise Banker with Proactive Risk Manager allows that to be seamless, allows the response to be in real-time and creates a greater defense against these fraudulent types of activities.
FIELD: Andy, final question for you. We've discussed online best practices. What are some of these that you suggest to financial institutions so that they can better secure their online banking environments?
MORRIS: To understand the threat, you need to measure it. Once you've measured it, then you can actually start to understand how that's hurting your organization. Then you need to carry out the risk assessments. What we're looking for there is to design defenses that distract, detect and deter the criminal, because you don't want to be impacted by financial crime. You want to be driving it away from your organization. The important thing I leave you with is about protecting the customer, protecting the customer's available balance, and you need to work with the right software vendor that you can trust to be able to deliver a better suite of products into your organization.
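The two in-path controls discussed above, sanctions screening with fuzzy matching and its false-positive trade-off (Higgins, on sanctions management) and alerting on departures from a customer's expected behavior before a wire is released (Higgins, on origination controls and the FFIEC approach), can be seen together in the following added example. This is illustrative code written for this page, not ACI's Proactive Risk Manager or any product's logic; the sanctions entries, customer profile, wire records, thresholds and decision labels are all constructed for the example.

```python
# Added example (not ACI's code): a minimal layered wire-payment screen that
# combines fuzzy sanctions-list matching with an expected-behaviour profile.
# The sanctions entries, customer profile and wires below are constructed
# sample data; names, thresholds and decision labels are illustrative.
import difflib
import statistics
import unicodedata
from dataclasses import dataclass

# Constructed sample list standing in for an SDN-style sanctions list.
SANCTIONS_LIST = ["GLOBAL TRADING HOUSE LTD", "JOHAN VAN DER BERG", "ACME SHIPPING CO"]


def normalize(name: str) -> str:
    """Uppercase, strip accents and punctuation, collapse whitespace.

    Screening the raw string misses 'Jöhan van-der Berg'; normalising first
    is what lets the fuzzy match see through transliteration and punctuation.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    letters = "".join(c if c.isalnum() else " " for c in ascii_only.upper())
    return " ".join(letters.split())


def sanctions_hits(name: str, threshold: float = 0.85) -> list:
    """Return (list entry, similarity) pairs scoring at or above threshold.

    The threshold is the false-positive dial: lower it and more valid
    payments stop for review; raise it and near misses such as
    'J. van der Berg' slip through the filter.
    """
    candidate = normalize(name)
    hits = []
    for entry in SANCTIONS_LIST:
        score = difflib.SequenceMatcher(None, candidate, normalize(entry)).ratio()
        if score >= threshold:
            hits.append((entry, round(score, 3)))
    return sorted(hits, key=lambda h: h[1], reverse=True)


@dataclass
class CustomerProfile:
    customer_id: str
    known_beneficiaries: set   # normalised names seen on prior wires
    usual_channels: set        # initiation channels this customer normally uses
    past_amounts: list         # prior wire amounts


@dataclass
class Wire:
    customer_id: str
    beneficiary: str
    amount: float
    channel: str


def behaviour_flags(wire: Wire, profile: CustomerProfile, amount_factor: float = 3.0) -> list:
    """Flag departures from the customer's expected behaviour."""
    flags = []
    if normalize(wire.beneficiary) not in profile.known_beneficiaries:
        flags.append("new_beneficiary")
    if wire.channel not in profile.usual_channels:
        flags.append("unusual_channel")
    if profile.past_amounts and wire.amount > amount_factor * statistics.median(profile.past_amounts):
        flags.append("amount_outlier")
    return flags


def screen_wire(wire: Wire, profile: CustomerProfile) -> tuple:
    """Decide in-path, before settlement: release, step up authentication, or hold."""
    hits = sanctions_hits(wire.beneficiary)
    flags = behaviour_flags(wire, profile)
    if hits:
        decision = "HOLD_SANCTIONS"      # compliance hold takes precedence
    elif len(flags) >= 2:
        decision = "HOLD_FRAUD_REVIEW"   # several anomalies: analyst review before release
    elif flags:
        decision = "STEP_UP_AUTH"        # one anomaly: out-of-band challenge to the customer
    else:
        decision = "RELEASE"
    return decision, hits, flags


if __name__ == "__main__":
    # Constructed profile: one known payee, branch/online initiation, mid-range amounts.
    profile = CustomerProfile("C1001", {"ACME PARTS INC"}, {"branch", "online"}, [5000, 7500, 6200, 8000])
    for wire in (
        Wire("C1001", "Acme Parts Inc", 6000, "online"),
        Wire("C1001", "Nordic Freight AS", 48000, "api_file"),
        Wire("C1001", "Global Trading House Ltd.", 6000, "online"),
    ):
        print(wire.beneficiary, "->", screen_wire(wire, profile))
```

Because wire settlement is final, the decision has to be made before the payment leaves the institution, so the screen runs in the payment path rather than in a batch afterwards. The three constructed wires exercise the three outcomes: a routine payment to a known payee is released; a large payment to a new payee over an unfamiliar channel accumulates several anomalies and is held for review; an exact sanctions-list match is held regardless of behaviour. Tuning `threshold` and `amount_factor` against real traffic is where the false-positive balance Higgins describes is actually struck.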