Fighting Fraud: Banks Can't Do It Alone
M&T's Speare Says Banks Face an Uphill Battle
"I think we as institutions should be demanding more from our clearing houses, because none of us process an ACH transaction entirely in our own," Speare says. "Demanding from them more robust fraud-detection technology and processes that can stop fraud mid-stream, versus waiting for it to show up at one of the banks, is something we should focus on going forward. I think that is where we need to push most as an industry, to have them help us."
Larger institutions face challenges, too, especially as they grow. "Every time that an organization does a merger or an acquisition, they are compounding that problem by putting more and more accounts into the system," Speare says, explaining that disparate or siloed systems pose challenges for enterprise-level fraud detection, even within the largest banking institutions. "In some cases, there are institutions that when they do that merger or acquisition, they actually retain the systems of the acquired institution; so they end up multiplying the problem by having multiple siloed channels."
But as results from Information Security Media Group's new The Faces of Fraud Survey prove, financial institutions say they expect in 2011 to invest more heavily in fraud prevention and security. But are they investing in and focusing on the best solutions?
During this interview, Speare shares his thoughts about fraud detection and prevention in 2011. Building on results from The Faces of Fraud Survey, Speare explains:
- Why cross-channel fraud continues to plague the industry;
- ACH fraud and increasing security challenges; and
- Why increased sophistication in online-banking and ACH fraud is likely going to catch many institutions off guard.
Speare oversees security for M & T Bank Corporation, the nation's 17th largest bank holding company, based in Buffalo, New York. He is responsible for developing and sustaining an information risk program that effectively protects the personal information of millions of M & T Bank customers. His responsibilities include information security management, IT compliance and risk management, corporate emergency and incident response, and business continuity management. Matt is also a Major in the Army National Guard, serving as the 42nd Infantry Division Aviation Operations Officer, and is an AH-64 Apache Attack Helicopter pilot.
Fraud Incidents: Higher Than We Think?
TRACY KITTEN: Fraud detection is still evolving in many organizations. In fact, for many banking institutions it remains an afterthought, especially where detection of multichannel fraud is concerned. But as results from Information Security Media Group's Faces of Fraud Survey prove, financial institutions across the board are expected to invest in better fraud prevention and security in 2011. But are they investing and focusing on the best solutions? Matt Speare, who oversees security for Buffalo, N.Y.-based M&T Bank, the nation's 17th largest bank holding company, shares his thoughts about the future of financial fraud.
Matt, ISMG shared some results from its Faces of Fraud Survey, which we conducted this fall. A handful of the survey's findings stood out to you, including results related to cross-channel integration, or the lack thereof. According to our survey, 39 percent of respondents believe cross-channel fraud accounts for less than 10 percent of overall fraud incidents that they suffered at their respective institutions over the course of the year. Another 22 percent say cross-channel fraud accounts for between 10 percent and 25 percent of overall fraud incidents. Are these percentages low in your opinion, and if so, why are financial institutions in the dark when it comes to cross-channel fraud management and detection?
MATTHEW SPEARE: Well, Tracy, I certainly believe that those numbers are low overall. The No. 1 issue is that we can't positively identify fraud or identity theft in one channel and then see it manifest itself as an actual loss or loss in a separate channel. In some ways, it's a case where, since we can't prove it to be true, we have to kind of guess what is true. I actually believe that the number is probably closer to 50 percent overall. Unfortunately, I, like others in this industry, really can't prove it out. So, we're stuck making an educated guess; and that fraud we can detect is such a small percentage of the overall fraud, we tend to put that number lower.
KITTEN: I think financial institutions would probably rather assume that it is lower than higher. Would you agree with that?
SPEARE: I would absolutely agree. And especially in light of not having data to truly point out that it is higher.
A 360 Fraud View Sounds Good in Theory
KITTEN: You've noted from a bank's perspective that the use of real-time analytics and a 360-degree view of customers and their transactions would be a nice-to-have, and it would also help with the cross-channel fraud view. But it is probably not that realistic for most institutions. Can you explain?
SPEARE: Well, any given customer can have multiple relationships with their financial institution, and the way that they are identified and processed are via systems which are relatively siloed. So, as an individual, I may work for a company and help be part of managing their books, and in that role I have a business relationship with the financial institution. I can also have my personal checking, savings and money-market savings accounts as part of that relationship, but that is only seen through another set of systems. And let's say that I have an insurance relationship with the institution, too. Well, that's through a whole other set of systems. So the problem of being able to pull all of that data together and then be able to do analytics around the transactions that are occurring for a customer and their entire relationship is very different than being able to see what their retail relationship is with the bank. That is manageable, but it's all those ancillary pieces that are very, very difficult to pull together, especially as institutions get larger, because the scale and the complexity of the problem are exponential. Instead of being able to make small incremental investments, it requires very large investments and very cumbersome, long-term projects to be able to make that 360-view a reality. It is very difficult to do.
KITTEN: As you've noted, financial institutions as they grow, as M&T has, through mergers and acquisitions, they often find themselves in more siloed situations. You've touched on this a little bit, but when we talk about the challenges siloed channels pose, where does that place fraud detection, and how does that pose challenges that are unique?
SPEARE: Well, let's take something relatively simple. Let's say that I have a retail relationship with a financial institution and I've got a checking account and a savings account. Well, generally, those are going to be on a core deposit system that is managing the transactions as they go in and out. On the other side, I happen to have a home equity line of credit, which is processed on an entirely different system. The data fields themselves are going to have different formats and they are going to process in their own manner and they don't go to a central repository. They are systems that are designed specifically for a deposit system [for instance]. So, the sharing of information between those two is difficult and the difference is in the formatting. Every time that an organization does a merger or an acquisition, they are compounding that problem by putting more and more accounts into the system. Or, in some cases, there are institutions that when they do that merger or acquisition, they actually retain the systems of the acquired institution; so they end up multiplying the problem by having multiple siloed channels.
Cross Channel Integration: A Far-Fetched Reality
KITTEN: For smaller to mid-size institutions, siloed channels remain a problem. But what unique roadblocks stand in the way, as well, where cross-channel fraud detection is concerned, for smaller entities?
SPEARE: Well, the smaller entities are generally not running the systems themselves. They are using some kind of application-service provider, and the big ones in the banking space are Fiserv and Fidelity Information Services. So they're subscribing to a core deposit system, or they are potentially with a Bank of America for their credit card. Now they not only have the siloed channels, but they also are introducing that data doesn't even reside within their organization. It is at these third-party service providers and there are multiple third-party service providers that any given small institution is using. So, to get those competing vendors to provide a holistic solution is probably not something that is going to happen in my lifetime.
KITTEN: Going back to some of the survey results, 51 percent of respondents also said the biggest channel facing their organizations, where fraud prevention is concerned, relates to inadequate fraud-detection tools and technologies. Fifty-six percent said insufficient resources posed the greatest challenge. Are the two responses related, with organizations simply not having the resources to invest in adequate fraud-prevention tools, or are other challenges getting in the way here?
SPEARE: I do believe that they are related, especially given the current economic environment for banking institutions. Because of government mandates and regulatory costs, there is just less to be able to invest both in people, being the resources, and in the technologies. So it comes down to being able to cost-justify the expense of long, expensive projects. And if you are a bank that is not suffering or having your customers suffer any significant losses around fraud, you're probably not going to invest heavily in fraud detection. What happens is that most organizations come to the realization that they need to invest, when they have an incident or a series of incidents happen to them. It tends to be that wake-up call that makes them look more seriously at what do we do to prevent this from occurring in the future.
KITTEN: You've noted that, if nothing else, every banking institution should enlist a task force of some kind or controlled committee that is charged with reviewing fraud and looking at fraud statistics on a regular basis. But is this a common practice among banks and credit unions today?
SPEARE: What you see is that the larger institutions, the top 100 asset-size banks in the country, generally follow this practice. Or, at least they have processes in place where there is a single, authoritative source, whether it's an individual or a committee, that is charged with examining the trends and making recommendations about policy changes as well as protective measures. It is the smaller institutions that definitely have a challenge. When you get below the top 100, there are 8,000 other banks and credit unions within the U.S.; and within the vast majority of those, the CEO is also the IT person, who is also the lending officer, and so they have very limited resources to be able to dedicate to fraud. It's often a very part-time view of the world, and so, because of resource constraints, it's very difficult for them to do.
Measuring the Losses
KITTEN: When we look at fraud losses, most institutions measure losses by the dollar losses they suffer when a breach occurs. But what about the so-called "soft losses," such as the loss of customer and member trust and loyalty? How are those losses impacting institutions, from your perspective, and are institutions doing enough to adequately monitor and track customer and member retention?
SPEARE: There is a direct effect when there is an incident at an institution. In 2008, we did a survey, and across the industry what we found is that of customers who were notified that their financial institution lost control of their non-public personal information, 20 percent would walk away from the relationship. The cost of getting a new customer is approximately 10 times more than keeping a customer. And because banking is built around the trust relationship, when you have fraud, you have to directly look at not only the dollars lost but what was the impact to the customer. Then, you have to be very aggressive in your communications with that customer, to attempt to retain them. Additionally, the institution has to think about what is going to be their restitution policy. As an example, we've seen a few lawsuits because of the Zeus malware virus that happened last year, where corporate customers lost hundreds of thousands and in some cases millions of dollars. And while most of the agreements with those commercial customers say that if it is something that originates from their environment through no fault of the bank, the loss is charged to the customer, many institutions have been re-looking at that over time to say, "What's the value of losing a long-term customer at some dollar threshold of loss?" versus just making them wholly responsible. So, an institution has to be very aggressive in being able to quickly make the determination on whether they are going to make that customer whole or not, as well as consider the private marketing campaign on how to reassure the customer that the relationship with the financial institution is still solid and secure.
Check Fraud: Still a Problem
KITTEN: I would be remiss if I didn't ask about check fraud, online banking fraud and ACH fraud, which relates to some of the customer and member retention issues that we just discussed. According to our survey, 63 percent of respondents said they suffered losses from check fraud in 2010 -- losses that trail only credit and debit fraud, which came in at 82 percent of respondents. Phishing and vishing attacks, which relate to online banking fraud, were noted by 37 percent; and ACH wire fraud or account takeover was ranked by 32 percent of the respondents. Do you think those percentages seem accurate, or are certain types of fraud more prevalent than most institutions realize?
SPEARE: It is my opinion that fraud is probably a little underreported for the larger institutions on ACH and wire fraud, but, in general, these are relatively accurate numbers. Part of it is because only certain types of institutions -- and they tend to be the larger ones -- offer ACH and wire transaction capabilities, especially in the e-commerce space, versus checks, which continue to be easy to manipulate and conduct fraud against. It remains still the No. 1 item banks discuss when it comes to fraud. From a dollar standpoint, check fraud just tends to be bigger in terms of losses versus occurrence. Debit fraud occurs more often, it is just that the dollar thresholds are smaller. So, in general, I think those numbers are accurate, and I think as you become a larger institution and have more offerings out to customers, you have to think through what the potential fraud scenarios are and how you should prepare to react to them.
KITTEN: Now, talking about the reaction piece, when we asked how prepared most of these institutions felt to prevent those types of fraud, only 34 percent of the surveyed institutions said they felt prepared to fight check fraud. Why is the percentage so low?
SPEARE: Part of it is because of the technology itself. So, with the Check 21 initiatives that we saw five years ago, there certainly are more checks that are not being processed in paper format. They are being imaged and then shared between institutions through clearing houses. So, the ability to detect a fraudulent check that you can't touch, you can't truly see, you are really just seeing an image of that, makes it more difficult. The teller, when they receive a check, they can actually make that first judgment call. That has now been pulled out of the equation, and so you are forcing technologies to mature on the back-end to be able to detect fraud within an image. It is incredibly difficult to do.
ACH and Online Fraud
KITTEN: Online banking breach prevention and ACH fraud prevention also ranked relatively low, with only 34 percent of respondents saying they felt prepared to prevent ACH fraud, and only 32 percent saying they felt prepared to fight online banking fraud, which would be phishing attacks, for the most part. What do those percentages tell you?
SPEARE: Certainly, in online banking fraud, we are dependent on our customers being able to recognize that the e-mail they received is fraudulent or the site they were directed to is not truly the institution they meant to go to. Despite massive customer awareness campaigns, the fraudsters have gotten better over time -- instead of misspelled e-mails and sites that you know don't look anything like the institution's Web banking site. They have become more mature over time, and so the e-mails look like perfectly valid e-mails, and, in most cases, the phishing sites that they are being directed to are nearly duplicates of the Web banking sites that the institution offers. So, from a customer's perspective, it is harder to detect. Unfortunately, you can't stop phishing. That is totally outside the institution's control. They can only monitor for it, and then attempt to get the third-party fraudulent site shut down. When it exists within the U.S. and is physically hosted in the U.S., it is easy to do. But when it exists outside the U.S. borders, it is very difficult and you are dependent upon some kind of third-party service that allows the top domain registrars to be able to black-hole that site.
Then on the ACH side, because ACH is really just transactions that are routing codes and check numbers, it is very easy for fraudsters to be able to create fraudulent transactions on those that the institution cannot see until it comes to them for the debiting of an account. So, this could have gone through multiple other banks before it ever comes to the supposed originating institution for fulfillment of the funds; it could be underway for several days and then at the last second it's picked up by the supposed originating institution. Unfortunately, what happens is, while the originating institution might be able to catch it there, it may have already undergone funding processes at two or three other banks. So, unraveling that spaghetti is challenging, at best.
KITTEN: When we talk about some of these types of fraud, especially ACH fraud, as we move into 2011, most analysts and industry experts expect more channels to rely on ACH. When it comes to fraud-detection technology, where are institutions missing the mark?
SPEARE: I'm not sure that the institutions themselves are missing the mark. I think we as institutions should be demanding more from our clearing houses, because none of us process an ACH transaction entirely in our own. Those are put out to processing houses that are providing the service and the interchange in between banks. So, demanding from them more robust fraud-detection technology and processes that can stop fraud mid-stream, versus waiting for it to show up at one of the banks, is something we should focus on going forward. I think that is where we need to push most as an industry, to have them help us.
Top Fraud Trends
KITTEN: Matt, can you tell our audience which fraud trends you think banks and credit unions should be most concerned about in 2011?
SPEARE: I think that we will continue to see more robust malware that is being developed by organized crime that resides outside of our borders, and you know they are very sophisticated. They are always looking for the next opportunity. We will continue to see the rise of malware that is specifically going after our customers' PCs and non-bank systems, so that the fraudsters can garner credentials and information that they need to create fraudulent transactions outside the banks. So, I think that all of us need to think about how we can help our customers, and I think you can only go so far in education and awareness. So what kind of technical solutions can we put in the hands of our customers to provide them with a virtual secure environment that offers a higher level of assurance for the customer that is coming into Web banking or is attempting to do a mobile check deposit? How do we determine that the user signing in is truly who they say they are? I think that is probably going to be our greatest challenge and area of focus for 2011.