A risk strategy and how to build one.
A Fraud Strategy.
Fraud is driven by fraudsters who discover and attack our weaknesses 'almost by osmosis'. Whilst any single fraud event is not particularly clever or original, the overall effect of 'the fraud collective' manages to cleverly beat us time and time again.
Why is this? How do they do it and most importantly, what can we do to fight back?
First, the problems:
Let's explore what fraudsters are doing — not the individual scams but what they are doing to us, our fraud losses and to the market.
Then we'll try to define what we need to be doing better in our organisations, whether we are banks, processors or other parties within the 'fraudulent transaction.' Think of this as a snapshot of some of the key areas to look at and challenges that we see.
And lastly, let's look at what we can do to stop fraudsters; or more likely, to divert them toward our competitors or toward other industries.
An Easy Target for Fraudsters
Fraudsters don't really decide en masse to move and attack new targets; they simply migrate towards the easier targets as barriers are put in place in their favourite (read: easiest) haunts. Fraudsters will steal from banks and card companies, will shoplift, claim benefits illegally, forge insurance policies, and so forth. So if shops increase their security, insurance companies make more inquiries, and the health service benefits investigators start to get tough, then we can expect more fraud in banking — where card businesses are among the weaker targets.
In many industries, we have somewhat dropped our guard during recent years in several respects. The tools available to fraudsters have become much better, too. Some of the key reasons for this lowering of defences include the following:
For several years, many countries have been introducing better and faster payment solutions (e.g. ICC/EMV solutions for cards, aggregators for the insurance sector), with a marketing-driven business case. Fraud reduction was an ancillary feature but became publicly heralded as the 'all-encompassing' fraud solution, and we all got caught up in the furore. With the cards industry, before chip and PIN, there was a strong momentum towards multiple solutions with an emphasis on cooperation and data sharing. This was lost as chip and PIN momentum replaced all efforts, initiatives, creativity — and of course, investment — in other anti-fraud efforts. Among insurers, this was paralleled by the introduction of CUE/claims-sharing databases, and again by the IFB/bureau investigations.
Maybe as a side effect, some businesses lost some of their fraud skills and fraud specialists as they moved on, retired or simply changed focus as they found themselves less needed.
Accordingly, the symptoms that we now see most regularly are those where fraud units lose their ability to be both reactive (to address urgent fraud in real time) as well as proactive (to prepare for fraud and build deterrents well before the losses arrive).
We have started to use technology more in everything we do. Five years ago Facebook, LinkedIn, Google, eBay, cheap airfares, Internet gambling, easy cross-border ATM cash, global payments, and cross-border trading were all non-existent or not what they are today. Fraudsters have adapted and now use them as tools to attack us.
While fraudsters have moved, attacked in new ways and changed their methods, we have not been watching them closely enough and adapting to their new methods. We have relied on our old solutions, our time-tested scoring models and our experienced sub-contractors to do what they have always done, without watching for changes.
Our accountants can often treat fraud losses akin to credit losses or claims losses and as a predictable but uncontrollable cost of doing business. Either way, this makes it harder to create business cases for taking action against fraud — especially before it happens — or to prevent fraud at new business acquisition stages in the product design.
Revitalising Your Anti-Fraud Solution
So what should be done about the fraud problem, and how can we start to plan for, react to and develop strategies to cope with and attack fraudsters to keep ahead of them at all times? Before we make recommendations, let's paint a picture of a fraud strategy model that can help us to better understand and talk about fraud solutions.
One needs to have a fraud strategy, clear ownership and a policy to direct thinking and planning. The four key areas to be addressed are prevention, detection, investigation and correction.
Each of these areas is important, and the overall effect must be to deliver a balanced and effective policy.
For fraud prevention, it is always crucial to understand the problems and losses that a business is experiencing — but also to have clear measures of the key fraud indicators that allow the business to drive new initiatives and action. An organisation that does not understand the risks involved may easily do something ill-advised, such as sending out cards to non-domiciled customers in another country where post is known to frequently go missing; or taking on business through brokers without really knowing a customer. Businesses fail due to an incorrect assessment of the exposures.
What else? In a card business, clear authorisation strategies should be in place to prevent fraud — strong referral rules for unusual transactions, limits on transaction sizes in certain risk categories, card security, card dispatch, functionality, provision of services, limit sizes and pre-blocked dispatch. Whichever industry we are in, it is the same: in the retail sector we could be sending out goods to unchecked addresses, repeatedly.
How and from where we acquire new customers, and who introduces the customers to us, also influences the fraud risk. We can likewise influence these in our policies and agreements with sales agents and introducers. In addition, how we deal with mail returns, post handling and replacement cards or certificates, PR messages, etc., should all be recognised as touch points where fraud can be prevented.
We should not forget that the fraud prevention task is a large one and covers a wide variety of issues across the business, but considered correctly can save more than a strong focus upon the 'investigation of frauds' alone. Lastly, it is worth mentioning that the corporate culture in relation to fraud should be one of the anti-fraud measures. We often see businesses suffering from high fraud losses in part because the company does not make fraud savings a priority. This usually accompanies a strong setting of accountabilities that are delegated to the card management in relation to fraud. Every growth in any fraud loss category should be seen as an opportunity to look at a new way of doing things and to write another business case for the next solution.
Increased detection means finding more fraud sooner. Rarely do we see organisations that not only closely track fraud losses on a daily basis (and make changes to their detection systems as a result), but also know how to adjust their efforts as they see things going awry.
In the extreme, if we were to remove the detection tools and functions from an organisation, we would have to wait for customers to tell us that their credit has all been used up or that their statement had arrived with transactions that they do not recognise. These can then be investigated, refunded, charged-back, etc., but the losses are going to be far too high. Often in other industries there are more challenging issues of detection: for example, insurers often NEVER see the loss, as it gets paid in and amongst the big claims payouts that are made.
In contrast, if we saw a customer with daily use of their card for six consecutive days in an ATM in Canada for the maximum amount, we might investigate this by calling the customer — or just block the card when we see that it has also been used in Sainsbury's in the UK in between these ATM transactions. An even better scenario would be when the first ATM transaction occurred only three hours after the last UK card-present transaction — in which instance the fraud could seemingly be stopped before we lose any money. Similarly, goods sent out en masse from a retailer from internet orders should cause some concern, as should repeat address changes, repeat refunds or repeat insurance claims.
So this in turn leads us to the transaction scoring systems, clever and clear analysis of patterns, rules built into our authorisation systems, earlier action upon compromises, tracking of transactions and looking for patterns. The solutions can get quite complex, as they should be.
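The card scenario above can be expressed as two authorisation-side rules; the following is an added example, not code from the original article. The thresholds, field names and sample transactions are constructed assumptions: a card physically present in two countries within an implausibly short gap is blocked, and a run of consecutive days with maximum ATM withdrawals is referred for a customer call.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds (not from the article); tune them against your own loss data.
MIN_TRAVEL = timedelta(hours=6)  # shortest plausible gap between card-present use in two countries
ATM_DAILY_MAX = 500              # hypothetical daily ATM withdrawal limit
MAX_STREAK_DAYS = 3              # refer once this many consecutive max-limit days are seen

@dataclass
class Txn:
    when: datetime
    country: str
    channel: str   # "ATM" or "POS"; both are card-present
    amount: float

def score(history):
    """Return (index, action, reason) alerts for one card's time-ordered transactions."""
    alerts, streak, last_max_day, prev = [], 0, None, None
    for i, t in enumerate(sorted(history, key=lambda x: x.when)):
        # Rule 1: card present in two countries closer together than travel allows.
        if prev and t.country != prev.country and t.when - prev.when < MIN_TRAVEL:
            alerts.append((i, "BLOCK", f"{prev.country}->{t.country} in {t.when - prev.when}"))
        # Rule 2: consecutive calendar days each with a maximum ATM withdrawal.
        if t.channel == "ATM" and t.amount >= ATM_DAILY_MAX:
            day = t.when.date()
            if last_max_day and day - last_max_day == timedelta(days=1):
                streak += 1
            elif day != last_max_day:
                streak = 1
            last_max_day = day
            if streak == MAX_STREAK_DAYS:
                alerts.append((i, "REFER", f"{streak} consecutive max ATM days"))
        prev = t
    return alerts

# Constructed sample: UK purchases interleaved with daily maximum ATM use in Canada.
SAMPLE = [
    Txn(datetime(2024, 3, 1, 10, 0), "GB", "POS", 42.10),
    Txn(datetime(2024, 3, 1, 13, 0), "CA", "ATM", 500),
    Txn(datetime(2024, 3, 2, 9, 0), "CA", "ATM", 500),
    Txn(datetime(2024, 3, 2, 12, 0), "GB", "POS", 18.75),
    Txn(datetime(2024, 3, 3, 9, 0), "CA", "ATM", 500),
]

if __name__ == "__main__":
    for alert in score(SAMPLE):
        print(alert)
```

The first alert fires on the very first Canadian ATM withdrawal, three hours after the UK purchase, which is the point at which the loss can still be prevented rather than recovered.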
If card businesses rely upon only one system, or one process based upon 'quarterly updates' in scorecards, then they will not be doing enough. Today we should be looking at fraud that happened yesterday in order to make detection tools better tomorrow, and in real time where possible.
As mentioned previously, investigation is often the 'bread-and-butter' of a fraud department, and must be managed and investigated. This usually consists largely of clerical processes in assessing whether an insurance claim should be paid, whether a refund should be made from a utility supplier, or responding to customers that claim fraud has occurred on their accounts; collecting affidavits (another opportunity for preventative statements to be made) and then refunding the amount involved; re-issuing cards as required and looking out for further fraud in the future for similar charge-off and processing.
Two areas of investigation are often neglected:
Identifying whether customers are being honest about the transactions being theirs. For example, if there are anomalous insurance claim issues or stories that differ, or if the fraud is involved in an ATM transaction in Canada and the customer is clearly living in the UK, then there is not much to investigate. Treating everything that the customer says as true and refunding everything, or treating everything as false and delivering a poor customer service to customers, are equally poor strategies. Challenge interviewing, based upon the psychological theory behind what customers say and how they say things to spot fraud, has become prevalent for determining the truth in these situations.
Analysis of fraud losses should drive future fraud investigation and also detection work. For example, when we see a second or third fraud that has a common denominator, such as the spend location or postal area address, we should look into this further. It may be a common passenger over several claims, or a common phone number or address for delivery. It could be that we have fallen upon a major compromise, a new fraud tactic or gang operating against us. In every case, we should act upon these situations — with major policy changes, corrective actions, changes to systems or other actions like system changes or enhancements.
Taking corrective action is not straightforward. In theory it should be, but strategic changes are often hard to make.
Operationally, a fraud team must recover all they can and stretch every aspect of the chargeback rules for opportunities to recover frauds and so forth, but the real challenge is to implement new products, solutions and initiatives in a 'business as usual' way.
A business (through the board member with accountability for fraud) needs to make sure that:
The fraud department has the ability to draw together a fraud business case with the potential exposure for every fraud loss project and likelihood of occurrence highlighted.
The management and timeliness of project delivery is tracked.
The business case is acted upon and tracked monthly through to implementation.
The board knows the situation and understands the real priority.
Projects and project delays should be tracked with associated 'real-time' costs and featured in board reporting — if not to the exclusion of all other fraud reporting.
Key areas for continued focus by the industry include cross-border transactions, Internet fraud and, above all else, ways of identifying and tracking points of compromise (especially in point-of-sale devices).
Fraud is Not Competitive. Or is it?
Unlike other sectors of the industry, fraud is both seriously competitive and non-competitive at the same time. Fraud strategies should be set in collaboration, designed with data sharing, initiative development and collective thinking with full openness and candour. After this, all the collaborators should return to their organisations and compete fiercely to implement the devised industry solutions and best practices, but also anticipate the agreements and implement solutions faster and better than the competition. In the end, competing with each other to 'get ahead' will benefit us all as we drive the fraudsters away from our industry.
What key things should fraud executives be doing or looking at in any environment prone to fraud? Here is our view of the top questions to keep in mind:
Ensure that a clear strategy is in place that leads to a focus in each of the areas detailed previously — prevention, detection, investigation and correction.
Make sure that management information drives each of these areas to ensure pro-activity in our detection of fraud.
Actively engage in the industry, sharing data and information, and yet compete aggressively by implementing projects and change quickly.
Ensure that there is a 'business case mentality' in the organisation to ensure that new capital spending, people costs and system changes and implementations are fast-tracked ahead of other projects.
Ensure that fraud-loss issues are part of any new product development or feature change in products and that anti-fraud measures are built in as standard.
Chase the fraud team to make fraud losses unacceptable, ensuring that every loss leads to a change in systems, processes or parameters and rules.