Keeping up with the Fraudsters: A Strategic Review of Your Fraud Detection - 11/2008

A Strategic Review of Your Fraud Detection and Prevention Systems

By Tom Leuchtner
Senior Product Manager, Financial Crime
Financial Intelligence Unit, Wolters Kluwer Financial Services
Website: www.pciwiz.com

November 2008

We are a competitive society, and if there is anything bankers would like to win, it would be the race to stay ahead of the perpetrators of fraud. The challenge: fraudsters have seemingly unlimited resources (think global networks of hackers and computers), are very clever and ingenious, can attack from anywhere, and often may be disguised as your customer. Bankers, on the other hand, tend to follow the rules and seek a respectable place in society, seeking low-risk opportunities with reasonable returns. It is not typically in their DNA to think and act like fraudsters, who are determined to figure out all the vulnerabilities within the financial institution (FI) and how to exploit them. For these reasons, it is paramount that you have a proactive strategy for identifying and dealing with fraud in your bank.

The Association of Certified Fraud Examiners (ACFE) 2008 Report to the Nation contains many interesting statistics on fraud schemes. For example, the median duration of the average fraud scheme is 24 months. Nearly 50 percent of fraud is detected by tip (46.2 percent, up from 34.2 percent in 2006), and 20 percent is by accident. Interestingly, “cash on hand” schemes resulted in an average $35,000 loss, while the average corruption (e.g., employee fraud) loss was $375,000, and amounted to more than 30 percent of all cases.

Figure: fraud statistics from the ACFE 2008 Report to the Nation (source: http://www.acfe.com/documents/2008-rttn.pdf)

Start with the Basics
The easiest and most effective thing to do is to start a tip line. The cost is minimal, literally a single phone line—nearly 50 percent of all reported fraud instances are flagged in this manner. A few simple policies and controls can also dramatically affect the scale of fraud. For example, as noted in the ACFE report, surprise audits can reduce the average fraud loss by more than 66 percent, and job rotation/mandatory vacations can reduce losses by 61 percent.

The next thing is to consider what fraud control systems you currently have in place, where your vulnerabilities lie, and where any planned investments in staffing and technology will have the most effect. Most FIs focus on check fraud, and have an automated detection system in place to identify check kiting. Usually the output is in report format for the investigators to cull each day for probable suspicious activity. If there is a way to automate the simple tasks, such as rendering a paper-based report in electronic form to help the investigators zero in on specific, high-risk accounts, substantial time can be saved. Tools that can help the investigator move away from paper shuffling to managing cases merit every consideration.

A Strategic Perspective on Fraud Detection
There are two fundamental approaches to fraud detection. The first is based on examining patterns of data and application behavior, looking for signatures of fraud. This is typically referred to as a ‘rules-based’ or ‘scenario-based’ approach. The benefit is that the system can sift through mountains of transactional data to find evidence of fraud in the patterns of data. The drawback is that the system only tells you that fraud has already happened. The second approach is to sift through the same mountains of data and perform calculations on it to statistically estimate the potential for future fraud. These systems are often called ‘neural’ or ‘predictive.’ The benefit of predictive systems is that they can help prevent loss. The challenge with predictive systems is that they are imperfect and are often accompanied by ‘false positive’ flags, which then need to be investigated and resolved.

Relationship Between Compliance and Fraud
The new Fair and Accurate Credit Transactions Act (FACTA) Red Flag Rules are a signal that the Fed is taking a different approach to compliance, and recognizing that comprehensive risk management incorporates both Compliance and Operational Risk. The Red Flag Rules form the basis of a risk-based approach to Identity Theft, but are also meant to further prompt FIs to adopt a different model from traditional compliance when approaching this particular risk, while continuing to expand their programs outside of the scope of compliance. The regulators have intentionally left the Red Flag Rules vague for this reason—they want each institution to adopt a risk-based approach in determining their Identity Theft program. Financial institutions across the country continue to exhibit a wide spectrum of perspectives on Red Flags, from “we just need to know what boxes to check in the regulation” to “we’re adopting an Identity Theft strategy that will fulfill Red Flags and more.”

Certainly the idea behind regulatory compliance is to shore up areas where there is significant risk. If the FI can effectively employ a fraud strategy that leverages its existing compliance investment, the bank’s stakeholders will be better off and the investment can be better justified. Therefore, many FIs are now considering how to consolidate their compliance and fraud programs, including systems, staffing and reporting. This often means reevaluating current investments and processes. Best practices include the development of a phased multi-year plan to move toward such a combined approach.

Getting Ahead of the Fraudsters: A Risk-based Approach
Continuing with the Red Flag Rules example, a risk-based approach fits well in defining a Red Flags program, and can be continued and expanded to help the FI construct a strong defense against Identity Theft in general. A risk-based perspective easily translates to directives within an automated system. To get started, determine where your vulnerabilities are and then start a template for defining each ‘parameter’ of risk within your major functions. For example, within DDA accounts there are many ‘dimensions’ of risk, such as cash, check, wire/ACH and ATM/Credit Card transactions. Each of these dimensions carries a risk rating specific to each FI, and some are riskier than others. For example, Automated Clearing House (ACH) is currently being systematically targeted for fraud. This is particularly true in instances of merchant/third party debits. Given this, putting a higher risk weight on ACH transactions, especially ones that are out of the ordinary, can help the bank focus on specific risk factors within multi-dimensional accounts. Similarly, a single transaction within a dormant account would appear suspicious, regardless of the type of transaction. Therefore, there is risk related to account activity across the board. Additionally, the demographics of the account owner, such as age or address, may make the account more or less subject to suspicious activity. All of these examples are very hard to analyze by hand; they require automated systems that can crunch through the numbers and detect patterns, which the institution then ranks by risk score to determine its specific profile.

Some of this can be simplified, especially for the smaller institution. However, even the smallest banks are under pressure to install more and more services, opening up their valuable information services to attack. In particular, institutions that outsource to a variety of vendors expose themselves to even more threats, primarily because detecting patterns of activity across accounts and across credit/debit, lending and other lines of business is nearly impossible without a comprehensive detection system.

Framework for Automated Fraud Detection
A clear approach to the problem is the first step. Remember that your systems have many functions in common. You need to collect data from many sources, and that data could come in numerous formats. So what data do you need? Start by assuming that any data from any source could help you identify fraud. That data can be structured, such as a transaction file, or it could be the logs from your core systems. It could also take the form of analysis and behavior monitoring, such as a recording of all your employee activity, whereby you are able to monitor and detect what your employees are doing with your banking applications and when they are doing it. Data extraction and integration will often be the most difficult aspect of employing an effective system. Often your core system vendor will not want to share that data; however, there are limitations to being ‘locked in’ to whatever services they provide for you. Invariably your core vendor will not have the whole set of services you’ll need for a comprehensive approach to fraud management.

Next, consider how you will analyze the data. Will you take a rules/scenario-based or neural approach? Perhaps you’ll want to consider both—to identify fraud that has invariably already occurred and focus on recovery, and implement a proactive approach to identifying it before it happens again. Also, an important decision at this point is to determine if you have the internal resources to allocate to customizing your rules or if you prefer to outsource. Each choice has consequences, and the ideal choice is to determine exactly what control your investigators and risk officers need—these specifics should drive your requirements from an automated system and vendor.

Once you install an automated system, invariably there is a ‘getting adjusted’ period in which it seems like you are getting more information than you really need. This ‘breaking in’ period is the time you start to fine-tune your system to filter out the noise. Sometimes these are called ‘false positives’ but that is a misnomer; the system is only telling you what you have configured it to do. You need to fine-tune the system to help you better identify what is fraudulent and what is ongoing activity that may look like fraud. This is where your investigators and their experience can help tremendously, and they need to be engaged in the ongoing input for system configuration and fine-tuning. Make sure when you are evaluating a fraud detection system that the investigators examine how profiling of parameters is done, and that they have the ability to either control the fine-tuning or, at a minimum, provide input into your processes.

If your institution has multiple divisions, regions, departments, etc., and each department has its own fraud detection and investigation units, an automated case management system will greatly assist in providing productivity improvements, consistent case investigation standards, and clear analysis and reporting from reported suspicious activity. Identify which departments can benefit from such a system and identify key individuals to provide input on what type of automation they need.

Vendor Selection: Cutting Through the Hype
The myriad options for selecting and implementing vendor technology render the landscape even less clear. However, some key concepts can be utilized in framing the choices and decisions to make vendor comparison easier, as well as aligned with a common framework for determining the firm’s anti-fraud strategy. First, ensure your anti-fraud strategy includes the key objectives of the program. Consider whether you want to combine your compliance and fraud systems. Often these systems perform similar functions, but migrating from a known and proven automated system (such as your anti-money laundering products) to something that is unknown can prove challenging.

The best approach these days is to identify the most comprehensive options that provide the broadest set of services. These services should include data acquisition and transformation, rules and pattern matching, profiling and/or a predictive (also called neural) engine, along with an indexed archive, reporting engine and finally, a full-fledged case management system. With these features in mind, endeavor to evaluate an apples-to-apples comparison of the systems. This can easily be done by identifying the price point you are willing to pay (remember that you should expect a 4-to-1 to 8-to-1 return on your investment). A good vendor will be willing to work with you to prove the return on investment analysis for any of their technology. You should expect the payback period to be in months, not years.

Sometimes, systems can be complicated, cumbersome to manage, and also require the vendor to return on a frequent basis to update the rules, modify system configurations or create reports. This can be a hidden cost of ownership, and any vendor should also be able to give you a fair estimate regarding the ongoing support needed. Certainly check on the vendor references. Seek a financial institution of similar asset size; if you are concerned about confidentiality, the vendor should help identify a customer outside your immediate market. Remember that all FIs are enduring the same difficulties as you are, and often the security or risk management executives are willing to share their experiences both with vendor technologies and direct fraud cases. The ACFE is also a fantastic resource for support, education and referrals for independent and certified fraud examiners.

What You Can Do Right Now
First you need to determine your anti-fraud strategy. This is best done using a framework and employing a team that includes risk management, security/investigation, and Bank Secrecy Act (BSA)/AML staff. If you can afford it, seek an outside security or fraud consultant to guide the framework discussion to facilitate objective planning. Once you have a framework for your anti-fraud approach, roll it out gradually. First and foremost, identify where your vulnerabilities are. In the current climate, account or customer related threats are the most significant. Reputational risk is one thing that can’t be jeopardized, so ensure that your customers are who they say they are. This is typically done through your Customer Identification Program (CIP), but it is often difficult to identify suspicious activity from the account/transactional side. This is where sophisticated software systems can greatly assist in analyzing transaction activity and identifying suspicious patterns in the transactions. However, an often overlooked vulnerability is your institution’s employees. The ACFE in their 2008 Report to the Nation estimates that nearly 60 percent of all fraud involved an insider, at a minimum in the form of collusion, and at the maximum blatantly utilizing the trust and access to steal. There are automated systems in place to monitor employee activity, and these take the form of transactional monitoring, access logging analysis, and behavioral monitoring.

Fraud monitoring and detection is not a science. We use ‘science’ (e.g., software) to monitor data, application activity and processes; however, there is still an art to identifying and stopping fraud perpetrators. Familiarizing yourself with the schemes, scenarios and emerging activities of fraudsters is essential for building an effective defense. Ensure your investigators have the tools and resources necessary to do their job. Consult and involve yourself with the fraud community, particularly in the professional associations such as the ACFE. Finally, take a proactive approach to defending your institution against fraud. You will find, if you take a strategic approach, that the investment in knowledge and systems should pay off handsomely for all your stakeholders.

Fraud Terms

Neural – a term that refers to the process of ‘learning.’ Some fraud detection systems purport to be ‘intelligent.’ This is mostly marketing hype to describe an approach to fraud prevention. This type of system takes historical or transactional data and uses it to create additional statistical data, such as average money flow, number of checks, average balance, etc., and then utilizes these statistical calculations to ‘predict’ when activity passes a certain risk threshold. For example, if you have an account that has an average of six checks written per month, with an average of $125 per check, and then three checks come in within two days that are more than three times the average, that would trigger an alert.

Predictive – a statistical system equivalent to the ‘neural’ system described above.

Rules-based – this is a pattern-matching system that sifts through mounds of transactional data looking for specific sets of data patterns.

Scenarios – these are the typical schemes a fraudster would perpetrate, and they reveal evidence of suspicious activity or, in fact, real fraud. An example is a check kiting scenario, where a series of checks, each with an escalating balance, are deposited and withdrawn. Most rules-based systems utilize pattern matching to look at the transactional activity for exact or approximate matches of such data patterns.

Case Management – a workflow-based electronic system to facilitate gathering all relevant case-related information. An automated case management system can help for both BSA/AML as well as fraud, and provides a consistent method for managing suspicious activity, SAR reporting and case activity. Some systems can also provide loss reporting and loss estimation, fraud case trend analysis and investigator productivity.

ACFE – Association of Certified Fraud Examiners (website www.acfe.org).

Fraudster – person engaged in the perpetration of fraud.
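As an added illustration (not code from the article or from Wolters Kluwer), the following Python builds the per-account baseline described under ‘Neural’ above and raises an alert on the glossary’s own rule: three checks within two days, each more than three times the account’s average check amount. The account names, dates and amounts are constructed sample data, and the threshold, count and window are the tunable parameters referred to in the ‘breaking in’ discussion.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the article): (account, check date, amount).
# Account "A" mirrors the glossary profile: six checks a month averaging $125,
# then three checks above three times that average within two days.
MONTHLY = [100.0, 150.0, 125.0, 110.0, 140.0, 125.0]   # mean 125.0
HISTORY = [(acct, date(2008, month, 1 + 4 * i), amt)
           for acct in ("A", "B")
           for month in (8, 9, 10)
           for i, amt in enumerate(MONTHLY)]
RECENT = [
    ("A", date(2008, 11, 3), 400.0),
    ("A", date(2008, 11, 4), 450.0),
    ("A", date(2008, 11, 4), 500.0),   # third outsized check inside the window
    ("B", date(2008, 11, 3), 400.0),
    ("B", date(2008, 11, 4), 450.0),
    ("B", date(2008, 11, 9), 500.0),   # third outsized check, but five days later
    ("B", date(2008, 11, 10), 90.0),   # ordinary check, below the threshold
]


def build_profile(history):
    """Per-account baseline: average checks per month and average check amount."""
    amounts, months = defaultdict(list), defaultdict(set)
    for acct, when, amt in history:
        amounts[acct].append(amt)
        months[acct].add((when.year, when.month))
    return {acct: {"checks_per_month": len(amts) / len(months[acct]),
                   "avg_amount": sum(amts) / len(amts)}
            for acct, amts in amounts.items()}


def find_alerts(profile, recent, multiple=3.0, min_count=3, window_days=2):
    """Alert when min_count checks, each above multiple x the account's average
    amount, clear within window_days of each other. The keyword arguments are
    the parameters an investigator tunes to cut noise without hiding schemes."""
    outsized = defaultdict(list)
    for acct, when, amt in recent:
        base = profile.get(acct)          # accounts with no history are skipped
        if base and amt > multiple * base["avg_amount"]:
            outsized[acct].append(when)
    window, alerts = timedelta(days=window_days), []
    for acct, dates in sorted(outsized.items()):
        dates.sort()
        for i in range(len(dates) - min_count + 1):
            if dates[i + min_count - 1] - dates[i] <= window:
                alerts.append((acct, dates[i], dates[i + min_count - 1]))
                break                      # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for acct, start, end in find_alerts(build_profile(HISTORY), RECENT):
        print(f"ALERT account {acct}: outsized checks between {start} and {end}")
```

Widening the window to seven days also flags account B, which shows how a single parameter change trades fewer missed schemes for more alerts to investigate.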
