Authentication Creates Opportunity To Solve FIs’ $1 Trillion Fraud Problem

The great digital shift has created a host of problems for banks — 1 trillion problems to be exact.

As reported by PYMNTS, more than half of all bank customers in the U.S. — representing 118 million individuals — use mobile banking apps. And 51 percent of mobile banking app users log in and use those apps more often than they did before the pandemic began.

That sets the stage for fraudsters to follow the money as consumers transact online — and steal a large chunk of that money.

As much as $1 trillion is lost to financial crimes annually, according to the World Economic Forum — and that does not begin to take into account the land grab that undoubtedly increased as so much more commerce and banking moved into the online realm over the past eight months.

But, as three banking security experts told Karen Webster, that same trillion-dollar loss represents a significant authentication opportunity for financial institutions (FIs) if they leverage risk-based authentication and behavioral analytics to help shape and safeguard the great digital shift.

Panelists included Schalk Nolte, CEO of Entersekt; Jen Martin, head of Fraud Operations at KeyBank; and Karen Boyer, Fraud Intelligence Director, Financial Crimes at People’s United Bank.

Even amid the constant (and rising) threat of fraud, the banks noted, there is inherent value in examining the processes and the tech used to protect customers, including the extent to which FIs ask the customers themselves to be part of the fraud-fighting efforts.

Getting the customers involved includes a bit of friction.

Friction in financial services, just a few years ago, was a matter of banks competing with FinTechs, with real-time payments. Now for banks, that means exploring the delicate balancing act of customer satisfaction and battling fraudsters.

As KeyBank’s Martin stated, “What we know about bad actors is they’re always eager to capitalize on new opportunities. They thrive in times of chaos and disarray.”

Chaos and disarray, of course, have been the hallmarks of the pandemic, and even of the leap in moving from paper checks and in-person commerce and banking to digital conduits.

Fraudsters have gotten creative, according to the panelists, turning aggressively to business email compromise and social engineering as they seek to probe the weak links inside enterprises and banks, and as they text consumers with bogus claims about personal protective equipment (PPE) and stimulus checks, trying to make off with sensitive personal information.

And on top of it all, as People’s United Bank’s Boyer noted, there’s still old-fashioned fraud with which to grapple, too.

“So, it might start with a counterfeit check, but it comes from social engineering from social media,” she offered as an example. “And unfortunately, with the COVID relief scams, it’s becoming a bigger problem for us, especially in trying to determine who’s a suspect versus a victim.”

Spray And Pray

The challenges are mounting as the cybercriminals become ever wilier. They know the questions the banks are likely to ask, and by inserting themselves between the FIs and the customers, they are able to coach the would-be victims on what to say. The customers themselves are authenticating the transaction and authorizing the payments, and yet in the end the damage is done, because it’s still fraud.

Entersekt’s Nolte stated that “what we’re seeing at the moment is a perfect storm because you have a bunch of first-time users,” while criminals are using a volume-based approach toward fraud, which he likened to a “spray and pray” approach, and even a small hit rate will generate outsized returns.

And yet, advanced technologies, such as machine learning (ML) and artificial intelligence (AI), may not be enough to stem the tide. They may be the buzzwords of the new century, noted Boyer, but a significant number of those solutions rely on “if, then” rules-based frameworks. Speed in detection matters, too.

“It’s only as good as how fast you can determine the fraud because if you don’t find it soon enough, then it’ll just appear to be normal activity,” Boyer told the panel. “Then it hides under the radar with increasing volume of transactions.”

That means that FIs need the proverbial boots on the ground to help detect and eliminate fraud and false positives, she said (especially when the models, which feed off of historical data, encounter aberrations or shifts like the ongoing move to eCommerce that have no real historical parallels).

With the rise of mobile devices, of online interaction with banks, the consumers themselves can be the “boots on the ground,” the panelists noted. At the same time, introducing gradual levels of friction into those interactions can help train consumers to be vigilant and protect themselves.

On finding that balance, said Nolte, the best option — the “magic” scenario — is to reach out to a customer and ask whether the transaction that’s been presented to the bank is, in fact, one that the customer has initiated and wants to complete.

“Nobody knows if a transaction is real as well as you do,” he said.

Against that backdrop, intelligent friction makes use of knowledge formed about an individual’s transaction habits over time — and of knowing when to prod them for authentication and affirmation (and maybe, remarked the panelists, some limits on certain types of transactions).

Deputizing The Consumer

There’s another way to think about the collaboration between FIs and customers in the battle against fraud, according to KeyBank’s Martin.

“I love the term ‘deputize,’” she said.

FIs should give their consumers the tools to monitor their transactions at the levels that they want to, right down to monitoring every single payment.

That level of control would prove to be a positive for the FIs as consumers increasingly want to be part of the solution. Before the pandemic, the onus was on the FI to protect the consumer. Now consumers are waking up to the fact that they, too, might do well to shoulder some of the anti-fraud burden.

Indeed, PYMNTS’ own research has found that 24.7 percent of consumers claim that having the ability to authenticate specific transactions would make them more inclined to use mobile banking apps. It is the third-most commonly cited factor that consumers say could boost their app usage. Forty-six percent of individuals surveyed said that they would be more inclined to use apps if those apps offered transaction-specific authentication controls. More banks are requiring their customers to authenticate their identities using their email addresses, but customers would rather use fingerprint scans and PINs.

In the deluge of digital commerce, the standard methods of stepping up authentication processes — asking a slew of questions, sending a text and requiring a password — are simply proving burdensome. KeyBank’s Martin stated that it’s incumbent on FIs to leverage data spanning everything from name, Social Security number, device location and even device “behaviors” to triangulate risk scoring and streamline commerce.

Gathering up all that data, and gleaning actionable insights from it, remains another matter entirely, noted Boyer. Some banks, especially larger ones, can do it by bringing to bear the resources that other firms cannot.

Which leads us to the concept of standardization.

As Boyer remarked, “we as an industry need to work together on a standard of what authentication is.”

We’re at least partway there, said Nolte, with the Revised Payment Services Directive (PSD2) and strong customer authentication (SCA), and there are some indications that (a few) U.S. states are following suit. That sets the stage for FIs to be the gateway to all manner of activities, even helping establish identities. (Admittedly, the U.S. has roughly 11,000 FIs, and other parts of the world have far fewer, so harmonization and standardization may be relatively easier outside the U.S.)

“Banks are exceptionally well-positioned to take and apply a much larger role on this,” said Nolte. “Instead of using Google and Facebook to log in somewhere in the future, perhaps I can use my bank account because that’s where the anchor of my identity is.”

What Lies Ahead

As long as there’s been commerce, there have been fraudsters trying to scam their way into someone else’s money for their own illicit purposes.

Use of friction — intelligent friction — makes it harder for them to be successful and makes success less lucrative. Perhaps they will be persuaded over time to find another way to make their living.

As Boyer told Webster: “The challenge we have now is that we will never be able to stop fighting old fraud — and we’ll have to continue to keep fighting new fraud.”