In the battle against fraudsters, financial institutions (FIs) must start at the beginning – literally.
FIs are increasingly vulnerable as they race to become digital – and omnichannel – in a bid to offer customers as much choice as possible. This opens the door to new avenues of attack by those who wish to steal data, hijack accounts and make off with ill-gotten gains, as Eric Kraus, vice president of risk, fraud and compliance at FIS, told PYMNTS in a recent interview.
Increasingly, fraudsters are striking at the very beginning of customers’ relationships with banks and credit unions (CUs), focusing their efforts on account takeovers and new account fraud.
Kraus said that “looking at the digital transformation of the space, the rise of open banking and all of this API-driven integration, there are additional risk concerns. There are new data privacy concerns, too.”
Traditional FIs, he said, have been wary of disintermediation by FinTechs. In the rush to get new products and services to market, FIs may forget about some of the fundamentals of fraud prevention – and smaller banks and CUs, with scarcer resources than their larger brethren, may find themselves overwhelmed by the challenges of preventing fraud.
“Generally speaking, these smaller firms are the ones that I would say are struggling the most,” Kraus told PYMNTS. “Sometimes they'll have multiple providers – maybe they process debit with one provider, do credit with somebody else and do bill pay through yet another third party.”
Thus, data is flowing from and across multiple points of contact, and making sense of it all – and identifying attacks in real time – can prove to be challenging.
Fraud’s Shifting Landscape
That’s in part due to the “fraud shift” that has occurred over the last 12 to 18 months, marked by a higher incidence of card-not-present fraud, contended Kraus.
He told PYMNTS that roughly 50 percent of that fraud is originating through mobile channels, which might make sense given the fact that a growing number of consumers are shifting to mobile commerce.
Peer-to-peer (P2P) fraud is also gaining traction, Kraus noted, as fraudsters compromise new accounts and use stolen PANs (personal account numbers), debit cards and credit cards to register with an application and transfer funds back to themselves.
“You’re seeing a lot more fraud on the upfront provisioning side, too … but all of this can be countered by FIs using traditional methodologies,” he said.
The Fraud Itself
When it comes to P2P fraud, said Kraus, there are several effective measures an FI can employ, including monitoring the frequency of applications and transactions, as well as tracking the amounts and the number of requests for funds. Putting flexible business rules into place can be effective, too, limiting how much people can transfer out of their accounts.
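The kind of monitoring described above can be expressed as a rolling-window velocity rule. The sketch below is an added example, not code from FIS or PYMNTS; the event layout, the rule names, the 24-hour window and every limit are assumed values chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; a real FI would tune these per product and segment.
WINDOW = timedelta(hours=24)
MAX_SENDS = 3                 # outbound P2P transfers per account per window
MAX_SEND_TOTAL = 100_000      # outbound total per window, in cents
MAX_REQUESTS = 2              # requests for funds per account per window

def evaluate(events):
    """Return [(event_id, [rules hit])] for events that break a velocity rule.

    events: time-ordered tuples (id, ISO timestamp, account, kind, cents),
    where kind is "send" or "request". Flagged attempts stay in the window,
    so repeated attempts keep counting against the account.
    """
    recent = defaultdict(deque)   # account -> events inside the window
    alerts = []
    for ev_id, ts, account, kind, cents in events:
        now = datetime.fromisoformat(ts)
        window = recent[account]
        while window and now - window[0][0] >= WINDOW:
            window.popleft()      # drop activity older than the window
        window.append((now, kind, cents))
        sends = [c for _, k, c in window if k == "send"]
        requests = sum(1 for _, k, _ in window if k == "request")
        hits = []
        if kind == "send" and len(sends) > MAX_SENDS:
            hits.append("send_count")
        if kind == "send" and sum(sends) > MAX_SEND_TOTAL:
            hits.append("send_total")
        if kind == "request" and requests > MAX_REQUESTS:
            hits.append("request_count")
        if hits:
            alerts.append((ev_id, hits))
    return alerts

# Constructed sample activity (not real data).
SAMPLE = [
    ("e1", "2024-03-01T09:00:00", "A1", "send", 20_000),
    ("e2", "2024-03-01T09:05:00", "A1", "send", 30_000),
    ("e3", "2024-03-01T09:10:00", "A1", "send", 40_000),
    ("e4", "2024-03-01T09:20:00", "A1", "send", 15_000),
    ("e6", "2024-03-01T10:00:00", "B7", "request", 5_000),
    ("e7", "2024-03-01T10:01:00", "B7", "request", 5_000),
    ("e8", "2024-03-01T10:02:00", "B7", "request", 5_000),
    ("e9", "2024-03-01T11:00:00", "C2", "send", 120_000),
    ("e5", "2024-03-02T09:30:00", "A1", "send", 10_000),
]

if __name__ == "__main__":
    for ev_id, hits in evaluate(SAMPLE):
        print(ev_id, hits)
```

Because the limits are plain constants, tightening them is a configuration change rather than a code change, which is what makes such business rules flexible.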
“You also need to be monitoring all channels,” Kraus advised, “including your call centers, operational channels and then, obviously, online activity” – all of which equates to what he said is a holistic risk program. And, he added, an effective defense in the online realm must include protecting the bank’s brand, which means FIs must be ever-more vigilant about spoofed websites.
Proactive Fraud Prevention
To attack fraud in its planning stage – indeed, at any stage of attack – Kraus advises following this golden rule: “Assume you are being attacked all the time.”
With that mindset governing risk control efforts, he said, FIs can better understand what trends and tales the data conveys.
There’s a lot of data that can be used to combat the bad guys, he noted, but it still has a tendency to be siloed. An FI’s application database may not be linked to the transaction database – a linkage that, once established, might give rise to new policy rules to monitor risk. Other data points can be gleaned from mobile device identification, establishing usage histories and locations that can point to abnormal use as warning signs for account takeover efforts.
Against that backdrop, firms like FIS are working to tighten and augment a predictive analytics model that can examine transactions from all angles to ferret out fraud.
When FIs break down data silos and enlist the aid of machine learning (ML) and artificial intelligence (AI), “you can be prepared to pivot and address what the new attack vectors may be,” said Kraus. Pivoting means having an action plan in hand throughout the FI, he explained, which can be tied to, for instance, how many P2P transactions can be pushed through without monitoring across a 24-hour period.
“It can be as simple as changing your business rules or reallocating investigative staff,” he said of the pivot. It’s also imperative to convey to consumers and business clients the ways and means of disputing transactions. Such transparency can foster brand loyalty, Kraus noted.
“When you get this kind of ecosystem rolling and you’ve got issuers and merchants passing data to each other, making what I call connected and intelligent decisions by leveraging this data, then you can also work together in other collaborative means,” he told PYMNTS – thereby empowering consumer authentication at a higher level and increasing consumer satisfaction.