Bank Fraud: Where Do We Go From Here?

The work of so many bank fraud teams is to ensure that they don’t wake up to a crime scene.

In the latest episode of Reinventing Banking, a special podcast brought to you by Bank Director and Microsoft, we discuss the evolution of technology that helps fight cyber fraud and where the industry goes from here.

Seth Ruden is director of global advisory for the Americas for BioCatch, a behavioral biometrics company that helps financial institutions gain actionable insight, including fighting fraud. He talks with Bank Director’s FinXTech Research Analyst Erika Bailey about the promise that machine learning and automation have for bank fraud teams.

He also talks about the increasing sophistication of data analytics in tracking, and finding, potential fraud. Ruden also reveals his strategy for getting resources for bank fraud teams at your bank.

Finally, he chats a bit with Bank Director’s Erika Bailey on their mutual love for classic rock.

So ramble on …

Staff Shortages Snarl Fraud Oversight

For some community banks, workforce attrition and hiring pressures could be adding an extra layer of difficulty to their ability to combat fraud. 

Concurrent with the Great Resignation, financial institutions have been fending off fraud of all kinds, from spear phishing attacks to account takeovers to check fraud, sometimes with a digital twist. In response, boards should understand where their organizations might be vulnerable and what kinds of proactive measures they might take. 

“That intersection of increasing fraud attacks with the strain on the workforce — I would say that is the biggest thing that we are seeing our clients struggle with,” says Vikas Agarwal, financial crimes unit leader at PwC. 

Specialized anti-fraud talent is in high demand, and prospective employees can command higher wages than they could before.

Seventy-eight percent of the senior executives and directors who responded to Bank Director’s 2022 Compensation Survey in March and April say that it’s been harder to attract and retain talent in the past year. Forty-one percent indicate that their bank increased risk and compliance staffing in 2021, and 29% expect to fill more of these positions in the year ahead. 

Attrition in the risk and compliance functions can eventually lead to a backlog of alerts to work through, experts say. 

“With turnover, you lose institutional knowledge and some efficiencies with how to run a risk and compliance department. As you have turnover, backlogs may build up,” says Kevin Toomey, a partner with the law firm Arnold & Porter. “Backlogs are a scary concept for banks, but also for the boards of banks. It could mean that not everything is running like a well-oiled machine.”  

Higher turnover could also make an institution more vulnerable to phishing and spear phishing attacks, says Ron Hulshizer, managing director at the accounting firm FORVIS. Those are both types of email impersonation attacks, used to install malware or gain access to information; spear phishing tends to be targeted to a specific individual. Noting that his firm has seen an increase in ransomware and extortion attacks against banks, Hulshizer says phishing attempts often give fraudsters a foot in the door.  

“It’s typically a phishing email that comes in, somebody falls for something, eventually, [and] the really bad malware gets installed,” he says. “Then it starts doing its thing and destroying files.”  

Scams, account takeovers and synthetic identity fraud are among the more common forms of fraud that community banks are dealing with right now. A LexisNexis Risk Solutions study published earlier this year identified synthetic ID as a big driver of fraud losses and also noted a rise in phishing scams during the pandemic. Scams have gotten particularly sophisticated, says Christina Williams, financial crimes consulting manager at the accounting and consulting technology firm Crowe. In some cases, she says, scammers have spoofed a financial institution’s 800-number to fool customers into giving up information that is then used to gain account access. 

But fraud seldom goes extinct, and some financial institutions have seen a resurgence in various types of check fraud since the pandemic began. Many businesses still rely on paper checks and physical mailboxes, both of which can be compromised, says Williams. Remote deposit capture tools can also be vulnerable to check fraud. Williams says that in some cases, fraudsters have been able to make a phony deposit using the image of a check on another device. Often, the scammer will stick to amounts under $1,000 or $5,000 to avoid triggering a review before the fraudster is able to withdraw the money. 

“A lot of the automated systems don’t necessarily pick up on it,” Williams says, emphasizing the importance of having adequate staff to carry out those reviews. “The fraudsters are aware of this; they still are trying to operate under dollar amounts where they believe there won’t be a secondary review.” 
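The two remote deposit capture patterns described above (the same check image deposited again from a different device, and repeated deposits kept just under a review threshold) are both easy to express as batch checks over deposit records. The following is an added example, not code from Bank Director, Crowe or any vendor named here; the review thresholds, the 10% "near" margin, the minimum hit count and the deposit records are all constructed assumptions.

```python
"""Flag remote-deposit-capture patterns that amount-only rules tend to miss.

Added example with constructed data; the thresholds, margin and hit count
below are assumptions, not values taken from any bank's actual rules.
"""
from collections import defaultdict
from dataclasses import dataclass

REVIEW_THRESHOLDS = (1_000.00, 5_000.00)  # assumed secondary-review cut-offs
NEAR_MARGIN = 0.10                        # within 10% below a cut-off counts as "near"
MIN_NEAR_HITS = 3                         # repeated near-threshold deposits before flagging


@dataclass(frozen=True)
class Deposit:
    deposit_id: str
    account: str
    device_id: str
    image_hash: str  # hash of the captured check image (constructed values)
    amount: float


def just_under_threshold(amount, thresholds=REVIEW_THRESHOLDS, margin=NEAR_MARGIN):
    """True when the amount sits just below any review threshold."""
    return any(t * (1 - margin) <= amount < t for t in thresholds)


def find_duplicate_images(deposits):
    """Same check image submitted from more than one device -> {hash: [deposit ids]}."""
    by_hash = defaultdict(list)
    for d in deposits:
        by_hash[d.image_hash].append(d)
    dupes = {}
    for image_hash, group in by_hash.items():
        devices = {d.device_id for d in group}
        if len(group) > 1 and len(devices) > 1:
            dupes[image_hash] = sorted(d.deposit_id for d in group)
    return dupes


def find_threshold_hugging(deposits, min_hits=MIN_NEAR_HITS):
    """Accounts with repeated deposits just under a review threshold -> {account: ids}."""
    hits = defaultdict(list)
    for d in deposits:
        if just_under_threshold(d.amount):
            hits[d.account].append(d.deposit_id)
    return {acct: ids for acct, ids in hits.items() if len(ids) >= min_hits}


def triage(deposits):
    """Combine both checks into one work queue for the fraud team."""
    return {
        "duplicate_images": find_duplicate_images(deposits),
        "threshold_hugging": find_threshold_hugging(deposits),
    }


# Constructed sample batch: acct-A hugs the $1,000 cut-off three times;
# img-h1 is the same check image deposited from two different devices.
SAMPLE = [
    Deposit("D1", "acct-A", "phone-1", "img-h1", 950.00),
    Deposit("D2", "acct-A", "phone-1", "img-h2", 975.00),
    Deposit("D3", "acct-A", "phone-1", "img-h3", 990.00),
    Deposit("D4", "acct-B", "phone-2", "img-h4", 4_600.00),   # one near hit only
    Deposit("D5", "acct-C", "phone-3", "img-h1", 950.00),     # re-used image, new device
    Deposit("D6", "acct-B", "phone-2", "img-h5", 12_000.00),
    Deposit("D7", "acct-D", "tablet-9", "img-h6", 300.00),
]

if __name__ == "__main__":
    for check, findings in triage(SAMPLE).items():
        print(check, findings)
```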

Debit card fraud has also been a perennial pain point for community banks, Hulshizer says. 

Though the board doesn’t need to get involved in day-to-day fraud oversight, directors should know enough to ask the right questions of senior management. In the first place, that means understanding the organization’s baseline: how many and what type of fraud attempts does it experience in a given period, and how much of that fraud is stopped? 

“Do they understand, month to month, is it trending up or is it trending down?” says Agarwal. “Oftentimes, we find that people don’t have simple metrics that help them gauge if their risk to fraud is increasing as an institution or decreasing.” 

Agarwal adds that it’s worth asking whether the bank can contract a third-party firm in the event of a staffing shortage. 

Boards can ask whether management is looking into any new fraud-mitigating technologies, like biometric features meant to curb password fraud, says Hulshizer. 

And make sure that existing technology is regularly updated. “When technology gets old, over time, it ends up not being supported,” Hulshizer says. “When we do audits, we’ll find old operating systems that Microsoft no longer supports.”  

Not only should directors ask about trends in fraud and risk, but they should also be prepared to question senior management about trends in the bank’s staffing and resources, says Toomey. 

“What directors were asking a year ago may be different than what they’re asking 6 months from now,” says Toomey. “And to effectively exercise their oversight responsibilities, they need to start asking these questions now, to assure that their bank isn’t one of the ones that you read about in the papers.” 

For Fraud Claims, Not All Call Back Procedures Are the Same

We are seeing more and more funds transfer and social engineering — also known as impersonation fraud — claims, and coverage for these claim scenarios varies from carrier to carrier. While there are several differentiating factors that could cause one carrier to approve a claim and another to deny it, the most common is how they structure their call back requirements.

In 2021, we watched nine different carriers respond to similar funds transfer claim scenarios. Challenges to a claim were almost always based on the bank’s perceived failure to meet the listed call back requirement. As we compare and contrast all nine, here are several key differences that should be reviewed prior to the next claim.

Social Engineering Versus Funds Transfer Fraud:
Many fidelity bond policies offer the social engineering coverage with a sub-limit versus the full limit for the funds transfer fraud coverage. As such, it is helpful to know as early as possible in the claims process which of the two coverages will be referenced. The simplest distinction is that social engineering usually relates to the loss or theft of the entity’s own funds, whereas funds transfer fraud usually relates to the loss or theft of a customer’s funds. While we have seen social engineering sub-limits as low as $50,000, the most common sub-limits are $250,000, $500,000 or $1,000,000. They are often based on the overall limits: for example, a $10 million bond is much more likely to have a $1 million social engineering sub-limit than a $2 million bond.

When Is a Call Back Required?
There is usually a dollar threshold; all transfers greater than that dollar amount require some form of call back. The larger the threshold, the better. The most common threshold matches the bond deductible; otherwise, thresholds usually range from $25,000 to $50,000.

Call Back Requirement Ranges

  • No Call Back Requirements: For some cyber policies, which may extend to covering funds transfer frauds or other social engineering coverage grants, there are no call back requirements. While this does exist, it is becoming less and less available as claims increase.
  • Underwriting Approved: Some bond policies include generic language that states any call back type can be accepted, as long as that type of verification was first approved by an underwriter. If your policy includes that, we suggest your bank coordinates a call with its bond underwriter to share the bank’s current call back process and procedure for their confirmation of acceptance.
  • Simple Call Back: Sometimes the only requirement is a confirmed call back to a pre-determined number.
  • “Or” Beats “And”: One carrier states that acceptable call back verification can be done by valid test key, or call back to the person who initiated the instructions, or digital signature, or use of username and password/PIN, or biometric authentication, or any other recognized two-factor e-authentication.
  • Singular Call Back Requirement:
    • Only acceptable call back is the existence of some form of valid test key, which has been mutually agreed upon by customer and the insured.
    • Some form of out-of-band verification (voice, email or text, over a medium different from the one the original request arrived on) to a predetermined location, requiring an affirmative reply.
    • One carrier states that the commercial customer coverage only applies if the transmittal method by which the institution received the fraudulent transfer request matched the method authorized by the commercial customer in the funds transfer agreement.
  • More Stringent Multiple Requirements:
    • We have seen requirements for out of band verification that must be recorded for coverage to be afforded.
    • Two-factor authentication, typically representing some form of user ID, PIN, token or dual authorization, and the existence of a written agreement.
    • A call back to a predetermined number set forth in written agreement and the institution preserving a recording of the call back/verification.
    • Sender verified instruction with a password, PIN or code and a call back to predetermined telephone number, documented in written agreement, with verification preserved.
  • Lastly, the requirement that is perceived to be the highest hurdle to get over is the requirement of some type of handwritten signature verification from two separate employees, within their authority. Note this level of stringent requirement often goes hand-in-hand with a much greater social engineering limit, including up to the full limit.

In summary, we see significant variations to call back requirements. We recommend banks review the policy language in place prior to any claim scenario to have as good a chance as possible to realize claims coverage.

Your Board Can’t Ignore Biometrics and AI

As the digital landscape continues to evolve and consumers increasingly turn to digital devices to conduct business, bank directors and executives have made it clear—most recently in Bank Director’s 2017 Risk Practices Survey, conducted in January, and 2017 Technology Survey, conducted over the summer—that cybersecurity is the risk category they worry about the most. Given their high level of concern on the issue, it’s surprising—and troublesome—to see a significantly smaller number of bank leaders indicate that they don’t believe that biometrics and artificial intelligence (AI) will impact their financial institution over the next five years, because these technology solutions are already being leveraged in the industry.


“Passwords are not necessarily safe,” says Charlie Jacco, cybersecurity leader, financial services at KPMG. People tend to re-use passwords, or default to easily guessed ones: Password manager Keeper Security found that 17 percent use the password “123456,” and the company’s list of the 25 most common passwords of 2016 accounts for more than half of the 10 million passwords analyzed by the company. Cybercriminals use bots to crack passwords, but oftentimes individuals will respond to a phishing attack in an email and unwittingly provide their information directly to the criminals. Eighty-one percent of hacking-related data breaches in 2016 used either a stolen or a weak password, according to the 2017 Data Breach Investigations Report published by Verizon. “If you are relying on username/email address and password, you are rolling the dice as far as password re-usage from other breaches or malware on your customers’ devices are concerned,” wrote the authors of the report.

And it’s not just customers that use passwords. Employees have to log into a bank’s core system, call platforms, and the other technology solutions needed to do their jobs. “From the security aspect of being able to improve logins, to move away from having to remember a zillion passwords, is not only good for the customer … ultimately I think it is a larger impact to the bank associate or employee,” says Charles Driest, the director of digital banking at $1.3 billion asset Essex Bank, based in Richmond, Virginia.

Multi-factor authentication—requiring a single-use numeric code, for instance, in addition to a password—is one solution, but the experience isn’t convenient for the user, whose expectations are informed by companies like Amazon that strive to make shopping easy. “How do I get that slick customer experience for my consumers that they’re expecting, and still make it safe?” says Jacco.

Customers are growing increasingly comfortable with biometrics as a security solution, according to Javelin Strategy & Research. Scanning the user’s thumbprint is probably the most commonly used approach in consumer-facing technology, and facial recognition has been getting more attention of late, with Apple’s introduction of the iPhone X, which replaces unlocking the phone with a thumbprint by a facial scan. Apple claims that facial recognition is more accurate, with a 1 in 1 million error rate, compared to 1 in 50,000 for the phone’s thumbprint scan. Banks have been experimenting with voice recognition, another form of biometrics, for roughly a decade, with a few deploying this biometric within their mobile app.

At its best, biometrics weds security with an optimized experience. It’s more difficult to steal a thumbprint, but it’s still possible, says Jacco. Companies that want to enhance their cybersecurity protections will begin leveraging multiple biometric authentications. USAA already allows customers to use thumbprint, facial and voice recognition in its mobile app, and remembers the user’s preferred biometric. Varying the biometric modalities used by customers will lead to personalized services. A teller may use facial recognition to know who a customer is when they walk into a branch, or a wealth manager, through voice recognition, will know the client on the phone. “This is something that all of the big banks are talking about, and it will make its way across the whole industry,” says Jacco.

The industry still has work to do to make biometrics a more secure solution. Most major banks use biometrics in their mobile channel, but the app defaults to a password if the biometric isn’t readable, says Al Pascual, research director and head of fraud and security at Javelin. “They default to what is arguably the weakest security solution.” Security questions used in enrollment aren’t safe from hackers, either. The data breach revealed by Yahoo in September 2017 included the security questions and answers that users had chosen as a failsafe in the event of a forgotten password.

For biometrics to be truly secure, banks need to ensure that the person enrolling their biometric “is in fact who they say they are,” says Pascual. But he adds that new account fraud is on the rise, and banks need to work on their initial identity controls—making sure they know the customer—before tackling biometric enrollment. With the recent breach of Equifax’s data impacting the identities of half of the American population, this is no small task.

Artificial intelligence also shows great potential in protecting financial institutions from cybercriminals and from fraud, and staying on top of compliance. “Banks are overwhelmed by cyber risk management, and I don’t see how they can afford to ignore AI technologies,” says Joan McGowan, a senior analyst at Celent who defines AI as “the application of analytics, bots, robotic process automation and report generation.”

KPMG’s Jacco says that robotic process automation can help sort through potential cyber incidents to better identify what warrants further investigation—a task still best suited for human intelligence. He adds that fraud and security teams are more frequently collaborating to leverage AI.

AI continues to evolve, so it’s not a technology that banks can set and forget. Banks will need to employ data scientists and improve their data analytics capabilities, says McGowan—no mean feat in an industry where just 13 percent of executives and directors believe their institution effectively uses data, per the 2017 Technology Survey.

Almost half of bank boards discuss technology at every board meeting, and 38 percent discuss the issue quarterly, according to the Technology Survey. So why don’t more boards—or senior executives, for that matter—see the value in biometrics and AI? It’s possible that up-and-coming technologies just aren’t discussed frequently enough. Ninety-four percent say the board focuses on cybersecurity in discussions about technology, but significantly fewer use that time to focus on other technology-related concerns, such as staying on top of technology trends (40 percent) and evaluating new technologies (24 percent). Without understanding the solutions available for banks today, it will be increasingly difficult for boards to oversee the cybersecurity risk facing their institution.


The 2017 Technology Survey was conducted in June and July of 2017, and examined how banks strategically approach technology. Bank Director surveyed 145 senior executives—including CEOs, chief information officers and chief technology officers—and independent directors of U.S. banks above $250 million in assets. Technology solutions provider CDW sponsored the survey.

Fraud: An Uneven Playing Field for Banks and Fintech Companies


The role of banks and other financial institutions (FIs) as repositories for large amounts of money has made them prime targets for fraudulent activity over the years. As a result of this, a wide range of laws and regulations have been created governing the activities of FIs with the objective of helping to protect consumers from fraud—whether it’s from the inside or outside. In recent years the question of fraud involving banks and other FIs has arisen again in a new context. Innovations in financial technology have raised questions as to whether banks or the fintech firms developing and operating such technology are responsible when its use exposes banks and their consumers to fraud.

Fintech has changed the way financial firms do business in a variety of areas including investment management, loan sourcing and data aggregation. Along with the ability to more proactively manage customer financial affairs and data through the use of technology has come an increased threat of cyberattacks. These types of attacks give malicious outsiders access to sensitive consumer data. A recent example involved two fintech lenders that were defrauded by a man who misrepresented his financial situation to cheat them out of more than $100,000 in total. He was convicted in Tennessee on six counts of fraud stemming from his actions.

The newness of the fintech revolution means that current laws and regulations, for the most part, do not clearly specify who is responsible for fraudulent activity that occurs in conjunction with processes involving both banks and fintech firms. This is likely to change over time as the courts more clearly apportion responsibility between banks and fintech firms in specific instances of fraud. However, when it comes to the regulatory treatment of the two types of institutions, the situation is much clearer; banks face stringent anti-fraud regulatory requirements governing their activities, whether using traditional banking methods or innovative financial technology, while fintech firms are not subject to the same requirements.

This disparity has not gone unnoticed, with leading financial institutions commenting on the danger posed to them by potentially risky fintech practices such as scraping bank websites to collect consumer financial data. At the same time, industry participants and regulators around the world have noted that they are aware of the regulatory discrepancy and that actions may need to be taken to help level the playing field.

Peter Misek, a partner at the Business Development Bank of Canada’s Venture IT Fund, recently opined that Canada’s emergence as a top five global fintech hub poses major risks due to an inadequate legal framework for dealing with fintech-related issues such as identity theft and fraud. He states that, in this regard, “Canada’s structures, rules and laws are antiquated and, in many cases, actually harmful.” Misek would like to see “innovative solutions to this problem” from tech companies, and wrote that his fund is willing “to put real dollars behind the effort.”

Addressing similar issues, the director and general counsel of Malaysia’s Securities Commission (SC), Foo Lei Mei, warned that digitalization in the financial services industry brings with it increased risk of fraud. In an article in Digital News Asia, Mei said that the SC planned to issue regulatory guidance regarding engaging with industry firms about the issue. “Discussions and focused group meetings have provided invaluable feedback to the SC in designing the regulatory framework for P2P lending in the capital market,” she was quoted as saying.

In the United States, the Federal Reserve Board has weighed in on the risks banks face when outsourcing functions such as data aggregation or digital wealth advisory services to third-party firms. The Fed’s letter on the matter includes commentary on various issues associated with working with fintech companies. In an article by Robert Canova, senior S&R financial/policy analyst at the Federal Reserve Bank of Atlanta, Canova states that, with the increase in data breaches, website attacks and wire transfer fraud schemes, “Banks will need to become more sensitive to safeguarding any systems containing customer data that their digital vendors have access to, given the fact that hackers are getting increasingly sophisticated at breaking those systems down.”

Canova writes that as competition between fintech firms and banks increases, the former are likely to become subject to increased scrutiny. He cites a consultative paper by the Bank for International Settlements’ Committee on Payments and Market Infrastructures, which calls for greater regulation of fintech companies, as evidence of this, along with a whitepaper by the Clearing House (a trade association consisting of the 24 largest banks) that discusses “the absence of a level regulatory playing field.”

With fintech innovations becoming increasingly embedded in the fabric of banking operations, the potential for fraudulent use of banking infrastructure involving such technology grows accordingly. With banks and other FIs currently subject to strict anti-fraud regulations, they are unlikely to outpace less regulated fintech companies when it comes to technological innovation in the sector. As banks and fintechs become increasingly intertwined due to mergers, partnerships or head-to-head competition, it becomes more and more likely that regulators will take steps to address this dichotomy going forward.