Financial institutions everywhere are facing a huge challenge in managing the security of their customers' assets from increasingly sophisticated fraud attacks. The online banking channel in particular has been targeted by fraudsters, driving the invention of security technologies for fraud reduction like multifactor authentication, antiphishing networks, image-based site authentication and transaction monitoring systems. Each subsequent technology has gone one step further in securing online banking transactions, but fraud continues to become more sophisticated and more prevalent.
In addition to online banking fraud, institutions must deal with the long-standing problems of check fraud, card fraud and ATM fraud. Internal fraud, where bank employees are involved in the theft of credentials or actual funds, is also a growing problem. Tomorrow, this list will likely include mobile banking fraud and RFID or Near Field Communication (NFC) fraud. In the early 2000s, one banking executive said: "We won't buy back another dollar of fraud loss by spending another dollar on fraud prevention." Unfortunately, fraud loss goes beyond the funds in a deposit account. For example, the manpower necessary to monitor, capture, analyze and report on fraud events is a cost many banks do not track. And of course there is always the cost of reputational loss from a large fraud event, particularly if it leads to headlines.
Fraud is clearly a problem that can happen at every delivery channel, even from inside. Given the breadth of the problem, it makes sense to create a fraud reduction solution that is systemic, focusing on the customer, and across the institution.
What the industry needs is the implementation of "customer security management." Like customer relationship management (CRM), CSM would combine information from multiple data sources at the bank to have a better understanding of the customer. But instead of driving marketing campaigns or product development, the CSM would create intelligence that can be used to prevent fraud before it happens, wherever it happens. This information is comprised of data that the institution most likely already has, including:
- Transaction logs
- Account files
- Session histories
- Customer preferences
- Payee lists
- Device information
This data can be analyzed to create each customer's "normal behavior" profile. Much like the CRM system that determines a customer's preferences, tolerance to risk or predilection to buy a particular product, the CSM system would establish a pattern of habitual banking behavior for that customer.
And exactly like CRM, the information gleaned from a CSM analysis would need to be actionable to justify the investment. By monitoring all data coming from the channels, ideally in real time, the institution can catch transactions that fall outside of the customer's "normal" transactional behavior. Once a suspect transaction or session is found to be outside of normal parameters, the institution can decide to terminate the transaction, issue a second challenge of some sort to verify the customer's identity, freeze the customer's accounts, or take other action.
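The profile-and-react loop described above, sketched as an added example that is not from the original article: it builds one customer's "normal behavior" profile from constructed multi-channel history and maps deviations to the responses the article names. The field names, the 3-sigma amount threshold and the score-to-action mapping are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed history for one customer, merged from several channels
# (transaction logs, payee lists, device information).
HISTORY = [
    {"channel": "online", "amount": 120.0, "payee": "utility-co", "device": "laptop-1"},
    {"channel": "online", "amount": 95.0, "payee": "utility-co", "device": "laptop-1"},
    {"channel": "atm", "amount": 100.0, "payee": None, "device": "atm-0042"},
    {"channel": "online", "amount": 140.0, "payee": "landlord", "device": "laptop-1"},
    {"channel": "online", "amount": 110.0, "payee": "landlord", "device": "phone-1"},
]

def build_profile(history):
    """Summarise habitual behaviour: typical amounts, known payees and devices."""
    amounts = [t["amount"] for t in history]
    return {
        "mean": mean(amounts),
        "stdev": pstdev(amounts) or 1.0,  # avoid divide-by-zero on flat history
        "payees": {t["payee"] for t in history if t["payee"]},
        "devices": {t["device"] for t in history},
    }

def score(profile, txn):
    """Return (risk score, reasons); each deviation from the profile adds one point."""
    reasons = []
    z = (txn["amount"] - profile["mean"]) / profile["stdev"]
    if z > 3:  # assumed threshold: amount far above this customer's norm
        reasons.append("amount")
    if txn["payee"] and txn["payee"] not in profile["payees"]:
        reasons.append("payee")
    if txn["device"] not in profile["devices"]:
        reasons.append("device")
    return len(reasons), reasons

def decide(profile, txn):
    """Map the score to a response; this escalation ladder is an assumed policy."""
    risk, reasons = score(profile, txn)
    action = ["allow", "challenge", "terminate", "freeze"][risk]
    return action, reasons

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    suspect = {"channel": "online", "amount": 5000.0,
               "payee": "unknown-payee", "device": "desktop-9"}
    print(decide(profile, suspect))
```

Because the profile is built from all channels at once, a device or payee first seen at one channel is already known when the customer appears at another, which is the cross-channel point the article argues for.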
Many fraud detection and prevention solutions in the market today have bits and pieces of the whole puzzle. Some are adept at monitoring online banking transactions on the fly and using rules-based engines to determine a risk score for those transactions. Some systems use heuristics and previous customer behavior instead of rules, learning as they process transactions. Most do not tie into other delivery channels, at least not out-of-the-box.
Most security experts today agree that a layered approach to fraud prevention and detection is the best way to build a secure environment. While many of the past technologies have dealt with the layers in front of the application (i.e. multifactor authentication), and some technologies like transaction monitoring address the back office, no technology today addresses the entire enterprise like the proposed CSM solution would.
An effective CSM system would need to do three things well: capture, analyze, react and report. As the fraud prevention industry matures, it is likely that integration across multiple channels to capture information will become a standard feature. The analysis engines are already there, and would need minor tweaking to manage the differences from channel to channel. Today's solutions typically provide flags or a risk score when suspect transactions are found, but banks will have to create response strategies to perform the appropriate action at each channel for those transactions. Reporting also needs to be improved in many of today's solutions to offload the hours of forensics and compliance reporting that bank staff undertake today.
Only with a holistic approach that focuses on the customer across the institution can banks implement an effective fraud reduction strategy. Real money is at stake.
About the author:
Jerry Silva is a principal at PG Silva Consulting, bringing 25 years of financial services experience, and specializing in the acquisition and implementation of financial services technology serving both providers and institutions.
This was first published in November 2010