From debit and check fraud to ACH and billpay, financial institutions all face similar threats. So, where should they make investments, as they work to thwart fraud and conform to the FFIEC's updated Authentication Guidance?
Michael Wyffels, chief technology officer of Illinois-based QCR Holdings, a $1.7 billion bank-holding company, says institutions should not focus so much on technology that they ignore some of the simpler fraud-mitigation strategies.
"Customer education is important," Wyffels says in an interview with BankInfoSecurity's Tracy Kitten (transcript below). "Online education can facilitate that, but we also like to hold annual seminars with our customers."
Mitigating the risks posed by each of those threats will take a combination of solutions, including manual processes, Wyffels says.
"Sometimes, you just can't use the system to do what you're trying to get done," Wyffels says. "Even though it may be more efficient, that doesn't necessarily make it right. I think people can make a difference that technology can't."
But coupling manual processes with technology can assist in fraud mitigation. Institutions just need to realize that new threats mean additional adjustments.
"Technology solutions, over time, become ineffective due to new exploits that have not been predicted," he says. "Technology is probably going to follow the evolution of those threats, because we don't really know, and we can't always predict, what the new threats are going to be."
During this interview, Wyffels discusses:
- The critical and increasing roles customer and employee education will play in the fight against online fraud;
- Why financial institutions should implement social-engineering training and social-engineering vulnerability testing;
- How core-processing systems can be leveraged to provide cross-channel fraud detection.
Wyffels helps to drive technology investments for three banks in Illinois and Wisconsin. Each of QCR's banks provides full-service commercial and consumer banking, trust, investment services and asset management services.
TRACY KITTEN: As the CTO of Illinois-based QCR Holdings, you help oversee technology investments at the holding company's three banks. What can you tell us about the three banks that you oversee, such as the asset size of each institution and the types of customer bases they serve?
MICHAEL WYFFELS: We have three different banks: Quad City Bank and Trust, which is about $1.1 billion; Cedar Rapids Bank and Trust, which is just south of $600 million; and Rockford Bank and Trust, which is just north of about $300 million. All of these banks are community banks providing services for commercial businesses, retail banking, trust services, asset management and investment banking services. They're in all those areas. Then we also have a strong leasing company - M2 Leasing - which is located in Brookfield, Wis.
Fraud and Risk Mitigation Challenges
KITTEN: What unique fraud and risk mitigation challenges does each of those institutions face?
WYFFELS: Debit card fraud, check fraud, ACH fraud, wire fraud, bill-pay - I mean those are all examples of fraud.... I think when you combine those with increased regulation and risk management cost, I think all banks become seriously concerned about the position of those items and what it means to their institutions and their customers.
FFIEC Guidance Conformance
KITTEN: Conformance with the FFIEC Authentication Guidance is consuming a great deal of attention and fraud investment dollars at many institutions, but it's not just conformance that your banks are focused on, you say. What would you say is the focus, if not on tech investments to conform?
WYFFELS: I think we would like to think it's all about the customer here, and our relationships are very important to us as I'm sure they are to other banks. So as a result, customer education is important. Online education can facilitate that, but we also like to hold annual seminars with our customers. People working with people - that feels right to us.
I think another item is that manual processes can still be effective at times, and are both the most cost-effective and intelligent approach. Sometimes you just can't use the system to do what you're trying to get done. I like to think that sometimes replacing people with technology is not the right answer. Even though it may be more efficient, that doesn't necessarily make it right. I think people can make a difference that technology can't. It's called the human reaction and the human interaction that takes place - I think really the human touch. Customer interaction cannot be duplicated with technology. It can only be replaced, so as a result sometimes it just makes sense to keep people in control of the activity and keep people involved with the processes.
Top Fraud Concerns
KITTEN: We shared with you some results from our recent "Faces of Fraud" survey, and I would like to get some perspective from you about those results. When asked what types of fraud their organizations faced in the last year, our respondents said credit and debit, check, vishing and phishing, ACH and wire and ATM fraud ranked among the top five. Do those findings surprise you and do you find the same types of fraud plaguing the institutions you work with?
WYFFELS: I don't think anything anymore surprises me. I wish something did, but I don't think they do. I think the creativity that's used, that results in those threats, continues to grow and that's the real concerning issue. It's that organized community that continues to invest in research to identify new vectors to succeed. I think I see this across our industry, to all FIs. I think we all have customers that are impacted by this, and in some form of fashion I think we all see it.
KITTEN: When we asked institutions in our survey about the types of fraud that they felt best prepared to prevent and detect, they said they felt best prepared to fight ACH and wire fraud, followed by check and credit and debit fraud. They feel far less prepared to fight vishing, phishing and ATM fraud. Does that surprise you?
WYFFELS: No. My initial reaction would be no to that; it doesn't surprise me. I think there are a couple of different approaches here, two different things here that you have to think about. There's the fraud channel and then our fraud vectors. So ATM - that channel is subject to the environment that surrounds them and it's pretty challenging for a bank to control something that's in an environment that they don't have any control of. I think you get as creative as you possibly can to mitigate that risk, but at the end of the day sometimes those environments where those ATMs live you don't control.
I think on the vishing or phishing side, that vector is successful based on the conditioning of the person receiving the attempt. For example, if people are educated on what to look for, do they understand how these attempts present themselves? Are there security awareness programs in place to keep the information top of mind for them? Even if social engineering is part of an FI's or any organization's vulnerability testing program, the bottom line is it's hard to control human behavior, and so I think education and maintaining an awareness program and doing everything you can to keep that vector and the way it presents itself top of mind to your employees is important.
Addressing Areas of Risk
KITTEN: Are the banks you work with adjusting their technologies to address some of those areas of increased risk?
WYFFELS: Yes. Banks I talk to realize that new threats mean additional adjustments at some point. It means that we complete risk assessments and evaluate threats alongside solution strengths and solution weaknesses, hopefully minimizing risk through layers of security. It's those layers that include both technology and non-technology solutions and people that will continue to help us mitigate those threats.
KITTEN: One thing that I found interesting in the survey's results when I compared them to the results we collected last year is that it seems some of the same risks continually come up in the same areas in which institutions face the greatest fraud challenges. Why do these risks continue to plague the industry?
WYFFELS: I suppose because you hear about them so much. Technology solutions over time become ineffective due to new exploits that have not been predicted coming about. I think technology has to evolve to address the evolution of the threats as the threats evolve. Technology is probably going to follow the evolution of those threats because we don't really know and we can't always predict what the new threats are going to be and how they're going to manifest themselves. I think technology is available to mitigate risks across different channels. I think those technologies aren't always consistent for each of those channels. One channel has a different solution than another one, and they don't necessarily follow the same approach, and because those approaches differ it also increases the complexity of advantaging that channel. I suppose the fact that we keep hearing about it reminds us that there's no silver bullet and that one day sooner or later we're all going to be visiting that.
Cross-Channel Fraud: A Growing Concern
KITTEN: Another point that came out in the survey results was cross-channel fraud, and cross-channel fraud didn't really seem to be overly concerning to most of our survey's respondents, yet industry experts continually tell us that most of the fraud that we see is cross-channel. How do your banks fare when it comes to cross-channel fraud detection?
WYFFELS: Well, probably similar to a lot of the other ones, if I could see what the statistics were to actually compare us. But I think like most FIs, we have different solutions for each of those, and looking across those solutions for trends to identify where we have cross-channel fraud is hard and it's not a small effort to do, but we're also looking at implementing a cross-channel solution from Fiserv to try to automate the analysis and to use analytics to further detect and report fraud that's happening across the channels today.
Customer Fraud Awareness and Training
KITTEN: You talked about customer awareness being something that your financial institutions focus on. In our survey, 68 percent of our respondents ranked customer awareness as the greatest challenge to fraud prevention. Do you agree and is customer education an area of focus for your banks?
WYFFELS: Well, I agree it's a significant challenge. I think that both technology and business education are important, and customers can't afford to have IT staff. As a result, they have staff that wear many different hats, including an IT hat. If they don't happen to wear an IT hat, they don't have IT staff and they outsource part of that technology support, but the customer may not understand how to manage and what to expect from the provider with regard to threat and vulnerability management. They just don't know it because it's not their area of expertise or why they're in the business in the first place. So it's not necessarily top of mind for them.
I think in addition to those items, many are not aware of insurance offerings to help them transfer risk of financial loss and recovery. Sometimes I think the businesses may assume they have protection when they really don't at that particular point in time. I did mention earlier that we believe here in both an online education channel that enables our customers to educate themselves at their own pace and schedule, [and] we still also believe in holding the annual customer seminars that allow us to meet with our customers face-to-face and talk to them about account takeover.
KITTEN: Before we close, what general thoughts do you have about the survey results where FFIEC conformance or other findings are concerned, relative to what you see within your own organization?
WYFFELS: I see similar trends so I think that we're seeing that all FIs have similar concerns and I think statistics show that there's some commonality across the FIs in terms of similar statistics. I think in terms of FFIEC conformance, I think all the banks are trying to move in the direction that was recently released by the FFIEC. I also think that it's going to be difficult as time continues to evolve and threats continue to evolve for banks to continue to adapt, and I don't think that's just going to be a FI challenge. I think as regulations and guidelines are released, they're going to have to continue to adapt as well.
My take away from this, just thinking about what has happened in the last three or four years, is this is going to continue to become complex and more complex for institutions. When you think about it, a lot of the institutions are trying to apply layers of security for each of the channels that they have. If you've got two channels, three channels, four channels, whatever they are you're multiplying your expense across those channels.
If there's anything that I'm taking away from what I've seen in the last three years in your survey, it's the fact that I would like to see more things done inside a core banking system's product that actually receives a financial transaction, that it's there before it's processed and generates alarms and notifications that a possible threat exists. I kind of liken that to a credit card system and products like Falcon. When you're swiping your card, it's going through a velocity scoring engine and it's making a determination if it's suspicious or not. I would love to see all these payment channels that FIs have through their core banking system go into a similar one-stop place that does that vetting for the banks so that we're not having to worry about every single channel out there. Where today, I think that's the best approach that all FIs have.
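To illustrate the "one-stop" vetting Wyffels describes, here is an added example (not QCR's, Fiserv's or Falcon's code) of a minimal cross-channel velocity scorer that sits in front of transaction processing: every channel feeds the same per-account window, so a pattern invisible to any single channel's own controls (a debit, an ACH and a wire within an hour) still raises an alarm. The channel names, thresholds and sample transactions are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: int          # seconds since epoch (constructed sample clock)
    account: str
    channel: str     # e.g. "debit", "ach", "wire", "billpay"
    amount: float


class VelocityScorer:
    """Scores each incoming transaction against the account's recent
    activity across ALL channels, before the core processes it."""

    def __init__(self, window_s=3600, max_count=5, max_total=10000.0, max_channels=2):
        self.window_s = window_s          # look-back window in seconds
        self.max_count = max_count        # transactions allowed per window
        self.max_total = max_total        # total amount allowed per window
        self.max_channels = max_channels  # distinct channels allowed per window
        self.history = defaultdict(deque)  # account -> recent Txn, oldest first

    def score(self, txn):
        """Record txn and return the list of rules it trips (empty = clean)."""
        hist = self.history[txn.account]
        while hist and txn.ts - hist[0].ts > self.window_s:  # expire old entries
            hist.popleft()
        hist.append(txn)
        total = sum(t.amount for t in hist)
        channels = {t.channel for t in hist}
        reasons = []
        if len(hist) > self.max_count:
            reasons.append(f"count {len(hist)} > {self.max_count}")
        if total > self.max_total:
            reasons.append(f"total {total:.2f} > {self.max_total:.2f}")
        if len(channels) > self.max_channels:
            reasons.append(f"channels {sorted(channels)} > {self.max_channels}")
        return reasons


def vet(scorer, txns):
    """Run transactions through the scorer in time order; return alarms."""
    return [(t, r) for t in sorted(txns, key=lambda t: t.ts) if (r := scorer.score(t))]


# Constructed sample: three channels hit one account inside an hour.
SAMPLE = [
    Txn(0, "acct-1001", "debit", 120.00),
    Txn(600, "acct-1001", "ach", 8500.00),
    Txn(1200, "acct-1001", "wire", 2400.00),
    Txn(1500, "acct-2002", "billpay", 300.00),
]
```

Running `vet(VelocityScorer(), SAMPLE)` flags only the wire on acct-1001, citing both the window total and the three distinct channels; the same three transactions seen by three separate per-channel systems would each look ordinary.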