ACH Fraud Fight: Beyond Technology
Commercial Customers and Banks Should Share Responsibility
The survey, which included responses from 315 small to medium-sized commercial customers, shows that more businesses today are willing to partner with their financial institutions to reduce fraud, says Ben Knieff, a fraud prevention specialist for NICE Actimize. Knieff says most small businesses don't understand online fraud and ACH risks, but they are willing to work with banks to mitigate losses.
"It's all about partnering," Knieff says. "Commercial customers and banks working together: This is a real opportunity."
As financial institutions await the expected release of new guidance regarding online authentication best practices from the Federal Financial Institutions Examination Council, the role institutions play in ensuring commercial customer security is an ongoing debate.
"[Smaller businesses] are not online security experts, and they don't typically have the resources a large organization has," Knieff says. "So, it's really critical as an industry that we support those smaller organizations. We should show them how to mitigate risk; and it's important for financial institutions to take on a lead role as an educator."
Greater communication between banks and commercial customers, as well as contract transparency, play key roles in fraud deterrence and customer-relationship health, according to survey respondents.
The FFIEC also supports that notion, evidenced by suggestions it makes for more customer education and fraud-prevention collaboration in the drafted guidance that leaked in late December. [Did Disclosure Delay Guidance?]
Knieff says banking institutions should show their smaller commercial customers what they can do to protect themselves, and the more fraud-prevention services institutions make available, the healthier the bank-customer relationship.
"The challenge for commercial customers is lack of bandwidth and expertise," he says. "It's not always apparent to them where they would even need to go, from an education standpoint. They don't know the mitigation opportunities they could take advantage of. They are also not aware of the liability that they may carry, so there is a lack of incentive for them to invest in technology that could curb fraud."
During this interview [transcript below], Knieff discusses:
- Liability for losses related to ACH and wire fraud;
- Defining "reasonable security"; and
- Collaboration and partnership to improve fraud mitigation.
Knieff oversees enterprise fraud prevention strategy for NICE Actimize, where he is responsible for defining the strategic direction for the company's fraud management technology. Knieff is an expert in security, compliance and fraud management. For more than 10 years he has consulted with financial institutions across the globe, helping merge technology with business objectives to improve efficiency, efficacy and profitability. Knieff often presents at industry conferences related to various financial crime topics, including regulatory compliance, fraud management and identity theft.
Building Strong Relationships
TRACY KITTEN: When it comes to ACH and wire fraud and the security of online transactions, a new survey shows that beyond the prevention of fraud itself, just taking steps and implementing measures to prevent and reduce fraud improves the overall relationship between financial institutions and their commercial customers. What lessons can the financial industry learn about the role more open communication plays when it comes to commercial customer health? I'm here today with Ben Knieff, who oversees enterprise fraud prevention strategy for NICE Actimize, which conducted a survey about the roles fraud prevention, fraud education and fraud protection play when it comes to building strong relationships between banks and their commercial customers.
Ben, can you tell us a bit about the survey and how an expanded dialog between banks and their commercial customers is actually working to improve more than just security?
BEN KNIEFF: Definitely. The objective of the fraud survey was to explore whether or not small and medium sized businesses really understand the role they play in preventing and managing fraud, and understanding the responsibility for losses in the commercial banking world. We also wanted to take a look and understand the impact of fraud prevention programs, or the lack of them, and how that would impact the bank's relationship with those clients and their business. Finally, the survey revealed some very interesting results, finding that small and mid-size businesses reported that they were very willing to partner with their financial institutions and adopt business practices that would limit their exposure to wire and ACH fraud.
Customer Education
KITTEN: Discussions about online fraud, which often leads to ACH and wire fraud, have been abuzz for the last 18 to 24 months, and we've seen upticks in ACH fraud over the course of that period. Recently, a lot more attention has been given to the discussion about online fraud, since the new guidance from the FFIEC is expected to be passed down any day now. The new FFIEC guidance for online transaction authentication is expected to encourage banks to invest more in commercial customer education. Why is education so important when it comes to online fraud prevention?
KNIEFF: When you look at the SMBs, their focus is on their business. They are not fraud management experts. They're not online security experts and typically don't have the level of resources that, say, a large corporate organization has, to protect the network and manage security. So, it's really critical that, as an industry, we have to support those small and medium-sized business organizations, at least with a basic level of education, so that they understand how to play a part in mitigating fraud risks. The survey that we commissioned showed a lot of great opportunities for financial institutions to take on an educator-type of role, both from a risk investment perspective and a product perspective -- products that are made available to those clients through the financial institution. The follow on to that is engaging and reaching out to educate those customers. It creates an opportunity for financial institutions to grow the trust and confidence that those clients see in the institution. We see that coming in two main areas. One is in showing how small and medium-sized businesses can do certain things to help protect themselves. The second is some education around what the financial institutions are doing, and the sorts of services that they are making available that the business can take advantage of in order to mitigate fraud as much as possible.
Commercial Customers Lack Fraud-Prevention Expertise
KITTEN: This recent survey found that commercial customers often rely too heavily or rely heavily on banks for security, finding that most commercial customers are not actively educating themselves about their current fraud risks. Why have commercial customers not been engaged in managing their own fraud?
KNIEFF: In many cases, the challenge for those commercial customers is really a lack of expertise. Managers and business owners are typically spending their time trying to manage their own business and don't necessarily have the expertise in-house to manage some of the security aspects. On the flip side of that, it's not always apparent to them where they would even need to go, from an education perspective, and they don't know the risks or the mitigation opportunities that they could take advantage of. So, there is sort of a combination of not really knowing what they don't know, coupled with the fact that most small and mid-sized business owners and managers are not very well aware of the level of liability that they may hold when it comes to fraud. So, there is, to a degree, a lack of incentive, because they are not aware of the liabilities that they may be carrying.
KITTEN: Ben, can you tell us a little bit about the survey itself? When was this conducted?
KNIEFF: The survey was conducted roughly nine months ago, and we've gone through and spent quite a bit of time working through it and talking to various analysts and folks about what the results really mean. The reality, I think, is that until 18 to 24 months ago, the fraud attacks against commercial clients were not quite so prevalent and weren't quite so sophisticated, in terms of coming through from malware and the ability to really target clients through spear phishing. So, I think more than two years ago, there just wasn't a focus on commercial banking fraud as a whole. More recently, financial institutions have been putting a lot of time and energy into fraud management in the commercial space, and there is a real need to ensure that small and medium-sized business owners and managers have a good understanding and a good sense of where their piece of the puzzle is; the financial institution can no longer be the single point of protection. The organization needs to be a part of that fraud mitigation environment.
Understanding Liability
KITTEN: Now the survey also found that only 17 percent of commercial respondents were aware of the fact that banks are not obligated to reimburse commercial customers when those commercial customers are victimized by cyberfraud. What does that say, Ben, about the need for more communication and transparency, when it comes to the contracts between banks and their commercial customers?
KNIEFF: I think it is a really good question. First, it's important that we always remember that a small business owner or manager is also a consumer, and it's not unreasonable that somebody would believe that the same protections that apply to them as a consumer would apply to them as a business. It's a fairly logical conclusion to come to. So, I think that is one aspect of it that is pretty important. I agree with you completely that communication and transparency are very important. Again, it's not always clear that the people who are responsible for managing their banking relationship within a small business have a great understanding of the terms and conditions that apply to their account relationship. And, also, they may not be experts in things like the Uniform Commercial Code, in areas outside of their business. So, another aspect of education, to a degree, is ensuring financial institutions can ensure that they do have a transparent relationship with the client and that client understands why their role in the fraud management process is so important.
KITTEN: Going back to the survey, 67 percent of the respondents also noted that they think banks should be liable and that they should assume losses when ACH or wire fraud occurs. Does this expectation on the part of commercial customers highlight the need for more education (i.e., are commercial customers just not understanding the way fraud is perpetrated, which oftentimes is outside the bank's control)?
KNIEFF: Absolutely. I think a critical point is that they do not understand how fraud is perpetrated and they do not understand at what level the financial institution actually can do something about the problem. That is a pretty key point. Corollary to that, it's a little bit hard to expect them to have that level of knowledge, because it's not a part of what they do day to day. So, I think it highlights the need for education, but I think it is also very interesting. When you look at the survey, a really high percentage of customers, around 60 percent, said they would be very willing to work with the financial institution and accept a certain amount of friction and control within their transactional relationship in order to limit their liability. So, it points to an opportunity to partner, in which the financial institution can offer certain limitations of liability or protection and the commercial client can take on a certain degree of responsibility. It kind of becomes a win-win relationship for both parties.
KITTEN: Sounds like what you are alluding to is more of a partnership, and that is something we've talked about more often recently, as we've seen some of these cases between banks and their commercial customers over ACH fraud get settled out of court. It's very difficult to actually determine liability, when contracts oftentimes just assume the retailer or business merchant will be responsible for those losses.
Ben, you've noted that the survey took place about nine months ago. If the survey were to be conducted today, do you think these commercial customers would be more educated about fraud, and the way fraud is perpetrated?
KNIEFF: To be perfectly honest, I don't think so. I think that what we might see is an increased awareness that fraud exists in commercial banking relationships. In particular, some of the news stories you mentioned around litigation have improved awareness. Similarly, there has been a little bit more mass media attention paid to things like malware, the Zeus Trojan. So, I think that the awareness has increased, but I'm not convinced that there is much better understanding around what an organization can do to protect itself.
Reasonable Security and the Uniform Commercial Code
KITTEN: You've mentioned the Uniform Commercial Code, and I'm going to ask about the Uniform Commercial Code's reference to reasonable security. It's often debated by commercial customers and banks: What is reasonable security? NICE Actimize notes that it may not be realistic for banks to wait for government or some of the regulatory agencies to define reasonable security. Instead, banks may want to go ahead and move forward with improving their own security measures; but aren't banks already doing some of this? Aren't they already moving forward to enhance security, regardless of what the FFIEC guidelines or regulatory mandates suggest?
KNIEFF: Absolutely. I'm not seeing institutions that are sitting on their hands waiting for the government to formalize a definition like reasonable security, nor are they really waiting around until the FFIEC guidance becomes complete and published. We are seeing a lot of financial institutions that are continuing to move forward with a good understanding that the new protection technology processes and education outreach programs that they are putting into place are timely, relevant and valuable, regardless of some of the specific details that we might see.
The reasons for that are fairly powerful. I think most of these financial institutions have a great understanding that promoting their ability to protect clients and manage fraud effectively is a competitive differentiator. Commercial clients are extremely important to financial institutions. The relationships that they create directly impact customer acquisition through referrals and retention, as well. The incentive to implement solutions is actually very high, regardless of the specifics that we see from the regulators and the legislators.
ACH Fraud Prevention: Beyond Technology
KITTEN: In closing, Ben, could you tell us what you deem to be the top three takeaways from this survey's findings?
KNIEFF: Sure, I think there are a couple key takeaways that are really important. The first is that managing this problem is not purely about technology. There is a strategic plan that needs to be put in place for an institution to really look at the entire customer relationship, the education capabilities, and the transparency that they can bring to the table and communicate with those clients. Look at technology as a component of that overall strategy, and, naturally, the technology should be supportive of the strategy and provide the financial institution the maximum amount of capability to respond to the end customer needs. Similarly, financial institutions have great opportunity and the commercial clients are very interested in partnering and learning how to do things more effectively. Then, finally, I think it's really important to note that there is no one way to solve this problem. We've seen things like authentication, out-of-band authentication, be circumvented. We've seen that for some clients, certain methods of authentication just don't work for how they do business. So, it's really important that financial institutions have some flexibility and some capability to be most effective. If we put the customer at the center of our strategy, and we can leverage technology to support that strategy, then we get the best mix of capabilities to protect against the various and continually evolving threats, but also engage customers and continue to keep them in the loop, so to speak, in terms of how the fraud problem is being managed. It all works to grow the relationship between the financial institution and the business.