The Customer's Role Fighting FraudAuthentify's CEO on How to Maximize the Customer Relationship
When it comes to fighting financial fraud, Peter Tapling of Authentify says banking institutions are chronically underestimating and under-utilizing one key resource: Their own customers.
See Also: Threat Briefing: Ransomware
"I don't think, as an industry, we give the customer enough credit," says Tapling, President and CEO of Authentify. "They understand that essentially they are under attack and, yes, they'd like their bank to do more. But one of the primary things I think they would like their bank to do is stay in touch with them" about fraud risks and solutions.
Analyzing the 2012 Faces of Fraud Survey results, Tapling notes two key findings: Customers tend to be banks' best fraud detection systems, and institutions are now especially focused on better educating their customers.
But the key isn't better awareness, Tapling says. It's better customer engagement.
"I don't think [banks] need to be alarmists," he says, "but I do think they need to say: 'Look, it's not our job to protect you. It's our job to collectively protect you. So, you have to participate in this, and these are the tools we're going to give you to help participate."
In an exclusive interview about the 2012 Faces of Fraud survey, Tapling discusses:
- Why customers tend to be banks' best fraud detection systems;
- How institutions should discuss fraud with their customers;
- Effective ways to engage banking customers in the fraud fight.
Tapling co-founded Authentify in 1999 and has held the position of President and CEO ever since. He joined Authentify from Aurigin Systems (acquired by MicroPatent), and prior to that was Vice President of Strategic Development for NetDox and President of IDMetrix, a NetDox subsidiary. Tapling previously held senior management positions at startups in the information security and application development markets. He brings a wealth of industry and management experience having had responsibility, at various times, for sales, marketing, business development, finance and technical services. Tapling has concentrated his efforts on early-stage companies, both as a principal and advisor.
TOM FIELD: Coincidentally enough, as our survey ended, news of the Global Payments breach broke. What's your take on this particular incident and its potential impact on financial fraud as we review it in 2012?
PETER TAPLING: Global Payments is clearly a very large processor. The risk of exposure of card data is significant, but at the end of the day I don't think it's a watershed event because if you count the number of cards that are breached and you put that on the pile of card information that has been breached over the last couple of years, it's not that great of a number. That said, it clearly indicates that we're not doing enough as an industry to make sure that these kinds of breaches can't happen. I think one of the things that's disconcerting is the trickle of continuing breaches.
FIELD: The timing was interesting because we just ended the survey and you've had a chance to look at some of the survey results now. When you look at the overview, what are the responses that are most meaningful to you?
TAPLING: I think the things that we noticed were the responses that talked about the causes of fraud. [There are] things that are not directly in the control of the customer. There are things that happen to the customer, but the customer didn't necessarily do anything to cause the fraud to happen. By the same token, the banks, with all the fraud management tools we have in place, 82 percent of the time hear first about a fraud event from their customer. It's good that one of the other answers to the questions was that customer education is on the list, but I think that we really need to do more to engage the customer in protecting their own accounts.
FIELD: I'm going to get back to that point in a minute because you've raised a couple of good ones here. One is on the investments that institutions are planning, awareness being one of them. What's your take on the anti-fraud investments that the institutions say they plan this year?
TAPLING: They're certainly necessary. Part of the challenge we have here is the bad guys are continuing to do bad things and they're continuing to come up with different ways to attack the system. The fraud management systems are certainly necessary, but they aren't a panacea. The U.S. particularly, institutions are very nervous about putting things in front of their customers. They don't want to do anything that ruins the customer experience, and that kind of hyper-sensitivity to not communicating with the customer at the time of the transaction so that the transaction goes through creates a lot more risk. I don't think as an industry we give the customer enough credit. I think that they understand that essentially they're under attack. Yes, they would like their bank to do more, but one of the primary things I think they would like their bank to do is stay in touch with them.
FIELD: I'm going to bring you back to customer awareness because, as you noted, that was a resonant theme in the results. And again as you noted, it seems that the customers are very aware when fraud incidents occur. What's your take on this notion that we've seen a couple of times now as we have surveyed our respondents that the customer seems to be the best fraud detection system that institutions have?
TAPLING: I think that's true. At the end of the day, you go back five years and nobody wanted to talk about fraud. The industry wanted the customer to think your money is in the bank; your money is safe. Fast forward to today. You almost can't open a newspaper on a daily basis and see some type of attack or some type of breach or some type of loss for particular individuals - everything from a big headline-making story like the recent Global Payments breach down to a local newspaper story that some person had their identity stolen. Consumers are well aware that this is going on. People check their accounts frequently. They know what transactions they did and they know when they see transactions that they didn't do. As a result, this hypersensitivity to not wanting to "bother" the customer, I think there are ways that they can be engaged in the process to help the fraud managers manage fraud against the institution.
FIELD: You make a good point there because financial institutions traditionally have been reluctant to talk about fraud to customers. They don't want to scare them and then they go through the point that they don't want to bother them. They think they're bothering them if they're sending them alerts. How should they be discussing the topic of fraud with their customers?
TAPLING: At the end of the day, you've got to treat them like adults. You can't have a bank account unless you're 18. You're therefore an adult, right? I think it's a marketing game; nobody wants to be the first one. Nobody wants to be the first one to say, "I'm going to come upfront with my customers and I'm going to tell them that there are myriad forms of fraud and that these things can happen, and that's why we're putting these processes in place so that you can help us protect your accounts." That's scary. You went to the RSA Conference. You may have been to the Merchant Risk Council Conference. You sit in those conferences and you almost want to stuff your money in a mattress because the range of fraud that occurs is certainly frightening. I don't think they need to be alarmists, but I do think that they need to say, "Look, it's not our job to protect you. It's our job collectively to protect you so you have to participate in this and these are the tools we're going to give you to help participate."
FIELD: You and I have talked about this in the past. One of the other things that institutions are reluctant to do is to send out different types of alerts to customers about transactions or about authenticating transactions, because they're concerned about "bothering" the customer. Now I know you've got some thoughts on that. What are the most effective ways to engage banking customers, and maybe you can shatter a couple of the myths here at the same time?
TAPLING: It's all about whether or not you wanted to be contacted. I think in a conversation with you I brought up the example of if you want aluminum siding on your house and you pick up the phone and you call the aluminum siding company, when they call back you're not upset; you wanted them to call. If you're sitting down to your spaghetti dinner at 6 p.m. and the out-bound telemarketing call comes in and it's totally unexpected and it's for a purpose that you're not interested in, then you're upset. I think in the banking world, they did spend a lot of time doing telemarketing. If you think back to the heyday of the credit card era where we all had five and ten credit card offers in our mailbox every week, there was a lot of outbound telemarketing in order to get you to sign up with your bank, and so customers naturally kind of contracted and said, "If the bank calls, they're not calling me for anything good. They're trying to sell me something."
That has stopped and I think now customers are conditioned to sign up for alerts. Basically any online banking mechanism has a process where you can go in and say, "I want to know when charges happen over 'x' amount of dollars, when I get within 'x' amount of my credit limit," and things like that. So I think if they just look at their activity that's occurring in their own businesses, they'll see that customers do indeed welcome contact on their own terms. I think what needs to happen is they need to create these tools where the customer can get trusted communication that they know is coming from the bank and get it on their terms.
FIELD: We asked this in our survey of the respondents and I'll ask you as well. What one factor do you believe could make the greatest difference in the fight against fraud this year?
TAPLING: Engage the customer. At the end of the day, 82 percent of the time you find out about it first from the customer. What would be the difference in fraud losses if you encouraged the customer to contact you earlier? Just think about that. If I'm going to hear about the event from the customer anyway, I want to hear about it not when they get their statement 22 days after the event occurred. I want to be able to hear about it within a day or within an hour or within a few minutes. That really gives me, as a fraud organization, an opportunity to do something about actually stopping the movement of value outside of where it's supposed to go.