Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development
Fraud: Customers' Security ExpectationsGuardian Analytics on Newest Business Banking Trust Study
Guardian Analytics is out with its third annual Business Banking Trust Study. What are the latest fraud threats, and how do businesses expect their banking institutions to respond to these threats?
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
If anyone thinks fraud threats are abating, think again. That's one message from the latest study, says Terry Austin, CEO and President of Guardian Analytics.
This latest study surveyed about 1000 small-to-midsized businesses across the U.S. According to the survey, nearly three-quarters of responding businesses have been hit by online fraud, and over half have been struck in the past year. And let there be no question: These incidents do negatively impact the relationship between business and banks.
"In 52% of the cases, the small-to-medium business indicated that it would only take one fraud incident, whether successful or not, for them to lose confidence in their financial institution's ability to protect their assets," Austin says. "In fact, 72 percent ... indicated that they hold their bank primarily accountable for securing their bank accounts."
In an exclusive interview about the 2012 Business Banking Trust Study, Austin discusses:
- Emerging fraud risks, especially via the mobile channel;
- The true cost of a fraud incident - especially in regard to trust;
- The security controls businesses expect from their banking institutions.
Prior to joining Guardian Analytics, Austin served as CEO and president of MarketLive, a leading provider of eCommerce platform solutions, where he created a scalable business strategy, assembled a world-class executive team and led successful fundraising efforts. He was previously president of worldwide marketing and sales at Good Technology, a provider of mobile computing solutions, where he spearheaded the company's rapid growth from 10,000 to over 500,000 subscribers and facilitated its acquisition by Motorola in January 2007. Austin has also served as president of EMEA and executive vice president for Manugistics, a market leading provider of enterprise software. He started his career at Accenture, where he ultimately led an $80 million consulting practice as a lead partner.
TOM FIELD: This is your third annual Business Banking Trust Study. What would you say you've learned after three years of administering this survey?
TERRY AUSTIN: The results are very consistent over the three years, which we think adds a lot of credibility to the findings. The net is that fraud is continuing to escalate and the small and medium business market is expanding their use of online banking and mobile banking, which increases their risk and vulnerability to fraud. The industry still has a ton of room to improve their fraud defenses. The financial institutions, the banks and credit unions and these small/medium businesses have a lot to lose, starting obviously with the financial loss from fraud itself, but the banks are also subject to a lot of lost time, tarnished reputations and ultimately the loss of customers if they don't solve this problem and get it right.
FIELD: Looking at this year's survey, what would you say are the top headlines?
AUSTIN: Number one, fraud is widespread. In fact, 74 percent of the small/medium businesses - and we surveyed about a thousand small/medium businesses across the country - have experienced electronic banking fraud and 52 percent of them have been hit with electronic banking fraud in just the past 12 months. Fraud is not an isolated or rare occurrence in this market.
In 52 percent of the cases, the small/medium business indicated that it would only take one fraud incident, whether it was successful or not, for them to lose confidence in their financial institution's ability to protect their assets. In fact, 72 percent of the small/medium businesses indicated that they hold their bank primarily accountable for securing their bank accounts. It's a very important, strategic issue, and this year we actually extended the rest of the study to specifically look at how small and medium businesses are using online banking but we've also added the automated clearinghouse, or ACH channel.
We've added mobile banking and we've added wire transfer to the scope of the study, and one of the interesting things out of that is that we learned across all of these channels, when there's a fraud loss, the bank does not fully reimburse the business for that fraud loss in about 80 percent of the cases. This is a real hot-button issue and that lack of reimbursement is not endearing the banks to these small and medium business clients.
FIELD: Given that you've examined fraud across all these channels, what emerges to you as the top fraud risks now for businesses and institutions alike?
AUSTIN: There's a lot of growth in the use of mobile and online banking. Using mobile devices to access online banking has increased from about 23 percent of businesses in 2010 to 54 percent in this latest survey, so it has almost doubled. And we know that the mobile devices are not secure; they're very vulnerable. At the same time, the use of online banking in this business community is expanding, and we looked at this in terms of how much of the banking activity is being done online. And the number of businesses that have said they're now doing 100 percent of their business banking using online has more than doubled. It was 9 percent in 2010 and it's now around 20 percent in 2012, and also the numbers that are doing a small amount of business online has shrunk. Those that are doing less than say 30 percent of business online has gone down from about 50 percent down to about 30 percent. We're seeing more usage and more expanded usage across this community.
An interesting fact I thought was that now as many businesses use online banking to execute their payments as they use checks. Online banking has caught up with checks as the predominant method for making payments. The SMBs are becoming more reliant on online banking; they're using mobile devices more and more to access those bank accounts and we know that the fraudsters are going to go wherever there's money movement.
FIELD: Let me follow up on the mobile point there. What do you find to be some of the specific fraud challenges of mobility?
AUSTIN: Mobile banking is very different. The device is a whole new platform and the behaviors and activities that a user's going to go through and that the bank's going to represent on mobile are different than online. We can't just apply the exact same techniques to mobile as we do for online. The device is vulnerable and it's vulnerable in a lot of different ways than the online computing device was. Just in the last year, we see the huge growth in malware developed from mobile platforms, like 1400 percent growth in malware being distributed for the Android and iPhone platforms.
This is compounded by the fact that users don't treat these devices as really the small computing devices that they are. They treat them very differently. They don't think of them as risky. In most cases, users don't put passwords, simple passwords, on their mobile devices and they will store confidential information like bank account numbers and PIN numbers and things on these mobile devices that are lost and stolen all the time. It's very, very common for these devices to be lost. Users will download anything. They will download apps. They'll use the app store. They'll just assume that those applications being downloaded are safe and in a lot of cases they're not. The app store is being used to distribute malware at an increasing and alarming rate. These are just very different devices and they're very, very vulnerable so they're very attractive for fraudsters. Fraudsters are looking forward to mobile banking and the growth and explosion in mobile access to the banking system.
FIELD: Let's talk about detection and prevention. How well prepared do you find businesses and institutions alike to be when it comes to detecting and preventing fraud?
AUSTIN: There's a lot of room for improvement both from the business and from the financial institution. Realistically, the banks are in the best position to do this. Again, I would emphasize that the businesses expect the banks to step up and to provide the fraud prevention expertise and to provide the protection. The study shows that the small/medium businesses have not done much to improve their own defenses and we believe this is because they're really looking to the bank and the financial institution to do it, and they probably don't have time to really focus on it. Two-thirds of the SMBs believe that their financial institution is committed to preventing fraud and a similar number believe that their FI is committed to ensuring a secure online banking environment.
However - and this is important - only 43 percent of the survey respondents believe that their bank is taking the appropriate steps to limit risky transactions, and that has actually fallen from 2010 where 49 percent believed they were. Forty-two percent say that their financial institution is making online banking too difficult, and that has gone up from 36 percent. The steps that the banks are taking to protect the channel both are seen as not being effective and not being the right steps, and they're also seen as making online banking too cumbersome. The courts seem to agree with the businesses that the FIs are not taking the adequate steps if you look at the recent rulings in some of these cases. And the results speak for themselves. Fraud is happening everyday so all in all I think businesses and financial institutions can significantly improve in their ability to prevent fraud.
FIELD: One topic we haven't discussed yet is financial impact. What did the study tell you in regards to the impact on banks?
AUSTIN: The financial impact comes in three forms. There are the fraud losses themselves. There's the productivity hit that a bank takes when they have to research and investigate a fraud loss, and then there's the risk of losing their customers ultimately because they're not doing an adequate job at this. The banks only fully reimburse fraud losses in less than 20 percent of the cases, so one could say that the nominal fraud losses to the bank are relatively low and the businesses themselves are bearing the brunt of the loss, but I don't think that's really good from either of these constituencies.
Having said that though, the banks still spend an inordinate amount of time and resources in investigating fraud cases, and in some cases defending themselves in lawsuits that can be brought because they're not covering their client's losses and we've seen a lot of examples of that in the market.
The third case, in terms of lost customers, 40 percent of the small businesses have indicated that after a fraud incident they moved some or all of their banking business elsewhere. An additional 30 percent said that the fraud diminished their trust and confidence in the bank's ability to secure their account. So there's a reputation hit, there's a lost customer hit and then there's time, resources and dollars that are all being lost because of this issue.
FIELD: What are the questions that the businesses really need to be asking of their banks now?
AUSTIN: It's pretty straight forward. They should ask what fraud prevention practices the bank has in place to protect them. They should ask about their reimbursement policy upfront. If we get hit by a fraud, how much are you going to reimburse us? They should ask about the bank's fraud notification policy. How am I going to be notified? How am I going to be communicated with? Then finally, they should ask the bank what fraud prevention practices the business themselves should be responsible for? What do you expect me to do as a business client of yours?
FIELD: We know that some banks are successfully preventing fraud. What is it that their doing that sets them apart from some of the scenarios that you've discussed and that I know are in the research?
AUSTIN: We're working with hundreds of banks and credit unions that are being very successful in stopping fraud. The first thing they do, as the recent FFIEC guidance indicated, is they're taking a layered security approach. They're not trying to have a one-size-fits-all solution, so they're taking the layered security approach. The center piece of that layered security approach is behavior-based anomaly detection as the foundation. That's using all the data in the banking system, whether it's online, mobile, ACH or wired data, and using that and accumulating that to really understand normal behavior and detect anomalous behavior that's seen whenever a fraud attempt's tried. The other thing that they're doing is they're protecting all account holders. They're doing it in an automated fashion and this has been proven to stop the widest array of fraud attacks and the widest array of threats. So it's very, very effective and we see evidence of it everyday that banks can really do a good job using these kinds of techniques.
FIELD: You talked about the questions that businesses need to be asking of banks. What if banks really need to step up to answer some of these questions?
AUSTIN: I think the business market views the bank as the expert, and the banks and credit unions need to step up to become experts at detecting and preventing fraud. They need to deliver the fraud prevention capabilities that their clients are looking to them to provide. The study found that in most cases, the small/medium business discovered the fraud themselves after the money had already left, and that really does not speak well to the bank's capabilities. These financial institutions need to get better and they need to get more proactive. They should not be waiting for the transaction to occur. Fraud is detectable much earlier.
If you're using behavior-based analysis and anomaly detection, you can detect the fraud much sooner than the transaction. That's [a] much better time to prevent it. The study found that [in] 73 percent of fraud cases the money was transferred before the fraud attack was discovered. That's just a terrible, terrible result. The money would have already left in 73 percent of the fraud cases before the attack was detected. It makes it much harder to try to recover the funds. It makes it much harder to remediate and the chance of loss is much higher. The FIs need to do a better job at detecting fraud earlier and proactively stepping in to prevent it.
Third, they need to develop internal communications. Fraud initiated in one channel like online could end up in another like ACH. It could be enabled through information in the online channel and then executed in the ACH channel or the check channel, so that internal communication within the financial institution between the different areas and payment systems is really important.
Finally, I think there's a huge opportunity here. I think the banks that are getting this right can use this as a competitive advantage. Businesses are looking for this. They expect this level of expertise, and especially right after a business leaves another financial institution because of a fraud attack or because they don't think they were able to protect their account, this is a huge advantage for somebody to go to market and portray their capability as a real competitive advantage.
FIELD: Very good. Well, the study is done. The report is up. Where can our audience see a copy of this report?
AUSTIN: It's featured on the homepage of our website: www.guardiananalytics.com.