Inside 2011 Business Banking Trust Study
Banks, Businesses Poised to Win War Against Account Takeover
This is the main headline of the 2011 Business Banking Trust Study conducted by Guardian Analytics and Ponemon Institute.
In an exclusive interview about the survey results, Terry Austin, President and CEO of Guardian Analytics, discusses:
- Key survey results and what they mean;
- How banks and businesses can turn the tables on fraudsters;
- Strategies for fighting fraud in compliance with draft guidance from the FFIEC.
Prior to joining Guardian Analytics, Austin served as CEO and president of MarketLive, a leading provider of eCommerce platform solutions, where he created a scalable business strategy, assembled a world-class executive team and led successful fundraising efforts. He was previously president of worldwide marketing and sales at Good Technology, a provider of mobile computing solutions, where he spearheaded the company's rapid growth from 10,000 to over 500,000 subscribers and facilitated its acquisition by Motorola in January 2007. Austin has also served as president of EMEA and executive vice president for Manugistics, a market leading provider of enterprise software. He started his career at Accenture, where he ultimately led an $80 million consulting practice as a lead partner.
TOM FIELD: Terry, just a little bit of background on this study please if you will.
TERRY AUSTIN: Absolutely. This is a study that we commissioned starting in 2010. So, this is our second year running this study, and the focus is really to understand the small and medium business market, how they're experiencing fraud and in particular online fraud, what rate of fraud they're seeing and what their attitudes and reactions are to the fraud problems.
Are We Better Off in 2011?
FIELD: Let me ask you up front. Are we better off in 2011 than we were in 2010?
AUSTIN: I guess the bad news, Tom, is that according to the data we really haven't moved the needle as an industry in stopping fraud. From any measure, the amount of online fraud is about the same as it was last year. The amount of businesses and banks that lose money as a result of fraud is about the same as it was last year. This has been a big headline grabbing issue now for some time, and while I think the industry awareness on the issue has really gone up, there has not been enough decisive action to really move the needle in concerns of this data. So I don't think we're better off this year than we were last year, but I'm hopeful that we will be as we move forward.
Study's Headlines
FIELD: Well, it sounds like you're hinting at this now. What would you say is the major headline of this year's study?
AUSTIN: Well, I think there are probably four major points that I'm going to emphasize as the headline news here. The first is that account takeover fraud is very widespread. We surveyed 533 small and medium businesses with average revenue of $20 million. These were businesses across the country from every geography, from every industry, and in 56% of these businesses we surveyed they had experienced fraud in the last 12 months. 61% of those victims experienced more than one incident of fraud, and in 75% of those cases it was online related. It was online takeover or online fraud. So, the cybercrime epidemic is here, and it hasn't gone away at all. So that's point one. It's very widespread.
The second point is that the reaction and detection is still occurring in the large majority of cases after the money has already left the financial institution. In 78% of the cases this year, I think it was 80% last year, money had left the bank before any fraud attempt was detected from any technique that's being used by either the business or the banks. So we're not being proactive. The industry is not being proactive in detecting fraud, not yet anyway.
The third major point is that everybody is losing. In 50% of the cases, the business lost money, so the funds weren't recovered -- the business wasn't made whole. And in 37% of the cases, the bank lost money. So it's pretty evenly distributed loss, and everybody is losing money from these cases. Nobody is immune.
Then it's particularly acute for the banks -- and this is the fourth major point. Businesses expect their banks to take responsibility for this issue. 70% of the respondents said they thought it was the bank's responsibility to protect them from fraud, and 43% of the businesses that were surveyed said that they would change banks, they would take their business elsewhere, because of a fraud incident. So, the bank kind of loses on multiple fronts in this situation. They lose money, and they potentially lose their customers as well.
So what is the big headline? Fraud is widespread. It's not being detected proactively. Everybody is losing money, and the banks are at a real risk of losing their customers.
Lack of Progress
FIELD: Well, Terry, from my spot on the sidelines it seems like as an industry we threw an awful lot at this problem in 2010, but seemingly there's no progress been made against account takeover fraud. What's your take on that? Why has there been no progress made?
AUSTIN: Well, I think that's right. I think there is a technology adoption cycle that takes some time to play out. 2010 was an awareness year. This is headline news. There was a lot of activity and examination of the issue, and there was a lot of growth of understanding, and some of our data suggests that the education and awareness level has gone up, so there is some good news there. My sense is that it's taking some time for the industry to fully come to grips with the size of the problem and the tools and techniques that are available to them to really combat this. We're certainly seeing in our business a big growth of customer updates. We've seen huge growth in the customers using our products, but we're still relatively small in terms of penetration in the industry. We're hopeful that with this growing awareness that more financial institutions are going to step up to the next layer of security here and do what it takes to really stop this problem but we haven't seen it. It's not widespread enough to move a needle.
Tools and Techniques that Work
FIELD: Terry, I know that Guardian Analytics has had some success. From your experience, which techniques and technologies have you found to be effective at fraud detection and prevention?
AUSTIN: Well, Tom, we specialize in behavioral analytics, and what we do is we monitor all the activity in the online banking system at an individual accountholder level and we detect anomalous activity that is usually the precursor of the fraud. So by creating this very detailed behavioral model that we can use to monitor all the activity in the online session, we can very effectively spot the anomalies and the high-risk action that lead to fraud, and we've been very effective at stopping all manner of fraud regardless of the type of threat, the type of malware, the type of effect. This technique has been shown to be incredibly effective, and we really think that this behavioral analytics approach -- the monitoring and anomaly detection -- is one of the key layers that the industry will adopt to defeat the cybercrime problem.
Message to Banks, Businesses
FIELD: Terry, I had a chance to go through the report and I noticed at the end you summarized two separate messages to the banks and to the businesses. If you were to characterize the message to the banks, what would that be?
AUSTIN: First off, it's been a tough environment for the banks for the last few years. It's tight credit, there's a lot of pressure on fees, there's a lot of change in the banking industry in general, and banks can't afford the financial hit or the customer losses that the cybercrime has been afflicting on them. It's really time to treat this as a top strategic priority. The tools, the techniques and the technologies are there to win this war, and there is example after example of it. We really think it's time for banks to see this opportunity and to make the strategic investment its priority and it's a real opportunity.
Banks can be the heroes in this war, and they can really use this as a way to strengthen their trust relationships with their customers. They can play a leading role and really build on the vulnerability and create trust, and the vulnerabilities are only going to get worse.
One of the survey questions highlighted just a rise in mobile banking, which just multiplies the number of vulnerabilities that the banks are going to see because there's just more access points out there. So they can prepare for the new risk that remote workers and mobile bankers introduce and again step up, be the hero. They can rely on user education as an approach to fraud prevention, which has been proven over and over again that that's not enough. You have to think of education as just not enough to solve the problem, and there's a more strategic approach that they can take and a more holistic approach they can take. So that's kind of a summary of the message for the financial institutions.
FIELD: You spoke earlier about the shared responsibility of the businesses. So what would you characterize as the message to the businesses?
AUSTIN: Well, the business does have a role to play, and while their attitudes have really placed a lot of the responsibility on their financial institution, there is a definite role for these small businesses to play. I don't think it's realistic to expect the small businesses to be security experts or to be technology experts, but they really can devote some time to understanding what their contractual relationship with their bank is regarding security, who's responsible for what, what the fraud loss policies are, and they can choose where they're going to do business. They can really have a constructive dialogue with their financial institution and understand what their bank is doing to protect their account, what policies and procedures, what rules and technologies that their bank is using.
Then there's an active role for the small business to play as well. They need to pay attention to their account, look for unusual activity, look for missing funds, and really I think it is incumbent on the small business to educate their employees about their risk and make sure they're not doing just foolhardy things that put them in harm's way. So there's a role here for their business to work in collaboration with their financial institution to really get those right.
Pending FFIEC Guidance
FIELD: Terry, just a final question for you. As you know, the FFIEC has come out with a draft of guidance about online banking, and account takeover was a big part of the dialogue in that draft guidance. Given what we have seen and this direction the FFIEC is headed in, how would you say financial institutions can both fight fraud and be in compliance with the guidance that might be coming down the pike?
AUSTIN: Well, that's a great question, and we certainly don't know when the guidance will come out or what it will contain. But based on what has been articulated or what's been seen, I think the potential is that it's going to be a lot more specific and that there is going to be a call for a layered approach to fraud prevention that's going to include some of the things that have been done in the past, but is also going to extend the expectation to include proactive monitoring and anomaly detection among other things. And I think the financial institutions can look at that agenda. There are absolutely affordable and accessible solutions in the market that can meet those requirements, and I think if the financial institutions take it on board, treat it as a strategic priority or imperative, they can really incorporate that guidance, be in compliance with it and be doing the right thing for their customers and for their business in the long run.
FIELD: Very good. Terry, where can people learn more about this new study?
AUSTIN: If you go to Guardian Analytics.com the executive summary is available for download and the full study will be available shortly.