How to Prioritize FFIEC Fraud Investments
Conformance is a Process, Not a One-Time Event
Financial institutions are making big investments in technologies and systems to ensure conformity to the FFIEC's updated Authentication Guidance. But are they investing in the right things?
Aite analyst Shirley Inscoe says most mid-tier banks and credit unions seem overwhelmed by too many options and too little tech knowledge.
And after reviewing preliminary results from BankInfoSecurity's recent 2012 Faces of Fraud survey, Inscoe fears most institutions are not making wise investments for long-term security.
"The respondents seemed overwhelmed, and they also indicated that they didn't feel senior management either understood or was as supportive of their efforts as they wished they were," Inscoe says in an interview with BankInfoSecurity's Tracy Kitten (transcript below).
One of the results to come out of the survey is that cross-channel fraud detection continues to be a problem for institutions. "It's very difficult to tie activity together over a large number of bank systems and detect fraud in a real-time or near real-time environment," Inscoe says.
How should banking institutions make strategic investments?
Inscoe says banking/security executives need to look for fraud-detection systems that monitor a variety of fraud schemes, "not just one silo, like check fraud or debit card fraud."
"They need to be looking for a vendor that can help them with multiple types of fraud, and hopefully tie information together, in an attempt to identify cross-channel fraud when it occurs," she adds.
Most importantly, institutions shouldn't rush to buy anything. "Take the time to do a thorough risk assessment right now," Inscoe says.
During this interview, Inscoe discusses:
- Why it's critical for banking/security leaders to first consider the intent of the updated guidance and communicate their individual security needs with federal examiners;
- Steps institutions can take to address cross-channel fraud;
- Why training and communication with upper management will be key to making the right investments for long-term security.
Inscoe, who joined Aite in March, has 30 years of banking experience in enterprise fraud and payments issues. She has served as the chair of the BITS Fraud Reduction Steering Committee and the co-chair of Early Warning Services' Advisory Committee, and has been a member of ABA's Deposit Account Fraud and Payment Systems committees. Before joining Aite, Inscoe was the director of financial services solutions at Memento Inc., where she was responsible for guiding the company's overall strategy and supporting product development, marketing, and sales related to payments risk mitigation. During her tenure there, she worked to expand the firm's product offerings beyond employee fraud to cover check, ACH, and wire fraud. Before Memento, Inscoe served as senior vice president and director of payments strategy for Wachovia Bank, where she previously served as senior vice president and strategic support manager of enterprise loss management. She also served as corporate compliance manager with First Union Corp.
FFIEC: Making the Right Investments
TRACY KITTEN: We recently shared with you some results collected as part of our "Faces of Fraud" survey. When it comes to FFIEC conformance, many institutions say they've updated their investments, but are they investing in the right things based on what you've gleaned from the results?
SHIRLEY INSCOE: I suspect these institutions are investing in the right things to achieve the letter of the law, but not necessarily the spirit of the law, as interpreted in the FFIEC guidance. They will probably achieve compliance, but they may not see much in terms of actual fraud loss reduction, particularly in an environment where fraud attempts and the sophistication level of many attempts are increasing. Unfortunately, this is a disconnect we often see as a result of regulatory requirements.
KITTEN: Now going to our survey, only 12 percent of the respondents say they see conformance with the FFIEC guidance having an impact on reducing online fraud. Why do you think that is?
INSCOE: First of all, let me say that many of your respondents may be making the assumption that compliance is a one-time event for this guidance. But in actuality it's an on-going process. Compliance in the spring of 2012 does not automatically equate to compliance this fall. Every time their institution releases a new product, a product enhancement, or makes changes to a delivery system such as online banking, for example, they have to evaluate that change in terms of compliance and make sure they take the appropriate action at that time. Having said that, I do agree with them that detecting identity theft or online account takeovers quickly enough to avoid money leaving the financial institution is not an easy task, and many of the smaller institutions have very few fraud-prevention tools currently in their toolbox. Once the funds leave the company, it's often very difficult to recover them, so loss often results.
Cross-Channel Fraud
KITTEN: One area that stood out to me in the results that we collected was that cross-channel fraud detection continues to be a problem. What are some of the ongoing challenges when it comes to cross-channel fraud detection?
INSCOE: Despite many vendor claims, it's very difficult to tie activity together over a large number of bank systems and detect fraud in a real-time or near real-time environment. Let me use a simple example. Let's say a fraudster gains access to a bank customer's credentials through the use of malware. He accesses the customer's account online and changes the e-mail address on the account, because the bank uses that to alert customers about suspicious activity. He changes it to an e-mail account he controls. He transfers $20,000 from a home equity line of credit to a checking account. Then he transfers that $200,000 from the customer's checking account to another checking account within the financial institution that he had opened previously under a fake ID. Then he goes to a branch, obtains an official check, deposits it at yet another bank into an account he has opened for this purpose, and then wires the money out of that bank. After the institution sends the alert to the changed e-mail address, he may even change it back to the original, buying more time before the fraud's detected. His goal is to get the money out of the bank's reach quickly in case the fraud is detected. This is a real scenario that's actually enacted regularly, with variations that include bill pay, ACH and wire systems, but think of the number of systems involved in this simplistic example.
First, there's the online platform itself. A transfer was made involving two more systems, a loan platform for the equity line and a DDA system. The e-mail address was changed, involving the customer information system. That's a minimum of four systems that need to be monitored, and this was a very simplistic example. The fraudster's actions probably took less than five minutes, and if the official check was obtained within a couple of hours, it's very doubtful this fraud will be detected before the funds are wired out of the second bank. Then it's just a chase, following the money until it eventually leaves the country or is withdrawn by yet another fake ID.
KITTEN: In your experience, are banks and credit unions considering cross-channel detection as part of their layered security approaches?
INSCOE: Most banks and credit unions are rating the FFIEC requirements with goals of passing an examination. They're talking to others who have already undergone exams, learning more about what examiners are looking for. Based on any additional funding they're able to receive for compliance, they'll apply it to make sure their institution complies with the requirements. Only the smartest ones are really using this as a tool to better fight cross-channel fraud and to reduce losses effectively. Many of your respondents comment that their cross-channel fraud experiences are low and that really concerns me.
A few years ago, only the larger financial institutions were targeted for fraud, primarily because they had a large number of branches within close proximity that could be hit on the same day. With the advent of online banking, all financial institutions became targets. They began to experience fraud incidents and many of them realized they weren't well-protected. My sense is that most of the experiences in these smaller institutions have been single incidents of fraud and many of them have never been targeted by a large fraud ring that hits them hard and fast. They may be totally unprepared for that, and senior management may have the "it can never happen here" syndrome.
The Greatest Mistakes
KITTEN: So where are institutions making the greatest mistakes in their investments?
INSCOE: I think sometimes it's a mistake to consider a case management system a fraud-detection tool. When a case arises, a potential loss has already occurred. Of course, some case management systems do handle alerts as well, so that would be a good investment if it handles alerts from a variety of systems and not just the one the vendor is selling. So that's one thing I would say would be a concern. I also think that at this point in time bankers and credit union executives should be looking for systems that handle a wide variety of types of fraud, not just one silo like check fraud or debit card fraud. They need to be looking for a vendor that can help them with multiple types of fraud, and hopefully tie information together in an attempt to identify cross-channel fraud when it occurs.
KITTEN: From what you've gathered looking at the results and perhaps from some of the institutions that you have spoken with, why are so many still confused about the investments they should be making for conformance?
INSCOE: It sounds like a lack of training and internal communication. Hopefully someone in the institution has been trained or has taken time to really study the guidelines, but it doesn't sound as though all employees have been trained as they should be. Also, I was struck by how many felt there was so much to be done they seemed overwhelmed.
KITTEN: What other points or areas related to fraud detection and ongoing compliance stood out to you based on the survey results? It just sounds like perhaps it's the fact that they're overwhelmed?
INSCOE: I did think many of the respondents seemed overwhelmed and they also indicated that they didn't feel senior management either understood or was as supportive of their efforts as they wished they were, and again that could be simple lack of communication. Many have indicated they have addressed ACH and wire fraud and that's great progress. Every single payment system was mentioned in their comments though, including check, internal fraud; they mentioned every one. So it shows that they realize there really are many issues that need to be addressed and they also know that there's no silver bullet to solve these problems.
Recommendations for FFIEC Conformance
KITTEN: Before we close, what recommendations could you offer to institutions that are struggling with conformance?
INSCOE: I would like to make the point that most regulators have never been bankers and certainly most politicians have not. When these new laws and requirements are written, it's often with the best of intentions, but they really don't understand the implications of what they're writing. The bottom line is that financial institutions spend a lot of money to comply and sometimes very few meaningful results are achieved. Obviously this is not good for the regulators, the financial sector or their customers. I would urge bankers to consider the intent behind these new requirements and try to address that. Talk openly with your regulator and help them understand your environment.
In a nutshell, I'd say, even though it's 2012, don't be in a rush to buy anything. Take the time to do a thorough risk assessment right now, if you haven't already, and factor in the changes your institution is planning as well as the environment. Develop a strategic plan for the next three to five years to fight fraud and protect your customers. Prioritize investments based on the areas of highest risk and educate your senior management on the importance of committing to the plan. Document everything so that you can discuss it with your regulators. As you move forward, review your plan at least two to four times a year to make sure it's current. Be flexible to make changes when necessary. It's a plan. It's not written in stone. Fraud is constantly evolving so your plan should too.