THE BANKS, THE CUSTOMERS AND THE FRAUDSTERS
By counter-fraud expert Paul Ewen, AGS Risk Solutions
Historically a stick-up robbery was the recognised means of stealing from a bank. Those were the days when fraud was a relatively simple affair; an amateurish attempt to forge a signature on a stolen cheque to change the payee or to add a Zero to make the amount £1000 instead of £100. But as financial institutions develop ever new means of engaging with their customers online, fraudsters are constantly discovering new avenues to easy riches.
While major corporations spend millions developing comprehensive counter fraud technology, there is one constant in the problem: the lowest common denominator which remains the customer. By encouraging the use of new technology with its self evident cost savings, banks are enticing customers to adopt new means of using their accounts by offering online banking guarantees. In doing so the banks are transferring the risk onto themselves as they rely more heavily on the security consciousness of you and I along with our varying degrees of computer literacy and antivirus solutions.
People are by their very nature susceptible to deception. Some are easily deceived by the fraudster who calls them pretending to be their bank’s counter fraud team while others leap into answering a range of security questions in a phishing email. Protection on home computers or mobile devices ranges from the non-existent to the very best software that money can buy in the public arena. Yet despite these security measures it only takes opening the wrong email to make someone the victim of high-tech criminals capable of utilising every variety of malware, worms, Trojans and key logging, some of which are sophisticated enough to react only to the opening of online banking portals.
Of course, sometimes the customers themselves are the perpetrators; especially when it comes to application frauds in areas as diverse as credit cards, current accounts or mortgages.
As lenders move to stricter controls in assessing the ability of applicants to manage their finances, some customers are inclined to fabricate their financial histories – creating false companies, falsifying proof of income documents and references. The availability of a wide range of false documents on the internet assists both these first-party fraudsters, and also those wishing to create entirely false identities. The latter can often be linked to a wider transnational organised crime group.
While the measure of success for counter-fraud investments is the growing number of identified frauds, combating those attempts will continue to constitute a drain on bank resources. In the ever growing war between the fraudster and the bank, the bank will of course continue to implement and develop new technologies or processes, utilising ever more advanced card readers or biometrics, automated transaction monitoring, enhanced Know Your Client (KYC) requirements and other developments. But will this ever solve the problem? Unlikely. Instead we are lodged inside an ever growing technology spiral with the fraudsters, with cross border organised crime the likely opponent rather than the single thief who steals a purse to discover the card and pin number written down by an elderly customer.
One means of countering the false identity and fraud problem is by utilising comprehensive, real-time risk screening software which can be integrated into the financial institutions’ own systems. Typically such software consists of a database to record previously identified fraudsters or risk addresses, computer IP addresses, phone numbers and similar. These can be provided from either from the company’s own databases or cross industry datasets, such as CIFAS.
By setting up a series of bespoke rules, datasets and algorithms agreed by the bank with their own information and other commercially available data from the wider credit referencing, occupier and electoral rolls, we can seek to create an ever evolving barrier to the fraudster.
In addition to live screening such software can perform post event data washing against matrix rules to enable us to map key patterns of risk, frequency, geographical location and such to provide invaluable information to feed back into the rule development thereby making the screening smarter and seeking to plug any gaps that might have existed or been created by the fraudsters adopting new tactics.
One key to maximising this potential though rests in making core data available not only cross-industry, but also cross-border and cross-sector.
For example, both the insurance and retail sectors keep large fraud databases but this data does not move around as freely around the global village as transnational organised crime groups. And fraudsters will not only ignore national barriers, but will also cross sectors with ease – having created a false persona, why restrict oneself to defrauding a bank when at the same time you can use that self same persona to make false insurance claims, to steal from retail businesses or from government.
We must ensure therefore that we are not above engaging with colleagues in other sectors, and that we are actively seeking to create frameworks for the exchange of data in an appropriate and compliant manner. The Insurance sector already operates a number of internal systems, based around the Insurance Fraud Bureau (IFB), The Insurance Fraud Register (IFR) and Insurance Fraud Investigators Group (IFIG). Both the IFB and IFIG are recognised by Government in the Serious Crime Act 2007 as SAFO (Specified Anti Fraud Organisations) for the purpose of data sharing with public bodies, and this can surely be used to create a framework of trust with the banking sector to open the doors for the creation of a suitable exchange protocol.