In the midst of the battle to thwart both criminals and their subversive efforts to access customer data and plunder customer bank and card accounts, FICO convenes a regular Fraud Council consisting of practitioners, consultants, product developers, analytic experts and product managers to discuss best practices and to share trends. The Council members typically work directly or indirectly with financial institutions across the globe.
The last Council revealed some interesting findings based upon our experiences across the credit sector. Strategic and tactical defenses continue to squeeze losses out of previous areas of significant fraud exposure. These include counterfeit fraud, certainly in EMV payment card markets or where the level of check utilization is dwindling; mail intercept, with increasing volumes of statements and other bank communications moving online, and the delivery of financial instruments being more tightly controlled; and loss/theft, with activity profiling and monitoring across a customer relationship spotting irregular attempted use earlier, and with faster communication channels dramatically reducing the window of opportunity for fraud utilization).
But as we squeeze the balloon in one area, it bulges in another. Here are three areas that are seeing fraud growth in multiple global markets.
Prepaid and gift cards. These are becoming far more ubiquitous and have traditionally been seen by institutions as lower risk, believing that they can only be used for the prepaid value. Of course, many of these cards do not have the physical and virtual security capabilities of traditional payment cards. They may be anonymous; they may not be embossed; they may only rely upon a magnetic stripe; and they therefore are susceptible to relatively low-tech attacks. There are also control problems that arise around issue, with the person acquiring the card often not needing to be identified; around loading of the credit value, with the risk that the funds used might not be authorized or cleared value; and around use of the card, with the stored value being manipulated or incorrectly adjusted. One of FICO’s multi-national clients has, however, had considerable success applying the disciplines from credit card protection to prepaid cards, and the Council believes that this is the way forward.
Insider or staff fraud. Financial institutions have for years seen what were believed to be isolated cases of insider abuse, typically for relatively low values. But the uncovering of such examples have become steadily more prevalent, some involving far more significant sums, and the nature of the internal fraud or abuse has become far broader, often attracting regulatory attention around the globe. Individuals acting outside of their authority, or apparently collusively, have led to public scandals and even large fines. This “enemy within” can arise for a number of reasons, ranging from self-interest to coercion and even the casual opportunist. Organizations need to take a holistic approach to managing their staff (and internal supplier) risks, including:
- Education and support
- Dual- or multiple-variable authorisation protocols
- Robust and well-policed business controls
- Active and passive detective processes
- Profiling (event, access, person) and random checks
- Strict and public enforcement
First-party fraud. This is essentially where a “customer” uses their own identity or fabricates one, rather than posing as someone else, in order to accumulate as much credit as possible before they “bust out” and disappear with all the proceeds. Some of these first-party fraudsters are intent on making a quick return soon after taking out a new facility, but others will play a long game – sometimes over years – to lull the bank into a false sense of security and thereby gain access to even larger amounts. Loss levels in this area can often dwarf traditional third-party fraud, and there are cases where it accounts for more than 20% of bad debt that has to be written off. Experience across the FICO consulting and analytic community has shown that such behavior can be accurately predicted based upon certain behavioral characteristics. We can produce predictive models to help financial institutions to either avoid or mitigate the losses.
The Council continue to monitor and assess both qualitative and quantitative trends as the war on fraud continues. I will be blogging on other trends and changes to the fraud modus operandi as they arise.
