How is application fraud evolving? And what should fraud leaders be doing to manage fraud risk in a digitally connected world?
To answer those questions, we spoke with a man with 25 years of experience in fraud management, Bob Shiflet. Before joining FICO, Bob served as the Global Head of Fraud at both Citibank and Bank of America. In these roles, Bob was a true fraud practitioner, responsible for leading high-performance teams across strategic and operational roles and policies and working closely with his peers in Risk, Compliance, Security, and LOB functions across the business to protect the bank, its clients, and its employees. In this blog, Bob shares insights into best practices he’s found for creating a culture of fraud prevention.
In your roles at Citi and Bank of America, what did a day-in-the-life look like?
Managing fraud risk for banks is a very dynamic, fast-paced, exciting and complex responsibility, and one day is never the same as the one before. The people, processes and systems must be well-aligned and integrated at all organizational levels to adequately prevent and detect fraud. To execute this critical task of protecting the clients, employees and shareholders requires ongoing collaboration and teamwork between many different internal and external groups.
Fraudsters are adapting to the changes in the banking landscape — in fact, they are embracing changes! They constantly evolve tactics to systematically exploit weaknesses and vulnerabilities. For banks, that means the right processes and technology must be managed by knowledgeable people to respond to any fraud scenario immediately and agilely.
How did you liaise with other groups within the business? What are your lessons learned and insights into the best way to engage?
The fraud function touches and impacts every operational area, function, and channel within a bank. Prevention and detection must extend across the customer lifecycle, and therefore interaction with groups such as Marketing, Legal, Risk, and IT is required to help balance customer experience and top-line growth with operational fraud losses.
This balancing act ultimately requires banks to set a fraud risk appetite. A formal fraud management operating model should be collectively defined and adopted by the bank. The roles, responsibilities and business routines must be clearly defined and aligned to business channel, fraud type and control step (prevent, detect or recover).
One way to look at it is that every single customer capability, like opening an account, transacting on that account, maintaining and/or updating information on that account, etc., is a capability a bad actor can abuse to commit fraud.
How have you seen application fraud evolving over your career, and what are the impacts from a technology and operational perspective?
Actually, application fraud and identity theft were the primary fraud risk concerns back in the early to mid-‘90s. Then, as fraud protection controls got stronger, the risk migrated to card fraud. However, we’ve now come full circle and are seeing a global resurgence in identity theft (as well as card not present or CNP fraud). This is primarily driven by the large rise in data breaches and the roll-out of EMV and chip cards in the United States.
While the flavors of application fraud, such as first-party fraud (including synthetics) and third-party fraud (identity theft), remain the same, the attack methodologies have gotten much more complicated and sophisticated. These methods include brute force attacks and cross-channel social engineering. Additionally, fraudsters are exploiting additional attack vectors in online and mobile channels.
The good news is that fraud management control technologies, capabilities, solutions and supporting analytics have also gotten more advanced and sophisticated. Application fraud controls must evolve quickly to respond to emerging threats in real time while balancing that with customer experience.
Today consumers expect that they can apply for a financial relationship at any place, at any time, on any device, from any channel, for any product, while expecting an immediate decision. To meet this demand, application fraud controls — including analytics — have to be targeted and aligned to specific application fraud risk types, whether true-name, manipulated, synthetic or stolen identities, and whether the exit strategy manifests as first-pay default straight-rollers or bust-outs. The offense methodologies differ for each and so should the defense.
Leveraging advanced adaptive analytics upfront at the point of application is critical to enabling automated processing, reducing the number of applications alerted for manual review, and minimizing related operational expense. Even more critical, control capabilities must include agility to quickly adjust to rapidly changing attack vectors, complemented with a layered approach where prevention control capabilities are integrated with detection control capabilities in order to minimize loss severity and increase application approval rates. This also requires thinking big across the risk and fraud continuum; these teams need to work together.
In today’s digital world, fraud attacks proliferate and exploit weaknesses in our fraud and risk controls quickly. How do you manage fraud risk in a digitally connected world?
Faceless transactions make identity verification and authentication even harder. Banks are challenged with balancing between the customer experience and the right level of fraud defense.
A key imperative of your fraud management framework must be to understand the risk associated with the channel and product, and deliver with minimal friction. This involves many stakeholders and participants in the digital payments ecosystem, including banks, processors, acquirers, telcos, gateways, merchants, ISOs and MSPs. Fraud managers must understand that there will always be control gaps and must design fraud controls with this assumption in mind.
Lastly, the ability to measure and quickly recognize outlier behaviors and new fraud trends is critical in the digital ecosystem. Once risk is identified, the bank must be able to respond quickly and close that gap. The bottom line is that fraud risk controls must be customer-friendly, agile, layered, integrated and enable real-time risk assessment to support the complexity and speed of the digital world. There is no single tool or score that can be effective against the complex and ever-changing risk vectors in the digital space.
Improved client experience is a top strategic pillar for many financial institutions. How do you manage the art of detecting fraud while reducing impact for the good clients?
Fraud managers should always have two primary business imperatives: the fraud management imperative (protect the clients/bank) and the customer satisfaction imperative (delight the customer).
Fraud managers should consider complementary solutions and technology that shift the fraud control strategy from customer-involved or “active” controls to more hidden or “passive” controls (behavior-based analytics, device print, etc.). The sophistication and complexity of fraud control should truly be invisible to the end customer.
FIs are innovating at an ever-growing pace. New products, new channels, marketing campaigns… all these business changes have implications for fraud. What are the best ways to manage the moving targets, and help the business foster innovation while protecting the bottom line?
It’s critical that fraud managers are organized and structured around acquiring and implementing fraud tools and capabilities. The very first step is to conduct a proper “as-is” control capabilities inventory and gap assessment, and make sure it is well understood across the organization. Fraud tools and control capabilities must align to both the business’s strategic direction (e.g., digital banking/online payments) and current and emerging fraud risks (e.g., real-time payments, fraudulent applications).
The secret sauce for fraud management will always be in the convergence of the technology solution, the processes and the people to truly gain the most value out of tools and capabilities, and optimize their effectiveness and efficiency.
I have interacted with literally hundreds of financial institutions over the last 25 years, and I would estimate that less than 10% of these organizations have completed a comprehensive fraud capabilities assessment, defined the target end-state, prioritized their control capabilities and put in place an execution roadmap.
The fraud management team needs to be a core part of an organization’s business strategy and product development processes and routines. It needs to educate, quantify and make recommendations on how to best control the fraud risks associated with any given business strategy or product.
A good way to think about the fraud team’s primary focus is that fraud risk should never become the constraint or reason an organization can’t grow the business with any product, channel, or strategy. With the technology and analytics available today, there are always ways to design the proper prevention, detection, and recovery controls to support any business product or offering. The fraud management team should not be looked at as the team that says “NO” — it should be the expert team that says “YES”.
Thanks so much, Bob, for your insights today! We look forward to sharing more about fighting application fraud in next month’s post.
For more on application fraud, check out my recent posts here:
- Trends in Application Fraud – From Identity Theft to First-Party Fraud
- Best Practices in Establishing Your Fraud Risk Appetite
- ELI5: What does the Dark Web have to do with Application Fraud
- What Data Do I Need to Fight Application Fraud?