190 likes | 370 Views
Fraud – Best Practices for Banks. Overview of the material. Why bank executives are interested in fraud Background on fraud Eight control points every bank should have The value creation process. Fraud is increasingly on the minds of bank executives.
E N D
Overview of the material • Why bank executives are interested in fraud • Background on fraud • Eight control points every bank should have • The value creation process
Fraud is increasingly on the minds of bank executives. • Losses: Perpetrators are utilizing technologies to their advantage: gathering personal data and duplicating documents and signatures. • Studies: In a 2002 ABA survey almost 40 percent of respondents ranked “identity theft” as the number-one threat to the banking industry. • Press: Recent coverage has brought the issue into a public spotlight. • Customers: Increasingly involved as victims and aware of fraud risks. • New Regulations: Attention to risk has been raised bytheUSA Patriot Act,Basel II, Sarbanes-Oxley, Check 21, etc.
The Check 21 Act will soon lead to a shift in fraud vulnerabilities and controls. Banks should pro-actively address these issues. • On the plus side, opportunities for deposit frauds and kiting will be significantly reduced by faster clearing of checks and faster returns of bad checks. • On the negative side, all the paper and printed controls built into the physical checks will be of little value in the new electronic clearing environment. • New techniques should be developed and employed in the new environment. • Electronic signature verification (both maker and endorsement) • Straight-through electronic processing of returned checks to the depositor. • Revised paper and print authenticity techniques • Wider use of “positive pay” and “reverse positive pay” (comparison of issued to cleared files) and internal double-pay traps. • Combined analysis of check and other frauds, as it is becoming less clear what items are “checks” vs. ACH, “E-check”, or some other payment form. • Cooperative identification and analytical techniques
Overview of the material • Why bank executives are interested in fraud • Background on fraud • Eight control points every bank should have • IBM roles in the value creation process
Most bank frauds involve a two-step process: • Obtain some form of false identity. Essentially no one is dumb enough to commit bank fraud using their own name, address, and social security number. They have three basic options: • Make up an identity. • Steal someone else’s identity or “identity tokens” (i.e. PIN, card, check, signature, personal data) • Buy an identity or identity tokens stolen by someone else. • Obtain money by executing transactions. Usually one of the following: • On-us fraud: Take funds from someone else’s account. In some form or another, this involves pretending to be that person. • Deposit fraud: Get the bank to credit funds to an account (which do not belong there), then quickly withdraw the funds. • Credit fraud: Obtain assets on someone else’s credit, (ie. Establish a loan, credit card, overdraft line, or lease).
Why is the “Identity Theft” aspect of fraud getting so much attention lately? • It is a large and still growing problem. • In 2001 “Identity Theft” became the #1 consumer fraud reported to the FTC. • It is still the fastest growing reported fraud, per the FTC. • The losses are mostly absorbed by banks and corporations, not individuals. • On average an incident took over a year for the victim to become aware, so annual incident and loss numbers may be understated. • It is large but a lack of a common definition and study methodology has resulted in a wide variety of data points from various studies: • Aberdeen Group estimates global 2003 losses at $221B and US losses alone at $74B with a 300% CAGR (i.e. $24B in US in 2002), while Synovate reports the losses as $53B in 2002 in a study for the FTC. • The Synovate study said some 10 million people were hit by ID theft in 2002; while a Gartner study put the number at 17 million, and a Center for Social & Legal Research study quotes the number at 7 million. • Average loss per incident is high (reported at between $4,800 and $18,000 per incident by various studies).
Identity aspects of fraud can take three forms: • Unauthorized transactions (using ID tokens) • Check forgery (either the maker’s signature on the front or the endorsement on the back) • Stolen cards used at ATMs or stores (with stolen PIN or forged signature as ID) • Charges to cards online or by phone with no physical card • Cash-back requested on a bogus deposit • Account takeover • Credit cards left open but dormant may be reactivated at a new address • Lines of credit taken over and activated • Deposit accounts or annuities rerouted • Retirement accounts may be the best targets due to both size and the time since establishment • New accounts • Credit cards set up with false or stolen ID • Loans taken out against someone else’s good credit • Cars leased under someone’s name • Deposit accounts established then overdrafted • Accounts set up with links to existing accounts (with the intention to transfer funds later). • Insurance policies set up then used fraudulently
Check fraud $ loss amounts reported vary widely. • Attempted check fraud at the nation’s banks surpassed $4.3 billion in 2001, doubling for the second time in four years, according to an American Bankers Association Deposit Account Fraud Survey Report. • But the same study indicated actual dollar losses to the banks remained relatively stable at $698 million. • A 2003 National Retailers Federation survey put total check fraud losses at $12 billion annually. Much of this represents losses taken by retailers. There may be value available for a bank that helps its customers avoid these losses. • Studies indicate half of check fraud is related to credits for bogus deposits and half is related to bogus debits against customers’ accounts.
ACH, a once-pristine world, is seeing fraud is on the rise. • Few fraud controls were built into the system since its typical file originators were major corporations, governments, and financial services companies, unlikely fraudsters. • Access has been expanded over time and its use now includes… • POP (point of purchase): Creation of ACH debits at a cashier’s station based on a scan of the check presented by the retail customer. • ARC (accounts receivable conversion): Lockbox processors and utilities are capturing check data and clearing the payment via creation of ACH debits. • Returned checks: Banks are attempting to collect on returned checks by representing them as ACH debits. • Recurring payments: Companies providing monthly services offer customers the option of ACH debits to their accounts. • One-time payments authorized via phone or Internet leading to creation of ACH debits. • The result is a rapid increase in ACH related fraud: • Fraudulent ACH debit transactions are hitting both consumer and corporate accounts. • Fraudulent ACH credits received which will eventually be reversed or “reclaimed”. Regulation E provides that ACH transactions can be reversed for a period of up to 60 days (compared to a normal check return period of 24 hours).
Credit fraud is largely an issue of borrowers utilizing others’ good credit. • U.S. banks reported $1.5 billion annual credit card fraud losses in a recent survey • A recent study by ID Analytics Inc. indicates 88% of borrowing fraud is mis-categorized by banks as “credit losses”. • In any case, the losses are generally traceable to either… • Decisions made by bankers when accepting bogus loan applications or • Bogus payments made out of legitimate lines of credit by perpetrators pretending to be the actual borrower.
Overview of the material • Why bank executives are interested in fraud • Background on fraud • Eight control points every bank should have • IBM roles in the value creation process
Banks should be addressing fraud at every possible point. Eight points of control where fraud can be addressed are: • Four Identity-Related Opportunities: Perpetrators’ actions: Bank’s controls: Establishes false ID Uses ID to obtain a bank account Maintains account undetected Tries to take over a valid customer’s account 1. Avoid being a source of ID information 3. Verify legitimacy of existing customers 2. Verify identity at account acceptance 4. Validate identity during account maintenance request process • Four Transaction-Related Opportunities: Attempts transactions at the bank Attempts transactions through other banks Leaves patterns of bogus activity Spreads reach using other perpetrators Perpetrators’ actions: Bank’s controls: 5. Stop bogus transaction at first point of touch 8. Analyze losses and create feedback to policy, process, and systems design 7 Apply analytical software to identify accounts with unusual activity patterns 6. Recognize bogus payments at point of presentment by another bank
Overview of the material • Why bank executives are interested in fraud • Background on fraud • Eight control points every bank should have • The value creation process
There are several ways to add value in the area of fraud: • Reduce fraud losses • These may be over $200 million per year in a large bank. • There may also be value in helping customers avoid losses. • Reduce total costs of the anti-fraud efforts by increasing efficiencies • New strategies and tactics • More and better tools to focus work on the right items • Better targeting/focus of efforts • Balance of reactive vs. proactive activities • Reduce costs related to "false positives" • Reduce the costs of placing unnecessary holds by better targeting • Reduce customer irritation (and loss of some customers) • Increase recoveries • From perpetrators • From other banks at fault
Software is part of the answer. We have plotted over 120 products to illustrate the anti-fraud market’s depth and breadth. OFAC AML Transaction Employee Other Credit Deposit Claim Identify • FACFile • FACFilter • FACline • FACScreen • FACSPC • Homeland Tracker • Hotscan • OFAC Alert • OFAC Reporter • OFAC Tracker • OFAC Watchdog • World Tracker • ASSIST//ck • Address Validation • AFACS//web • Application Risk • Manager for Identity Check • AuthoriCheck • AutoIndex • Bank InfoLInk • Bankruptcy Search • CP Authentication Services • CP Online • CreditScan • Customer Manager • Debtor Discovery • Detect • eIDverifier • Equifax Gemini Verify Score • Fraud Detect • Fraud ID-Tect • Fraud Screen • Fraud Shield • FraudPoint • GeoLocator International IP Location • GeoPoint • Global Watchlist • HAWK • ID Search • InstantID • LeaseSafe • National Criminal File • National Phone Directory • PayBond • Payer Authentication • Peoplewise • Reverse Phone Append • RiskFinder • Safecheck SSN Verification • ScreenNow • Secure Point • SENTRY/Batch Review • SENTRY/SigCheck • SENTRY/Signature • Signal IVS • SQL Direct • Total ID • TP Review • Transalert • Vendor Screen Prevent • ACI Proactive Risk Manager • BASE24-refunds • Case Review • Chargeback Defender • Electronic Loan Review • Falcon Fraud Manager for Merchants • Intelligent Lockouts • WinRefunds • WinStoredValue • BASE24-check auth • FraudLink Deposit • FraudLink Kite • FraudLink On-Us • FraudLink PC • PayPositive • SENTRY/Detect • SENTRY/Exception • SENTRY/Monitor • WinCheck • Business Manager • BSA Reporter • National Center for Reporting Fraud • Fraud Detection Manager • ISO Claimsearch • Risk Manager • Falcon Fraud Manager • Kiting Detection System • Kiting Management System • RiskTracker • Vector:Detect • Vector:Kite • COMPLY/CTR • COMPLY/EPS • COMPLY/kyc • COMPLY/SAR • Fraud and Money Laundering Detection • IEF - AML • IEF – Fraud • Investigation Manager • MLD Manager • Money Laundering • Risk Manager for Money Laundering Detect • CardAlert Fraud Manager • FraudAnalyzer Neural Network Risk Score • FraudShield • MasterCard RiskFinder • Pre-funding Comprehensive Screening and Audit • Directed Audit Services • FraudLink Positive Pay • Risk Management Assessment Asset Searches • Consulting Services • eFraudLink.com • Fraud and Educational Seminars • Fraud Solution Consulting • FraudBan Community • FraudDefender • FraudLink eTracker • National Fraud Center • Risk Analysis • Brokerage and Investor Protection • Claims Advisor • NetMap for Claims Other • WinCollect • COMPLY/Wire • Loss Tracking • FraudLink Core
Properly managed, the improvement process goes through standard steps: • Identify fraud as a business problem worth a fresh look. • Review the existing processes, systems and results. • Architect a "target environment" with improved processes, systems, and results. • Perform gap analysis to determine the required improvements and determine the projects required to achieve the capabilities of the target environment. • Lay out a path to the target environment in terms of the specific capabilities required, the timeframes, and the business case for their creation. • Select and implement specific components (software, process reengineering, policy revamps, etc.) through specifications, design, build, test, pilot, and roll-out. If the process started after Step 2, it may be a good idea to loop back to Step 1 and start afresh, looking at the big picture.
Presented by: • JimGeorge@Ureach.cpom 360.798.9202