Fraud is a serious issue for financial institutions, and it’s top of mind for American Banker magazine. The publication is offering a webinar on the subject, saying in its pitch, “Lending institutions of different sizes face ongoing threats from account origination and takeover fraud, and this risk may be increasing. According to a recent study of industry professionals, more than half of respondents feel that U.S. financial organizations are more vulnerable to bank fraud than a year ago.”
Fraud perpetrators commonly use technology: hacking, phishing and identity theft, for instance, to gain access to banking systems or accounts. Financial institutions are using technology to fight back.
“Fraudsters are attacking where the money is, and that’s banks,” said Thomas Hill, chief information officer at Live Oak Bank. “We are ground zero.”
More specifically, according to banking technology professionals, criminals are finding and exploiting vulnerable spots in financial institutions’ interactions with their customers. There are two ways of perpetrating fraud, according to Daniel Haisley, vice president of product management for Wilmington-based Apiture, a financial technology company.
“One facet is pure technology: A password is compromised, so various parties are able to log in and make transactions,” he said. “Technology is coming about so that data is being made available to banks in a way that is actionable. For example, John Customer logs in to his account online. He’s in Wilmington. Oh, now he’s in Phoenix, Arizona. The bank can now communicate that [breach] quickly to the customer. There’s a lot [of prevention] happening on the pure technology side.”
A more difficult facet, and big risk, is fraudsters’ exploitation of banking customers, Haisley added. He calls the phenomenon social engineering, which has taken on a new meaning in the context of information security: the use of deception to manipulate individuals into sharing confidential or personal information that a criminal can be used for fraudulent purposes.
“It’s getting an email, totally unsolicited, from someone you know, but it’s not quite the way that person would word things. Or an email from your bank, unsolicited, asking you for personal information,” he said.
As financial institutions and their customers conduct increasing amounts of interaction digitally, there is more opportunity for fraudulent interference, say Hill and Brad Day, Live Oak Bank’s head of loss prevention. Both are acutely aware of the risks, since Live Oak does not have branch locations and does all its business digitally.
“With branches, bankers and customers can have interaction on a personal level. With digital banking, the banks have to use electronic means to verify that you are who you say you are, not only in setting up an account, but in interacting every day,” Hill explained, adding that there are verifications that happen behind the scenes even for in-person banking, but face-to-face transactions carry much less risk than those in the faceless world of digital banking.
Day said that risk of fraud is greater in day-to-day digital transactions than in the lending process.
“Anytime you have a transaction style account, that’s the biggest risk,” he said. “Transactions happen quickly: deposits, bill paying, fund transfers. With lending, lending takes time, so there’s more of a chance to get to know the customer and to gather information.”
The good news, both Live Oak officials said, is that Live Oak – and financial technology firms – are designing systems that use customer data to protect those customers. They can use a customer’s geographic data to spot potentially fraudulent transactions and alert the customer, as in Haisley’s example of the bank customer who magically was in Wilmington and Phoenix at the same time.
Systems can also analyze data to learn and predict their banking behavior and spot anomalies that could be fraudulent transactions. “We are a very technology-centric bank, so we leverage artificial intelligence and big data analysis. We consume lots of data and use that data to make smart decisions … and manage risks,” Hill said.
Dual factor security is very important in making sure digital transactions are secure, he added. “We try to make the experience less intrusive, like as in a branch. Banks try to do [verification] behind the scenes so the [banking] experience can be pleasant, but also protect you so we’re sure you are who you say you are.”
Software systems are evolving to detect and prevent fraud, said Kendra Tolley, nCino’s director of retail product technology management. While nCino continues to offer one product: the Bank Operating System, that system is much more comprehensive than it was when Live Oak Bank developed it to support a streamlined online lending process that could operate nationwide.
“We have added a lot of features and functionality around fraud prevention: who can see data and interact with data,” Tolley said. “We’ve put a lot of time and effort putting preventive layers around that,” she said, referring to efforts to combat internal bank fraud.
“Our bigger focus is around adding products and services; new ones are more vulnerable. We have spent a lot of time trying to help banks automate really hard stuff so they don’t have to worry so much.”
nCino’s financial institution clients tell the company that a transaction with high risk for fraud is bringing on new customers, which can give an identity thief or other fraudster the opportunity to misuse a new credit card or take out a loan. As a result, according to Tolley, nCino’s system allows banks to dig deeper to confirm credentials, like [the new customer’s] credit approval and true identity.
“We automate those processes and standardize information, the questions banks are asking and the documents they are requiring so you can verify the identity of a new business customer. This is true for individuals as well, using background checks. We build a completely no-touch relationship.”
Of course, fraudsters adapt to new prevention technology by coming up with new scams and more sophisticated hacking techniques.
“You are never going to win completely,” Hill said. “It’s definitely a chess match. We do what we can to always stay ahead: predict that attack, figure out how we can detect [problems].”
That involves educating customers so they can be part of the defense.
“We look at the demographics of folks who are being targeted [by scammers],” Day said. “They have money or are thought to have money, or the ability to move money. Really looking at the demographic helps us identify potential victims and talk with them.
“Think of how much information we put out there. We create a digital footprint of our actions, which can be used to create a synthetic profile. We recently became an empty nester, lost a spouse, went through a divorce, went to Panama City on spring break. There are romance scams for people who are active on social networks or dating sites. There are work-from-home scams.”
Hill said education efforts aim to train customers to remove any emotions from online dealings, ignoring tearful pleadings or being suspicious of unexpected messages from a boss or a loved one. They also point out that many attempts at fraud occur around tax time.
Financial institutions’ fraud prevention network stretches out beyond the industry to include law enforcement and the banking industry as a whole, Day said, comparing the effort to a relay marathon. Hill agreed.
“In this area, it takes a village to control the risk. Banks compete, but in the cyber and fraud world, we are closer together than ever before. Hopefully, everyone is seeing the value in sharing.”