SECTOR SPOTLIGHT: Fraud Management in Banking and Payments
Fraud losses are on the rise globally.
Fintech companies reserve about $50M each year for fraud losses.
The global industry estimated a $20B total in 2022.
For those in financial services, the negative sentiment may seem ‘business-as-usual’ — but in this era of innovation and modern technology why is this trend the norm?
Fraudsters, bad actors, scammers, etc. are finding new, complex ways to expose weaknesses in program security and controls at financial institutions and banks. The need for frictionless, rapid delivery of banking favors this group as they have to jump through fewer hoops in gaining authorization to move money.
Fraud management has been in place for some time, but it only captures a limited scope of illicit activity based on previous patterns. What’s needed is fraud prevention to proactively protect against the loss of funds and eliminate the negative impact from loss of trust (between banking providers & clients).
In this Sector Spotlight, we’ll dig into (TL;DR):
The current types of fraud;
Top fraud prevention activities;
Combating fraud with analytics;
Companies focused on mitigating fraud in financial services and non-banking verticals;
TYPES OF FRAUD
When banking was less digital (about 20 years ago), most fraud attempts took place in-person.
Fake identification documents, forged signatures, compromised personal info, skimming of bank cards — all required a fraudster to take action against a bank agent or terminal. Manual review & exception approvals (by bank staff) were needed.
In this sophisticated age of mobile banking, fraudsters have stepped up their game and are finding new ways to commit fraud.
Social engineering
Fraudsters manipulate victims into divulging confidential information (e.g. PINs for cards, authorization codes sent via text, passwords) OR sending funds through one-way methods (such as wires, peer-to-peer / crypto transfers) which are difficult to dispute and recover. The appeal with crypto is that once a transaction takes place, it’s not possible to reverse (since there’s an immutable ledger).
Many of us have seen emails that seem legitimate (from sources posing as banks, utility companies, or big-box retailers) with an urgent title message to take action. Behind links in these emails are fake websites asking for usernames & passwords in order to liquidate bank accounts.
The quickest preventive measure is at the user level: educating individuals and businesses on how to spot these types of schemes. The next level would be companies inserting additional verification methods when unusual requests are made.
Presentation attacks
These are more advanced fraud attempts in which bad actors impersonate actual customers by using their biometric info (e.g. photo, fingerprint) for online access to bank accounts.
Being able to get past facial recognition is now possible with deep fake technology. The fraudster can hold up the false image to a camera, unlock a fintech app, and then proceed to change security controls (i.e. email, phone number) to perform transfers.
To defend against these types of attacks, some companies are also requiring facial movement and a speech test as part of ‘liveness checks’. The customer would record a short selfie video in which they say a specific phrase and move their head (in real-time, according to preset directions).
Synthetic identity fraud
This type of fraud combines real personal data (such as social security numbers and address) with fake information (e.g. altered name, date of birth) to create a new person that can get past user onboarding checkpoints. Minors, elderly individuals, and the homeless are less likely to monitor their financial and credit history, which makes them easy targets.
By the time a bank or fintech realizes there’s a synthetic identity with a bank account, multiple transactions may have already occurred that lead to losses. Better checkpoints are needed to confirm a cohort of personal information — not just single, one-by-one validation points of SSN, date of birth, or physical address.
Account Takeover
Once a fraudster has access to someone’s financial accounts, they can proceed to take over the banking relationship by replacing the existing contact information (email, phone number, address) and passwords. An estimated $10B in losses came from account takeovers last year.
The entry needed for ATO may come from a data breach in which thousands of actual customer profiles were compromised. The leaked info may contain partial login details — combining these with bots that automate numerous password attempts in seconds can then lead to full access for fraudsters.
It’s up to users to create complex passwords, not reuse the same ones across their other profiles, and change them often.
Payments (ACH) fraud
ACH for electronic payments and transfers is the most common (non-card) method of moving money in the US. Payroll deposits, loan payments, and billers use this rail most often due to its low cost per transfer.
Unfortunately, ACH fraud is increasing each year due to the minimal amount of information needed — bank account details and customer name. ACH is also the only rail that allows for payees (those requesting payments) to be able to ‘pull’ funds from a payor’s account (assuming a debit authorization is in place).
Lastly, there’s a processing lag with ACH in which balances at an account being debited are not checked at the time that funds are being pulled. Essentially, a request can be made to deduct from a $0 balance account and the bank receiving the deposit wouldn’t realize that funds aren’t available until 3+ business days later — at which time the money may have been withdrawn, representing a loss.
FRAUD PREVENTION ACTIVITIES across the industry
There are measures that financial institutions and fintechs take to deter the likelihood of fraud and reduce the size of its impact. Some of these actions end up adding friction (or steps) in a user’s experience. Ultimately, companies (of all sizes) that offer financial products need to find the balance between risk and customer experience.
Customer onboarding
Where manual processes previously existed, banking providers have now inserted automation to deliver a seamless, expedited customer journey from the start. Since there’s no face-to-face interaction or way to build a personal relationship (as in traditional banking), fintechs & non-fintechs must focus on speed + ease.
During a modern onboarding process, new users must have their identity details verified and be screened against watchlists to confirm they’re allowed to open an account. Trusted sources (like government databases) are accessed in real-time for these checkpoints and a response is provided within seconds.
What adds friction, but deters a significant portion of bad actors?
Government ID — State Identification Card or Driver’s License, US Passport;
Full Social Security Number — only requesting the last 4 exposes a company to a higher risk of impersonation and synthetic identity fraud;
Liveness check — a video with live recording is the ultimate tool in verifying a user’s account opening request as authentic;
Overall, platforms providing banking services should understand who their customer is AND what their customer should be allowed to do within their ecosystem. Any activity outside of this scope should be blocked and flagged immediately.
This is a requirement for risk teams to outline in their Customer Identification Program (CIP), which documents the types of users and activity that are expected. Common examples of suspicious activity that may be outside of CIPs: international transfers and high-dollar payment requests.
Ongoing monitoring of users and transaction activity
It’s not enough to have a robust policy for onboarding a new customer; there must also be strong processes for continuous monitoring of existing users. Most new account fraud takes place in the first 90 days of account opening — even for established financial institutions.
Monthly checkpoints are needed to verify individuals aren’t added to sanctions or watchlists, and to ensure there’s no pattern of suspicious & unusual behavior. Changing a mailing address, phone number, and email within a short timeframe should trigger an alert at most companies.
Payment returns, bounced checks, card declines, receiving large lump sum deposits, wire transfer requests of recent deposits, and overdrawn account balances may have legitimate reasons, but collectively represent a red flag.
Monitoring behavioral patterns becomes critical — login time, standard transaction amounts & requests, and device fingerprint can help call out bad actors early (before fraud is even attempted). Companies need enhanced due diligence (EDD) frameworks to gather additional information (in real-time) to determine the likelihood of fraud or illicit activity.
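The monitoring rules described above can be sketched as detection logic over an account's event stream. This is an added example, not code from the original article or any vendor; the event names, the 24-hour and 3-day windows, the 80% share and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events for one account: (timestamp, kind, amount).
EVENTS = [
    ("2024-03-01T09:00", "deposit", 9500),
    ("2024-03-01T09:20", "email_change", 0),
    ("2024-03-01T09:25", "phone_change", 0),
    ("2024-03-01T09:31", "address_change", 0),
    ("2024-03-02T10:00", "wire_out", 9000),
    ("2024-04-15T12:00", "email_change", 0),
]
CONTACT_KINDS = {"email_change", "phone_change", "address_change"}

def load(events):
    """Parse timestamps and order events chronologically."""
    return sorted((datetime.fromisoformat(ts), kind, amt) for ts, kind, amt in events)

def contact_change_bursts(events, window=timedelta(hours=24)):
    """Times at which email, phone and address have all changed within `window`."""
    alerts, last_seen = [], {}
    for ts, kind, _ in events:
        if kind in CONTACT_KINDS:
            last_seen[kind] = ts
            if len(last_seen) == 3 and ts - min(last_seen.values()) <= window:
                alerts.append(ts)
                last_seen = {}  # start a fresh window after alerting
    return alerts

def wires_of_recent_deposits(events, window=timedelta(days=3), share=0.8):
    """Wires that move out at least `share` of deposits received within `window`."""
    alerts, deposits = [], []
    for ts, kind, amt in events:
        if kind == "deposit":
            deposits.append((ts, amt))
        elif kind == "wire_out":
            recent = sum(a for t, a in deposits if ts - t <= window)
            if recent and amt >= share * recent:
                alerts.append(ts)
    return alerts

def review(events):
    """Run both rules; escalate when more than one distinct signal fires."""
    parsed = load(events)
    signals = {
        "contact_change_burst": contact_change_bursts(parsed),
        "wire_of_recent_deposit": wires_of_recent_deposits(parsed),
    }
    fired = [name for name, hits in signals.items() if hits]
    return {"signals": signals, "escalate": len(fired) >= 2}

if __name__ == "__main__":
    print(review(EVENTS))
```

A single contact change, such as the April email update in the sample, does not alert on its own; escalation requires the signals to occur together, matching the point that each event may be legitimate in isolation.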
Risk scoring
There’s complexity in determining (with complete certainty) if a particular user is fraudulent or not.
Risk and compliance vendors that are dedicated to quality verification processes (Know Your Customer, or KYC) can provide a risk score based on the data from a new user. A high risk score indicates that the user may be a fraudster using false data, while a low risk score provides high certainty that a customer is who they say they are.
Based on product and risk appetite, these scores can range differently for companies within the same sector. Crypto use cases versus neobanking shouldn’t be monitored the same way. Risk analysts can set benchmarks based on their product, customer segment, and scope of activity. These ranges can be adjusted as needed based on macroeconomic factors & fraud trends.
The accuracy of a risk score can help funnel in the quality users and block out bad actors seamlessly. Besides personal details and mobile device location, bank login verification and transaction data can also improve the quality of scoring. This is where machine learning & analytics are an invaluable resource for firms looking to prevent fraud (not just managing it).
FIGHTING FRAUD WITH ANALYTICS
There’s a welcome boost in the fight against fraud — coming from artificial intelligence (AI) and data analytics.
The fallout from privacy & data breaches leaking personal information has contributed to actual user credentials being compromised and identity theft taking place.
Infusing AI into fraud prevention programs helps predict future behavior & transaction activity that can avoid losses. Data that can be leveraged in these efforts includes:
Device location being compared to transaction request location;
Bank transaction history that helps establish what standard activity for a user looks like;
App usage not matching up with a user’s typical behavior (lengthy session time, login from a different device, login time);
High-frequency activity taking place within a short period;
Preventive measures & processes can also apply to other types of fraud besides identity such as credit card, frivolous claims & disputes, and money laundering.
Automation becomes easier through AI as well, reducing the heavy dependence on manual (human) review. Learnings from real-time fraud activity can be added into models and prevent fraud ring attempts from increasing in scale.
There’s a transition from a rules-based approach (based on past activity) to a model-based approach (based on past & future activity) through AI. The former doesn’t incorporate all available info in making a decision. Thus, new fraud would be missed.
Large, continuous data sets are integrated into the model-based approach and help identify correlations for potential fraud behavior. The ability to work in real-time greatly reduces recurring fraud.
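To make the contrast between a fixed rule and a per-user view of standard activity concrete, here is an added example that is not from the original article. It uses a simple robust z-score (median and MAD) as a stand-in for the model-based approach, not a trained ML model; the user names, histories, the $1,000 limit and the 3.5 threshold are constructed assumptions.

```python
from statistics import median

# Constructed transaction histories in USD; not real data.
HISTORY = {
    "retail_user": [24.0, 31.5, 18.0, 42.0, 27.5, 35.0, 22.0, 29.0],
    "business_user": [4800.0, 5200.0, 5000.0, 5100.0, 4900.0, 5300.0],
}
FIXED_LIMIT = 1000.0  # hypothetical static rule: flag any amount above this

def rule_flag(amount, limit=FIXED_LIMIT):
    """Rules-based check: one threshold for every user."""
    return amount > limit

def baseline_score(history, amount):
    """Robust z-score: distance from the user's median, in scaled MAD units."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1e-9  # guard constant history
    return 0.6745 * (amount - med) / mad

def baseline_flag(history, amount, threshold=3.5, min_history=5):
    """Per-user check; returns None when history is too short to judge."""
    if len(history) < min_history:
        return None  # e.g. a newly opened account: fall back to other controls
    return abs(baseline_score(history, amount)) > threshold

def compare(user, amount):
    """Evaluate the same transaction under both approaches."""
    return {"rule": rule_flag(amount),
            "baseline": baseline_flag(HISTORY[user], amount)}

if __name__ == "__main__":
    # $900 is under the fixed limit but far outside the retail user's norm.
    print("retail_user 900.00 ->", compare("retail_user", 900.0))
    # $5,150 trips the fixed limit but is routine for the business user.
    print("business_user 5150.00 ->", compare("business_user", 5150.0))
```

The `None` result for short histories matters in practice: a new account has no baseline yet, so onboarding checks and static rules still have to cover that period.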
companies delivering fraud management products
This compliance niche within the financial services industry is rich with startups & established enterprises focused on fraud.
From risk scoring, real-time alerts, new customer verification, to better account authentication — there are multiple tools designed to drive better results in the constant battle to reduce fraud risk. Here are some of the top companies and a brief description of what they offer:
Riskified is an AI-based payment fraud prevention solution for eCommerce. The company utilizes big data analytics and machine learning to deliver insights for businesses to accept/reject transactions. Riskified also features behavioral analytics, IP geolocation, proxy detection, and order linking.
Arkose Labs’s fraud management platform detects bots and enables user-centric account security. With real-time risk classification, the AI-powered company uses enterprise-grade CAPTCHAs to defeat repeated bot attacks — protecting against account takeovers, fake account creation, and spam.
SEON uncovers fraud patterns through intelligent risk scoring (via AI and machine learning). Their solution adapts to the custom requirements of each business’ risk standards. There’s complete visibility and control when it comes to platform activity — users, orders, accounts, and transactions.
Sift showcases their fraud expertise, global data network, and innovative tech stack towards establishing long-term customer relationships. Sift’s ‘Digital Trust & Safety Suite’ combats fraudulent payments, bogus accounts, scams, and account takeovers.
Kount’s AI-driven Identity Trust Platform covers the entire customer journey for 9K+ top brands & payment providers. Powered by its Identity Trust Global Network™, Kount connects billions of fraud signals in reviewing transaction and account opening requests.
Prove delivers phone-centric solutions for clients to gain new consumers and engage with existing clients — less friction with better security. Prove’s Pre-Fill™ boosts user signups via auto-filling forms (with authenticated identity info), which improves the overall user experience.
The list of all companies would span multiple pages, but from the ones mentioned above you can see a clear focus on preventing payment fraud, improving user onboarding, adding risk scoring, and delivering timely alerts.
The INDUSTRY awaits better risk controls & oversight
No longer a ‘nice-to-have’, fraud management is essential across the industry when it comes to any type of financial activity.
Payments, account opening, card programs, etc. are all features that come with financial risk of losses.
Fraudsters are actively searching for new ways to steal identities & login credentials in order to make unauthorized transfers and purchases. Companies lacking proper management & prevention programs will be left covering the bill, which can quickly add up to millions in losses.
Financial institutions and card networks powering banking providers and payment processors are requiring fraud policies and controls to be in place from Day 1. If overall performance is heading in the wrong direction, providers may have their program shut down to avoid further losses.
The customer-facing platforms that find the right balance in user experience AND controls (verification + monitoring) will be the industry leaders of tomorrow. The challenge isn’t just finding this balancing point, but making adjustments based on changes with customer needs and market conditions.
Fraud detection providers offer supportive products in getting here, but ultimately it’s on companies to understand who their customer is and how best to address their needs.
Join our community @FinTechtris for more industry content & insights (including deep dives & sector spotlights).