Following is a recap of the conversation led by FiVerity’s Doug Levin on how financial institutions are managing an uptick and evolution of fraud, and the role information sharing plays in fighting this threat. The following has been edited for brevity, but you can listen to the full podcast and check out our related eBook on intel sharing.
PARTICIPANTS
 |
Dustin White Global Head of Analytics & Platforms Visa |
 |
Frank Badalamenti Principal - Cybersecurity, Privacy & Forensics, Financial Crimes Unit PwC |
 |
Doug Levin Executive Chairman FiVerity |
DISCUSSION
The Evolution & Acceleration of Fraud
Q: How are banks handling digital transformation and the acceleration of fraud?
Frank: The industry as a whole has had to adapt very quickly. Some of the machine learning models that had a good handle on customer behavior are now a bit out of tune, given the rapidly changing transaction profiles. This has required a significant acceleration in the use of adaptive behavioral analytics and things that are much more nimble from a technology standpoint to react to these changes.
Q: Can you describe Visa's view of the expansion of fraud in the payment system?
Dustin: Fraud, as you think about it traditionally, was managed quite well. But there were exceptions – largely due to the digitization of our economy, especially during the pandemic lockdowns.
My grandmother now orders her groceries online – the fact that she was able to pick that up demonstrates the shift in how consumers engage with their payment credentials. There's a learning curve associated with that. At the same time, merchants were having to figure out how they were going to survive the pandemic and had to digitize their business.
In the early stages of the pandemic, there was a lot of creativity and focus on behalf of fraudsters to take advantage of our learning curve. This takes us back to information sharing – one of the things we tried to do when working merchant partners was to ensure those who are shifting into a more digitized space have the necessary tools and best practices to make that transition successfully.
"In the early stages of the pandemic, there was a lot of creativity and focus on behalf of fraudsters to take advantage of our learning curve."
Q: How can anti-fraud teams gain ground on fraudsters who are using AI?
Frank: The fraud rings are going to be technology sophisticated - they'll invest in machine learning and AI techniques and try to be one step ahead. The counter-response to that is increased innovation within and across financial institutions with leveraging more advanced and sophisticated forms of AI.
Dustin: I'd take a slightly different approach to this. There’s been study after study on the pitfalls of organizations trying to adopt AI, or failing to achieve a positive ROI from machine learning. Teams often focus on trying to have the best brain possible, but less on operationalizing and driving actual change.
There are a few things I think are really important to this challenge. One is, don't play the “set it and forget it” game. The second is that technology should be an enabler, not a solution in and of itself. Having folks that are actively engaged with that technology and bring it into a business outcome is critically important.
"The fraud rings are going to be technologically sophisticated - they'll invest in machine learning and AI techniques and try to be one step ahead."
Looking Back on Info Sharing
Q: Let’s talk about how financial institutions have shared fraudster info in the past.
Dustin: One of the most common and long-standing mechanisms for knowledge transfer between financial services participants are consortium models. These are models where many parties share data into a central location for common benefit. And there's many aggregators who provide those types of services and are active in the fight. I've happened to work for two of them in my career, FICO and now Visa. These are entities that have a unique position as an eye in the sky, and play a critical role in ensuring the fidelity, security, and integrity of our collective ecosystems.
But that battle has become increasingly complex and urgent in the face of new threat vectors. So there's been an increasing level of solutions that are based on identities and device IDs that leverage AI and machine learning. It's become an important part of the overall suite of assets that are necessary for successfully combating fraudsters in today's environment.
Q: 9/11 was a turning point in our view of information sharing, in part because of the commission’s findings about the lack of coordination among intelligence agencies. Could you comment on how these concepts apply to intel sharing among banks?
Frank: While I'm not an expert in the inner workings of the intelligence agencies, in terms of some of the conclusions from that report, it looked like there is an opportunity, obviously, for better and more efficient information sharing within and across agencies. There’s a parallel that applies to the banking community.
We’ve definitely seen cases where better collaboration, even within an institution across function areas – for example, sharing info between cyber, fraud and AML teams via fusion centers – creates a network effect. These organizations have an improved ability to identify threats earlier in the lifecycle, as opposed to taking a siloed approach. That network effect is magnified even further when that sharing occurs across institutions in the financial system. We've definitely seen firsthand the benefit of sharing through some of the investigative work we’ve done following a fraud incident.
"The fraud rings are going to be technologically sophisticated - they'll invest in machine learning and AI techniques and try to be one step ahead."
Impediments to Info Sharing
Q: Financial institutions have a range of concerns about sharing intel to combat fraud, such as logistics, privacy and competition. How do your institutions look at these issues?
Frank: I'll break this down into a few categories of what we believe are potential impediments to broader information sharing across institutions, or even within institutions:
Privacy
So the first is concerns about violating any data privacy or data protection laws. No one wants to inadvertently violate some government rule and then be subjected to a fine or reputational loss. That needs to be carefully studied before any kind of external information sharing happens.
The length of time and effort required to get the data protection officers, legal, IT and information governance to review, opine and align on a proposal could be a deterrent. So the path of least resistance is to do nothing and just, maintain the status quo.
Competitive Advantage
The next concern is about competitive advantage. Some institutions may not be willing to share information about either who their customers are or what rogue inappropriate customers have gained their way into their institution because their competitors could potentially glean something from that.
Liability
There's always the risk of being wrong or reporting incorrect information about a suspected fraudster who is not a fraudster. Institutions could be concerned about the repercussions there in terms of liability.
Value
I think just the last thing I would say is the benefits and the actual impact of participating in the information sharing is perhaps not well enough understood or publicized. Meaning, if companies truly appreciated the value, there might be more of an impetus to participate further.
Enabling Technology
There are also some enabling technologies that need to be better understood and evolved to enable more broad information sharing, where actual PII is effectively made available without exposing the actual clear text values of those indicators.
Value of Intra-Bank Sharing
Dustin: Oftentimes, information sharing starts in your own house. Making sure the various teams are interconnected, from your originations department to cardholder behavior to fraud, risk and back office functions. There are many financial institutions that do it well, and many more that don't. This notion of looking holistically across the data that you have available really matters, and it matters more today than it ever has.
It's easier than ever to get payment credentials at a competing bank. So, when your risk solutions and customer behavior departments aren't connected, you could be turning away high value cardholders.
So my point with information sharing is the network effect across institutions is really important, but intra-institution sharing is also super important. Make sure you have that full, robust view of the data that's already at your fingertips.
"This notion of looking holistically across the data that you have available really matters, and it matters more today than it ever has ."
Looking Ahead
Q. Looking to the next three to five years, what sort of changes do you expect as more people return to the office?
Frank: From the fraud practitioner's point of view, I hope that a return to the office will result in more collaboration, camaraderie and cross-training. There’s an ancillary benefit of having individuals co-located in something like a fusion center, where ideas can be freely exchanged. We’re missing that now with this shift to working from home. So hopefully, bringing together the anti-fraud at in-person events, roundtables, conferences – things of that nature should have a residual benefit.