The 'Newsletter on Financial Fraud' from CustomerXPs is your monthly insight into the various new fraud types and methods used by fraudsters globally in the banking space.
This will help you stay abreast of all the latest happenings in the banking fraud space.
Online banking is under siege. Web sites at Wells Fargo & Co. and JPMorgan Chase & Co., among others, have been stalled or shut down under coordinated denial of service attacks. The Office of the Comptroller of the Currency issued an alert in December 2012 that some of these attacks may be cover for fraudulent activity, and suggested banks "appropriately consider new and evolving threats to online accounts" and adjust customer authentication, layered security and other controls as appropriate in response to changing levels of risk. Bank boards are evidence of this heightened awareness, where cyber security is a more frequent topic of discussion.
What are the bank's cyber security policies and procedures and how do we make sure they're followed?
The board must approve an information security plan and get a written report annually on the effectiveness of that plan, according to the United States' Federal Financial Institutions Examination Council (FFIEC).
"The board of directors, or an appropriate committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution's information security program, and making senior management accountable for its actions," according to the FFIEC's Information Technology Handbook.
So what are the details of this plan and how are they followed? What's the security training procedure and does the bank perform drills to test security measures? Are the procedures easy for employees to follow? Also, it is important to understand how your information security function is staffed, the competency of that department and how employees are held accountable.
What are the practices and procedures of our vendors?
Most small and mid-sized banks outsource their online banking and mobile platforms and vendors handle much of their technology, including security. However, that doesn't mean the board isn't responsible for what the vendors do. It is. Find out how your vendors gather intelligence on new threats. How quickly does staff react to emerging threats? Assess the adequacy of the vendor's security program regularly.
The more significant the third party program, the more important it is that the institution conduct regular periodic reviews of the adequacy of its oversight and controls over third-party relationships.
What is the quality and quantity of reporting to the board?
"The annual approval [of the information security program] should consider the results of management assessments and reviews, internal and external audit activity related to information security, third-party reviews of the information security program and information security measures, and other internal or external reviews designed to assess the adequacy of information security controls," according to the FFIEC's IT Examination Handbook.
If the security audits find weaknesses, boards should ensure these are addressed and tracked through completion.
Do we have adequate insurance?
It is important to have adequate business liability insurance and directors and officers liability insurance. Insurance companies also sell cyber security policies but it is important to read the policies carefully to make sure they actually cover the bank's risk.
Have we established a plan for notifying customers of data breaches and providing remediation?
The United States' Gramm-Leach-Bliley Act sets out requirements regarding notification of customers and others of breaches of confidential information.
The Securities and Exchange Commission (SEC) requires companies to disclose "material" breaches in public filings and to warn shareholders of the cyber risks affecting the company. The Financial Crimes Enforcement Network (FinCEN) has its own requirements for financial institutions to submit what's called Suspicious Activity Reports when illegal activity is suspected in a transaction.
Source: Bank Director
Credit and store cards have returned to the top of the list of fraud targets, with a 28% increase in the first four months of the year - at a time when overall fraud levels fell by 16.5%.
For the past four years card fraud has accounted for less than 20% of fraud, according to CIFAS, the UK's fraud prevention service, but it has jumped to 25%. In 2009, it was 27%.
According to CIFAS, a large proportion of these frauds are accounted for by identity fraud, with fraudsters using the name and details of victims to impersonate them, and obtain a card account in the victim's name.
"The credit or store card - as one of the most widely used financial services products - is a natural target for those whose intentions are not so honest," said Richard Hurley, CIFAS communications manager. "Recent years have revealed that fraudsters frequently change their targets, however, so the fact that plastic card accounts are being targeted far in excess of other products indicates that this process of change may have come full circle.
"According to Hurley, the fact that while levels for plastic card fraud continue to increase, bank accounts and mail order account frauds continue to decline means that "we are possibly seeing the early stages of yet another shift in fraud dynamics, as some more 'traditional' targets are replaced by new possibilities of easily obtained money".
Financial institution employees have many methods for committing fraudulent schemes, including through wire and credit card transactions. But two avenues are vastly prevalent: loan fraud and money laundering. In fact, fraudulent lending practices are rising at an alarming rate, and are particularly unsettling since they often involve trusted employees in authority positions. For example, an employee could enter into an outside venture involving a shell company that may-or may not-be a legitimate business. Either way, the employee could finance the shell company by providing false information on a loan application and pushing for its approval.
This abuse of power happens more often than you think. According to recent investigations by the Secret Service, more than 50 percent of insider fraud is perpetrated by such highly trusted employees as managers, and their average time on the job before committing a scheme is five years. They're good at avoiding suspicious behavior and have been with the bank long enough to know the policies and procedures, as well as ways to get around them-which makes insider fraud exceedingly hard to detect.
It's prudent to keep a lookout for activities that don't feel right, including employees who work excessively long hours and refuse assistance from others.
Consider the following preventive practices and tools:
Utilize a segregation of duties to ensure only certain employees know what you're monitoring, as well as the criteria that raise flags. In turn, maintain a review of controls to "monitor the monitors" and confirm each employee's level of access along with who can override system messages and approve certain transactions.
Install software that detects when proprietary information is downloaded to such devices as flash drives.
Regularly monitor all employees' personal accounts at the bank to detect suspicious patterns and activities.
Pay special attention to departing employees. Watch their accounts for signs of concern and have IT personnel ensure they're not downloading proprietary information to flash drives or personal email accounts. This is particularly important in cases of downsizing.
Encourage fellow employees to file suspicious activity reports to help determine negative trends.
While we all hope insider fraud is something that would never happen to us, ere on the side of caution and use these tools to protect your financial institution from this unnecessary loss.
The first step to solving a problem is to admit you have a problem. I have been involved with card fraud systems for over 20 years and too many times when I have discussed fraud I've been greeted with the opening line "of course we don't have a fraud problem here.
"I was struck when seeing some fraud statistics for 2012 released by RBI for India how low they were. Indeed, VISA has also publically praised India on its low fraud statistics - has India found a solution to fraud that all the other countries have failed to find?
So I did a comparison against the Australian fraud statistic for calendar year 2012, and certain things struck me. Based on an average daily exchange rate over 2012, in US dollar terms, the reported fraud in Australia was over 27 times more than India - with Australia running at $270.8m and India at $9.9m. When you consider the amount of fraud per card, it comes out with a factor of 174 of Indian fraud over Australian fraud, this is with Australia having less than 1/6th of the card base of India.
The volume of transactions in both countries are broadly comparable with 5.6b in Australia and 6.2b in India, the value of the transactions in Australia were roughly double, at $622b vs $335b in India.
The number of frauds differ wildly, but that could be because the Indian numbers consider multiple transactions in a fraud case.
Looking at the next level, foreign banks seem to have reported significantly higher fraud rates in India with the exception of ICICI. ICICI have had far and away consistently the biggest fraud 'problem', yet banks with similar card bases and merchant bases have shown considerably less fraud. (It's not clear if the figures reported are issuer or acquirer fraud)
There are obviously many cultural differences between India and Australia, so these figures may be an accurate picture. It may be explained by the fact that India is in a different stage of economic development to Australia or an excellent job in fraud prevention and education by the Indian banks. As an example, local card not present is a substantial contributor to Australia's fraud, but it likely to be lower in India as it is not such a prevalent transaction. The significantly higher ratio of debit cards transactions in India could be a contributing factor.
The various anomalies may be explained away by environmental differences however, to me as a cynical grumpy old man, it seems improbable. A more likely explanation, I believe, is that the figures are simply under reported. This is not some fraud or conspiracy, simply a lack of corporate culture, often lack of standards to what constitutes fraud, and a lack of willingness to admit and share information about fraud.
The problem seems to extend further than just the official statistics - a recent report from the Mumbai police said that, in one of the world's most populous cities, there were only 47 reports of credit card fraud reported between 2010-2012.
I may seem to be unfairly singling out India, they are not unique in this - they just happened to cross my radar as I was doing some research. If you compare freely available fraud statistics in the UK and Australia versus the US as an example, I cannot help feeling the move to EMV would have more political pressure if the general public knew the true extent of fraud in the US.
Successful fraud strategies depend on honesty, agreement there is an issue and an open exchange of information - something I feel both Australia and the UK lead on (although there is still room for improvement). For other countries ranging from the US to India, it feels like there is still a long way to go.
To paraphrase Brad Pitt in the movie Fight Club - the first rule of Fraud Club is to talk about Fraud Club, banks throughout the world need to share and contribute to fighting the fraud problem. India needs to share information about the true extent of the fraud it encounters, or else share its secret on how it has succeeded in combatted the fraud problem that has outsmarted the rest of the world.
Archive Section[-]  2017