Intro: The Fraud Investigation and Dispute Services (FIDS) of consultancy firm Ernst & Young recently partnered with CustomerXPs, a leading provider of real-time multi-channel enterprise fraud management products, to assist enterprises with the detection, prevention and management of fraudulent transactions and activities across multiple business lines within the banking industry. Amit Jaju, director, and Mukul Shrivastava, partner, EY FIDS, speak about latest threat perceptions in the banking industry and possible mitigation measures:
N. Mohan: What could be the major trends expected in cyber security?
Amit Jaju and Mukul Srivastava:There have been some high profile cyber breaches in 2014. The future of cyber security will greatly be influenced by these breaches. Top management of most companies have realized that with the existing approach to cybercrime and with the best of tools and processes, even the most advanced corporations are not able to defend themselves against focused cyber criminals. Hence, a more holistic approach is required towards prevention, detection and response to cyber security. Some of the new trends expected are:
- Holistic proactive monitoring of cybersecurity than just silo (system or application or network) based monitoring
- Geopolitical situations will greatly influence the focus on cyber security
- Focus on employees as the weakest link
- Internet of things and social media would attract maximum focus as they provide a large surface and reward for an attacker
How would you value outsourced protection? Especially cloud-based?
Outsourcing decisions are no longer based on cost considerations only. Managing or risks and compliance are key drivers to outsourcing decisions especially when sensitive data and mission critical applications are ported over the cloud.
Key parameters that need to be evaluated are the preparedness of an outsourcing provider against serious cyber breaches, which are eminent. How soon can the breach detected and data is protected or salvaged. It is also important to note that under shared infrastructure if the attack is targeted for a specific entity then it might affect many other entities in that shared infrastructure such as cloud.
Do you think biometric based system offer greater degree of protection than other traditional methods?
Biometric based systems offer better protection against stealing of credentials however one needs to evaluate the business, operating environment and the application which needs to be protected before making a decision. As of today biometric is primarily used for physical security and is not easy to implement for logical security hence a more structured approach to authentication needs to be undertaken. Two factor authentications are still relevant and have become easier to implement with the advent of smartphone apps, which would also help in implementing biometric authentication for logical security. But not everyone has a biometric enabled smartphone.
Is mobile banking a more secure application compared to, say, internet banking?
Yes and no. Mobile or app based banking offers better security against traditional desktop based attack methods such as phishing, keylogging. However, it still is vulnerable to theft, shoulder surfing, mobile malware etc. But, with mobile biometric it would definitely be the preferred platform for banks for customer interaction as the rewards are more than the risks.
One of the major sources of fraud, according to banking experts is internal, that is, information theft by employees. How critical is this?
In our experience over 90% of the data theft investigations conducted by us had direct involvement of an employee or he/she was a critical failure as a defense against external attacks. Most anti-fraud frameworks and solutions now have a major module or process around employee behavior monitoring to identify suspicious activity. From a regulatory perspective that is an even bigger risk to carry. Hence, most banks have prioritized employee fraud detection as no. 1 ahead of alternate channels due to the additional embarrassment it brings.
How would you describe the level of efficiency of fraud management systems implemented by banks in India? What are the systems available and are these systems prevalent in Indian banks?
Indian banks started looking at systematic fraud management systems only in the last 2 years. This was fueled further with the rapid adoption of mobile banking and alternate channels. Fortunately, Indian banks have still not witnessed the impact of more serious organized syndicates that hire professional cyber criminals to carry out systematic high volume targeted attacks. However, it is high time that the Indian banking industry is prepared for such a scenario, which is currently witnessed by banks in developed economies. Traditionally Indian banks have only looked at AML systems as critical and were content with including a couple of fraud rules in the same AML system but that approach failed miserably and the banks found themselves in the spot with rapid growing instances of complex frauds that hit them financially and in terms or reputation. Around 2012, many banks evaluated and implemented offline fraud monitoring systems where it took around 3-4 days minimum before a fraud was identified based on the transactions that were already committed. This approach also failed to meet management’s expectations to prevent frauds and not merely reporting of fraud loss.
India also faces significant challenges in identifying a relevant system, which is customized for the Indian environment as well as cost effective and could have enterprise wide fraud detection capabilities across channels. Not many such options were available then. However, the anti-fraud solution industry matured farely quickly in last couple of years and now there are both international and locally developed solutions that can be showcased as success stories.
Some of the critical success factors of these solutions are:
- Real time monitoring
- Cross channel capabilities
- Customisable workflows and case management
- Advanced analytics – predictive models, machine learning and a rich set of fraud scenarios
- Investigative dashboard and visual analytics
- Alignment with the banks fraud framework
- Big data capability
Some of the banks have made investments in big data and analytics to provide greater customer and transactional insights. Do you think this will indirectly help these institutions in countering frauds?
This has greatly helped banks in countering frauds due to the availability of rich and large sets of data that can easily be mined. But the biggest challenge here is to have capable resources that have both technical and functional knowledge of frauds. There is an issue in availability of solutions, which have the capability to identify frauds from the data. This capability predominantly lies with the people looking at the data and these resources are limited. Most banks are looking at external service providers who are specialists in Forensic Data Analytics to help them identify frauds.
Can you explain some of the recent innovations in data analytics and use of forensic data analytics, which have proven to be a good counter measure against frauds?
Visual analytics, machine learning, predictive models and advancements in hardware and database technologies (processing and storage speed) have greatly helped in this area. It is now possible to look at large data sets quickly and drill deeper till the source of the fraud is identified. Mobile devices have also helped banks in shifting some of the preventive controls to the customers themselves.
When we talk about fraud management, AML is one aspect that banks are very concerned about, especially from the regulatory point of view. Are present systems effective? Can you explain the latest trends?
So far, the focus has been to run the specific rules defined by the regulator and to submit the Currency Transaction Reports (CTRs) and Suspicious Transaction Reporets (STRs) against these rules. This has primarily been a tick in the box approach. However, Combating the Financial Terrorism (CFT) is a big concern for India and the regulator has asked banks to take additional steps themselves to enhance the AML and CFT capabilities. Sanctions screening is also an important area, which is linked to AML and CFT. After the BNP Paribas sanctions, many international banks have come under the scanner of international banking regulators. Their investigation has highlighted that the scope of AML CFT is much beyond just running simple rules. It requires a more investigative approach to deal with the menace of money laundering and terrorism financing. Present systems were greatly ineffective and have minimum or no investigative or advanced detection capabilities. At present, this is a significant focus area in Indian banks and old systems are being scrapped to bring in a more robust approach towards AML CFT just like fraud detection. Eventually Indian banks would move towards a single enterprise wide system for Anti-fraud and AML/CFT compliance.
What are the benefits of having an enterprise-level fraud management system? What would the banks need to do in order to bring their organizational structure in alignment with such a system? How can each of the staff members be made aware of the critical issue that is fraud?
An enterprise wide system is able to put the customer under a single lens and evaluate his/her behaviors through the various relationships and channels that are used. For such a system to work efficiently, it is important to re-align the organization structure of the bank. It would require moving the anti-fraud teams from various businesses into a single team that looks at frauds in all businesses and channels. It would also require a merger of AML and Anti-Fraud function for better synergies and sharing of resources.
Lastly training and awareness will be critical to update all employees for the new capability that can be utilized within the bank and how employees can efficiently investigate and report frauds. There will also be a change in the customer experience which would require a significant effort to ensure customers are not adversely affected while the bank is in the learning phase.
Can you list some factors where technology can be a catalyst in fraud management in banks?
Technology plays a key role here. All banking technologies – core systems, data bases, data marts, analytics engines, and infrastructure components have to perform in unison for the anti-fraud system to work well. With real-time fraud detection, technology plays an even more critical role to defeat all historic limitations such as speed of data flow, uptime etc.
How can the present mindset of bankers – essentially a silo mentality – be changed in order to have a 360-degree approach to fraud prevention?
Accountability towards fraud is a key aspect towards changing the mentality. Linking of performance measurement of anti-fraud teams with the success in fraud-loss prevention would push these teams to have a more logical and futuristic outlook.
Tone at the top has to change and promote a more cohesive teaming between various silo teams that leads to an enterprise wide team, which looks at fraud as an attack towards their organization irrespective of the channel or the business it targets. There needs to be a military like approach in changing mindsets where the defense is holistic and not silo based. Only when now banks look at frauds with a 360 degree approach it will be possible in future to monitor fraudulent transactions across the Indian banking industry where anti-fraud savings of one bank with better defenses will not be a fraud-loss of another bank with weak defenses.
