In the last article of my blog series, I discussed how the occurrence of digital account takeover fraud is a core metric missing in most organizations when measuring the success of their CIAM strategy. I have a simple answer for why.
Drawing on my 27 years of experience in eCommerce and fraud risk management, one reality I learned is that most of those sitting in the C-suite have no idea how fraud occurs in their organization, nor, oftentimes, who within the enterprise is responsible for managing and controlling it.
Is it possible to realign success metrics, and ultimately the prioritization and funding of initiatives, to adequately address the fraud imperative and reduce the burden of fraud across the industry? I’ll answer that question in a moment. But first, we must take a step back to see how we got to where we are today. There is historical precedent for this.
While maximizing the collaboration and effectiveness of the Cyber and Fraud functions sounds promising, funding between these two imperatives is not typically balanced across publicly traded U.S. financial institutions today. In the late 90s and early 2000s, as internet commerce was in its infancy, financial institutions relied on (what is now known as) old-school, brute-force authentication and network security solutions to keep “hackers” out of accounts they were not permitted to access. However, since the financial services industry has pushed (with Herculean efforts) since the early 2010s for faster and faster payments with less and less friction, the game of protecting customers’ transactions (and bank profits) from fraudsters has changed considerably.
In many corporate structures, the Chief Information Security Officer (CISO) is duly credited with preventing data breaches, “security events”, data loss/leakage, and securing the perimeter of the platform. Since emerging cybersecurity issues were so critical in the first decade of the 2000s, and mishaps were so frequent, the CISO was quickly given a seat at the table, just below, or often equal to, that of the Chief Technology Officer and Chief Digital Officer, along with direct access to the Chief Risk Officer and Chief Compliance Officer. The CISO’s well-deserved reputation for protecting the front door, securing the perimeter, effectively managing permissions, and preventing data leakage has kept them welcome at that table for a couple of decades now.
However, one could say they did too good of a job, causing fraudsters to get more creative and eventually leading them to use the bank’s newer and faster payment systems and “frictionless experiences” against the bank’s own customers.
How did it happen?
Fraudsters realized banks were opening accounts and moving money faster than they could control it, and wasted no time in finding ways to exploit that to their advantage. Since the robust cybersecurity controls at the time made it difficult for fraudsters to access accounts directly, they took it upon themselves to simply trick people into sending money to the wrong place, for the wrong reasons, as quickly as possible. With the upswing of instant payment platforms, starting with PayPal, leading to Venmo and Zelle, and then the latest Paze and FedNow, banks started to scramble for funding to protect customers and the bank from high volumes of BEC and scam-based fraudulent activity.
This scramble for solutions eventually sprouted new products and markets like DMARC, proactive phish testing, behavioral biometrics, and most recently, machine learning-powered fraud detection.
Simple Solutions to Help the Problem
While technology can help the problem, internal changes also need to happen. As C-Level executives struggle to understand why they are losing so much money to fraud (and why they can’t control it), oftentimes no one at their table can actually speak to the end-to-end capabilities required to prevent the fraud and champion the projects and funding required to address the real issues.
There is no established best practice for where the Fraud team sits in most of these organizations. Fraud teams may report to Operations, Risk, Compliance, or the CISO/CSO. But because it’s labeled a cost center, it does not have an equal voice at the table when discussing corporate strategy, initiative prioritization, and funding. Fraud teams often must rely on their Product, Channel, and Cybersecurity partners to carry the fraud imperatives up through the prioritization frameworks within the corporation. However, the message is rarely amplified enough to compete with new revenue-enhancing opportunities, resulting in continued allocation of new development funds to enable new customer functionality, ultimately enabling faster, more frictionless experiences as well as faster, more frictionless fraud.
As a result of this general misalignment, strategically imperative fraud development work is not being prioritized.
What can executives do right now to help the problem? There are two things:
1. Bank CEOs and CROs should consider making a commitment to limit increases to the fraud loss budgets within their organizations or commit to a moratorium on fraud loss growth. This will ensure “suffering” imposed by fraud on customers, employees, and shareholders has a limit. (After all, if a bank cannot reduce the fraud on its network to a reasonable metric, are they really doing their job of protecting customer assets?)
Deep in the bowels of every bank, there is a (likely sizable) team of exhausted resources trying to process the amount of fraud impacting the organization and its customers through ever-improving detection strategies, alert management, customer contact, case management, and investigations. And this is exclusive of the IT integration, intelligence collection & processing, industry collaboration, analytics, and regulatory obligations that make Fraud Operations a huge albatross on any profit-seeking company.
This leads us to the second thing executives can do today to improve their organization’s fraud prevention posture.
2. Find the people who are actually managing the actual fraud in your organization today and give them a seat at the table.
Since Fraud teams are structured differently across organizations, someone who does not speak their language is sitting in the C-Suite trying to convey high level messaging from the Fraud Prevention teams regarding what’s working, what’s not, and what needs to be done to protect customers and the organization moving forward.
These requests often fall on deaf ears because the next new, shiny customer feature (which will generate revenue) is also being pitched. But since fraud is considered a “necessary loss,” it often only gets prioritized when major loss events occur. Otherwise, revenue-generating projects will receive funding and priority, and fraud loss budgets will simply continue to increase.
Hope for Change
However, there is hope things might be changing. Recent research on fraud organizational structures by Trace Fooshee, Strategic Advisor in the Fraud & AML practice at Datos Insights (and a long-time friend), shows that some banks are already undergoing an organizational transformation. There is a recognition among executives that the nature and/or frequency and severity of attacks and losses require changes to effectively manage fraud. As noted in the report, “Fraud, reimagined as the customer-facing element of a customer safety business unit, has emerged as the third pillar of an ecosystem of risk domains that deserve a more deliberate, formally defined, and highly prioritized corporate strategy.”
The next article in this blog series will explore some concepts surrounding Cyber Fraud Fusion Centers and the capabilities required to make these teams effective.