Fighting fraud can feel like an endless game of whack-a-mole for financial institutions. As soon as you stop one scheme, fraudsters evolve their tactics and pop up in new places.
When your resources are in short supply, how can your financial institution find and prevent fraud? For one institution, it's a mix of technology, expertise and gumshoe detective work. At NACHA's PAYMENTS 2018 conference, Dave Richardson of First National Bank of Omaha offered a glimpse into how he and his team of analysts work to prevent noncard-based fraud, including best practices his organization employs to make sure crime doesn't pay.
It starts by following the money.
Make certain your staff is empowered to make decisions and take some risks. Keep the customer experience as a top priority.
"Almost every noncard transaction that comes into or leaves an institution goes through a demand deposit account (DDA)," said Richardson, senior manager of fraud and ATM operations for the Omaha bank. "Most of the time, accounts will tell you everything you need to know about whether an activity is suspicious."
Knowing where funds are going and how that compares to typical behaviors can help organizations spot an anomaly and step in if needed. Is a withdrawal or deposit especially large or unusual? Did the money come from a third party well outside the area? Is there a reasonable connection between where the money is going and where it's coming from?
Criminals are intent on fraudulently moving money from point A to point B as quickly and quietly as possible, Richardson said. He tells his team not to get lost in how the money comes or goes but instead think about the flow of funds.
First National Bank of Omaha takes a multifaceted, collaborative and practical approach to risk management, involving every employee and multiple teams dedicated to identifying, preventing and investigating fraud across all channels.
We talked with Richardson about best practices for monitoring and mitigating fraud against consumer, business and commercial accounts. That includes account takeovers, which are particularly troublesome because they can be the basis for many other types of fraud.
I believe that as the adoption of chip-card technology increased, fraud organizations lost revenue streams. Criminals could no longer steal millions of card account credentials at one time, so many turned to accessing account credentials.
The purpose of an account takeover is to access and move money – it's that straightforward. Once criminals have access, they can use the same channels as the customer to move as much money as possible without detection. The criminals might have fraudulently acquired account credentials, or they may have somehow persuaded the customer to send money to an account they control.
People are generally predictable when you think about base behaviors. Fraudsters are no different. Our team is constantly thinking, "If I was going to steal money, how would I do it through this channel or this process?"
Fraud detection has to evolve as threats evolve. That's why the focus on DDA accounts is so important. Regardless of how sophisticated the criminals become, they will always go where the money is.
Our responsibility is to identify how fraud might happen and create controls to stop transactions long enough to evaluate. We use multiple reports and sources created in-house or through various technology partners to identify suspicious behaviors through every channel. The key is achieving the balance between manageable volumes and adequate levels of protection. You can't possibly see everything that flows through an institution, but you can certainly develop parameters that will identify certain behaviors.
On the positive side, many customers appreciate that someone at their bank is watching their accounts for fraudulent activity. However, sound fraud detection and prevention often affects legitimate transactions. Because it's not an exact science, some controls may cause unexpected delays in processing transactions, which could include canceling a legitimate transaction. Organizations need to be ready to answer for that disruption. We take a customer-service approach when we talk with affected customers, focusing on helping them better understand and cope with the actions we had to take.
To minimize risk management's impact to the consumer, I'd encourage organizations to create controls with careful thought. Understand your business and customer behaviors. Develop processes that manage the probable risks and don't try to manage every scenario. Keep it as simple as possible and develop efficient methods of managing actions taken against customer accounts. Make certain your staff is empowered to make decisions and take some risks. Keep the customer experience as a top priority.
We have a front-row seat to the heartache and loss caused by financial scams. Victims believe they're doing the right thing – helping someone they know, redeeming prize money, paying off a debt – so they willingly and knowingly perform the transaction. Even though the purpose of the transaction is different than they believed, those losses are likely unrecoverable.
When that happens, a person's sense of trust and security can be undermined, often with long-term effects. Did someone they thought they knew scam them? Was the entire purpose of the relationship to steal from them? That's hard to take.
We want to help the customer understand what's happened and help ensure they never become a victim again.
If the customer had no knowledge of the unauthorized access and transaction, the effect is lessened. In the short term, they're still out the funds. Although that causes significant interruptions in their lives, those funds are typically reimbursed.
However it happens, there are administrative, back-end hassles for the consumer – filing disputes, signing affidavits, supplementing cash flows, updating account credentials or opening new accounts. The more automated a person's finances are, the more difficult it may be to re-establish normal transaction behavior. It can get pretty messy for consumers.
If we detect possible fraudulent activity, our team explains the situation to the customer and assists however we're able. We relay our concerns and ask pointed questions to reveal the nature of the transaction. We want to help the customer understand what's happened and help ensure they never become a victim again.
When fraud happens, it's overwhelming for our customers, some of whom have lost what it has taken a lifetime to create. That's why we, like every organization, work so hard to identify criminal activity before the damage is done.