Appeared in Banking Technology on April 1, 2008
Tuesday, April 01, 2008
Fraudsters are becoming increasingly adept at sharing invaluable knowledge and tips online that will help them steal more and more money from financial institutions and their customers. There are forums and social networking sites designed to share the information needed to undermine banks’ risk management systems. However, while fraudsters have been sharing information and growing their sizeable profits through activities such as phishing, money laundering and ultimately, in some cases, identity theft, financial institutions have failed to follow their example and take a more collaborative approach to fraud prevention and detection. As the seamless movement of money cross-border becomes a reality with SEPA, banks must address their current fraud strategies and begin to work together in the fight against the crime.
For financial institutions trying to comply with SEPA, one of the biggest challenges to date has been making the necessary changes to their IT infrastructures. Unfortunately, organised criminals view SEPA as the next big opportunity for making money, and have spent their time identifying the weak links they can exploit.
Fraud is constantly evolving and migrating as fraudsters look for new outlets when former ones are secured. Following the introduction of EMV cards in parts of Europe, for example, fraud moved to softer target markets where EMV had not been rolled out and also to the cardholder-not-present environment. Based on this experience, it is highly likely that a similar change in fraud patterns will emerge post-SEPA. In particular, it is those issuers and acquirers which have not yet implemented EMV, as required by SEPA, as well as non-card-based transactions such as SEPA direct debits and SEPA credit transfers that will be high on the fraudsters’ target list.
SEPA will deliver greater transparency for conducting transactions between countries and across borders, but this will create new and difficult challenges for financial institutions’ fraud departments. Banks have woken up to the increased risks they face as a result of SEPA and are now addressing them as a priority. The potential impact of a security failure not only on revenue, but also on a bank’s brand and customer experience creates a strong business case for making the required investment. At a time when the general public is still reeling from the effects of the credit crunch, the Northern Rock crisis and the Société Générale disaster, banks must prevent further bad publicity and actively combat the growing lack of trust among consumers. In order to remain competitive and to protect their brands, banks need to demonstrate that they can cope with any new risks post-SEPA.
Currently, many banks do not have the necessary anti-fraud strategies in place to protect themselves and their customers in the post-SEPA environment. In order to face up to this security challenge, banks must become more open to sharing fraud-related data, ultimately collaborating with other financial institutions to fight the crime. While this fraud strategy is viewed by some as a utopian ideal, there are tools which can be implemented today to make the journey towards a collaborative fraud strategy a reality in the future.
The primary step for banks to respond to the security challenge of SEPA is to deconstruct the traditional silos which exist internally where each payment instrument is dealt with separately. Banks need to implement enterprise-wide risk monitoring systems that oversee and cross-reference data from multiple payment channels, including SEPA-compliant cross-border transactions, to provide fraud teams with a complete picture. Transaction and account information from a variety of channels will enable banks to better detect and put a stop to suspicious activities. While multi-channel monitoring should already be a key component in any bank’s risk approach, as they add further channels and endeavour to offer customers greater flexibility, enterprise risk management will become even more important in the post-SEPA environment.
Financial institutions must address potentially fraudulent transactions at the point of access as well as those that have avoided initial detection but appear suspicious in nature. According to the UK Payments Association, APACS, nearly 15 million people in the UK now use the internet to access their bank accounts and millions more regularly shop online. As the internet is not restricted by national borders that can be physically protected, it is one of the most high-risk banking channels available.
Security techniques that can work in conjunction with enterprise-wide risk management include two-factor authentication, real-time risk monitoring and the tracking of internet log-on details to generate alerts against suspicious IP addresses. The profiling of customer IP addresses as part of an IP intelligence solution can track internet log-on details and generate alerts against suspicious activity, effectively monitoring bank customers’ online activity to identify potentially fraudulent behaviour.
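The log-on profiling described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor product; the event format, the /24 grouping, the `min_history` threshold and the shared watchlist are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed log-on events (customer, channel, source IP); all addresses
# come from the reserved documentation ranges.
EVENTS = [
    ("cust-001", "web", "192.0.2.10"),
    ("cust-001", "web", "192.0.2.44"),
    ("cust-001", "mobile", "192.0.2.10"),
    ("cust-002", "web", "198.51.100.7"),
    ("cust-001", "web", "203.0.113.5"),
    ("cust-002", "web", "203.0.113.5"),
    ("cust-002", "web", "198.51.100.9"),
]
# Hypothetical list of suspicious networks shared between institutions.
WATCHLIST = [ipaddress.ip_network("203.0.113.0/24")]

def monitor(events, watchlist, min_history=2, prefix=24):
    """Return (customer, channel, ip, reasons) for each suspicious log-on."""
    profile = defaultdict(set)       # customer -> networks seen on clean log-ons
    clean = defaultdict(int)         # customer -> number of clean log-ons
    ip_users = defaultdict(set)      # source IP -> customers it logged on as
    alerts = []
    for customer, channel, ip in events:
        addr = ipaddress.ip_address(ip)
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        reasons = []
        if any(addr in w for w in watchlist):
            reasons.append("watchlisted")
        # Only judge novelty once the customer has some history.
        if clean[customer] >= min_history and net not in profile[customer]:
            reasons.append("new_network")
        ip_users[ip].add(customer)
        if len(ip_users[ip]) > 1:
            reasons.append("shared_ip")
        if reasons:
            alerts.append((customer, channel, ip, reasons))
        else:
            # Learn only from log-ons that raised no alert, so a flagged
            # address never becomes part of the trusted profile.
            profile[customer].add(net)
            clean[customer] += 1
    return alerts

if __name__ == "__main__":
    for alert in monitor(EVENTS, WATCHLIST):
        print(alert)
```

The profile is keyed by customer rather than by channel, so a web log-on is judged against history from the mobile channel as well.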
At the heart of all of these technologies must lie the ability to feed increasing amounts of fraud-related data into a more collaborative monitoring solution. Akin to the way in which fraudsters share information to strengthen their attacks to be more equipped to target multiple banking channels, financial institutions must introduce an enterprise-wide risk management solution. The newly formed FPEG (Fraud Prevention Expert Group), which discusses the preventative measures that can be put in place to combat payment fraud, particularly at a cross-border level, is a step in the right direction. This group demonstrates the industry’s growing appetite to rightly view fraud as a non-competitive issue – a perception that will ultimately serve to benefit banking revenues and, importantly, banks’ customers in the wake of greater fraud challenges such as SEPA.
By Michelle Weatherhead, manager of risk solutions at ACI Worldwide (EMEA) Ltd