At a recent customer event hosted by fraud and AML platform vendor Actimize, Bank Technology News sat down with Gartner VP and fraud expert Avivah Litan; Lester Joseph, principal deputy chief of the Department of Justice's Asset Forfeiture and Money Laundering Section; and Amir Orad, Actimize's marketing head, to discuss trends in fraud and AML reporting, technology and regulation. Below is an edited and abridged version of that conversation.
Avivah Litan: If you had your wishes, what would you want bank reporting systems to look like and how could SARs be more useful? Could everything be found in the data without people calling you up?
Lester Joseph: The SAR provides the lead and what's great is the SARs are being used much more now than they ever were to compare against other things. The FBI compares them against the BSA database and [its] terrorist database and they'll find connections there. You can run it against the drug database. [There are] all these different databases and you can run them against each other, so a SAR is maybe more than a SAR.
... I think we're getting good information [from banks]. Our biggest problem is the output of the SARs. The SARs as we get them are much different from what you put in because of the IRS computer [systems]. You may have a nice well-written SAR with charts, all we get is one long paragraph that could go on for seven or eight pages and is impossible to read. That's the way the technology is, it's way behind. Sometimes we'll actually get the bank SAR, and that's much easier to read than the way we get them [from the IRS computer].
BTN: A recent FinCEN report based on interviews with large banks found that most valuable information usually comes from front-line employees as opposed to fraud detection technologies. What does this tell us either about people or the systems in use today?
Amir Orad: I think it's a timing difference. Usually employee tips will happen sooner than when it will actually be visible [via technology] that something bad is going on. In employee fraud, a major input is employee behavior and tips. People talk about each other in the corridor. If you change behavior and buy a shiny new car, an automated system cannot detect a shiny new car. Definitely employee tips and the hotline are a major good source of information.
But once it becomes complex, and real time, human beings cannot do anything with it. You have too much information, multiple structured transactions, multiple products and multiple people involved.
Litan: That's why you have to take an off-line analytical view, it doesn't all have to be in real time. Social network analysis is what they call it now, and depending how much data you get in there, if you get it across enterprises, you look at all the relationships between all these entities and you can see the thing if you have the data. I've seen a lot of payback on offline analytical work looking at the different relationships.
Orad: Link analysis is a very, very powerful technology if you have all the inputs to the system.
Joseph: Fraud and AML systems have been a big topic lately; how do they work together and what are the challenges?
Orad: It used to be almost totally separate, five years ago. The direction right now, in most places, is to have an internal FIU [financial intelligence unit]. That investigation unit owns fraud, AML, corporate security and sometimes other compliance issues. While [fraud and AML systems] still have different detection algorithms and inputs, the outputs go to one investigation process.
An FIU has one workflow, one reporting tool, and you can link cases. The difference is really in the management of the process. The AML guys want to report everything because they're afraid of being slapped [by regulators]. The fraud guys want to do the most cost effective thing, so the mindset is very different between the groups.
BTN: What's the prevalence of FIUs? How many institutions have those, and in how many banks are AML and fraud still siloed?
Orad: There's a spectrum: One extreme is two groups not even talking to each other. At the other end is the FIU. There's a lot in the middle. Sometimes it's one system [serving] two groups and that's actually very common today. Sometimes it's two groups, two technologies that talk to each other, because each one likes owning its own things. But the trend is clear.
Litan: Definitely I see them as separate groups and they both know they need to work together. There's turf battles over content, sometimes there's turf battles over the technology ... but I question the premise of having these two groups, one's compliance and one's fraud. I don't see why you can't have it all built together ... they're very siloed, and I don't see a reason for it.
Litan: Right. Maybe the regulators should change the rules.
Orad: We're seeing a big increase in wire fraud and commercial fraud in the last 12-to-18 months. Are you seeing that?
Litan: These are big cases, millions of dollars being stolen [from businesses]. And the banks aren't obligated to return the money, which is a problem. With consumer accounts there's Regulation E which says the banks have to give the money back, but there's no such regulation with business accounts. I think that's one of the biggest holes in the regulatory environment.
BTN: Avivah, you often come back to the issue of regulation. Do you think that's really where the onus for increased security lies?
Litan: I think regulation really drives security spending. ... Look at the banks, why have they gotten into such good fraud detection? It started out with the regulators, and now [banks] went beyond it because they want productivity efficiencies and they want to catch the fraud. It's just a reality of priorities; managers want to spend money on revenue-generating activities, they don't want to spend money on cost centers unless the regulators force it. The trick is finding the right amount of regulation.
I think the regulators have the power to drive the right kind of security solutions, and sometimes they're not driving the right ones because they don't know enough. They're looking backwards, in a sense. The FFIEC's another perfect example, they really haven't kept up. That was done in 2006 and they haven't gone back and kept it up to date.
BTN: How would you characterize the state of online banking security these days?
Orad: Our clients' working assumption is that the computer is compromised, which is a big change from a few years ago when you trusted the computer. So instead of trying to protect the computer, you go to the back end and say, 'Okay, assuming it's compromised, what do I do?' You have to do more AML and fraud pattern analysis.
Litan: The really big banks that you deal with do that, but these smaller banks that I talk to just don't do that. I just talked to one yesterday; they have a crude fraud detection system in and it's not catching the wire fraud. I said, 'What are you going to do?' They're going to introduce biometric identification. ... That will be beaten too, because anything that goes through the browser can be beaten. But [small banks] don't all know that.
Orad: We have [as customers] a few processors, service providers that service the mid-tier and small banks; that's the only way to give [smaller institutions] good technology in a cost effective way. They can't afford the time, or the energy or the money. The only way for them to get the security is if their provider is offering some central protection.
Litan: And [the service providers] haven't all implemented it, and all the fraud is moving to the mid-sized banks and the credit unions. The core banking vendors are really behind on what they're offering. You'd be surprised. ... So, for example, Fidelity has an agreement with Actimize, but that's just an agreement, it's not in place. All Fidelity has is new account deposit account detection, they're not looking at patterns across the institution. Metavante's got Actimize in certain places, but not in all places. A lot of it is just looking at the Web channel, not looking at other channels. Certain pockets of Jack Henry aren't served. So there are a lot of pockets that aren't served.
BTN: FinCEN also heard complaints from banks that they feel peer pressure when it comes to procedures and technology, even though they're meeting regulatory standards. Do you hear that?
Orad: From what I know, the regulators are saying, 'Are you doing enough?' That's the approach. And doing "enough" is defined by what is possible and available. So if you have this science fiction technology that no one is using, it's not fair to expect anyone to use it. If there is something that everyone is using and you are not, it's really difficult to answer, 'Is this enough?' The answer is to define enough, because enough is loosely defined.
Litan: I don't see that much peer pressure. It's budget issues. There's jealousy, a lot of banks want to do what these other banks are doing but just don't have the budget. The desire to be aggressive and competitive on the fraud side.
Orad: I think recently the enforcement has been more aggressive. You look at the recent cases, there have been some huge fines out there, especially with terrorist financing, [up to] hundreds of millions of dollars. That's a big message to the market. I think it's way more effective than explicit, specific regulations.
Litan: That's a good point. It's kind of like the breach disclosure laws, [which] don't give you any mandate of what to do and how to do it, just if you have a breach you have to disclose it. And that would make a lot of sense.