Fraud Detection Leads to Better Risk Assessment

Fraud-detection systems, also known as pattern-detection or transaction-anomaly systems, are back-end, non-customer-facing systems that monitor the online activities and behaviors of users. Simply put, if multifactor authentication acts as the "locks on the door," then fraud-detection systems are the "motion sensors" that monitor the activity of online users (legitimate or otherwise) roaming inside the house.

The benefits of fraud detection are well documented. A June 2005 report by Avivah Litan of Gartner, Inc., clearly states the bottom-line benefit: "Background authentication and fraud-detection services are a practical way to validate customers and their behavior without imposing costly tokens or interfaces on them. They augment 'traditional' stronger authentication methods because they can constantly monitor behavior and transactions beyond initial logins and application access."

Perhaps the biggest boon to the fraud-detection market has been growing regulatory pressure to protect consumers, specifically the push for Federal Financial Institutions Examination Council (FFIEC) compliance. In October 2005, in response to growing concern over the rise of phishing and other forms of online fraud, the FFIEC indelibly cast its mark on the online banking world with its requirement that banks install two-factor authentication in their Internet banking modules. The deadline: December 31.

Sorting through the FFIEC-compliant vendor offerings to determine what's best from a compliance, security, and customer service perspective can be a daunting task, especially with a December deadline looming.

Tying risk assessments to a compliance checkmark puts the spotlight on defining and qualifying the nature of risk for online financial services. Since there is no stock template for assessing risk in the online channel, the burden of defining best practices falls entirely on the shoulders of financial institutions.

This is where fraud-detection systems can add considerable strategic value. By leveraging the transactional and behavioral information fraud-detection systems collect, banks have the means to better qualify and quantify risk specific to the institution. Armed with a clear understanding of what is and isn't "normal" online behavior, IT and business leaders can more effectively work together to define clear parameters and metrics for compliance, while remaining flexible enough to chart and respond to the changing nature of how online fraud is executed. The net-net: Fraud-detection systems can be extremely useful to establish best practices for risk assessment.

The key to leveraging fraud systems as a risk-management tool is choosing one that enables the implementation of immediate protections, the gathering and correlation of relevant data on online behavior patterns and the presentation of that data so it can be leveraged in a business context. Here are some areas to focus on to ensure that happens:

* Track empirical data: Unlike other channels, the bulk of Web-based fraud is not necessarily caused by stolen or hijacked transactions that result in an immediate dollar loss, but is often perpetrated by collecting customer data to commit fraud across another channel. The ability to collect a granular history of user behavior and transaction patterns provides the ability to trace a fraud path from end to end.

* Seek useful reporting: Fraud-detection systems collect vast amounts of data. How that data is contextualized, prioritized and presented matters. Solutions that come equipped with strong forensic capabilities and modeling tools that can simulate "what if" scenarios can help to create the right mitigation strategy and map out necessary resources.

* Think long term: In order to gracefully incorporate multifactor technologies, consider deploying a solution that includes behavioral fingerprinting and risk-based transaction monitoring. Such a product will immediately provide login authentication and transaction integrity and allow the selection and implementation of appropriate multifactor technologies. Also, remember that the goal is to implement an overall fraud-prevention strategy: Keep enterprise strategies in mind.

Investing in the ability to gain a clear understanding of exactly what is occurring online is already money well spent. Understanding how to leverage that information from a business perspective to better quantify and qualify risk introduces a whole new level of ROI that can prevent FFIEC investments from becoming yet another compliance-driven, long-term budget sinkhole.

Bob Ciccone is CEO of Cydelity, Inc. (c) 2006 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
