Banks are spending lots of money fighting fraud, but security experts say they could do better when it comes to mitigating fraud and detecting money laundering.
"There's a lot being spent by bankers to keep these risks at bay," says Michael Versace, a research director at IDC Financial Insights. Versace says global spending on bank risk will be about $70 billion this year, with security spending reaching about $28 billion. He says that's growing at about 15 percent per year, so the anti-crime tech market looks bullish.
This level of investment suggests there's plenty of awareness of crime such as fraud and money laundering. But experts say what needs to change to meet the new threats is the strategic approach. Banks will need to organize the way they fight fraud and other crime around the entire company, breaking down departmental silos and bringing together isolated fraud fighting efforts such as anti-money laundering, insider fraud and payments fraud.
"On the organizational level, banks will have to look at their crime prevention capabilities across areas to draw together their risk and compliance functions toward the common goal of fighting financial crime," Versace says.
Versace and Bob Beckett, senior director of worldwide data and insight for Dun & Bradstreet (D&B), spoke with BTN this week about emerging fraud and crime threats, and offered some tips as to how banks can change their approach to improve effectiveness of prevention.
D&B recently published a set of tips to help combat fraud, most of which (somewhat self-servingly) rely on better data analysis and improved aggregation and sharing of information across departments. D&B says three of the keys to fighting fraud are acting quickly to spot potential fraud at the point of sale, verify fraud on the spot via reliable business data, and continuously track fraud to improve prevention.
The good news when it comes to data is most banks are already improving data management for other purposes. That includes new analytics tied to structured, internal transactional data; and unstructured external sources such as social media.
The data centralization projects that are underway at banks across the globe to centralize disparate sources of internal and external data are being used mostly for credit risk and marketing. This integration, which creates more breadth and depth of user and transaction information, can make the behavioral and probabilistic modeling used by new anti-money laundering tech to locate potential threats more powerful, because more relationships are taken into account.
Beckett says bank data is still distributed across departments at many institutions, and the centralizing of data that's helping marketing can also help ensure the legitimacy of consumers, internal users and third parties, as well as track transactions and communication to spot trouble.
"What we find with customers [bank clients of D&B] is they have disparate databases across the organization, in the sales, retail, investment or leasing channels. Often what we see is [the bank] has acquired or been acquired and there are different back end systems with different data sets."
Beckett says there are subtle differences in the way customers engage different channels and departments at a financial institution — forms may be slightly different, or procedures to register or vet potential customers may vary. These discrepancies can contribute to the siloing that makes aggregating data difficult. Versace says the manner in which different departments and different types of crime are investigated and reported can be standardized, along with corrective actions. "Banks can look at a common workflow to support incidents that are flagged for follow-up investigations, as well as look at common factors [to spot fraud] across the enterprise," Versace says.
Versace says new software is emerging that can integrate CRM and transaction systems to produce a picture of a customer's financial relationships, transaction history, and demographic information, and match it with real-time transacting tracking. "You can build your own social network to understand who your customers are doing business with. That can help determine whether the person is doing business with an entity that may be involved in criminal activity," he says.
One of D&B's other tips suggests banks get more cooperative, particularly with other banks, tech firms and government agencies. This approach has been floated in the past, to mixed reviews among participants who remain concerned about proprietary solutions, but D&B says a closed loop sharing network can be an effective way to share threats and preventative techniques to combat fraud and other financial crime.
The use of Social Security numbers as a primary consumer identifier is waning, but there are still plenty of old-world security techniques in play to vet business partners or third-party relationships of corporate clients, such as verifying mailing addresses. Beckett says in the U.S. alone, there are now more than 300,000 virtual offices where call forwarding and other telecommuting technology enable staff to work in a location different from a firm's formal address. While most of these virtual offices are legitimate, it's also an easy play for money laundering operations or card theft rings, so the presence of a mailing address isn't nearly enough to vet a third party, nor does a 212 number mean that a person is tied to a real company in New York. Beckett says techniques such as device fingerprinting can be effective in determining the source or destination of a communication or transaction. "You can find that the language in Windows [connected to a download] was in [Windows'] Russian form, yet the person was supposed to be Bob Smith in Danvers, Massachusetts."