The Inside Threat

  Identity theft is on the rise and poses a serious threat to financial institutions and their customers. A recent Gartner research note indicates that "During the past year, 3.4% of U.S. consumers (7 million adults) were victimized by identity theft." Identity theft can be a horrendous experience for a consumer, the tangled mess of which sometimes takes years to unravel. Financial institutions, telecommunications and insurance companies also lose billions of dollars a year to identity theft.
  The problem of identity theft has roots not only in secret dens of organized criminals and nocturnal hackers, but also within the corporate walls of the financial institutions whose customers' identities and accounts are
  being stolen. Where consumer financial information is believed to be most trusted, in the sacred systems of the lenders, it is actually most vulnerable. The challenge of identity theft when linked to internal fraud is that the
  modus operandi is less obvious and the cases are much more difficult to detect and solve.
  Internal fraud has an increasing role in identity-theft cases. Lenders capture a wealth of useful information about their customers, as much as will allow them to sufficiently understand their customers' borrowing behaviors. Customer data are necessary for a lender to be effective throughout the life cycle of their customers' accounts. From deciding how much credit to grant an applicant, to servicing customers' accounts, to tracking down and reporting delinquent borrowers, the more data the better. For financial institutions, their most valuable resource is also their most vulnerable: customer data.
  Unfortunately for lenders, much of this data must be readily available for a majority of their employees. For example, to service customers' accounts, service representatives must have access to key customer-verification data such as Social Security number, mother's maiden name, date of birth, address, and phone numbers. Depending on how they service the customer, they may even
  have access to customers' financial histories, such as information about other open revolving credit accounts, installment loans, mortgages, auto loans, checking and savings accounts. For an employee who intends to perpetrate
  internal fraud, or to the organized criminal with ties to the issuers' employees, this is a wealth of information.
  According to a KPMG fraud survey entitled "The Unmanaged Risk," 60% of Fortune 500 companies believe that internal fraud is a growing problem and expect it to get worse. The survey also suggests that more than 80% of the companies believe that significant internal fraud could occur within
  their organization in the future. However, less than half of the companies have plans to do anything about internal fraud in the next three years.
  From a fraud-detection standpoint, internal fraud poses the greatest challenge to credit card issuers. Advanced analytics and neural networks effectively "pick out of the line-up" fraudulent transactions resulting from lost, stolen and counterfeit fraud, because the instance of fraud is
  usually contained to a single account, and the fraudulent transactions don't usually fit the customers' typical spending behavior. Neural networks can be designed to detect fraud on accounts, transactions, and by employees. Anomalies
  in the behavior of each of these entities can and do provide indications of fraud.
  In the case of internal fraud, neural networks are less effective at detecting instances of fraud that stretch across multiple accounts. Therefore fraud managers must find a way to look across multiple accounts and add business rules and other forms of predictive analytics to detect identity fraud. This represents a major shift in the way fraud managers view and detect fraud, from the perspectives of strategy, systems and processes.
  Internal fraud cases also have a less obvious point of compromise. Credit card issuers seeking out points of compromise in fraud events are accustomed to finding it in transaction data and events external to the issuer. An example of an external event that might represent a point of compromise is a high-risk card mailing. Because fraud managers typically focus their efforts on detection of
  external fraud, they haven't honed their systems or their skills to detect internal fraud. It is believed that about 40% of internal fraud cases go undetected, according to KPMG. Those numbers are not expected to improve without the development of internal fraud-prevention programs, including
  monitoring systems and detection tools that currently aren't prevalent at most card issuers.
  Those tools will have to rely on different types of data to be merged from multiple sources. Data relevant to internal fraud detection will include keystroke records, telephone records, account monetary activity and account
  non-monetary activity. For example, telephone data would come from one type of data from one source and the monetary transaction data would be from another type of data source (diagram).
  There are a variety of steps issuers can take to eliminate internal fraud. A well-executed, multi-faceted internal fraud-prevention and -detection program can help issuers reduce internal fraud, and consequently help mitigate identity-theft cases linked to internal fraud. A strong program has three major components: prevention, detection and investigation.
  Internal fraud-prevention programs start at the hiring process and extend out onto the operations floor. To help prevent internal fraud, employers should conduct background checks, credit checks, and validate references for all candidates they intend to hire. Crooks sometimes infiltrate an organization by joining as a temporary employee. Traditionally, issuers require much less credit and background checking for temporary employees than they do for regular employees; the wrong assumption is that the temp agency has already done adequate background checking for them.
  'In The Face'
  Employers should watch for candidates who have had several jobs in a short period of time. Candidates who specifically ask for evening or weekend shifts, or other times when supervision is minimal, could also be considered high-risk.
  Managers also must discourage and prevent employees already on board from committing internal fraud. Organizations should develop, distribute and embrace an enterprise-wide internal fraud-awareness program. The best awareness programs are "in the face" of employees and offer rewards to those who are willing to report ethical incidents. Such incidents might involve a representative who
  accesses or writes down account information or makes personal calls from work. These programs make employees aware that the organization is monitoring activity and that the organization is serious about detecting internal fraud
  and protecting their customers' information from being misused.
  Unlike the prevention measures, internal fraud-detection and -investigation programs rely more heavily on systems and data. The most effective internal fraud-detection program is one that uses data readily available from multiple sources. The same data are used to link additional cases to the fraud event, and can be used for investigation and evidence. Data should come from four main sources: keystroke logging, authorization monitoring, facility access records, and telephone records. It is critical that these be used in conjunction with each other.
  The volume of data from these sources can become overwhelming quite fast. Predictive analytics provide the ability to reduce the volume of data to only the most relevant and suspicious. A suspicious event recorded by an individual data source does not by itself aid in the detection of fraud; however, suspicious events recorded by multiple data sources suggest something may be wrong.
  Keystrokes
  Suspicious keystroke monitoring might include the logging of the following suspicious events by service representatives for accounts that turn fraudulent: alpha searches through customer data, address changes, name changes, Social Security number changes, credit line changes, card requests, PIN requests, and excess access (an analyst repeatedly accessing an account, presumably to check to see if it has been closed or if it is under investigation for fraud).
  Alpha searches (looking up accounts by name) are popular with employees who plan to sell customer information to someone on the outside. Changes to account information, particularly card and PIN requests, are more common for the employee whose plan it is to directly perpetrate account fraud.
  Authorization monitoring should focus on transactions that could be easily facilitated by an employee. The normally observed fraud transactions involving mail orders, electronics, jewelry, and other valuable retail goods should
  be sought out, but combined with the geographic location of each of the issuer's locations. For example, a fraudulent jewelry store transaction from Richmond, Va., on a customer's account from Dallas, Texas, may not be considered
  a risk of internal fraud. However, it may be risky to an issuer that has a major call center in Richmond.
  Inbound call monitoring should focus on inbound calls made to the call center or to the voice response unit (VRU). More specifically, issuers should log calls made from the areas local to call centers. Internal fraud often results in ID theft by friends or families of the person committing the
  internal fraud, so the ID fraud is likely to take place in the area of the call center. Crooks often repeatedly utilize a bank's VRU to monitor whether the account has been closed, and to check the amount of money available to spend.
  Call monitoring also should focus on calls placed regarding accounts that result in fraud.
  It may be difficult for an issuer to match up calls to accounts. Some issuers have gone as far as to record the caller ID number in the memo section of each customer's account. This is less likely to be an issue for calls placed
  to a VRU, as most VRUs have the capability to log an inbound call and the specific account that was accessed by that caller.
  Facility access information, however, is simpler to collect and archive but is just as useful for identifying behavior risky to internal fraud. Entrance and exit dates and times should be recorded for employees. This data can be used to single out employees who frequent the workplace at times when they are not expected to be there. It is not uncommon for employees to come in to the office after hours, but it can be risky behavior when combined with other high-risk indicators. For example, if an employee has suspicious building-access behavior, it might not be that big of a deal. But a person who has suspicious account-access behavior and suspicious building-access behavior is a considerable risk.
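  The following is an added example, not code from the article or from Fair Isaac, showing how the four sources described above can be correlated: account-level signals (authorizations, VRU calls) are attributed to employees through the keystroke log, which is the only source keyed by both employee and account, and an employee is surfaced only when two or more independent sources flag them. All log records, region names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the article). One call center is assumed to be in Richmond, VA.
CALL_CENTER_REGIONS = {"Richmond, VA"}
HIGH_RISK_ACTIONS = {"ALPHA_SEARCH", "NAME_CHANGE", "ADDRESS_CHANGE", "SSN_CHANGE",
                     "CREDIT_LINE_CHANGE", "CARD_REQUEST", "PIN_REQUEST"}

# Keystroke log: (employee, account, action, ISO timestamp); keyed by employee AND account
KEYSTROKES = [
    ("E100", "4111-01", "PIN_REQUEST", "2004-03-02T23:10"),
    ("E100", "4111-01", "ADDRESS_CHANGE", "2004-03-02T23:12"),
    ("E100", "4111-02", "ALPHA_SEARCH", "2004-03-03T22:50"),
    ("E200", "4111-03", "BALANCE_INQUIRY", "2004-03-03T10:00"),
]
# Authorizations: (account, merchant_region, cardholder_region); keyed by account only
AUTHS = [("4111-01", "Richmond, VA", "Dallas, TX"), ("4111-03", "Dallas, TX", "Dallas, TX")]
# VRU call log: (account, caller_region); a VRU can tie the call to the account it accessed
VRU_CALLS = [("4111-01", "Richmond, VA"), ("4111-01", "Richmond, VA"), ("4111-03", "Dallas, TX")]
# Badge log: (employee, entry ISO timestamp); keyed by employee only, no account link
BADGE = [("E100", "2004-03-02T22:45"), ("E200", "2004-03-03T06:30")]

def correlate(keystrokes=KEYSTROKES, auths=AUTHS, vru_calls=VRU_CALLS, badge=BADGE, min_sources=2):
    """Return {employee: sorted source names} for employees flagged by at least min_sources sources."""
    flags = defaultdict(set)
    touched_by = defaultdict(set)  # account -> employees who worked it; the join key for account-level data
    for emp, acct, action, _ in keystrokes:
        touched_by[acct].add(emp)
        if action in HIGH_RISK_ACTIONS:
            flags[emp].add("keystroke")
    # Authorization monitoring: out-of-region spend that lands in a call-center region
    for acct, merchant_region, holder_region in auths:
        if merchant_region in CALL_CENTER_REGIONS and merchant_region != holder_region:
            for emp in touched_by[acct]:
                flags[emp].add("authorization")
    # Inbound call monitoring: repeated VRU access to one account from a call-center region
    vru_hits = defaultdict(int)
    for acct, region in vru_calls:
        if region in CALL_CENTER_REGIONS:
            vru_hits[acct] += 1
    for acct, n in vru_hits.items():
        if n >= 2:
            for emp in touched_by[acct]:
                flags[emp].add("telephone")
    # Facility access: after-hours entry (outside 07:00-20:59, assumed) is weak alone, so it only adds to other flags
    for emp, ts in badge:
        if datetime.fromisoformat(ts).hour not in range(7, 21):
            flags[emp].add("facility")
    return {emp: sorted(srcs) for emp, srcs in flags.items() if len(srcs) >= min_sources}
```

E200's lone after-hours badge entry is dropped by the two-source threshold, while E100 is flagged by all four sources.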
  The systems development for a comprehensive internal fraud-prevention program may be a significant undertaking. Some potential challenges are that data must come from multiple sources, sources may be both internal and external systems, uncommon marriages of data must exist, some data sources may be huge and difficult to access in production, and the data must be made available to the fraud group in relevant time.
  Since many different types of data are required for internal fraud detection, data must originate from many different sources. For example, authorization data will have to come from the authorization system, telephone call information from the call routing (PBX or ACD) system, keystroke logging data from the account management system, and facility access information from badge access logging systems. The native environments for these different data sources differ, and eventually the data have to be homogenized to a single workable format.
  Difficult Marriage
  Of the many different systems from which to pull data, it is not likely that each of the systems will be owned by the issuer. Some of the systems will be external systems that may impact the ability to get to the data required, or
  get to the data in relevant time. Some issuers who primarily rely on external systems for card servicing and transaction processing have commissioned vendors to help facilitate the development of an internal fraud exception reporting
  program. For example, a transaction processor would have both transaction data and account-servicing data in one system from which to combine with additional data from the issuer.
  Additionally, the multiple data-source issue can make it difficult to marry data sets into a single workable format.
  For example, account information and transaction data are both likely to be indexed by account number. Telephone log information is likely to be indexed by an incoming caller ID number, and not by account number. Sometimes account numbers can be linked to telephone records when the incoming call is
  serviced by a VRU. Facility access logging data are not likely to be linked to account numbers or telephone numbers.
  Some of the data required to be stored may be very large in volume. This is particularly true for transaction data. Keystroke data in their entirety will also likely be very large, as issuers employ many representatives, and each
  touches a large number of accounts each day. To get around this issue, data have to be sparingly archived depending on what is absolutely necessary to facilitate the monitoring program.
  For example, not all transaction data are necessary. Only fraud transactions and transactions originating from regions where the issuers' call centers are located are required. The monitoring program is then able to isolate
  accounts that may have been compromised and used by employees in their home regions. The same applies to telephone records stored. For keystroke data, only high-risk account management activity should be logged, such as customer information changes, alpha look-ups, changes to credit line, and PIN or card requests.
  Possibly one of the most challenging data requirements is the need to have all of this data presented to the fraud group not only in a meaningful format, but in relevant time. An issuer's ability to curtail internal fraud is heavily
  dependent on its ability to react quickly to the suspicious activity of employees.
  Gap
  Almost all internal fraud-prevention programs that are in place at issuers today are in the form of exception reports. These are generally driven by parameter-based rules considering all of the different data sources to highlight
  instances of suspicious activity. Parameter-based rules and predictive analytic systems that detect suspicious behavior using multiple data sources, employee, position, and location profiles, in addition to confirmed frauds, are the
  most proactive way to detect fraudulent and collusive employee behavior. This approach ensures the highest protection against the misuse of the consumer information.
  Internal fraud represents a significant gap for most financial institutions. Lenders should strive to implement a program to keep internal fraud losses at bay. Comprehensive internal fraud-prevention programs don't have to be slick
  and sophisticated. To stop internal fraud, lenders only need to focus on a workable, meaningful solution that is reasonable to implement.
  Randall Casciello and Wesley Wilhelm are fraud-loss management experts at Fair Isaac and can be reached at randallcasciello@fairisaac.com or 804-248-0335 and wesleywilhelm@fairisaac.com or 509-448-1674.