Copyright held by The John Cooke Fraud Report. Reprint rights are granted with attribution to The John Cooke Fraud Report with a link to this website.
By Robert K. Cofod
Financial fraud is an increasing problem in an industry that continues to evolve and change at a dramatic pace. According to the American Bankers Association’s Check Fraud Survey of 1994, national check fraud losses that year were at least $10 billion. Estimates for 1995 losses are in the range of $12 billion, representing a 20 percent increase. Consider also that these figures are likely to be somewhat conservative since fraud isn’t a subject most banks want to discuss in public. With new opportunities for fraud criminals being created almost daily, nearly every projection for the future concludes that the problem is only going to get worse and that banking institutions will continue to hand over more and more of their money every day to fraud criminals. Given this, it’s time to take a hard, honest look at our traditional methods for protecting financial institutions from the threat of fraud. And what better place to discuss change and new directions than in the premiere issue of the John Cooke Financial Fraud Report.
The Case Against Recovery
Traditionally, banking institutions have used a combination of detection systems and recovery methods to fight fraud. This approach discovers the occurrence of some fraud attacks then focuses on how best to recover the lost money. The recovery process is typically handled by the bank’s security personnel, whose backgrounds are generally rooted in law enforcement, and their experience with rules of evidence and case development are applied to the problem of determining liability, interacting with appropriate law enforcement agencies, and seeking collection or prosecution. Statistics, however, reveal that our judicial process provides limited support either as a means of getting the money back or as a way of deterring fraud criminals. For example, if you compound the fact that the justice system prosecutes less than 10 percent of all financial crimes valued under $100,000 with the fact that less than 5 percent of court-ordered restitution is ever collected and the fact that fewer than 2 percent of the people arrested for financial crimes go to jail, it’s easy to understand why bank fraud is considered a pretty low-risk, lucrative profession by many criminals.
Compounding the problem is the fact that banks, faced with increasing competition, are aggressively seeking every possible means to increase profits, including accepting business from higher risk customers. Where increased sales are not sufficient, costs must be cut. Since recovery costs are often estimated to be as much as three or four times the face value of the fraud itself, many banks view the fraud investigative function as a pure “cost” center and have already reduced these staffs to a point where investigators are faced with increasing workloads and less support from management to make changes. With fewer resources available, both in terms of numbers of employees and the ability to acquire tools to help fight fraud more efficiently, it’s no wonder that many banks are so easily victimized by fraud.
Because of the delays in many mainframe processing methods used and the limited availability of comprehensive fraud analysis tools that would allow investigators to see fraud as it was happening, this after-the-fact recovery approach was inevitable. While the evolution of the recovery perspective is natural and has been our only resort, we are quickly learning that recovery is not only losing its cost-effectiveness, it is no longer the only alternative to fighting fraud.
Change is an inevitable fact of life and, given all of the above, it’s obvious that the time has come for a departure from the traditional fraud protection methods. We’ve been hearing the call for “proactive” and “preventive” methods for a few years now, but what exactly is involved in crossing the bridge from where we are to where we need to be?
The Case For Prevention
According to the American Heritage Dictionary, the word prevent “strongly implies decisive counter-action to stop something from happening.” With bank fraud, we need to ask what we want to stop from happening, the loss or the actual fraud event. If we decide that “prevent” means loss prevention (i.e., preventing the financial loss), then the recovery process could be considered prevention since, for example, shifting the loss to another bank does prevent the loss to our bank. On the other hand, if we focus on preventing the fraud event from happening in the first place, we not only reduce the number of successful fraud attacks and stop the money from leaving the bank, we achieve a number of new benefits as well. For example, we obviate the need for many of the costs associated with recovery. More importantly, we begin to understand how fraud really works and can then more accurately define its expected impacts on a particular bank product or product feature. From this knowledge, we can then reduce their vulnerability from the start. This leads to the fraud prevention function becoming more closely connected with the profit generation of the bank and less of a pure “cost” activity.
Can such a change take place? In the past, the data analysis needed to perform true fraud prevention has been held back by the high cost and lack of availability of the necessary technology. Such technology, however, is now available and affordable. While some fraud analysis still must use a mainframe for processing, the tremendous increases in computing power and declining costs of PCs now provide a wide range of analysis options. Graphic interfaces and data displays greatly reduce the learning curve and improve an analyst’s ability to see fraud patterns in data. Improved speed and higher storage capacities let us use these systems to perform complex but automated analysis of reasonably large volumes of data. Perhaps even more significant is the fact that new software tools and advanced object-oriented languages allow the rapid development and easy modification and maintenance of analysis systems. With the adoption of advanced data analysis methods, many of them derived from the intelligence community, we can perform automated surveillance of transaction data in ways never before possible. From this, we can learn how to predict fraud and detect an attack in time to take the necessary decisive counter-actions.
There really isn’t much of a contest. We must improve our fraud prevention abilities and focus the results on the bank’s bottom line. Competition among banks will not decline, and the number of individuals with the need, greed, ability, and opportunity to commit fraud will likely increase. The vulnerability of electronic banking products also opens up even more opportunities. Change is needed and it will take time, but it is possible and we must begin now. So, what’s involved in such a change?
Transitioning from Prevention to Recovery
The first thing we need to do is begin to think of fraud as a process with a purpose and definite characteristics as opposed to merely a case. The purpose of fraud is to attack the vulnerabilities of a bank’s system. These vulnerabilities are found in the policies, procedures, products, and processes that shape the nature of the bank’s operation. Fraud criminals are very good at figuring out how to manipulate the system, and we must become as good as they are at finding our own vulnerabilities. To do this, we need to learn the characteristics of fraud and how they shape its processes. For example, most fraud is time-dependent and operates within a limited time cycle. The fraud approach is usually cost-constrained, meaning that the criminal does not invest a lot of money in operating his scam. Fraud also tends to be geographically focused and attacks differently at different locations and different times. There are many other such characteristics that are useful when modeling the fraud process and determining the patterns we should be looking for. By viewing fraud as a case, or collection of cases, we only see what the criminal shows us, not what is really there to see.
To aid the transition process, we also need to understand the functional differences between a prevention and a recovery approach. For instance:
-
A prevention viewpoint generally looks forward to a fraud event that has not yet happened and, therefore, needs to be predictive. A recovery viewpoint generally looks back at an event that has already happened and needs to be descriptive.
-
Prevention is proactive while recovery is reactive.
-
Prevention is highly time-sensitive since the goal is to detect a pending attack and initiate counter-actions before the money leaves the bank. The recovery approach is much less time sensitive because the event has already happened. In some instances, investigations and subsequent court actions can take years.
-
Prevention requires that bank transactions be continually monitored for the telltale indications and patterns associated with the various types of fraud and that only the significant results of this process be provided to the analysts to keep them from being overloaded with useless data. The recovery approach requires that investigators review only the information related to the specific case at hand.
-
Prevention involves understanding fraud as a process and its characteristics from the viewpoint of the bank’s vulnerabilities. The recovery process often requires less analysis skills and more command of such knowledge as regulations, compliance, liabilities, and rules of evidence.
-
A prevention program needs to rely on automation for its ability to “see” the enemy. Consequently, we are more dependent on computers to help analysts retrieve, manipulate, and analyze the data. The recovery process, while it may involve reviewing data extracts to produce evidence of fraud behavior, typically requires less dependence on automation for the actual analysis than does prevention.
The Prevention Vision
It seems clear that we cannot continue business as usual. The fraud threat is increasing and it’s time to begin the future. The benefits of before-the-event prevention are substantial, and the initial examples of fraud prevention analysis systems are currently available. The industry, however, is still poorly equipped to accept and capitalize on their potentials. Ultimately, the concept of an integrated Fraud Prevention Unit that employs advanced analytical methods and systems needs to be promoted, first by obtaining proactive support from management. Next, we need to learn more about the potentials of these systems across the spectrum of the various types of financial institutions. The Fraud Prevention Units need to be supported with systems and a staff of trained analysts, and the systems support for these units must be integrated so that a common view of the fraud threat can be exposed while optimizing analyst productivity. Finally, and most importantly, a system for measuring and analyzing the results of the fraud prevention effort must be developed and used to provide feedback to the analysis process and the appropriate product and functional area managers within the bank. Over time, the Fraud Prevention Unit should become a vital source of information for minimizing the potential cost of fraud and aiding in improving the design of products, organizations, and systems.
Successful fraud is, above all, lost profit, not an obligatory write-off. An effective prevention program can preserve and restore profit at the bottom line. Knowledge gained from the process can also have a significant impact on operations and customer relations. Finally, fraud is a social illness that cannot be ignored. By pursuing a concept focused on true prevention, we can produce a win-win-win result: we can increase profit, improve competitiveness and efficiency, and perform a valuable service to society.
Over 2,500 years ago in his Art of War, Sun-tzu wrote: “In general, whoever occupies the battleground first and awaits the enemy will be at ease; whoever occupies the battleground afterward and must race to the conflict will be fatigued. Thus one who excels at warfare compels men and is not compelled by other men.”
So, we can become worthy adversaries by predicting the fraud threat behavior and doing something about it, or we can stay the same and remain victims.
Bob Cofod, president of FRAUDetect and its subsidiaries BANKDetect and MEDetect, spent 25 years developing and operating military and national intelligence systems. He can be reached at 703 359-0996.
© Copyright 1996 Alikim Media