The Evolution of FraudHow Institutions Can Keep Pace with the Schemes
When Joseph Bognanno of Wolters Kluwer Financial Services examines 2012's financial fraud trends, all he sees is more - more of everything, from schemes to new guidance. How can banks stay ahead?
See Also: Role of Deception in the 'New Normal'
"What concerns me the most is what I think concerns everybody in the public and private sectors," says Bognanno, who works in Wolters Kluwer's Financial Crime Control unit. "It's the trend of what I call 'more of everything' - more regulation, more fraud, more technology, there's more cost."
And yet as banking institutions continue to recover from the economic crisis of 2008, they still are playing catch-up on anti-fraud investments that were deferred.
"So, it's more of everything, but having to do more with much of the same [resources]," Bognanno says.
In an interview about the 2012 Faces of Fraud Survey, Bognanno discusses:
- The most concerning fraud threats;
- The regulatory evolution;
- How strategies and solutions must change.
Bognanno, Director of Consulting/SME, CAMS, has been working with stakeholders for over 10 years, to open and encourage direct dialogue between the financial sector, regulators and solutions providers to raise awareness of fraud and money laundering risks, facilitate a better understanding of effective practices and programs to combat such risks, and strengthen implementation of targeted financial crime controls. He worked as a U.S. Treasury Advisor for 7 years to combat financial crime through technical assistance programs, training, and technology implementations.
As a Subject Matter Expert on Financial Crime, Bognanno provides knowledge and insight on Bank Secrecy Act requirements, Fraud detection, investigation and recovery, CIP/KYC, OFAC and US PATRIOT ACT requirements, perspectives on risk, and the efficacy of different mitigation efforts, emerging trends in financial crimes and efforts to combat them, as well as related analytics and technology solutions.
Faces of Fraud: Biggest Surprises
TOM FIELD: We just conducted this 2012 Faces of Fraud Survey, and we're starting to analyze the results. As you look at them, what do you find to be the biggest surprises from the results?
JOSEPH BOGNANNO: I think my biggest "whoa" moment was when I saw almost 30 percent of financial institutions participating in the survey don't know if they will be or are sure that they won't be in conformance when regulators come calling and begin their reviews of whether or not authentication security is up to snuff. That's a big number. That doesn't mean that 70 percent will be in conformance; 30 percent means perhaps the starting point on non-conformance. Nobody bats a thousand or even a hundred in their first season, so we're likely to see many institutions, even those that think they're in conformance, finding that there are still gaps that need to be addressed.
And given what we know about fraudsters seeking out the weakest links and exploiting them, it's obviously concerning to say the least. Regulators will probably give some leniency because this is the first time around with respect to this type of guidance, but what I think we can expect to see is that, given that so many institutions are unsure or even know that they're not going to be in conformance, regulators are going to probably come down hard on some individual institutions and send a message.
It's definitely concerning and I think something that folks want to pay attention to. I give some guidance to the institutions in that they need to be proactive as they get ready for these reviews and give some thought to how they're going to discuss this with regulators, not just saying, "Hey, we didn't understand the guidance, give us another shot after you've explained it in more detail," but rather taking a look at the guidance, understanding as much as they can about it and coming up with their own approach to how they're going to try and be proactive.
Concerning Fraud Trends
FIELD: You make some good points about the guidance, and I want to bring you back to that in a minute. But I want to ask you first, when you look at the forms of fraud that institutions are facing, what are the fraud trends that really concern you the most?
BOGNANNO: What concerns me the most is what I think concerns everyone in the public and private sectors, and that's a trend of what I call "more of everything." There's more regulation; there's more fraud; there's more technology; there's more cost. Consider this: The private sector is still reeling from the financial crisis of 2008, and in the wake of that budgets were cut, staffing requisitions were often eliminated and everyone had to do with less. Now they're being asked to do more but with less because although the survey indicated that most institutions expect to have budget increases, they still haven't caught up to the lag from recent years. Technology is part of the solution, but that costs money to implement and the staff hasn't come around yet.
As technology uncovers more red flags, alerts, etc., the staff, managers and everyone up the chain start to really become overwhelmed. It's more of everything and having to do more with much of the same, and I think that's what's overwhelming and becoming a real challenge for the private sector to overcome. And I think the trend is just going to be more in that direction with more regulation coming out, more demands on private sector, not only from regulators but also from the private sector, because of the risks that everyone is more aware of in this day and age.
We're so much more connected in terms of the information that we manage, in terms of the insight, the options that we have among institutions and the services that they provide. The expectations that we the public have is something that's also part of this mix and so institutions need to be weighing all of those factors as they look at how they're going to approach these different threats. And frankly, authentication security is just one factor among many.
FFIEC Guidance: A Lack of Understanding
FIELD: Let's come back to the FFIEC authentication guidance for a minute because, as you realize, that's the biggest piece of regulation that came down for U.S. institutions in 2011, couldn't have been any more publicized by the regulators and yet we find that the respondents say they really, overall, don't understand the guidance and the expectations. To what do you attribute that low understanding of the expectations?
BOGNANNO: It may not be that surprising to anyone who's read the FFIEC guidance that financial institutions are rather confused about what exactly the regulators are looking for when it comes to authentication security. Certainly all financial institutions are not exactly the same. They have different business models, different products, different customer bases and so on and so on. So to expect that one piece of guidance would be sufficient to communicate to all financial institutions what should be done begins to sound to be a bit much. And in fact, if you go to the regulators, they'll tell you the same. They didn't plan the guidance to cover everything and for everyone. That's why they call it guidance. And we also see that regulators are moving toward principle-based guidance, and this may be one preview of that trend.
Another reason for the low conformance and the misunderstanding is that this is a new world, so to speak, as I mentioned before. There are new threats and new social interactions creating new risks. There are so many new frontiers that it's difficult to keep up with everything. The regulators aren't subject matter experts anymore. Their guidance and regulations usually come from input from elsewhere: the private sector, other regulators, lawmakers, other cultures, other countries. And then they go out and they enforce these regulations by measuring compliance.
Again, it's not surprising that there's turbulence and some degree of non-conformance. It's inevitable at this stage. Regulators will be coming around, doing their evaluations and measuring that compliance with the guidance and with regulations, and probably coming out with more information about what they expect. But it's likely to be principles-based vs. a checklist.
FIELD: I want to come back to this topic of principle-based regulation. I'm fascinated by that. But I want to stay on the guidance here for a minute. What the survey told us was that institutions by and large aren't in conformance with the guidance, many - too many - don't understand the expectations, and yet when you look at where they're investing their anti-fraud resources, they do seem to be planning smart investments that are in conformance with the guidance. Do you agree or disagree with that?
BOGNANNO: I do think some smart investments are being made, although on the surface, the big surprise to many is the current extent to the non-conformance with the FFIEC guidance. However, having said that, and not to diminish the importance of that realization in any way, it's also really interesting to consider what the survey indicates about what they're doing, as much as they may say about what they're not doing.
I wrote a piece in conjunction with the results of the survey and I did my best to point out that financial institutions don't usually just sit idle. Financial institutions are traditionally very good at performing risk analysis and then focusing their resources in the red zone where the likelihood and impact combined indicate the greatest risks. However, given the sheer number of risks, managers and executives are overwhelmed, as I've mentioned. Traditionally, threats like credit and debit fraud, check fraud and ACH wire fraud still represent significant financial risks. Data breaches and account takeover fraud empowered by the growing prevalence of socially engineered schemes highlight the reputational risk that financial institutions face.
So while conformance is low with respect to a specific area of fraud prevention and security measures, it seems clear that the financial sector is directing money at a range of threats that are growing in number and volume. Financial institutions see no other option at this point, very likely, than to make their best effort at a multi-layered approach to managing that risk, in spite of the confusion that they may have about authentication guidance. The survey indicates intentions to use funds primarily for fraud monitoring, but also for a variety of other technical and non-technical measures.
It's clear at this point that they're making some smart investments. They're not going to sit idle; they're going to move forward with their efforts to prevent fraud because it's in their own interest and they tend to be the best experts at the threats they face individually and are based on their unique profiles and business models.
FIELD: Let's come back to this concept you introduced called principle-based regulation. You say you think that's where the agencies are headed. Can you explain that concept a bit please, and what you expect to see?
BOGNANNO: What we're seeing - and this is not only a U.S. trend but an international regulatory trend - is that regulators are moving away from very specific checklist-type regulations and guidance to something that's more principle-based. The expectation that financial institutions will take it upon themselves to manage their risk and address those risks through specific controls - and this is based on their business model - it's a more effective risk-based approach to anti-fraud and to protect financial institutions' core business.
Guidance that's too specific or the expectation of detailed guidance may create distractions from addressing critical risk faced by a given institution, and it can be argued that regulations and guidance that are too checklist-oriented cannot keep up the pace with the rate of change of today's fraud schemes and scenarios.
Again, this puts the onus on the private sector to convince regulators of their effectiveness in addressing financial crime risks at their respective institutions. It also places responsibility on regulators to develop greater expertise and understanding of the risk profile specific to the individual institutions. The end result could be a much more collaborative, public-private financial crime prevention strategy where both sides meet in the middle to push forward better anti-fraud and financial crime control policies.
Strategies and Solutions
FIELD: Given all that you've reviewed certainly in the survey results and what the institutions have said to us, how do you see the fraud fight evolving? What are the strategies and solutions that most encourage you?
BOGNANNO: I mentioned that the trends were all up: more fraud, more regulation, greater expectations on both private and public sectors, greater expectations on customers to be part of the solution. ACH transactions in 2011 were up 20 billion transactions - $34 trillion worth of transactions - a lot of that attributed to the expansion of native electronic payments, increases in online payments by consumers, escalating the use of ACH networks for vendor payments and business-to-business transactions. Venture capital for e-commerce is up at about $400 million. That's up 4.35 percent.
What I expect to see is that institutions will continue this multi-layered approach because they really have to. Their threats are increasing and there are so many more ways that they become vulnerable in today's world. And so the strategies that will be deployed will be broad and will be fairly specific in some cases because of the nature of core business that an individual institution carries out. And I think those are the kinds of things that regulators will be looking for.
In closing, I think it's important to focus the emphasis on process and procedures and the trends with regulatory principle-based guidance and regulation, really focusing on the risk to consumers vs. the risk to the institution or the market. Regulators are asking the private sector to become more proactive. They're asking even the public to become more proactive. There are new imperatives for how compliance's going to be administered within the institution. There are expectations that institutions will find the problems, that they'll control and prevent problems and manage risk in an integrated way on an integrated basis, looking at things like enterprise risk management in conjunction with the specific controls that they have for anti-money laundering, financial crime, specific frauds like internal fraud, ACH wire fraud, debit card fraud and pre-payments card fraud. I think that the strategies will have to align with that and will have to more and more bring both the private sector and the public sector together at the table to discuss how they're going to approach these threats because really if it becomes adversarial, there's really no way we can compete against the fraudsters if we aren't cooperating.