Bank fraud is increasing day by day and at the same time getting more sophisticated. This has led to a rising demand from regulators, and growing expectation from customers, for banks to improve their fraud defences. The preventive measures currently in place are seemingly allowing fraudsters to run rampant with little to lose. A couple of specific trends – namely real-time prevention of fraud and a holistic digital personality – may offer improvements, although not without challenges.
Note: this article focuses primarily on third-party fraud, which is committed by using a person’s identity without their knowledge. This means a bank’s ability to accurately identify an individual and verify that they are who they say they are is paramount. The tools and techniques for addressing this type of fraud differ from those used in fighting first-party fraud (i.e. misrepresenting one’s identity or giving false information to achieve a better outcome) or second-party fraud (using a person’s identity with their knowledge).
Step in time
The first trend gaining traction is the move towards countering fraud in real time. Historically, banks have been able to do little more than remedy the effects of fraud after the fact. This usually entails the bank responding to a complaint from their customer and reviewing their transactional history to validate the claim. If the claim was legitimate, the missing funds would be granted back to the customer, and the bank would pick up the bill. So it is in the best interest of both the banks and their customers to find ways of stopping fraud taking place in the first place.
This should be both doable and a big step in the right direction for banks. Many technologies are now available to help detect and prevent fraud in live customer interactions. These, however, tend to be limited to a single channel, e.g. mobile, online or telephony only. In a context where most fraud arises from blended attacks, i.e. where fraudsters exploit vulnerabilities across a number of different channels to achieve their ends, this approach has obvious limitations.
It is impossible to predict what fraud attacks or preventions will look like 5 years from now. For this reason, merely implementing the latest tech, one channel at a time, can only have limited success. This leads to a game of whack-a-mole with the fraudsters who, when temporarily defeated on one channel, will simply move on to the next most vulnerable channel. Also, with implementation timescales of many months if not years, any such solution would be outdated by the time it was actually deployed.
So if constantly looking for the next shiny tech solution one channel at a time is not the most effective or efficient way of dealing with the problem, then what is the alternative?
The ‘full Orwellian’ (…aka ‘the digital personality’)
The prospect of a universal social credit score, as exemplified by some of the trials being run in China, has caused many to recoil in horror. Certainly, the idea sounds creepily Orwellian – combining the full gamut of information available about an organisation or individual (credit history, family history, criminal history, political views, shopping habits, social media behaviour, online search history, biometrics, etc) – in other words, their digital personality – and reducing it to a single ‘trustworthiness’ score. Having said that, the same richness of data applied to the particular context of preventing fraud could actually prove quite useful.
Banks are data hoarders, and the amount and type of data available to them will only continue to increase, in particular with the advent of APIs, PSD2 and Open Banking. However, they have historically underused the available data to inform their fraud prevention solutions. There is now an opportunity for banks to go ‘full Orwellian’ and combine inputs from both internal and external sources to achieve a more accurate and reliable ‘identity confidence’ score. This could include account-related information, payment history, biometrics such as voice/fingerprint/DNA/facial recognition, behavioural analytics, etc. The output of a single decision using a single database could in turn be used to inform fraud-related decisions across a variety of channels and systems, in real time.
Any material gains in the battle against fraud will, therefore, be made not based on the most modern technology deployed on a given channel, but rather on the speed with which banks can absorb new inputs into the decision model and leverage the output across their estate.
Purely from a fraud-busting perspective, applying richer data to the problem in real time holds considerable promise. The eternal dance between fraudsters and fraud-prevention specialists will go on, but banks can now employ a more coordinated defence.
There are, of course, important drawbacks to the full-Orwellian. There is an implicit tension here between fighting fraud and data privacy. Some versions of the identity confidence score are based on a centralised repository of personal details, provided by either private companies or by the government, and made accessible to banks, fintechs and other players. The idea is that this digital identity would make taking out financial products and services in someone else’s name, for example, far, far harder.
Many observers would argue that having everyone’s personal and financial details (the eggs) in one central location (the basket) could have catastrophic consequences. To this day, Equifax are having to deal with the fallout from their information leak in September 2017, which exposed the personal information of 230 million people. Massive Chinese financial institutions such as WeChat Pay (with over 300 million active users) and AliPay, their direct competitor, have legitimate claims to obtaining UK retail banking licenses. Allowing financial institutions which might be considered part of the Chinese State Operation access to all of our personal information should give us pause for thought.
There may be more palatable alternatives to the centralised model. Distributed ledgers, in particular, may offer a more secure means of storing the data and remove the problem of a single point of failure.
It is impossible to predict what fraud prevention will look like 5 years from now, but the direction of travel appears to be towards bringing digital identities to bear in a real-time (if not predictive) way. And unless real improvement is made soon, the fraudsters will only be half a step behind the banks, continuing to run rampant.