The Hidden Costs of FraudWhat Price Do You Put on Reputation Loss?
One measure of an incident's impact is dollars lost of fraud. But the "soft" costs - loss of reputation and productivity - are the ones that most get the attention of Terry Austin of Guardian Analytics.
"If there's a publicized or publicly-acknowledged fraud loss or case between an institution and a customer, the impact on the reputation of a financial institution can be pretty profound," says Austin, President and CEO of Guardian. "That can lead to customer churn or more difficulty achieving growth metrics or revenue metrics. So, the soft costs, I think, can outweigh in a lot of ways the substantial hard costs."
Another concern: That far too many institutions first learn of fraud incidents only when their customers report them. "Institutions really need to find the techniques to identify fraud much earlier in the process," Austin says. "Waiting until the money is gone and the customer notices is just not good enough."
In an exclusive interview about the results of the 2012 Faces of Fraud survey, Austin discusses:
- Evolving online fraud threats;
- Gaps in institutions' understanding of the FFIEC guidance;
- An emerging solution to detect and prevent mobile banking fraud.
Prior to joining Guardian Analytics, Austin served as CEO and president of MarketLive, a leading provider of eCommerce platform solutions, where he created a scalable business strategy, assembled a world-class executive team and led successful fundraising efforts. He was previously president of worldwide marketing and sales at Good Technology, a provider of mobile computing solutions, where he spearheaded the company's rapid growth from 10,000 to over 500,000 subscribers and facilitated its acquisition by Motorola in January 2007. Austin has also served as president of EMEA and executive vice president for Manugistics, a market leading provider of enterprise software. He started his career at Accenture, where he ultimately led an $80 million consulting practice as a lead partner.
Fraud ThreatsTOM FIELD: Let's dive right in and talk about online fraud threats. You've had an opportunity to review our survey results. What do they tell you about the evolution of these threats and how prepared banks are or are not to face them?
TERRY AUSTIN: From our perspective, it looks like not a lot has changed in the last year, even though there's been a lot of activity. Eighty-two percent of your respondents said that fraud threats have increased. The online threat has stayed very high, and I thought that it was interesting that only 28 percent said that they were prepared for a basic phishing or vishing attack. Mobile threats are a big, growing concern over the last year, and only about 14 percent said they're prepared to detect and prevent mobile fraud, so that's a big growing area of concern.
Our conclusion is that as FIs look at this and plan their investment, they have to really keep in mind that while online fraud is growing and is a very dramatic problem, it's also a gateway to all the other types of offline fraud. It has a compounding effect. And obviously, the FFIEC issued updated guidance this year and they explicitly included anomaly detection in the guidance as a way to combat this growing threat in online and mobile fraud, and I think they included it because it's been proven to work. That's the big takeaway impression from this survey and from what's going on in the market.
Cost of a BreachFIELD: One of the things that stands out is when we asked respondents about the total cost of a breach - not just dollars but beyond dollars. What strikes you when you look at some of the hard and soft costs of a data breach?
AUSTIN: The hard costs are obviously the fraud losses themselves, and then any money that's spent on investigation, forensics, if there's any legal implications between the financial institution and their customers or any legal costs in pursuing the criminal, so all of those are quantifiable, although they're often not accumulated together as one way of looking at the hard costs of fraud. But then, even more importantly, is the soft cost in my opinion, the hit to reputation that a financial institution can take if there's a publicized or publicly-acknowledged fraud loss or a case between a financial institution and a customer, that the impact on the reputation of a financial institution can be pretty profound. That can lead to customer churn or more difficulty achieving growth metrics or revenue metrics. The soft costs I think in a lot of ways can outweigh the substantial hard costs of a fraud event.
FIELD: That struck me as well, especially when you see close to 60 percent of institutions saying that productivity is one of the biggest hits they get when there's an incident.
AUSTIN: That's absolutely right. The productivity hit in following up, investigating, doing the forensics and dealing with all the aftermath of a fraud event can outweigh the financial costs.
Customers as Best DefenseFIELD: The trend that's growing, and not in the right way, is that customers tend to be the best line of breach detection. We've got 82 percent of institutions saying they first hear about a fraud incident from their customers. Where are institutions failing in that their customers are their best line of detection?
AUSTIN: The fact that it continues as the number one fraud-detection technique when a customer notices money missing, it's a pretty big indictment of what financial institutions are doing to be proactive. Institutions really need to find the technique to identify fraud much earlier in the process. Waiting until the money is gone and the customer notices just isn't good enough, and there are techniques that can be used to detect fraud and the precursor to fraud much, much earlier in the process. Financial institutions just need to step up and take those techniques on.
FFIEC DisconnectFIELD: Probably the first thing that jumps out is that institutions - 58 percent of them - expect some sort of an increase in their fraud fighting resources this year. And yet following that, they don't seem to understand the basic requirements of the FFIEC guidance, the biggest guidance to come out in the last year. What's the nature of this disconnect? They've got resources, but they don't understand the basic tenets of the guidance that's in front of them right now.
AUSTIN: The thing where there's an understanding or there seems to be more understanding is doing a risk assessment. The financial institutions seemed to have figured out to a large degree that they have to do a risk assessment, and a lot of them are telling us that's what they're going to do as a starting point. Then they're going to use that as a way to adhere to the guidance. But I suspect that the sense of urgency really has to pick up. I think it needs to go beyond doing the risk assessment and to actually start implementing the behavior-based anomaly detection solution, which is a minimum expectation.
We're seeing a lot of our customers really take that on-board and even small institutions that have become increasingly targets for fraud are able to very effectively get a risk assessment completed and meet the minimum expectation around anomaly detection and behavior-based predictive detection solutions that have been proven to work and that the FFIEC has said are needed.
I just think that there's this grappling with and coming to terms with what the guidance really says, and the urgency needs to pick up, and I think your survey really supported the fact that there's still a lack of understanding, there's still some education that's needed. But at the end of the day, it's very clear what the guidance says. And we're seeing some of the customers we work with and banks we talk to getting the sense of urgency, and I think that's just going to increase by necessity throughout the rest of this year.
FIELD: I've got to ask you a question as a service provider now because there's an interesting message that came through about vendors. Institutions seem to have an instinctual faith in their service providers, particularly when it comes to helping them conform with the FFIEC guidance. But they aren't necessarily confident that the service providers can deliver effective solutions needed to conform to the guidance. How do you reconcile those two very clear statements? In one hand, they've got some faith, but on the other they don't consider the solutions necessarily effective.
AUSTIN: Yeah, it's an interesting paradox. I think the solution/service providers play such an important role with the financial institutions. They really come to rely on them as the source of information and the source of direction for the solutions they can put in place. At the same time, I think there's recognition that fraud detection is hard. It requires a very deep set of expertise and many years to develop an effective solution. So since most service providers don't really have something in place today, I think there's a market recognition that it's going to be a long time coming before a service provider can step up and take this on.
We would suggest that it's not really the strong suit of the platform providers and that it's not something they should invest in-depth in but really look to the vendor community and partner with the vendor community to provide these solutions to their financial institution customers. We're seeing that really accelerate in our business where many of the service providers that we've kind of coexisted with are now looking to us to form partnerships to really provide this capability to their customers, and I think that's ultimately how this is going to get reconciled.
Mobile SolutionFIELD: You talked about mobility. One of the gaps that our respondents told us that they saw in the FFIEC guidance was mobility, no mention specifically of mobile banking. You've come out with a mobile banking solution. Maybe you can talk about this gap that banking customers perceive and how your solution may help them going forward.
AUSTIN: Interestingly, we've had discussions with some of the regulators about mobile. And while they did indicate in the guidance that there was more to come on mobile, they consistently say - and I think it's even written in the guidance - that this e-banking directive does cover mobile. We think that financial institutions do need to consider mobile and mobile fraud as they grow their mobile offering. The marketplace is in a lot of turmoil right now around mobile because on one hand there's a big competitive push to have mobile offerings, to be part of the mobile wave and the mobile trend, but it's also a huge vulnerability. It's largely unprotected data. We're seeing an escalating amount of malware that's specifically designed for the mobile device. And our sense is that the criminal network is just really waiting for this explosion in growth and mobile banking to exploit that, and they're preparing all the malware and tools to take advantage of that.
The number one thing that's blocking mobile adoption in banking right now is customer concern around security. There's sort of the perfect storm of events occurring and brewing that we saw as a real opportunity to come to market with a very comprehensive solution that leverages all of our years of experience in behavior-based anomaly detection for the online banking channel and applies it to the specific use cases that are associated with mobile banking. We've gotten very specific in all of the mobile activity sets and the unique behavioral models for each individual user in the mobile banking environment: what networks they're using, what do they do, what types of transactions do they do over the mobile device.
We announced the introduction of FraudMAP Mobile. We've already got some early-adopter customers using the solution very effectively. We're very excited about being able to be part of this wave of growth in mobile and provide the fraud and security solution that I think the market really needs in this emerging space.
Tips to Reduce FraudFIELD: We've talked about the FFIEC guidance and certainly we've talked about fraud trends. Going forward, what's your best advice for institutions to be both compliant with the guidance and to be able to reduce their incidents of online fraud?
AUSTIN: It's really not as complicated as some will make it seem. I think the FFIEC was right on the money in moving away from authentication, talking about layered security and risk assessments, and specifically calling for anomaly detection as the minimum expectation. I think for a financial institution today, don't wait. Get on the risk assessment and make it a dynamic process and part of your environment. There's a lot of help out in the market to get those risk assessments done.
And your starting point has to be this minimum requirement that the FFIEC dictated. You need to find the right behavior monitoring and anomaly detection solution, and the good news is it's proven. The FFIEC pointed this out because it's proven, it works, it scales to any size institution, and it's readily available on the market. There are literally hundreds of financial institutions who are successfully using this technique today. It's really kind of a no-brainer. That's the starting point. Meet the minimum expectation.
The financial institutions that we work with, that have been through their FDIC or OCC exams already this year and have been held to task on the FFIEC guidance, have come through with flying colors because they really addressed the minimum expectation around anomaly detection. This is something that can be addressed easily and readily today and banks can go on to worry about other things that are on their agenda.