The Green Sheet Online Edition
February 08, 2010 • Issue 10:02:01
Do banking silos hinder fraud prevention?
Following a precipitous drop last year, spending on technology by North American banks is expected to grow to $51.4 billion in 2010, from $50.3 billion in 2009. What's more, spending will continue to expand over the next few years, reaching $55.2 billion in 2012. That's the upshot of a new report from the research and advisory firm Celent LLC.
Jacob Jegher, Senior Analyst in Celent's Banking Group and author of the report, IT Spending in Banking: A North American Perspective, said he's excited by the trend. But there's a downside: most of the money will be consumed by compliance and regulatory demands; post-merger, back-office integrations; and maintenance.
"In an ideal world, spending on new investments and innovation would take up the lion's share of the pie," Jegher said. "However, U.S. banks have slashed spending on new investments, particularly those focused on retail banking."
It's a situation with potentially dire consequences for payment systems as modern-day Willie Suttons find ever more insidious means to locate "where the money is." (Remember Willie Sutton? He was the bank robber who, when asked why he robbed banks, reportedly responded, "Because that's where the money is.")
Forget guns and safe-cracking tools. Today's bank robbers don't even need to walk inside a bank. Instead, they rely on Internet chat rooms and evolving technologies to siphon billions of dollars a year from banks and bank customers.
It's a huge and growing problem.
According to the 2009 LexisNexis True Cost of Fraud Study, credit cards are linked to nearly half of all fraudulent transactions at merchant locations. In 2008, half of all large retailers experienced an uptick in fraud, and 29 percent saw jumps in fraud involving alternative payments.
The study, based on research conducted by Javelin Strategy & Research, also points to greater incidences of "friendly fraud," especially among online retailers. Friendly fraud refers to incidents in which consumers institute chargebacks, claiming a card purchase was unauthorized or simply not delivered.
Financial institutions lose about $11 billion a year to fraud involving unauthorized credit card transactions, according to the LexisNexis study, and merchants lose approximately 10 times that amount.
While credit card fraud is the biggest category of payment fraud today, LexisNexis said the research it commissioned found "pronounced increases in fraudulent use of all major payment methods."
"Terrorists and crooks are becoming more sophisticated, and they can easily change the channels through which they perpetrate frauds," said Maggie Scarborough of FinServ Strategies, a Baltimore-based research and consulting firm. "There need to be better integration efforts by banks, especially in terms of fraud mitigation."
That's a tall order, given the operational silos that have evolved at banks over decades of technology innovations - what one industry analyst dubbed a "spaghetti-ware of payment systems."
It's a situation that becomes ever more apparent in fraud management, where different systems and staff experts are generally tasked with identifying and preventing fraud in different channels. For example, credit card, debit card and check fraud management are typically handled in different parts of banks, which use separate offices that rely on different systems and procedures.
These operational silos have been generating concerns within the banking sector for years; more recently such concerns have begun to enter the public discourse, especially as they relate to the federal government's bank bailout of 2009.
"Silo but deadly," reads a Dec. 3, 2009, headline on Economist.com. "Messy IT systems are a neglected aspect of the financial crisis."
Dan Schuster, Executive Director of the Financial Services Technology Consortium, said it's the responsibility of banks to address the implications these silos have on efforts to combat payment fraud. The FSTC is an industry think tank that promotes collaborative research and technology projects involving financial technologies.
In a message to FSTC member banks, Schuster wrote, "The time has come for management to explore how to better coordinate and manage their people and resources applied toward physical and cyber security, new product development, operations and maintenance, and risk management in a more unified fashion, measured and managed through common metrics."
Some banks are responding to these concerns by creating payment hubs, from which all payment services are managed. "Large and small banks alike are exploring an enterprise payments strategy and applying a more holistic approach to their payment architecture," said Susan Feinberg, Research Director for Wholesale Banking at TowerGroup.
"These hubs can be very beneficial," Scarborough said, provided they feature sophisticated analytics that can assess risks across payment systems. The benefit is obvious: by capturing a broader view of customer activities, banks should be able to gain a clearer understanding of customer risk profiles.
Meanwhile, vendors and the card brands have begun to introduce fraud solutions that cut across payment operations in an effort to catch what Scarborough refers to as "fraud in flight."
Two birds with one solution
Many of these solutions rely on predictive modeling techniques that assess the likelihood of various consumer actions. They can help answer questions such as, "What is the likelihood that a customer who withdrew $400 from an ATM this morning would now be writing a check for a $50 grocery bill?"
Global profiling is another emerging technology. It takes the analytical process further by integrating cardholder profiles with other pertinent facts, such as the frequency of stolen card activity at a given venue.
For example, profiling might show a surge of transactions at a certain ATM at a particular time of day (such as around midnight); it might indicate the customer writing a $50 check for groceries is not the same person who withdrew funds at an ATM from that same account earlier that day.
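The ATM-then-check scenario above can be sketched in code. This is an added illustration, not taken from the article or from any vendor's product: it runs the same venue-profile rule once over a single channel's history and once over all channels. The venue names, counts, 10 percent cutoff and 24-hour window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Txn:
    account: str
    channel: str   # "atm", "check" or "card"
    amount: float
    when: datetime
    venue: str

# Constructed global profile: per venue, (recent transactions,
# of which on cards later reported stolen).
VENUE_COUNTS = {"ATM-0417": (90, 20), "ATM-0032": (300, 3), "GROCER-88": (500, 1)}
RISK_CUTOFF = 0.10              # assumed: venue is "hot" above 10% stolen-card activity
LOOKBACK = timedelta(hours=24)  # assumed: how far back earlier activity still matters

def venue_rate(venue):
    """Frequency of stolen-card activity at a venue; 0.0 if the venue is unknown."""
    total, stolen = VENUE_COUNTS.get(venue, (0, 0))
    return stolen / total if total else 0.0

def hot_venue_events(history, txn, channels):
    """Earlier events on txn's account, inside LOOKBACK, in `channels`, at a hot venue."""
    return [h for h in history
            if h.account == txn.account and h.channel in channels
            and timedelta(0) <= txn.when - h.when <= LOOKBACK
            and venue_rate(h.venue) >= RISK_CUTOFF]

def flag_siloed(history, txn):
    """Channel-specific system: sees only history from the transaction's own channel."""
    return bool(hot_venue_events(history, txn, {txn.channel}))

def flag_unified(history, txn):
    """Cross-channel view: the same rule over ATM, check and card history together."""
    return bool(hot_venue_events(history, txn, {"atm", "check", "card"}))

# Constructed sample data: two accounts, each with a $400 ATM withdrawal
# followed by a $50 grocery check later the same day.
HISTORY = [
    Txn("A-1001", "atm", 400.0, datetime(2010, 2, 8, 0, 5), "ATM-0417"),
    Txn("A-2002", "atm", 400.0, datetime(2010, 2, 8, 9, 0), "ATM-0032"),
]
CHECK_A = Txn("A-1001", "check", 50.0, datetime(2010, 2, 8, 17, 30), "GROCER-88")
CHECK_B = Txn("A-2002", "check", 50.0, datetime(2010, 2, 8, 17, 30), "GROCER-88")

if __name__ == "__main__":
    for chk in (CHECK_A, CHECK_B):
        print(chk.account, "siloed:", flag_siloed(HISTORY, chk),
              "unified:", flag_unified(HISTORY, chk))
```

Only the cross-channel view sends the first account's check for review, because the earlier withdrawal at a high-risk ATM is invisible to a check-only system.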
Monitoring and analyzing transactions and related data across payment systems is a challenge, one that few banks can perform in isolation, according to Scarborough. "The key is to be able to share data without giving away competitive differentiators," she said. "It's going to take time before we see that kind of cooperation and coordination between banks. It's just so competitive."
This is also the case within banking institutions where silos dominate and payment offerings can differ widely, not only technologically but legally. To put into perspective some of the most obvious differences in the evolution and treatment of different types of payments, here's a little background.
Compromised banking credentials
Check payments are paper-based, staff-intensive, back-shop operations that have been slowly migrating to electronic processes, such as truncation with electronic check conversion. Check payments are governed by the Uniform Commercial Code (a set of model laws that get adopted state-by-state), as well as Federal Reserve Regulations J and CC.
Reg J details the responsibilities, duties and procedures required of the Federal Reserve Banks and the senders and payers of checks and check-like instruments (such as money orders). Reg CC speaks to consumer protection issues, such as availability of funds from check deposits.
When checks are cleared electronically, however, the payments may also be subject to automated clearinghouse (ACH) rules and the Fed's Regulation E, which stipulates consumer protections for electronic payments.
The ACH was founded nearly 40 years ago as a replacement for the check system; transactions generally post to demand deposit accounts (DDAs, or checking accounts). And although the ACH has made notable strides, checks still outnumber ACH payments in the United States.
The ACH also supports the back-end of the credit and debit card networks as the vehicle for net settlement transactions.
For much of its history, the ACH has been considered a relatively safe payment system. However, some experts worry that fraud has become a bigger problem with the growing popularity of consumer-oriented applications (such as POS check conversion and online bill pay) and increasing reliance on public networks (like the Internet) by banks and customers alike.
"The ACH is the Hail Mary pass of payments," said industry consultant Richard Crone at a conference presented last year by the Federal Reserve Bank of Chicago.
In the first 10 months of 2009 alone, the FBI said it identified $100 million in attempted ACH fraud, including "a significant increase" in frauds involving corporate checking accounts, Crone said.
Much of the fraud involved malware that had been placed inside bank or corporate computer systems, the FBI said. The real culprit, though, is the absence of adequate controls at financial institutions and third-party providers of ACH services. "The lack of defense-in-depth at the smaller institution/service provider level has created a threat to the ACH," the agency warned in an Intelligence Note released in November 2009.
Playing with plastic
Credit cards are lines of credit that are managed, typically, from a bank's consumer lending division. Although they were first introduced in the 1950s, it took nearly 25 years for credit cards to really take off, with the introduction of electronic data capture at the POS and sophisticated, back-end network technologies.
According to the Federal Reserve Bank of Boston, which last month released preliminary results of its latest survey of consumer payment habits, 73 percent of Americans today have credit cards.
Credit cards are governed by the card brands (Visa Inc., MasterCard Worldwide et cetera) and by Federal Reserve Regulations B and Z. Enforcement of federal regulations is carried out by the Federal Deposit Insurance Corp. (when banks are involved) and the Federal Trade Commission, which has jurisdiction over nonbank creditors.
Reg B deals with the credit-granting process. It prohibits credit card issuers from discriminating against applicants, and establishes guidelines for gathering and evaluating credit information, among other things.
Reg Z (Truth in Lending) sets forth acceptable methods for computing annual percentage rates, for disclosing terms of credit and for resolving disputed transactions. The Credit Card Act of 2009 ushered in several notable changes in Reg Z, including limitations on card fees and additional disclosure requirements, many of which take effect this month.
While federal regulations are most concerned with consumer protections, data privacy and fraud are major concerns for the card brands, as evidenced by the Payment Card Industry (PCI) Data Security Standard (DSS), which applies to credit, debit and prepaid cards.
Debit - decoupled and prepaid
Debit cards crept onto the payments scene in the early 1980s with the introduction of ATMs and ATM networks. But they didn't gain popularity until the mid-1990s, when banks began issuing debit cards with Visa and MasterCard logos, and the bankcard brands started promoting signature debit options.
Today these cards look and act much like MasterCard and Visa credit cards, except transactions are posted to cardholder DDAs rather than deducted from lines of credit. The cards also double as ATM cards.
According to the Boston Fed's payment research, today debit cards are in the wallets of 80.2 percent of U.S. consumers. Over the years, there have been several attempts to marry POS debit to the ACH. While it seems like an obvious tandem (since both access customer checking accounts), it's always been a tough sell since most banks manage ACH operations on the wholesale (corporate) side of the bank, and debit cards are a retail offering.
The latest of these has been the introduction of "decoupled debit" cards. With decoupled debit, the authorization and merchant settlement processes are performed through the card networks, but funds are deducted from cardholder accounts using the ACH.
Decoupled debit card issuers may be banks but can also be merchants. One of the best known issuers of decoupled debit has been the credit card bank Capital One Financial Corp., which ran a year-long trial in 2008 that tied decoupled debit to a consumer rewards program.
Prepaid cards are considered debit cards, but they are not always held to the same standard. For example, industry consultant Paul Martaus noted that while the PCI DSS and related standards apply to open-loop, network-branded prepaid cards, closed-loop, private-label cards issued by retailers are exempt.
"This could cause some serious problems," Martaus said, adding that fraudsters are always on the lookout for payment system vulnerabilities. "We have to assume all kinds of things are being tested by the crooks," he noted.
Taking off the stove pipe
As payment experts will tell you, successfully combating fraud requires a multifaceted approach: security at the POS and all the way through the life of the transaction, ending in the total lockdown of cardholder data storage.
Given the vulnerabilities inherent in paying with plastic, the elimination of siloed systems may be a crucial step in keeping those vulnerabilities to a minimum.