The Global Squeezing of the Fraud Balloon – The Sequel

Written By Donna Turner

You may have been in the fraud risk management space long enough to recall the months leading up to the EMV standards implementation (Chip cards) date in the US in 2015. If you were, you recall the work that went into readiness, but what you most likely still have nightmares about were the intense increase in attack rates on all forms of card payments in the months leading up to effective date. We all modeled increased attack rates, based on what had been observed in other geographies leading up to their implementation, but what transpired was attack rates that were MATERIALLY higher.

We survived, perhaps with some lingering PTSD, but we learned that the fraudsters were not going to go quietly into that dark night. (Déjà vu point #1)

Sure, if you ask me, I’ll always tell you that the US had not willfully adopted EMV because the business case simply wasn’t there and we were tracking to leapfrog directly to contactless, but regardless, we were the last large region to adopt, and we got hammered as the fraudsters sought to monetize large troves of compromised card data.

These attack levels helped the business case, but the mandate was set, so that hurdle was circumvented. (Déjà vu point #2)

Most importantly from all this, we learned the effects of the ‘Global Squeezing of the Balloon’. The fraudsters are never going to go get real jobs. Just like in all economic scenarios fraud attacks are driven by:

  • Supply – a successful fraud playbook for stealing funds

  • Demand - humans, Card data, DDA data, PII, FIs, any source that can be monetized

  • Value - margin – cost to execute; monetary gains

So the playbook had been successful for many years, but the demand supply was shrinking to the US, so applying a simple approach of rate/volume, they amped up their attacks to derive as much value as possible leading up to the changes in the ecosystem. (Déjà vu point #3)

So here we go again.

We’re watching other geographies, either through central banks, centralized legislative entities or consortium-based efforts come together, across sectors (Financial Institutions, Big Tech, Telecomm, social media, Law Enforcement etc.) to define, collect, analyze and apply insights to better prevent, detect and mitigate fraud attacks.

Of note: UK, France, Australia, Singapore, Brazil, the Nordics, India … all working holistically to strike back effectively against fraud attacks of their citizens, businesses, financial institutions and payment rails.

Remember déjà vu point #1 … will we be the last large region once more to orchestrate, apply and benefit from cross sector collaboration to beat back the attack?

Why haven’t we acted? These increased attack rates to data have largely focused on successful playbooks for:

  • Authorized Push Payments – removing the human/business as a line of defense to prevent & detect the fraud, to being a participant, thus blurring the lines of how to solve and who is accountable.

  • Card Not Present Payments – the gap on issuer economic liability gives them little incentive to aggressively target CNP fraud, although dispute volumes and the associated operational costs, may be changing that.

  • Check Fraud – pandemic shifts to digital, years of legacy systems that lacked modern fraud solutions to prevent & detect check fraud had us take our eye off the residual time bomb of checks in the payments ecosystem.

What are the drivers to these increased attack rates? Recall, we need a successful playbook, supply of victims/targets and economic margin.

  • Playbook – check. Human and businesses continue to fall for rapidly evolving scams and related attacks, as the ability to portray urgency, opportunity and/or sincerity gains momentum with the application of new capabilities by the fraudsters.

  • Supply – with a population of more than 333 million and 33 million businesses, the US checks this box and then some.

  • Economics – the nefarious use of enslaved labor to affect the playbooks; the growth and adoption of social media and digital interaction broadly have materially lowered the cost to operate while the success rates noted above drive top line growth, and you have a viable and attractive business model for fraud.

The fraudsters have their business case, and it’s paying dividends, while too many on the side of countering all this struggle to articulate their role, and the business case to invest to prevent and detect these attacks effectively and efficiently.

Remember déjà vu points #2 & #3? Will this be the case again until the attack rates are so high that the demand and need is for investment is glaringly self-evident?

I do believe in living by the rule of trying not to raise a problem, without a proposed solution, so what is needed to not repeat history in a painful manner?

First and foremost, financial services will not solve for this on its own. Just as we had to change the whole ecosystem (merchants, acquirers, processors, issuers, manufacturers, etc.) to positively affect card present fraud rates, we will need a broad approach to collaboration and action to beat back this scourge as well.

As noted previously, this includes, but is not limited to financial services, telecoms, social media, big tech, suppliers, law enforcement and regulators/legislators/governing bodies to come together with a shared vision of ending this attack on our citizens and businesses.

Developing and following a view of ‘who knows what and when’ we can map the attack vectors and apply self-governed actions to identify and counter the threats. I say ‘self-governed’ yet I call out regulators/legislators as a means to the end.

Yes, there is the option and a viable one for a federally orchestrated effort to address what is happening. What I think can be even more impactful in the near term is for an open-minded approach to hearing the unintended consequences of mandated actions.

For example:

  • Model governance disciplines that slow the deployment of fraud detection models to the point of ineffectiveness.

  • A safe harbor gaps that expose any sector from actively work with law enforcement in the identification of organized crime rings behind these attacks, for fear of being called out for regulatory shortcomings in any way.

More tactically and equally as urgently, we need:

  • Common language – the fraud classifier and scam classifier models developed and released by the FED are a great foundation we can all use and apply.

  • Aggregated data – a common repository of attack and observed fraud across payment types, channels, networks and form factors.

  • Reporting – the ability to turn this data into insights, positioning us to learn, apply and respond based on a constant view of the ‘tall bar’ of impact.

  • Ability to Analyze – this data should be organized and accessible in such a way to promote a sandbox analytical environment. Rapid fire hypothesis testing, and identification of cross and intra sector trends will arm us with what we need to know to win the battle.

  • Action – mind share, resources and a will to act.

These attack levels didn’t happen overnight, but I assure you that they will continue to be more focused and aggressive as they are successful. Driven by:

  • Actions to address the threat effectively in other regions

  • Use of ever evolving technology and scale to improve the success of the attacks

  • Use of enslaved labor to staff these attacks and drive up positive margins for the fraudsters

Are you ready?

  • Have you stressed tested how much higher these attack rates can go before you have exceeded your risk tolerance for losses, brand impacts, usage and adoption?

  • Are you actively working to drive collaboration within your sector? Across sectors?

  • Are you staying abreast of the work done in other regions for lessons learned, and a proactive view of the timing of increased attack rates?

  • Are you able to build and articulate an effective business case to drive needed changes across people, process and tech?

Donna Turner
Previous

Feedback No One Really Wants on Conferences