Where Credit’s Due Ep. 7: Uncovering fraud in financial services with LexisNexis and Javelin Strategy & Research
With consumers continuing to take a digital-first approach to everything from shopping to dating and investing, fraudsters are finding new and innovative ways to commit fraud.
Traditionally, when a person would walk into a bank branch to open an account, they would need multiple forms of identification. But online, customer onboarding has turned into a riskier process for banks and consumer fintechs, with fraudsters trying to take advantage of their systems.
There are many different types of fraud, with ID theft and synthetic fraud being the most common. Synthetic fraud uses a name, date of birth and Social Security number that don't all belong to the same single real person. While ID theft is easier to do, synthetic fraud is more prevalent and harder to catch.
Reducing the stress of fraud allows for a more streamlined application process, making it easier for consumers to get approved for a loan or bank account. This aspect also has implications for groups of consumers that previously had a hard time accessing credit or other types of financial products and services, as banks can verify the applicant in a way they weren’t able to before.
I talk about this today with my guests Kimberly Sutherland, vice president of fraud and identity strategy at LexisNexis Risk Solutions, and John Buzzard, lead analyst, fraud & security at Javelin Strategy & Research.
The following excerpts have been edited for clarity.
Can you give us an overview of what type of fraud is happening most commonly in financial services, and why?
John Buzzard: We certainly have seen consistently for years now, and with fluctuations back and forth with regards to the type, account-based fraud and a wide variety of automated attacks that seem to be persistently growing. And those automated attacks are certainly designed to circumvent and break through the accountholder authentication process. It's weaponizing information that sometimes is just out there and readily available in order to sort of penetrate through financial services, authentication practices, so it is a huge problem. And as account fraud of all types continues, it's sort of that marriage of how do we keep the bad guys out, while still enabling the consumer to have a reasonable customer experience without provocation? So there are a lot of challenges.
Kimberly Sutherland: I completely agree. The areas that financial institutions continue to address are across that entire customer journey, beginning at new account opening. New account opening fraud continues to be the challenge with supplying incorrect information, or trying to use a synthetic identity, or trying to manipulate the entire process to make it easier to commit more fraud attacks and to build trust with the financial institution.
The shift to digital has been an ongoing process for many years; now we're seeing digital transactions using mobile devices at its highest rate, since most users now have a smartphone, and it becomes their preferred way to interact. But financial institutions are also challenged because they have to fortify every way in which a customer may choose to interact with them.
Can you give us a little bit of a definition of what the different types of fraud are?
John Buzzard: With everybody defining things so differently, it'll be helpful if we sort of share the definition here. When I look at an account takeover scenario, what I'm seeing is a criminal entity using information that they've obtained in such a way either directly from the consumer or from the dark web, or wherever their sources are, that allows them to literally go into the financial based account and change things that are significant, that literally cuts off the consumer from contact with their own accounts.
Today, everyone is mobile, we have phone numbers that are generally associated with our accounts, and we're frequently uncomfortably accustomed to getting notices and alerts and pop ups and things that are constructed from our financial institution. When the criminal is taking over an account, one of the first things that they want to do is get into that account, and materially change the email and the phone numbers to something that they control. So while I'm here busy working on my desk all day, if they can just do that much, then I'm not going to receive any alerts or anything as a follow up as an example for like an account takeover scenario.
Javelin research found that, in the last year, there was a 90% increase in account takeover fraud, so that was about $11 billion.
New account fraud is pretty self-explanatory -- it's when criminals are using information to establish new accounts. There we saw a 109% increase. So every year, it's a little bit different. But this was a roughly $7 billion problem just in the last research year. So it's a big issue, certainly.
Kimberly Sutherland: When I think of any of the definitions with fraud, I think of the most simplistic as possible. Synthetic identity fraud is about taking data that is not intended to belong together, and to be able to create an identity. So it can be all fictitious information, or it can be bits of real data mixed with data that doesn't belong to the same identity to kind of merge it together. But ultimately, it does not align with a real user. And it makes it very difficult to detect because no one, the actual user itself is not being impacted by it, because that person doesn't even exist.
I wanted to go back also to the concept of account takeover fraud. I like to simply think of it as when any unauthorized party is gaining access to an account. And the reason why I think of it in that manner versus just criminal is because often, it's people that you even know, and it's hard to point them out as criminal sometimes when it is an adult child, unauthorized access to an account of a senior parent, or if it is a child using their parent's credit card to be able to make more online purchases, and it didn't seem like it was that big of a problem. But either way, those are unauthorized parties gaining access to an account. And that is fraud.
John Buzzard: For people who really want a deeper understanding, the Federal Reserve has done just a marvelous job of categorizing fraud types and defining synthetic identity as well, with a really great online toolkit, so just wanted to throw that out there.
How do you see striking the right balance between having a good customer experience without friction, but at the same time, taking those steps to make sure that there's no fraudulent activity happening?
Kimberly Sutherland: There's definitely an ongoing shift that's been occurring around trying to give that best user experience and, like you said, lightning fast, convenient, intuitive, even customized, while respecting the privacy of the user, and maintaining the most secure environment for the user. I think it feels often like competing goals for many institutions, as they try to balance those business processes that they have - being able to make decisions with the least amount of information that businesses have ever asked for, so you can open up some aspects of an account or add a user with just a name and an email address to get started, for example.
They're having to deal with financial institutions and with the compliance side of things, but they really want to balance that user experience, and it all kind of centers again around the mobile device often now as we see digital banking scenarios and being able to try to open that account completely remotely taking effect. So I think that the biggest thing that companies are trying to do is more passive ways to detect fraud, ways to recognize the device more. Even things like behavioral biometrics to be able to see how an individual is interacting with the device, and help them identify if it's a human or a bot. Bot attacks are extremely challenging in account takeover events, and we're seeing the need to try to protect that experience of the customers that the businesses want to have while trying to weed out the bad actors.
John Buzzard: I think everybody visually can almost think of this process in two layers. Layer One is sort of like what the customer sees and experiences - a lot of times just the sheer ubiquitousness of a password, that customer may be coming into our digital space by using a username and a password, they may hopefully interact with a one-time passcode type verification of some sort. But it's that vast array of contextual information that should be layered to, just as Kim said, biometrics for behavioral in-device profiling, there are great vendors out there. I call those supercharged tools that make millisecond decisions to help you push the good guys forward and hold the questionable ones in the background.
And then the other part that I always think about is for people who are making purchase decisions, step-up authentication should be flexible, so that you can deploy it anytime you want, anywhere you want across your enterprise. So when people are vetting products out there, I think one of the challenges is whether they're getting the most functionality with their step-up, because there could be a moment where a criminal comes into your digital space through your app or a browser, and they're behaving adequately, sort of in tandem to the way that the existing consumer can behave. And then five minutes into this session, things start to go downhill.
If you have biometrics that you could lean on that would say, 'Hey, this is a completely different sort of session than what we have with the genuine customer,' wonderful, you've identified a problem. But you should be able to also pop up and say, 'let's apply some more step up authentication from end to end, that whole session', I think it's really important.
There are innovations that just seem to sort of pop up and they leapfrog over things that folks are still working on. So I just want to remind everybody that this journey that we're all on, we have to remember to keep the consumer educated and prompted to safer ways to pay also, not just when they come and visit us, but when they're out in the world, make sure they understand and get really comfortable with tap into and digital wallet. We want to kind of have everybody super comfortable with those ways to pay and understand that it's not just convenient, but it's encrypted and really safe. And I think it's one that start now and educate gently rather than having to like go through a huge effort all at once.
Kimberly Sutherland: John, you really touched on an important thing around consumer education as it relates to fraud. One of the biggest challenges that financial institutions are running into right now has to do with scams.
We saw scam attacks being one of the largest concerns in Europe for many years. It seemed to be somewhat less of a concern in the US, but that is no longer true. It is something that is pervasive globally. I think often users of digital devices and digital transactions start to think that they're really savvy about it, they often miss the fact that fraudsters are taking advantage of sometimes the limited education as people quickly shifted to digital, and didn't learn all of the security aspects of things. And trust is hard there. Trying to educate consumers on scam activity is a very hard thing for financial institutions, but they are equally responsible in learning and in helping to prevent that process.
I know that there's going to be some interesting legislation that will be coming out in the future around this, but just the whole idea of making customers understand the importance of using authentication factors. Not feeling as if it is being too invasive at times, in order to protect their account, is all really an important thing for financial institutions to think about.
Do you see any differences in approaches between the digital-only banking services and more established financial institutions?
John Buzzard: I'll approach it from an opinion rather than a fact perspective, since I'm not in possession of a lot of the facts. Here's my reservation, I worry about domain expertise inside of new ventures, even though they may feel very confident, and there's always a senior adviser or someone in the background of some of these FinTech startups.
Consumers, for example, when they have a fraud resolution problem, they may find themselves interacting with like a service-end bot about sensitive issues when they need the expansiveness of like a full service or sometimes physical location. So I do worry a little bit about domain expertise.
Kimberly Sutherland: I think that that's an interesting angle. For me, I'm just thinking about the sheer nature that traditional financial institutions typically have still a brick and mortar, you still can go into your physical banking environment, they have websites, they have mobile apps, they have call centers.
Typically fintechs and neo banks, virtual banks, have fewer channels to even be concerned about. Omni-channel fraud detection and fraud prevention is something that traditional banking environments care so much about, and they see that fraud shift from wherever it is not being fortified. So many financial institutions right now are really trying to go back to protecting their bank branches, and we talked so much about the digital side of things when we think of fraud detection, so I think that that's another just really important thing to think about, the more complex nature that traditional financial institutions have just based off of their footprint.