According to a recent study, 62% of companies were subject to payments fraud in 2014, with 19% of organizations losing more than $250,000. In addition to tangible losses, there is a negative impact that can’t be measured, including the effect on stockholder trust, employee morale and, most importantly, the reputation of the company and its ability to gain and/or retain business.
Nowadays, organizations looking to strengthen their fight against fraud are required to go beyond implementing stronger password policies and educating clients. To win this battle and significantly reduce risk, institutions should implement a comprehensive anti-fraud program, composed of technologies and policies that can be applied in a flexible and personalized way.
Another recent study notes that the average time to contain a cyber-attack is 31 days, with an average cost to the organization of $639,462 during this 31-day period. Having multiple methods to detect an attack increases the probability that an attack will be discovered more quickly, which lowers the money lost in an average incident.
That is why anti-fraud programs should be designed with a variety of components that allow companies to create a multi-layered scheme that effectively prevents fraud no matter the people involved or the channel, creating strong and secured processes that can’t be skipped or modified. This is the base of a strong anti-fraud program: the processes. When implementing it, all processes should be reviewed by the fraud and security teams, to ensure they are secured and potential points of weakness are significantly minimized.
As part of the operations team of Easy Solutions, a large portion of my time is spent meeting with different organizations to assess their fraud operations and make recommendations to improve their anti-fraud programs. When it comes to fraud prevention, there isn’t one solution that fits every single organization but rather a series of steps that we take with every organization. We have proven time and time again that these actions allow fraud managers to deploy programs that show an immediate and measurable ROI and minimize the risk of fraud both over the short and long term. These steps include:
- Fraud Gap Analysis
The most important step in implementing an anti-fraud program is having a thorough understanding of the current fraud state. It’s always interesting when a fraud manager at a financial institution tells me they simply don’t have any fraud. In most cases, organizations are losing money due to fraud—but they don’t know it. So how do you really know? First, analyze all financial operations exposed to clients and evaluate which fraud losses occurred, to obtain metrics that show how the fraud is affecting the company. This allows the organization to validate the effectiveness of the anti-fraud program in place. In addition, it is important to perform a Root Cause Analysis to determine the various methods the criminals are using to compromise the company’s systems. Performing a Root Cause Analysis offers the company valuable intelligence, including what to protect and what to look for once the program is implemented. Once the organization has a full understanding of which channels are being affected and which processes are most vulnerable, and has quantified losses in terms of dollars, it is ready to move forward. Understanding your weaknesses is essential to implementing a highly effective anti-fraud program that fits the needs of your business.
- Process Modeling and Analysis
All processes exposed to end-users are targets for cyber criminals, such as opening a new account through a web banking site, paying a credit card through a mobile app or updating personal information over the telephone. As a result, risk-based decisions should be made based on possible exposure, the relative probability of risk for each process, and the ease of mitigating a potential vulnerability.
Each process should be modeled, analyzed and secured keeping in mind protection, functionality and ease of use. Normally, improving one of these elements has the potential to negatively impact the other two. Making decisions with these three factors in mind is really about maintaining balance.
- A Fraud Risk Assessment
Organizations implement fraud protection technologies as they become aware of fraud opportunities and risk. In other words, just because an organization isn’t aware that fraud is taking place, it doesn’t mean that it doesn’t exist. As such, protecting an organization’s end users should be a proactive project that can be done by identifying and measuring fraud risks before they become a real threat. Fraud Risk Assessments are designed to meet the specific needs of an organization (size, business model, industry), with the goal of covering all potential avenues for fraudulent activity. Assessment typically involves examination of all existing policies and controls, as well as all metrics gathered from an organization’s actual incidence of fraud. Fraud Risk Assessments should include brainstorming about possible fraud scenarios where financial or reputational loss exists in order to identify, measure and mitigate electronic fraud. With that said, an anti-fraud program is designed to mitigate fraud, but it will never prevent all fraud.
- An Oversight Process
An anti-fraud program requires dedication and supervision. It’s not enough to implement secured processes and technologies without monitoring their performance. The most effective fraud programs have some degree of oversight, using defined metrics that can help stakeholders measure and benchmark actual fraud incidents against the past. For example, if a program is implemented and a flaw exists, the speed with which it is discovered can have a critical impact in terms of mitigation.
A well-designed and effective oversight process is important to mitigate risks and reduce fraud. The oversight process provides a broad view of potential risks and outlines a process for responding to them. This process should be executed on a regular basis, and it is governed by a company’s board of directors and/or an independent audit committee.
- Consider the Expertise of a Certified Fraud Specialist
We shouldn’t assume that all security teams within an organization are equipped to handle the selection and deployment of effective anti-fraud solutions. A fraud specialist has the ability to offer organizations a unique skill set that combines knowledge of complex financial transactions with the understanding of how and why fraud incidents occur. There are several options to access this kind of talent: hire someone full time, identify an expert consultant for your organization or identify someone within your organization to go through the training and certification process.
Organizations should be both proactive and quick when it comes to implementing anti-fraud programs: the faster they do it, the better positioned they will be to identify vulnerabilities before a criminal does, and consequently reduce the risk of the organization as a whole. It’s important to understand that an effective anti-fraud program needs to be custom built for each organization; there is no off-the-shelf solution or generic program that can be applied to meet the needs of every business.