August 23, 2019 By Chris Lewis 6 min read

Change is afoot in how organizations serving customers online can deliver fraud detection and improve the customer experience. The disruption is happening in every sector, especially banking and insurance. Growing customer expectations for immediate approval of new accounts and faster payments, for example, and a shift to real-time technology are converging on the financial sector at the same time, adding complexity and creating an urgency for action. This convergence of expectation, regulation and technological opportunity seems to be in danger of encumbering some of the sector’s major players. It could also potentially limit their competitive agility over fintech and challenger banks, which are typically less burdened by IT legacy and widely dispersed customer management and compliance teams.

In the past, uncertainty and a need to act quickly saw security fraud teams throw people, or money, at the problem. While this Hail Mary approach may have provided organizations some kind of solution, even if temporary, today’s approach leans toward embracing controls and fraud detection and user authentication technologies that flex to match risk appetite and business goals.

Evolving Compliance Demands, Growing Costs

But security is not the only ongoing issue the financial and insurance sectors must reckon with. These heavily regulated industries must continually spend more to keep up with evolving regulatory demands. With an estimated £650 million per year in staff costs and a further 5–15 percent of all resource across U.K. financial services (FS) institutions, compliance is clearly a significant operational burden — if not the most important one — affecting U.K. FS companies in 2019.

To cope with the widening regulatory scope and cover the operational overhead, significant investment has been made in staff. But has that solved the core issue? More staff can spawn challenges in talent retention, staff costs and the ability to focus high-value resource on high-risk remediation activity, further dwindling resources. When this limited pool of talent applies significant time to investigate thousands of medium- to low-risk customers without raising a sufficient number of suspicious activity reports (SARs), if any — due to the sheer scope of the task and inadequate means — it’s easy to see how financial crime and regulatory compliance drain banking and insurance organizations’ resources yet continue to thrive.

To respond to challenges in budget and staffing, automation is emerging as a key solution component for addressing regulatory issues. For example, using automation to transform the Customer Due Diligence (CDD) process — a process for assessing the risks to which customers can expose an organization — can help realize benefits while enabling a risk-based approach that aligns with evolving regulatory demands.

Control and management of advanced surveillance technology and networked security systems is especially important in environments where security is operationally critical. For many banking and insurance clients, technology and automation have proved valuable in fraud prevention and detection analysis. Organizations can benefit from applying the same lessons across their wider operational activity.

Which Areas of Fraud Protection Should You Automate?

So, if automation can help, which parts of the process should be automated?

Risk monitoring is a good place to start, especially with regular screening for politically exposed persons (PEPs) and sanctions, adverse media, fraud and commercial risk. By regularly screening the entire customer back-book against a selected list of high-priority, risk-focused data sources, an organization can potentially start moving away from manual remediation for low- to medium-risk customers.

This automated screening would need to be incorporated into a flexible customer risk assessment (CRA) model that validates changes and automatically prioritizes remediation activity once the screening process is completed. When changes to customers’ circumstances or the CRA model occur, accounts can then be automatically reprioritized in accordance with risk appetite to ensure that high-value investigatory resources focus only on high-risk fraud detection cases.

Automation can also help companies significantly reduce the number of false positives worked on by investigators. The need to remediate low-risk customers is reduced because both risk managers and regulators can be satisfied that these customers are frequently and appropriately risk-assessed and that customer data is accurate and up to date.

Incorporating dynamic workflows and prioritization also ensures that back-book customers that carry a higher risk receive the full focus of remediation and enhanced due diligence (EDD) where required.
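A minimal sketch of the screening-to-prioritization flow described above, added here as an illustration and not taken from any vendor's product. The screening categories are the ones the article names; the weights, band thresholds, customer records and function names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Screening categories named in the article; the weights and band
# thresholds are illustrative assumptions, not regulatory values.
WEIGHTS_V1 = {"sanctions": 100, "pep": 40, "fraud": 35,
              "adverse_media": 25, "commercial_risk": 15}
BANDS = ((70, "high"), (30, "medium"), (0, "low"))

@dataclass
class Customer:
    customer_id: str
    hits: set = field(default_factory=set)  # screening categories that matched

def score(customer, weights):
    """Sum the weights of every screening category with a hit, capped at 100."""
    return min(100, sum(weights.get(h, 0) for h in customer.hits))

def band(points):
    """Map a score onto a risk band using the first threshold it meets."""
    return next(name for floor, name in BANDS if points >= floor)

def prioritize(back_book, weights):
    """Re-score the whole back-book and split it by handling route.

    High-risk customers go to investigators (EDD), highest score first;
    medium and low risk stay in automated periodic screening.
    """
    scored = [(score(c, weights), c.customer_id) for c in back_book]
    edd_queue = [cid for pts, cid in sorted(scored, key=lambda s: (-s[0], s[1]))
                 if band(pts) == "high"]
    automated = {cid: band(pts) for pts, cid in scored if band(pts) != "high"}
    return edd_queue, automated

# Constructed sample back-book (not real data).
BACK_BOOK = [
    Customer("C001"),
    Customer("C002", {"adverse_media"}),
    Customer("C003", {"pep", "adverse_media"}),
    Customer("C004", {"sanctions"}),
    Customer("C005", {"fraud", "commercial_risk"}),
]

if __name__ == "__main__":
    print(prioritize(BACK_BOOK, WEIGHTS_V1))
    # A change to the CRA model (PEP weight raised) reprioritizes accounts.
    print(prioritize(BACK_BOOK, {**WEIGHTS_V1, "pep": 50}))
```

With the first weight set only the sanctions hit reaches investigators; raising the PEP weight moves C003 from automated screening into the EDD queue without any manual re-review of the other accounts.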

Adopting technology and automation can help reduce the investment required to staff costly manual processes and enhance the user experience for low-risk customers, avoiding unfavorable user experience scenarios such as ringing up a loyal customer of six years to request they authenticate themselves.

Making Sense of Data to Make Sense of Compliance

When it comes to addressing the risk management demands of regulators, financial and insurance companies need greater flexibility to adopt a more coherent risk-based approach to CDD, moving away from box-ticking exercises toward data-driven risk management. This shift can help give regulators more confidence in the organization’s ability to execute fraud detection and mitigate risks effectively. Adopting this approach can help minimize the need for regulators to request additional skilled person reviews (S166) of a company’s activities, which can place further burdens on existing processes.

Ultimately, in some cases, a full compliance transformation may be necessary in the remediation process to create a paradigm shift that would allow automation to work alongside people in the CDD process. The costs in time, money and focus are too high to remain with the status quo because challenges are evolving and growing and must be addressed proactively.

Today’s challenges around anti-money laundering (AML) compliance, CDD and other risk mitigation factors linked with financial crime are akin to having a haystack the size of a small town and hoping a few hundred compliance professionals will be able to find the “bad” needles within it. We need to start thinking about burning down the haystack and investing in something better than throwing people/money at the problem and hoping for the best. Alarming regulatory fines potentially await at the end of the day unless companies are proactive and preempt the inevitable regulatory pressure.

The industry and its customers recognize that there’s a problem. A 2018 Javelin study revealed that only 52 percent of financial services organizations surveyed are confident that their fraud protection and mitigation processes are effectively identifying fraudulent applications. And 4 of 10 financial services companies surveyed don’t believe customers — who are reminded of their vulnerability almost daily when they read of data breaches — have full confidence in the security of their digital channels. The results of these studies seem to suggest that improving the status quo is a pressing organizational priority.

Figure 1: Trust in digital channels manifests in higher usage of online and mobile banking (Source: Javelin study, 2018)

What Is the Benefit of a Digital Identity Trust Solution?

Digital identity trust solutions take a proactive approach to mitigating risk and offering an enhanced digital customer experience. Innovations in technology such as artificial intelligence (AI), machine learning that helps build in automation, and behavioral biometrics make it possible for organizations to help safeguard their customers and brand from fraud and address regulatory requirements while providing the ease of use across the customer journey that can help their digital business grow.

Figure 2: Digital identity trust solutions can protect against fraud while enhancing the customer journey, from onboarding to login and throughout the session

It is possible today, for example, by leveraging an effectively built digital identity trust solution, to securely let end users in without a password, affording them seamless, logged-in access to their accounts at the swipe of a finger or a click of a button. Passwordless authentication starts with the proper user context. By setting contextual data against a decision-making framework, organizations can deliver a seamless end user experience for the vast majority of their legitimate users. Think of the customer bliss that can bring.

Figure 3: Digital trust solutions can make passwordless login a reality

To bring clarity to the core issues the financial and insurance sectors face nowadays, Synectics will host a conference on single customer view (SCV) and the value of digital identity trust as strategic security solutions that can help improve the customer experience, protect against account fraud and improve compliance with regulations. At the conference, set for Sept. 26 at the Hilton London Bridge in London, Shaked Vax, IBM worldwide technical lead for Trusteer and digital identity, will provide an overview on fraud ecosystems in a world of digital identities.

Learn more about the Synectics conference on the ramifications of fraud and financial crime in an age of digital identity, and book your place today.

