When we look to how our digital payments landscape continues to evolve, including new account-holder solutions, we must consider how risk controls are used in conjunction with new product offerings. Consumers and businesses demand simplified user experiences—without the friction of multiple passwords and prompts—and protection over their data, and state laws require those protections. Technologies such as fingerprint and facial identification have emerged as the new norm for banking apps. Yet biometrics alone will not stand the test of time in this more sophisticated technological environment; FI risk protections must continue to evolve, providing additional behind-the-scenes layers that support the way customers/members interact with payments today.
Engaging enhanced analytics
The introduction of new solutions that leverage machine learning (ML) and artificial intelligence (AI) technologies help FIs implement those additional protective layers by adding an automated analysis of critical data points. For example, if your customer/member uses fingerprint ID to log in to your banking app at home in Burlington but within seconds an attempted charge on their card from your institution hits a gas station in Quincy, you want your analytics to flag the gas station charge immediately. This sort of back-door analysis of multiple customer/member interaction points has grown in popularity—predominantly with cards—but as AI and ML continue to mature and become more accessible and cost-effective, these tools will find their way into an array of products and services. In the future, they will help parse your payment data across all channels and services in near real-time to better protect you and your customer/member from fraudulent activity.
We already see these trends taking hold globally with large international banks. According to Deloitte’s Global Risk Management Survey, 11th edition, financial institutions cited enhancing the quality, availability, and timeliness of risk data (79%) and enhancing risk information systems and technology infrastructure (68%) as extremely or very high priorities over the next two years. While this sentiment rings true for community banks and credit unions in New England, incorporating this new data analysis into traditional operational protocols may prove to be more challenging in certain ways.
For example, in many cases, payment ownership lies with the operational team, and those individuals may or may not be tasked with specific fraud detection protocols or responsibilities. Even when not directly tasked, in product line responsibility, operations oversees the flow of the transaction. The good news is that they really can be the first line of defense against a fraudulent attack. In fact, often they can detect unusual patterns of activity before a fraud team or detection system can.
“Operations is the keeper of payments, and as the gateway to that payment that goes in and out of the institution, they are in a key role when evaluating a transaction,” notes fraud expert Rayleen M. Pirnie, AAP, CERP, RP Payments Risk Consulting Services. “If they had deeper knowledge of the trends, of what to look for, it would help with mitigation, not just recognizing fraud.”
Staffing up for fraud
So, how does an FI staff up for that vision of a more risk-focused culture? It starts at the top: In fact, 95 percent of global institutions in the Deloitte study point to having a Chief Risk Officer position. While those surveyed represent large entities, the emphasis they place on risk management at the highest levels leaves a clear signal for all FIs: Risk management remains a priority, and staffing must support it.
But having a senior-level risk lead may not be the right solution for your institution. The unique structure and needs of your organization may mean that the person better suited to this role may function in a more operational capacity, with direct links to the other lines of business and executive management.
“Step one is identifying someone internally who has the interest and motivation to do fraud investigations,” advises Pirnie. “Then give them the resources, autonomy, and education necessary. Now you have someone who can work the cases appropriately; you have someone who can look at themes and how they can better mitigate risk for the institution in the future.”
Combining technology and people
Once your risk or fraud investigator is in place, your FI has the opportunity to move from a defensive position to an offensive one, shifting from identifying fraud to mitigating the risk of it. And to do that, cross-institution dialogue remains key. In fact, bankers reported collaboration between the business units and the risk management function as the
Merging resources top priority for enterprise risk management (ERM). Most importantly, fraud and operations should become a cohesive team in detecting and combatting fraud. The frequently present silos in these areas can potentially harm rather than help combat fraud. This means the lead on your risk program should have access and be able to reach out to every department. They should hold regular meetings with all product lines to identify trends, emerging threats, and mitigation strategies. Operations should also be able to bring concerns and flow information back to the risk management area. This back and forth flow of information and data is a critical aspect of ERM.
This is where data comes back into play. Financial institutions leveraging cross-departmental data can create a more automated approach to flag “out-of-character” transactions for further scrutiny. Globally, bankers are capitalizing on this approach with nearly three-quarters (74 percent) of surveyed institutions investing in automating processes to access and analyze the information in their systems.
“This is the state of the future,” Pirnie forecasts. “We’re just getting our feet wet in analytics. We will see more of platforms that sit between the account holder and the internal network and offer a more robust set of behavioral analytics to help combat fraud.”
On the other side of these analytics will be the Risk Investigator, ready to interpret the trends.
“That investigator will take the data that’s flagged and how it’s a problem,” Pirnie concludes. “The technology will take the place of the manual data aggregation, but the investigator will have to apply it for the institution. It all goes back to having a fraud investigator and those within operations who can identify possible trends.”
Taking that first step toward establishing risk mitigation leadership and responsibilities will go a long way in creating a culture of risk management, and NEACH can be your partner as you set it up. Don’t hesitate to reach out with a question on our Payments Hotline or let us know what risk mitigation needs you may have. At the end of the day, risk management is an industry-wide responsibility, where we all contribute to the solution.