2011 Fraud Focus: Integration and ACHDoug Johnson Says Banks Will Spend More on Automated Detection
As Doug Johnson, vice president of risk management policy at the American Bankers Association, says, "Customer education is only effective if it is continuous. It's not one and done." Johnson says customer education, on the commercial and consumer side, is something banking institutions must continually re-evaluate, tweak and market. "I think that while there might be technological tools associated with customer education, customer education itself is very personal," Johnson says. "One of the things we found to be very effective is for financial institutions to actually hold sessions within the branch, to bring their small business and their municipal customers in to tell them about the seriousness of ACH fraud."
The customer needs to be aware of negligence and financial loss in the ACH environment, he says. "There's nothing like having that responsibility to get someone's attention and to realize that they have to work in partnership with their institutions."
Going forward, regulators will be keeping a watchful eye on fraud and the role identity management plays in the fight against ACH fraud. "I think institutions -- and this will be consistent with what we see the financial regulatory agencies doing -- will be increasingly providing customers with a variety of identity management options, and explaining those options to the customer," Johnson says. "That is going to be a mandate from the administration, and I think it also will flow into the risk-management process within identity management."
During this interview, Johnson discusses:
- The expanding role customer education and identity management will play in transaction authentication;
- How enhanced channel integration is expected to streamline and improve efficiencies; and
- How internal audit controls and cloud computing are expected to help banks fight ACH and other types of fraud.
Johnson is the American Bankers Association's vice president and senior advisor risk management policy, where he is involved in a variety of public policy and compliance issues. He currently leads the association's enterprise risk, physical and cyber security, business continuity and resiliency policy and fraud deterrence efforts. He has assisted in the ABA's release of a series of resources to deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness.
Integration of AML Tools and Fraud DetectionTRACY KITTEN: Doug Johnson of the American Bankers Association shares his thoughts about expected bank investments in channel integration, ACH security and innovations and solutions. Doug, as the vice president of risk management policy at the American Bankers Association, what are you hearing in the industry from bankers about investments in channel integration and efforts to curve ACH fraud?
DOUG JOHNSON: We've been talking quite frequently with our institutions about the challenges associated with ACH fraud, particularly right now. And while I think there is some impact still from the economy associated with technological innovations and the payment for those innovations, there are a couple of different things that institutions are looking at and really desiring from the vendor community, as it relates to ACH particularly. One of them is really ensuring that there is a better level of integration between what banks have, in terms of product on the anti-money-laundering, and what they have on the fraud side. There is an expectation, I think, going forward that those two types of products are going to be better integrated. In some cases, they aren't as well integrated as they should be right now. Generally, the money-laundering applications are in batch form, and so that really doesn't do a whole heck of a lot of good if you need to know almost on an instantaneous basis when a fraudulent ACH transaction or an unauthorized ACH transaction has occurred. So, I think there's going to be a better level of integration between those types of tools, because the banks are demanding it. It gives senior management a better value proposition, because now those anti-money-laundering tools are not just a cost; they actually add dollars to the bottom line, because, essentially, you are deterring fraud. I see those kinds of integrations occurring to help anti-money laundering activities as well as fraud deterrence within financial institutions.
Cross-Channel Integration and Identity ManagementKITTEN: Most institutions continue to rely on manual fraud detection, meaning that cross-channel fraud detection is not really part of the equation. Why has cross-channel investment continued to lag, and do you expect that to change in 2011?
JOHNSON: I do expect that to change, to some degree. I think some of it is manual for the very reasons that we were discussing earlier, but I think that the tools are quickly catching up and may prove to be of substantial value, because they have dual purposes. I think one of the things that we're also seeing is enhanced identity management and authentication tools that can go cross channel as well. For instance, if someone is trying to defeat the standard Internet banking channel and get credentials into that channel in order to conduct ACH transactions, a stronger authentication measure and security measure on the front-end could actually attempt to frustrate that. So, I think that manual fraud detection will always be one component. You're not going to take the human being completely out of the equation; but I do believe we will see more automated tools, particularly tracking and triggering tools, as they relate to ACH fraud. One of the things, obviously, which is very important is it to be able to detect when a transaction does not fit a normal pattern. We're very accustomed to doing that within the retail card market, but we're not as accustomed to doing that in the ACH environment.
Customer Education: Primary Fraud-Fighting ToolKITTEN: Most institutions say they are doing more to fight ACH, as well as other types, of fraud through customer education. How effective do you see customer education being in the fight against fraud, and do you think that more technology investments are needed?
JOHNSON: I think that really there are a lot of different tools that institutions and customers have. Let's face it: The world is a different place then it was when brick-and-mortar was the primary delivery channel. I think that our surveys here at ABA demonstrate that's no longer the case. Now, for the first time, we have more customers indicating that the online channel is their primary delivery channel. So, that is a different environment. When you've got a brick-and-mortar environment, essentially, the customer is protected by the bank. The customer goes into the bank. There are security cameras there. There is probably bullet resistant glass. There are greeters. There might be armed guards. There are a series of protective measures that take place in that particular environment. However, if you can't translate those kinds of protections into someone's bedroom, where they bank online, then those security tools don't work very well. So, customer education is vital to really continue, to really impress upon that customer that because of that new environment, they have to have some skin in the game. They have certain levels of responsibility to help fight ACH fraud, and they need to take those responsibilities seriously.
Customer education is only effective if it is continuous. It's not one and done. It's something that the institution has to continually partner with the customer on. As to whether or not technology is needed, I think that while there might be technological tools associated with customer education, customer education itself is very personal. One of the things we found to be very effective is for financial institutions to actually hold sessions within the branch, to bring their small business and their municipal customers in to tell them about the seriousness of ACH fraud and the fact that the bank is there to protect them, but that they also have some responsibilities to protect themselves. If we do this together we'll be on the side of the millions of these ACH transactions that occur safely daily, as opposed to the few that periodically occur that are not done safely.
ACH: Open for Fraud and InnovationKITTEN: ACH fraud, obviously, is a huge concern, namely because of the many points of access the ACH network opens for payments and other types of financial transactions. How can institutions do a better job of securing ACH transactions, while also reaping the benefits from expected innovations in ACH rails for payments?
JOHNSON: Tracy, I have always recommended that institutions use every tool they have available in the toolbox, essentially. It's really a series of things that the institutions could do. Some of those tools are technological, as we've spoken about before; but other tools exist in the customer education realms, as we have discussed, or within the internal-control realm, which is something we haven't talked about. There is nothing like your basic internal-audit controls -- your basic blocking and tracking that really can serve to frustrate a technological exploit, such as malicious software, putting in dual control for any ACH transactions, particularly those ACH transactions that are over a certain dollar value. Maybe using positive pay, as well, so that the financial institution can determine whether or not that's a payee you've authorized and the payee amount that you've authorized. Those kinds of things, in conjunction with technological solutions and in conjunction with education, really set up an environment where you can minimize losses. The only way you can expect to reap the benefits associated with these innovations in the ACH rails and get people to ride those rails is if you minimize those losses, because in a lot of these cases, the customer needs to be aware that in the ACH environment, if they are negligent, they might actually be responsible for the loss. So, there's nothing like having that responsibility to get someone's attention and to realize that they have to work in partnership with their institutions. So, I think it's all those three pieces wrapped together. It's technology, in conjunction with education, plus your standard level of internal controls.
KITTEN: How will security investments impact ACH payments? It sounds like it just needs to be more of a collaborative effort, as far as making sure that those transactions are secure to enhance consumer trust as well as commercial customer trust.
JOHNSON: Yes, I do believe that there is going to be some innovation in the identity management space that will affect ACH security going forward. The Obama Administration is very interested, within their national strategy, in securing transactions in cyberspace -- of really tightening that space and increasing customer trust by essentially giving financial-institution customers and customers of other online services more control over that environment. That includes more control of the manner in which they authenticate themselves and let themselves be known on the Internet. So, I think institutions -- and this will be consistent with what we see the financial regulatory agencies doing -- will be increasingly providing customers with a variety of identity management options, and explaining those options to the customer. In partnership with that customer, the two will come to a conclusion regarding which one of those makes the most sense for that customer. That is going to be a mandate from the administration, and I think it also will flow into the risk-management process within identity management, whereby institutions are going to be required to ensure that their risk management process isn't one and done. They just don't take an identity management product and an authentication product and think that they are finished with it. It's a continuous review process to make sure that those products are actually meeting the threat.
ACH Fraud: An Unknown Variable?KITTEN: In a recent (Twitter #FacesofFraud) fraud survey, we found that only 37 percent of respondents deem ACH fraud to be a problem. Most industry experts agree that ACH fraud is a much larger problem then the majority of institutions may realize. Do you agree with that? Do you think institutions are unaware of ACH fraud, and what educational steps is the ABA taking to help banks get a better handle on the fraud?
JOHNSON: Tracy, I found that number interesting. When I do sessions in conferences or seminars or otherwise on ACH fraud, I generally do ask the question of how many institutions have been impacted by ACH fraud, and roughly about a third of the hands do go up. More hands have gone up as the threat has increased, but being human beings, I think, unless you are impacted by ACH fraud, you might not be properly sensitized to it. That is where the ABA comes in, I think. Folks may be unaware because they have not been impacted by it. It is our job to ensure that they understand what the threat is, and I think you are familiar with some of the work that the Financial Services Information Sharing and Analysis Center (FS-ISAC) has done to respond to detect and deter these kinds of threats, including ACH account takeover. You know, we're providing a variety of tools for banks, not only to just educate themselves, but also educate their customers. So, the banks can get a better handle on ACH fraud and also have the tools that are necessary to more adequately protect the environment.
Top 3 Fraud Focuses for 2011KITTEN: Doug, could you tell me what you deem to be the top three security areas, especially as they relate to ACH/wire fraud and channel integration, that banks will focus on in 2011?
JOHNSON: I mentioned identity management. I do think there is going to be some increased emphasis from the bank regulatory agencies on identity management. I do also think that there is going to be somewhat of an emphasis on what the risk management process within institutions looks like from the standpoint of the examiner. I think institutions, as I indicated earlier, will be held to a standard of continuous review, which they should be. That is what the examination guidelines currently call for. I think another thing that we're going to see is increased triggering tools, so that institutions will know when an ACH transaction occurs in a particular account that is outside the norm, and the utilization of those triggering tools and some out-of-band call-back before those transactions are ultimately approved. I think this is something that we're going to see to a greater degree.
Also, something a little off center but certainly related to information security, we do know that the agencies are looking at cloud computing, and whether there is necessity to put out some guidance other than the standard vendor management guidance. The guidance would help institutions know what the agencies believe are the proper considerations when someone does move to cloud computing.