By Gary Duncan, 20 May 2024
Despite ongoing efforts, fraud remains a persistent threat, costing billions annually and causing significant harm to businesses and individuals.
A recent ICA Member Webinar, hosted by Wayne Haynes, Global Lead, Financial Crime Prevention at the ICA, looked at the evolving fraud landscape, technology’s role in the fight against fraud, and how organisations can strengthen their compliance programmes to improve detection and prevention.
He was joined by Claire Maillet, Counter Fraud Expert and Host of the ‘fraudible’ Podcast; Richard Bromley, Director of Fraud and Disputes Risk at Monzo Bank; and Jan Stappers, Regulatory Solutions Director at NAVEX, a provider of risk and compliance software solutions.
A multilayered approach
Fraud is the most common crime in the UK and most of us are likely to be affected by it at some point – probably more than once.
Haynes said he sees fraud as a constant battle. ‘That’s the title of our webinar, and that’s what it is – a constant battle to prevent the ne’er-do-wells from impacting us in both our professional and daily lives.’
To illustrate the scale of the problem, he asked attendees to list some of the main fraud-related technologies used by both fraudsters and crime prevention teams. It was a long list – behavioural biometrics, graph analytics, synthetic data, natural language processing, second authentication, encryption protocols, domain-based message authentication, general artificial intelligence and deepfakes, to name a few.
Stappers said organisations should adopt an interactive approach that takes in all these technologies – and the sooner the better. AI, for example, already affects anyone who uses technology, he said. A few years ago, no one really knew what it even was, but now 11-year-olds are using ChatGPT to write essays in five minutes. That, he warned, is a red flag for crime prevention professionals.
Bromley urged organisations to adopt a multilayered risk-based approach. If they don’t, their systems and controls are doomed to fail. He said he sees deepfakes on LinkedIn ‘probably every couple of hours’ and that the technology is becoming increasingly and more economically viable for would-be criminals.
Proactive organisations should focus on horizon risk, but that doesn’t mean dropping everything and reacting right now to every threat. ‘Understanding how emerging risks could affect your organisation or customers is key,’ he said, ‘because running to your CEO and asking for a bucket load of cash for investment for something that maybe isn’t quite here yet is a challenging conversation to have.’
‘We’re all data analysts’
Haynes asked the panellists what they would change about the profession if they had a magic wand.
Stappers said crime professionals’ self-perception. ‘Many people say they prevent fraud or they’re an investigator or whatever,’ he said, ‘but I think they should say they’re a data analyst who uses data to prevent fraud or investigate cases. That’s still a reality that few people are comfortable expressing.’
Looking at AI, the ever more sophisticated ways to commit fraud and the increasingly international nature of business, he said it’s no longer a human-only profession. Organisations need to start gathering data across as many sectors as possible and then connect those datasets. ‘Ideally, you’ll start seeing your work as analysing datasets and gathering and understanding as much data as you can because that’s the only way to maximise the opportunity to see actual red flags or red flags in the making,’ he said.
Haynes agreed. ‘At the end of the day,’ he said, ‘we’re all data analysts.’
Looking for a gap
Stappers said he would like to see more collaboration. ‘Companies try to keep everything to themselves, sometimes even within their organisation,’ he said. ‘I think too many are trying to reinvent the wheel themselves, and there’s too little sharing of information across the industry.’
Haynes had first-hand experience of that when he worked in law enforcement. ‘I’d have those discussions with various agencies, including policing ministers,’ he said. ‘It would be a case of “Why don’t we have a central database to collect all this information to get a better picture?”.’ There were lots of barriers, he said, including confidentiality, GDPR, protecting company IP and legislation.
The UK’s new Economic Crime and Corporate Transparency Act – introducing new powers to tackle fraud, corruption and money laundering – could be a step in the right direction, he said. But criminals will always try to find new ways to stay ahead. ‘They’re entrepreneurs,’ Haynes said. ‘They’re looking for a gap, a new method, and they’ll squeeze something else. That’s the battle.’
Bromley said banks are fairly good at sharing intelligence best practices, but not so good at sharing them across sectors. He said 70% of authorised push payment fraud originates outside financial services, starting on the tech platforms. ‘If we had that data across the ecosystem from outside of financial institution into financial institution, our controls could be significantly more targeted,’ he explained.
The best fraud prevention strategies need to be fast, balanced and collaborative to address the natural tension between managing fraud and optimising the customer experience. ‘They should reflect your customer bases, channels, products and services, where you operate and how they’re integrated with your broader, more strategic objectives and priorities,’ Bromley said. ‘If you’ve got a fraud strategy which sits outside your company’s strategic objectives and priorities, it could become fairly siloed.’
Risk assessment is key to helping organisations understand what controls they have in place and what that means for their residual risk, the severity of those risks and what they need to prioritise in terms of control investment. ‘That’s super important,’ Bromley said, ‘because if you don’t do the risk assessment and start to add systems and controls, that could lead to undesirable outcomes.’
He also emphasised the importance of education, awareness and training – about giving customers the tools to protect themselves and be aware of the risks. Many people will have become desensitised to messages sent out by banks and financial services firms, he said, but banks still need to ensure those messages and warnings are targeted.
Monzo recently launched an app to enable its customers to confirm that they were actually talking to the bank and not a fraudster. ‘We saw a spate of impersonation scams where fraudsters were pretending to be from Monzo to build trust and then get victims to move money from a Monzo account to a so-called trusted account,’ Bromley said.
‘I’m nice, but I could be a fraudster!’
Maillet said insider fraud might not be the biggest threat in terms of reported cases, but it still comes with its own challenges. ‘People don’t really want to talk about it,’ she said. ‘Understandably, they don’t want to admit that their staff might feel the need to perpetrate fraud.’ During her research, she said, most people say, ‘We don’t have that issue here because our staff are lovely people. And you think, “Yeah, I’m nice, but I could be a fraudster!”.’
Maillet said organisations should look at every department in their business and ask themselves, ‘If I wanted to perpetrate insider fraud, how would I do it?’ Do they have access to data that isn’t being monitored? Do they have processes in place to look at expense claims or overtime sheets? Do they have a whistleblowing policy? Do they understand their processes inside out? ‘As a first step,’ she said, ‘your risk owners should go through every single team, look at all the processes and find the gaps that need to be plugged.’
Maillet said organisations need to be even more vigilant now that more people are working from home.
Takeaways
Haynes wrapped things up by asking the panellists for their key takeaways.
‘Get out of your silo,’ Stappers said.
Maillet said organisations should look at their onboarding, monitoring and offboarding processes, and apply the same measures to their own staff.
Bromley’s message was simple: ‘Invest in risk assessment, understand your current risk, understand your horizon risk and socialise that across your organisation. That will be key.’
The full webinar Fraud wars: Fraud prevention in 2024 is available to ICA members via our Learning Hub.
For more information and to sign up to our upcoming ICA webinars, visit our events page.