"Fraud, unfortunately, is a part of our world and fraudsters have great resolve," observes Douglas Twining, director of fraud service for Cleveland-based KeyCorp ($95 billion in assets), who spoke to us this week about the bank's recent investments in fraud-fighting technology. "Organized crime has become more sophisticated in the last couple of years, criminals are leveraging technology more than we've seen in the last couple of years, and we've seen an incident rate associated with sophisticated phishing, malware, and man-in-the-middle attacks. When that occurs, it's not only an attempt to exploit the financial institution, but it calls into question the integrity of the product and the channel."
KeyCorp has purchased fraud detection software from Actimize to be proactive and to "view risk in a holistic instead of a siloed manner," Twining says. "Detecting fraud is not the goal in and of itself, the real goal is to be able to respond in a timely fashion." The real-time nature of the software KeyCorp has purchased is designed to let it catch suspicious transactions before they're completed, so that the customer can be called or the transaction blocked before fraud actually takes place.
The bank is in the process of building applications on the Actimize platform — this is expected to take about two years. Twining plans to focus first on remote banking delivery channels, although he notes that the bank already has anti-fraud controls and processes in place and it conducts webinars and client discussions about safe online banking. "What we're really investing in is the ability to use behavioral analytics to enhance the investment we've made in authentication technology," he says. "We are leveraging information about transactions and account activity changes and determining whether or not to pend transactions, to have one of our fraud analysts review the activity, to contact the client, or to approve and potentially look at it later." Clients want to be educated, but also want the bank to help and protect them, Twining relates. "Working with them and helping protect them is good for us."
The Actimize software compares incoming transactions against existing bank data, scoring them based on such risk factors as familiarity of the IP address and consistency with a customer's past behavior. Rules can be set to identify suspicious activity.
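As an added illustration (not Actimize's or KeyCorp's code), the sketch below scores a transaction on the two risk factors named above, IP familiarity and consistency with past behavior, and maps the score to the responses Twining lists. The weights, thresholds, field names and sample history are assumptions constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Txn:
    customer: str
    amount: float
    ip: str
    profile_changed: bool  # assumed flag: recent account activity change

# Constructed baseline: IPs and transfer amounts previously seen per customer.
HISTORY = {
    "acme-llc": {"ips": {"198.51.100.7", "198.51.100.8"},
                 "amounts": [1200.0, 950.0, 1100.0, 1300.0, 1050.0]},
}

def risk_score(txn, history=HISTORY):
    """Return (score 0-100, reasons). All weights are illustrative assumptions."""
    profile = history.get(txn.customer)
    if profile is None or len(profile["amounts"]) < 3:
        # Without a baseline, behavior cannot be judged; send to a human.
        return 40, ["no behavioral baseline"]
    score, reasons = 0, []
    if txn.ip not in profile["ips"]:
        score += 30
        reasons.append("unfamiliar IP address")
    # Consistency with past behavior: standard deviations above the usual amount.
    mu, sigma = mean(profile["amounts"]), pstdev(profile["amounts"])
    z = (txn.amount - mu) / (sigma or 1.0)
    if z > 3:
        score += 50
        reasons.append(f"amount {z:.0f} sigma above customer norm")
    if txn.profile_changed:
        score += 20
        reasons.append("recent account activity change")
    return min(score, 100), reasons

def disposition(score):
    """Rule thresholds (assumed) mapping a score to a response."""
    if score >= 70:
        return "pend_and_contact_client"
    if score >= 40:
        return "analyst_review"
    if score >= 20:
        return "approve_review_later"
    return "approve"
```

Scoring on behavior as well as IP matters for the hijacked-computer case: a transfer sent from the customer's own machine has a familiar IP, so only the deviation from past activity raises its score.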
The bank will need to feed information from its online banking, mobile banking, ATM and other applications into the Actimize software, making this a large integration project.
"My mantra is data, data, data," Twining says. "It's important to get that perspective in order to be timely and quickly prevent or detect aberrant behavior." This approach will also let him build a flexible platform, he says. "We won't be solving all fraud risks through this mechanism tomorrow, but we'll build onto it over the next few years to incorporate more of a holistic approach."
Small businesses have been especially hard hit by fraud in the past year, particularly by incidents in which malware lets a criminal hijack a computer and send wire transfers. Twining says the Actimize software can detect and prevent such activity. However, he says, "we believe that it's a shared obligation. We did a webinar recently with small businesses and we gave them some very practical suggestions to consider to help them manage the risk."
KeyCorp also plans to offer clients other fraud prevention measures such as text alerts for suspicious activity, keystroke measuring tools, and biometrics. It plans to provide some at no fee and others for a small fee. "Everybody has a different risk tolerance, we want them to be able to protect themselves in a way that makes them comfortable with their relationship with Key, instead of telling them, this is all we offer," Twining says. The bank provides digital certificates and offers authentication tokens, again based on customer preference. "There's a lot of concern in our society around banks' ability to protect their clients," he says.