June 26, 2006

Fraud incidents across the banking industry continue to skyrocket, and San Francisco-based Wells Fargo ($492 billion in assets) can attest to just how scary these incidents can be. Already the victim of three security lapses in the past three years that exposed sensitive customer information, the bank again found itself at the center of a security breach this spring. >>

A company computer that contained the names, addresses, Social Security numbers and account numbers of Wells Fargo's mortgage customers was reported missing while in transit between Wells Fargo facilities, according to published reports. While law enforcement officials believe the computer was stolen for the hardware -- not the data it housed -- this tends to be the exception.

Mission-critical data and consumer-specific information often are the target for savvy thieves who prey on the financial services industry. Further, as consumers, employees and external business partners demand -- and are given -- greater access to sensitive data, banks are more susceptible than ever to internal security breaches.

Clearly, fraud is a costly fact of doing business. Approximately 3 million adults said they were victims of ATM or debit card abuse in 2005, according to a survey by Stamford, Conn.-based Gartner that focused on the global IT industry. These incidents resulted in $2.75 billion in losses, with an average loss of more than $900 per incident, Gartner reports. Another 1.9 million online financial services users were victims of illegal checking account transfers, the study adds. These hijacked accounts resulted in nearly $3.5 billion in losses -- an average of roughly $1,800 per incident. Banks absorbed most of these losses, Gartner points out.

"Real costs are being driven out of the business," says Austin Wells, VP, product management, for Digital Harbor, a Reston, Va.-based risk management solutions provider. "Dollar losses aside, however, banks are just as aware of how damaging fraud can be to their reputations among consumers as well as in the way of fines they are subject to for noncompliance with regulations."

The fastest-growing incidents of fraud are cross-functional, meaning they involve multiple areas of a banking customer's portfolio. While banks have solutions in place to evaluate and detect incidents of fraud, not many solutions "look across systems and link the pieces together," Wells contends.

Segregated fraud detection solutions and disparate data streams "remain siloed across enterprises," agrees Andrea Klein, chief marketing officer, IdenTrust, a San Francisco-based provider of identity management solutions. In addition to being difficult to control, these silos require banks to allocate different sets of people and significant IT investments to manage information and detect fraud.

"Fraud does not just encompass Internet-facing issues or identity theft," says Jonathan Rosenoer, global risk officer, financial services sector, for Armonk, N.Y.-based IBM. "Dimensions start at security levels and bridge through to privacy issues. Banks need to consider fraud from a broader sense," he continues. "They need to look at systems and rethink how operations can effectively shut the door to criminals."

The Helping Hand of the Law

Unfortunately, some banks have been slow to react and only have begun to rethink their risk strategies and fight fraud on an enterprise level as the result of regulatory mandates. The USA PATRIOT Act, for example, requires banks to monitor and disclose any potential international money laundering rings or the financing of terrorism. Meanwhile, Basel II requires that banks identify customers on a global level, calculate credit reserves and report credit risks.

"These and other regulations are forcing companies to look at all customer activity, even across silos," says Rosenoer. That is where the CRO comes in. "The role of the CRO -- or chief risk officer -- is to ensure the bank is compliant across these regulations," he explains. "Further, the CRO bridges business continuity in the event of fraudulent events. Again, this is not just an online problem. CROs are evaluating money laundering rings, compromised internal systems or anything that is threatening the enterprise."

Besides creating a watchdog to detect and ward off potentially dangerous scenarios, privacy and security regulations foster something more important -- the need for banks to gain an enterprisewide view of customers and their account activity, Rosenoer suggests. Gaining a holistic view of the enterprise requires an arsenal of risk management tools. The best solution set will enable banks to pinpoint breaches, from compromised consumer privacy all the way up to organized fraud rings. They must be able to monitor instances wherever they occur in the organization. To do this, banks need to employ a common set of tools across the enterprise.

"Banks need a consistent approach to fraud assessment and prevention, otherwise they will never truly get ahead of [the problem]," says IdenTrust's Klein. "Siloed solutions cannot fight the bad guys. Fraud has to be fought on an enterprise level, otherwise this problem cannot be solved."

For example, identity theft is consuming many banks' fraud prevention resources. However, companies are equally bombarded by threats of money laundering and from organized fraud rings. That's why Digital Harbor's solution links disparate fraud detection technologies throughout the organization to detect patterns across each area, according to the company's Wells. By investigating the exceptions across multiple systems, the solution "provides a single view of a suspicious customer or account," he says. "If banks can start to find patterns of fraudulent activity across accounts early on, they can avoid big losses." By linking different fraud detection systems together, Wells asserts, banks can reduce fraud losses by 30 percent and increase their loss recovery by between 25 percent and 40 percent.