ABA: Fraud Losses are up - But Don't Blame Banks
New Study Pins Increase on Surge in Third-Party Breaches
Doug Johnson, senior vice president of payments and cybersecurity, American Bankers Association
Although financial losses tied to fraud against bank deposit accounts increased about 12 percent from 2012 to 2014, banks are not to blame. This is the contention of the American Bankers Association in a new report. In fact, the ABA argues that banks are making significant strides in their fraud prevention efforts.
Sounds like a contradiction? I agree: The ABA's position on the surface may seem like an effort to "spin" the results of its biennial survey. But upon reflection, its conclusions are defensible.
If you think about it, most of the losses in 2014 were from debit cards that can be traced to retail breaches that occurred outside the institution. Meanwhile, losses related to online banking and ACH/wire fraud (account takeover) inside the institution have decreased. That reduction shows that, yes, banks actually are making improvements in fraud reduction.
Doug Johnson, senior vice president of payments and cybersecurity policy at the ABA, shares his perspective on the numbers:
"We saw an increase in fraud losses in 2014, most likely due to the number of large-scale retailer data breaches, which resulted in a significant increase in attempted debit card fraud," Johnson says. "Banks recognize that many customers are moving online to perform banking transactions and have invested billions of dollars to create very effective online fraud-prevention systems that include features like multifactor authentication and monitoring IP addresses."
Financial losses linked to debit compromises accounted for the greatest industry loss, at 66 percent, followed by check fraud, which accounted for 32 percent of overall loss, he adds.
"Banks' sophisticated fraud-prevention systems and customer vigilance successfully stopped 85 percent of fraud attempts in 2014," Johnson adds, noting that losses linked to online banking and wire and ACH transactions accounted for only 2 percent of the banking industry's overall fraud loss.
ABA's Survey
The ABA's Deposit Account Fraud Survey Report is conducted every other year rather than annually, unlike other bank fraud surveys, including those conducted by Information Security Media Group (see Account Takeovers: Did FFIEC Guidance Make a Difference?).
Annual surveys tend to find that online and wire/ACH fraud losses increase year-over-year, and have steadily gone up since 2012.
But I think the ABA's findings make sense, as banks are not necessarily good, on a year-over-year basis, at gauging, measuring and allocating fraud losses to specific categories.
For instance, fraud losses that might actually be related to a debit compromise could in the short-term be attributed to an online banking/account takeover. After more thorough investigation, however, the bank could find that the loss was related to a card compromise, and not an online breach.
Additionally, the figures in the ABA study are based on data collected from 101 of the ABA's member banks between May 2015 and August 2015. The banks that participated in the survey range in asset size from $1 billion to $75 billion or more, so it's a fair representation of the industry.
Outside Perspective: Solid Results
To get some outside perspective on the ABA's latest findings, I spoke to Shirley Inscoe, a financial fraud expert and analyst at consultancy Aite. She says that while no survey of fraud reporting is perfect, the ABA's reporting is solid.
"Banks spend far more money on fraud prevention than people realize," says Inscoe, who previously worked for Wachovia Bank, which was acquired by Wells Fargo in 2008. "And in addition to all the technology solutions, large numbers of staff members are required to support the output of those systems."
I also caught up with Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center, who says data breaches have been the primary source of fraud suffered by banking institutions in the past two years - a factor over which they have little control.
"These data breaches have resulted in compromised card data," Nelson says. "Criminals have used that data to create fraudulent payment transactions at in-person point-of-sale terminals, card-not-present online transactions, or even unauthorized ATM withdrawals. Financial institutions have implemented techniques, such as anomaly detection, velocity and transaction limits to restrict their potential losses from card fraud," but they can't prevent cards from being compromised.
Investments in Fraud Prevention
Like Inscoe, the ABA also finds that banks have made significant investments in anti-fraud technology that is having an impact.
The median amount spent by banks on fraud department salaries and staffing ranges from $10 million for larger institutions to $10,000 for community banks, the ABA finds.
Additional anti-fraud investments, not related to salaries, reflect similar numbers. According to the ABA, big banks spent upwards of $10 million on these investments, while community banks spent between $10,000 and $50,000.
"There are many types of technology solutions used to detect and prevent fraud," Inscoe says. "While some institutions use enterprise case management solutions, there are dozens of additional point solutions required, due to all the payment types, delivery channels, etc. Many solutions must be deployed, monitored and constantly analyzed to maximize results. As fraud trends shift and new ones emerge, banks must revise system parameters, add new rules or scenarios, and, perhaps, invest in new solutions."
It's clear that U.S. banking institutions are upping their investments in anti-fraud technologies and awareness. And over time, it seems, we truly can see those investments having an impact.
My question to you: Do the ABA's findings jibe with what your institution is experiencing in fraud expense and reduction? Post your comments below, please.