Design Basis for a Banking Fraud Risk Management (BFRM) Solution

By balaji

December 21, 2010

Despite the enormous worldwide focus on corporate governance, risk management and information security measures over the past couple of decades, we are still seeing major frauds happening in the industry. Some of the global statistics on fraud are really scary, viz:

  • Companies on average lose 7% of their revenue to fraud (Nilson Report)
  • The global loss estimate is over 660 billion dollars for all categories of fraud. This includes all kinds of industries and all types of fraud, including financial statement frauds such as Enron (Nilson Report)
  • The average financial fraud lasts 25 months before it is discovered (ACFE Report)
  • Technology frauds (online, card and computer frauds) have been growing at over 50% year-on-year, with last year's estimated losses being over 25 billion (ACFE Report)

When a fraud is committed through a technology channel by defeating the existing technology controls, it is natural to conclude that the existing information security measures are ineffective, and the CISO (Chief Information Security Officer) becomes the prime target for management. The consequence is the implementation of more and more information security point solutions and restrictive measures for technology users: more budget spent, more inconvenience to users and thus less productivity. But fraud continues to grow both in size and in numbers, and the CISO continues to be blamed: a true "Blame-the-Victim" syndrome in the organization.

In such a situation, it is imperative to understand the root cause of the problem and then design an effective solution, instead of simply fortifying the information security measures to combat it.

Information security controls are designed to allow certain users and disallow others on a "Need to Know" basis. Thus, if a user who is allowed to perform certain activities misuses his or her rights and responsibilities, none of the information security controls will detect this as harmful. Further, if somebody impersonates a valid user and enters the system, the information security controls will treat those activities as innocuous. As the majority of technology frauds are committed either by impersonating valid users through some social engineering attack or by the authorized users themselves, none of the information security controls can detect and prevent those frauds.

Thus, there is a need for another kind of control, viz. a Fraud Risk Management solution over and above the information security measures, to control technology frauds. Broadly, this solution should effectively monitor transactions and detect/prevent fraud on a real-time basis.

Design Basis for Fraud Risk Management solution

Before getting into the design basis for an effective Fraud Risk Management solution, let's discuss what will NOT work as a solution.

  1. A pure rule-based system, i.e. adding rules such as "Do not allow third-party fund transfers above a certain amount", will not work, as fraudsters will always outwit the rule.
  2. Solutions in silos, i.e. one solution for the Internet Banking channel and another for cards, etc., will also not be efficient, as frauds aren't committed using only one channel. The fraudster actually uses multiple channels to perpetrate a fraud. For example, the credentials may be stolen by phishing, but then used through a call center to obtain the transaction password, after which a fund transfer is made by wire. Therefore, a solution in silos will not work.
  3. A pure Artificial-Intelligence-based system for detecting and preventing transaction anomalies will not work in a financial system, because it has the potential to generate many false positives. Blocking a genuine customer's transaction on the basis of a false positive will be counterproductive. Thus such systems will also be inefficient.
  4. Offline surveillance will also not be very effective, as more and more banking systems are becoming real-time, so frauds also need to be detected and prevented in real time.

Therefore, the design basis for an effective Fraud Risk Management solution should inter alia include the following:

  • A hybrid approach that combines rules, anomaly detection and predictive modeling for fraud detection
  • The capability to maintain a single profile of the user across all channels
  • The capability of multidimensional profiling, i.e. profiling any entity, viz. customer, POS, ATM, branch, etc., on the basis of certain statistical parameters
  • The ability to detect and prevent fraud in real time
  • The ability to integrate with existing authentication systems, thus enabling risk-based authentication
  • Modular implementation
  • A robust workflow and case management system for investigation and an enterprise-wide view
  • Ease of integration with the core banking application
  • Efficient response time (say 10 ms)
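The following added example (not code from the article) sketches how the hybrid, cross-channel design basis above fits together: a rule layer, an anomaly layer scored against a single per-customer profile shared by all channels, and a correlation layer that catches the call-centre-reset-then-wire pattern from point 2 of the earlier list, all combined into one score that an authentication system can act on (allow, step-up, block). The thresholds, field names and the customer history are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Profile:
    """One profile per customer, shared by every channel (assumed structure)."""
    amounts: list = field(default_factory=list)   # accepted past transfer amounts
    events: list = field(default_factory=list)    # (ts, channel, event_type)

def sample_profiles():
    """Constructed history for one customer: six ordinary internet-banking transfers."""
    store = defaultdict(Profile)
    store["cust-1"].amounts.extend([120, 95, 140, 110, 130, 105])
    return store

def rule_score(txn):
    """Rule layer: static limit on third-party transfers (threshold is assumed)."""
    return 40 if txn["type"] == "third_party_transfer" and txn["amount"] > 5000 else 0

def anomaly_score(profile, txn):
    """Anomaly layer: z-score of the amount against this customer's own history."""
    if len(profile.amounts) < 5:          # not enough history to profile yet
        return 0
    mu, sigma = mean(profile.amounts), pstdev(profile.amounts) or 1.0
    z = (txn["amount"] - mu) / sigma
    return 30 if z > 6 else 15 if z > 3 else 0

def cross_channel_score(profile, txn, window=3600):
    """Correlation layer: a credential reset on a different channel shortly
    before a transfer is the multi-channel pattern that siloed solutions miss."""
    recent = {ev for ts, ch, ev in profile.events
              if txn["ts"] - ts <= window and ch != txn["channel"]}
    return 40 if "password_reset" in recent and txn["type"] == "third_party_transfer" else 0

def decide(store, txn):
    """Hybrid decision: sum the layers and map the score to an action the
    authentication system can enforce (risk-based authentication)."""
    p = store[txn["customer"]]
    score = rule_score(txn) + anomaly_score(p, txn) + cross_channel_score(p, txn)
    action = "block" if score >= 70 else "step_up" if score >= 30 else "allow"
    p.events.append((txn["ts"], txn["channel"], txn["type"]))
    if action == "allow" and txn["type"].endswith("transfer"):
        p.amounts.append(txn["amount"])   # only accepted transfers update the profile
    return score, action
```

Feeding `decide` a constructed call-centre `password_reset` followed fifteen minutes later by an 8000 `third_party_transfer` over the wire channel trips all three layers and returns a block, while the same transfer without the preceding reset would only trigger the rule and anomaly layers.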

Although all the above points are essential for designing an appropriate Fraud Risk Management solution, a technology solution per se will not be sufficient unless the organization has appropriate policies and procedures around it. Thus there is a need for a holistic, continuous and integrated Fraud Risk Management Framework.

Tags: Features
