Leap Year Edition

Did you know 2024 is a leap year? That's right, this month, we have 29 days instead of 28 days.

The first thing that came to mind when I realized that fact was Modern Family. Am I the only one that remembers the Leap Day episode...?

If you are new here, welcome. Here, we talk about what's happening, what's new, and what's next in the world of fraud risk management. For returning readers, thank you for your continued support.

This month, I have some hot topics lined up for you:

  • Themes across the fraud capability assessments I have conducted for banking clients, with a focus this month on common gaps
  • A dive into the expected impact of scam refunds on first-party fraud (check out the initial piece on scam liability and the update on scam liability in past editions of Fraud Thoughts)
  • How to leverage GenAI for a fit-for-future Fraud Risk Assessment program

Read on, and let me know what you think in the comments.


This newsletter will be in your inbox on the first or second Thursday of each month - if you enjoy the content, share it with your network and subscribe above. For original subscribers, you may remember it being the first Thursday of the month. I have had to make a shift to allow for more flexibility, but don't worry! You will still get a new edition each month.

A big thank you to Suzanne Carlson for her contributions to this edition of Fraud Thoughts. And this month, a special shoutout to the incredible folks who have been on my teams, including Berta Perez, Colin Virag, Lauren Thomas, Karley Herschelman, Allen Ahn, and more. Without them, our series on capability assessments - and Fraud Thoughts overall - would not be possible.

If you have a topic you want to see covered or have questions about any of the content in the newsletter, feel free to reach out to me on LinkedIn or by email at [email protected].


What's Happening? Fraud Capability Edition - Banking Part 1

Is your fraud program up to snuff? This is the question that usually leads clients to my doorstep, along with burning questions like: What are my peers doing? What are regulators looking for? Or even more specific questions, like: Do we have the right metrics? Does a specific process have the right fraud controls?

This type of industry benchmarking or current state review is imperative to approaching fraud risk management strategically. This type of insight enables an organization to understand where it stands and how to prioritize needed enhancements to stay in line or ahead of industry practices. It is often the key to shining light onto what is on par, what is outside the norm, and what should be tackled now vs. later across every aspect of the program, from the small details to the big picture.

As the title implies, this is part one in a series we will embark on here at Fraud Thoughts. One of the core ways we serve clients is through current state assessments. These assessments lead to a wealth of insight into practices across many institutions - small and large. And I am no gatekeeper. So, in this series, we will take time to boil those insights into bite-size pieces.

This month, we will dive into common gaps. Instead of one big list, we will break it down between foundation-level gaps and what I will call more tactical or operational-level gaps. Foundation-level gaps in this context relate to the large puzzle pieces needed to build a robust fraud risk management program. Tactical or operational-level gaps are more in the weeds in a fraud management program.

This month, we will cover common foundation-level gaps in fraud capabilities based on my work with clients.

Top 5 Common Foundation-Level Gaps in Fraud Capabilities

#1 | Operating Model - an effective fraud risk management operating model that everyone is happy with can be elusive.

A common struggle I have seen stems from not documenting who does what in enough detail or with enough clarity. This can lead to anything from a simple misunderstanding to an actual program gap because no one takes ownership of an activity as they assume someone else is doing it.

Another common struggle is fraud activities performed by people who are not in fraud. This can lead to decentralized fraud risk management or fraud work being performed by folks lacking domain expertise, leading to mixed results.

#2 | Governance & Policy - setting strong governance with effective supporting policy is more challenging than people may think. Every client I have worked with in my career has had a struggle here. We commonly see a lack of defined governance or gaps in that definition. For example, there may be a lack of a defined fraud decision-making tree (i.e., no fraud working group or committee that feeds into the broader reporting hierarchy up to the board). Or it may be that it is not written down anywhere, leading to gaps in understanding and difficulty articulating the structure.

Now, foundational documentation usually encompasses fraud risk management policy and program documentation. Often, if policy documentation exists, it lacks sufficient, necessary detail. Fraud program documentation has a similar story. These artifacts set the foundation for how the fraud program is communicated across the organization and detail the program's inner workings. They are essential for regulatory reviews and ensure everything is set up as it should be. In the absence of such detail or documentation, I have seen clients get hit with matters requiring attention (MRA), which speaks to their importance and the impact if that documentation is lacking or missing altogether.


Need help determining where your documentation stands? Or starting from scratch? We will dive into these artifacts in a future edition, and feel free to contact me directly with any questions on how to build effective policy and program documentation.


#3 | Internal & External Training - investing in training can pay serious dividends. However, while many institutions have some form of training occurring both internally and externally, the efficacy is up for debate.

The most common gap is a lack of a formal strategy for both internal and external training. A strategy is critical - it is where you should outline the topics you plan to cover, the mediums you will use, the specific audience, and more. There should be space for ad hoc training as needs arise, such as a new or emerging threat. This should be a defined process to enable swift response vs. an informal process that lacks clear steps from content development to approvals to roll-out.

More nuanced gaps for internal training center around outdated materials, standard vs. tailored or role-based materials, and materials that lack sufficient tactical insight, such as end-to-end case studies.


Check out tips for enhancing your internal training in the Holiday Edition of Fraud Thoughts! You can find them at the tail-end of the 'What's Next' section.


External training gaps usually span across the following:

  • Information about fraud or contact support is not front and center in the user interface
  • Communication is not tailored to different audiences or demographics in the customer base (i.e., relying primarily on email, which may only be a preference for certain customer demographics)
  • Messaging does not grab the customer's attention or convey the message intuitively
  • Communication is too often or not often enough - it is usually a struggle to find the sweet spot or the level of outreach that is just right

#4 | Metrics - there are several common gaps across metrics and reporting. First and foremost, a lack of a proper strategic framework for metrics. Often, we see fraud teams with tactical metrics that aid in the day-to-day functioning of the team but fail to provide needed insight into overarching performance. For example, we may know how many alerts there are from one day to the next, but do we know if there are particular trends in alerts being closed as "not fraud" that were later confirmed fraud by a customer?

The lack of a strategic metrics framework is usually coupled with gaps in metrics in comparison to regulatory standards. For example, a lack of clearly defined fraud tolerance and thresholds. Or a lack of metrics related to volume and compliance with Reg E or Z Disputes.

Finally, we often see data living in Excel spreadsheets, a focus on historical vs. real-time data, or high levels of manual effort needed to calculate or update metrics or produce reporting.

#5 | Fraud Tech + Solutions - Fraud tech and solution gaps can be thought of in a couple of ways: do we have the right set of tools? And do we understand how to use the tools we have?

Related to having the right set of fraud tools, common gaps in fraud tech stacks usually include behavioral biometrics, call center authentication, and image forensic solutions. Image forensics ties into the surge in check fraud - we have consistently seen a focus on manual check review to identify red flags. This type of tech can reduce that manual effort and catch things the human eye may miss.

In terms of understanding the tools in place, commonly, we see institutions invest heavily in different fraud tools, but there is a consistent lack of training folks on how and when to use those tools effectively. This can mean that while fancy tools are in place, the institution is not getting the full value out of those tools. Tactically, this can look like a lack of training or documentation on tools for relevant staff. Or inconsistent use of tools from one investigator to another.

The final gap takes a turn to governance. We often find that there is no clearly defined fraud tech + tool ecosystem governance approach. This process usually includes ensuring clarity on current tools in the ecosystem and the proper use for each tool, ensuring the right tools are being used consistently, training for new tools, turning off access for tools being phased out, etc. Without such a process, it can lead to some mayhem in your tool ecosystem.


Can you relate to any of these common gaps? Or is there something you think we missed? Let me know in the comments or message me directly on LinkedIn or at [email protected].


What's New? First-Party Fraud Edition

Here at Fraud Thoughts, we have spent a good amount of time on scam liability - including shifts in the landscape abroad and shifts happening here in the US. In previous editions, we have not yet talked about the other side of the coin. While a change in scam liability may yield positives for those falling victim to authorized push payment (APP) schemes, the shift will lead to...more fraud.

As liability shifts and scam refunds are more widespread, we will likely see an uptick in first-party fraud, such as false claims. This may be at the individual level. For example, consumers may claim they fell victim to an APP scam when, in reality, they are experiencing buyer's remorse. Or, similar to the industrialization of refund fraud, we may see consumers and fraudsters work together to cash out.

What the Numbers Say

Committing this type of scam refund scheme would not be a novel occurrence. In October 2023, Socure conducted research into first-party fraud:

  • First-party fraud costs U.S. financial institutions and merchants more than $100 billion a year
  • 35% of survey respondents admitted to engaging in some form of first-party fraud, such as making a Buy Now, Pay Later (BNPL) purchase without intending to pay it back
  • 40% of survey respondents indicated that they know someone who has committed first-party fraud
  • 77% of survey respondents believe that there are some instances where first-party fraud should not carry any legal consequences

The figures showcase a troubling fact: first-party fraud is insidious and widespread.

Downstream Impacts

As the liability landscape shifts across the globe, institutions must 1) develop processes to enable scam refunds and 2) proactively mitigate potential upticks in fraud claims and first-party fraud that may result from scam refund requirements.

Develop Processes to Enable Scam Refunds

The new process for scam refunds will need to be defined. This includes:

  • Defining roles and responsibilities from intake to closure
  • Creating new procedures or updating existing procedures
  • Employee training on new or updated procedures
  • Addressing any tech or system impacts
  • ...and more!

While part of the needed process can likely be embedded into existing fraud operations and investigation efforts, tech and system impacts, specific procedures, and related training will likely need to be addressed for activities not captured by existing efforts.

Mitigate Against Upticks in Fraud Claims and First-Party Fraud

Related to an uptick in inbound customer fraud claims - either legitimate or first-party fraud - there will be higher volumes (an obvious one!), and depending on the scalability of the fraud operations and investigations team, this increased volume may impact handling times. It may also impact the ability of the fraud operations or investigations team to meet SLAs; it may also lead to increased customer complaints if the process to get a refund is long or lacks transparency.

These potential impacts must be forecasted and planned for to ensure continued effectiveness, efficiency, and quality of fraud operations and investigation activities.

Aim for Operational Readiness

The 'downstream impacts' highlighted above get to operational readiness. Proactive preparation today will enable your institution to mitigate potential first-party fraud losses and reduce the operational readiness impacts of scam refund requirements.


Want the full details on scam liability abroad and in the US? Check out the entire piece on scam liability here.


What's Next? GenAI-Powered Fraud Risk Assessment Edition

Fraud risk assessment is where my career in fraud got started. I have led fraud risk assessments across many industries, spanning government, automotive, insurance, financial services, healthcare, manufacturing, utilities, telecommunications, and so on!

Fraud risk assessment is industry agnostic - it is one of the tools in your toolbelt that an organization in any industry can leverage to understand its unique fraud risk landscape better and take targeted action to mitigate those threats proactively.

The benefits may be immense, but often the process is...let's go with not ideal. I have seen organizations struggle with assessment methodologies that are too in-depth or too surface level, or methodologies that lead to outcomes that lack actionable insights. I have seen organizations with fraud risk registers with thousands of risks, but they do not know how to manage or streamline them. I have seen organizations struggle with fraud taxonomies that don't flex or adapt as the landscape changes, leading to gaps.

I have seen it all. It is hard to create a fraud risk assessment methodology that is not only detailed but streamlined and yields impactful, meaningful results. Enter, GenAI! There are already several tech or automation-enabled fraud risk assessment tools or solutions in the market. However, I believe that GenAI has the power to supercharge or revolutionize fraud risk assessment efforts, including expanding on solutions that may already exist today. But how?

Let's dive into 5 ways GenAI can support end-to-end:

GenAI-Powered Fraud Risk Assessment

#1 | Fraud Landscape - a core component of a fraud risk assessment is understanding the external risk landscape. For example, what are the top threats in your industry? Or what are the top cross-industry threats? This type of intel usually requires consistent digging and research to stay abreast of trends. However, GenAI can provide those insights in a matter of seconds.

#2 | Fraud Risk Register - Mapping out the significant fraud risks relevant to your organization is the foundation of a fraud risk assessment. Usually, this involves building a fraud taxonomy as the foundation and building additional levels of details as needed or in line with your organization's risk management or risk mapping approach. Once created, this type of register can quickly become stale as the threat landscape shifts and evolves quickly.

So, why not leverage GenAI for the initial build and to support the continuous upkeep? GenAI could pull in internal and external insights - meaning, internally, have we seen any new fraud patterns or trends emerge that are not already captured in the register? Or externally, have there been any new or emerging patterns in my industry that are not already captured in the register? This last item connects to number one above, but in this case, you already have a starting place and are looking for updates.

#3 | Controls Identification - a significant component of a fraud risk assessment is mapping controls to identified fraud risks. This enables a view of where risks may be low due to solid controls or where risks may be high due to a gap in controls or ineffective controls.

This often involves reviewing many procedures or process documents and interviewing stakeholders to get a clear picture. Some businesses often have control inventories; however, usually, they are not mapped clearly to fraud risks, or they are not mapped in enough detail. For example, I have seen organizations with 'fraud' as the risk that specific controls are aligned to. 'Fraud' does not provide enough insight to work with! Are we talking about internal or external fraud? Are we talking about deposit fraud, identity crime, account takeover, etc.?

GenAI can support this effort - by reviewing procedure documentation, control inventories, and the like and making alignments to documented fraud risks in the fraud risk register. While the result may not be perfect, it provides a much better starting point for fraud assessment leads and practitioners, as this effort is usually labor-intensive and takes a lot of time.

#4 | Fraud Risk Scoring & Prioritization - risk scoring is primarily subjective. Whether your organization adheres to inherent vs. residual scoring, uses 3-point or 10-point risk scales, etc., the result is intended to provide a sense of what risks are a higher priority than others. This then informs action. It helps answer the question of where we should focus or where our investment is best spent.

When it comes to GenAI, this process can not only be streamlined but it can also be data-driven in a more seamless way than ever before. For example, GenAI could develop initial risk scores based on internal data (i.e., fraud losses, historical and emerging trends, and patterns) and external data (i.e., see number one above!). This would lead to better outcomes - if we have a clearer sense of our significant risks, we can better prioritize our resources.

#5 | Aggregation & Reporting - I led several enterprise-wide assessments across organizations that included 50-85 individual assessment units. The process of aggregating the outcomes up into groupings or for an enterprise view can be manual and labor intensive. From one assessment to the next - even organizations with fewer assessment units - this final step of aggregating results to identify key themes and developing reporting for various audiences takes time.

Enter GenAI to save the day again! GenAI could support in creating grouping-level or enterprise-level views of more granular unit-level results or even help pull out key themes, patterns, or trends across those granular unit-level results. GenAI could also support in drafting initial reporting based on the audience, purpose, or scope of the ask.

The Future is Coming

Whether sooner or later, I predict a future where our current approaches to fraud risk assessments are a thing of the past, where we can leverage innovations like GenAI to streamline and automate current manual or labor-intensive components while supporting better outcomes and insights. You will always need fraud risk assessment practitioners, but the assessment of the future will enable those resources to focus on higher-value activities through the help of technology.


How can I level up my fraud risk assessment without GenAI?

Great question! In a future edition, we will cover the 'how to' steps for completing an effective fraud risk assessment. Or feel free to contact me directly and we can chat through all your fraud risk assessment-related questions.



Doctor Ed Carlton

Certified Neurofeedback Provider at Carlton Neurofeedback Center

1 year ago

Excellent article
