
Contact Info

  • Ivan Skula
  • ivanskula.com
  • info@letstalkfraud.com

Customer in Control: Reducing Fraud Risk by Allowing Customers to Manage Their Own Exposure

  • 13.7.2023

According to the recent NICE Actimize report[1], account takeover (ATO) fraud grew by more than 35% year over year between 2021 and 2022. At the same time, authorized push payment (APP) fraud overtook ATO by 12% in share of the cumulative amount of attempted incidents: APP 56% vs. ATO 44%.

This shift from ATO towards APP is assumed to be the result of improved defenses around customer authentication (e.g. via device fingerprinting). Nevertheless, the problem remains, and as it shifts to APP it becomes even harder for financial institutions (FIs) to distinguish a fraudulent transaction from a genuine one.

As if the above wasn't enough, the UK government has pledged to give the Payment Systems Regulator (PSR) the authority to force FIs to reimburse the victims of APP fraud[2][3]. The final version of the document is still being prepared, but there are already some practical exceptions in the available early versions. While this is not a widespread approach globally, it is expected that, due to the continuous increase in fraud losses, other countries will adopt it as well.

As a result of such initiatives, FIs will have to adopt more advanced techniques to detect fraud, such as:

  • more granular behavioral profiles,
  • multiple entities (accounts, cards, channels, devices, etc.),
  • network-based techniques as well as
  • machine learning (ML) algorithms focused on specific use cases (account takeover, mule accounts, bust-out fraud, card not present fraud, cheque fraud, etc.)

While all of the above is most probably already on the table of the relevant business stakeholders, with a well-defined roadmap, there is one area that is rarely considered but could substantially complement the steps above: allowing customers to manage their own risk exposure. This is the same concept that cyber security applies when it aims to reduce exposure, or the attack surface.

Such a strategy usually entails actions like:

  • temporarily or permanently disabling certain functions available to the user
  • "hardening" devices (computers, servers, mobile) by removing functionality that users do not generally need for their work but that an attacker could abuse
  • restricting access to resources based on the users' group membership privileges
  • etc.

Similar to the above, FIs can implement functionality that will allow customers to manage or restrict the use of products, channels or services.

For products, customers could temporarily block the use of cards, or disable the option to apply for a pre-approved loan.

For channels, customers could disable login to Internet banking from outside of the home country, or completely disable e-channels if the customer is elderly and only interacts with the bank through branches.

For services, customers could block on an ad-hoc basis:

  • international transactions on cards,
  • funds transfer above a certain amount,
  • transactions against certain merchant types,
  • funds transfer to unknown beneficiaries.

Another option for services could be a "hardening" approach by adding mandatory requirements for Step-Up authentication for customer-defined transactions (e.g. required MFA for CNP transactions by default).
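The service-level restrictions and the step-up option described above can be expressed as a per-customer policy that is checked before a transaction is processed. The following is an added example, not code from the original article; all class, field and function names and the sample values are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum
class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # ask for additional authentication (e.g. MFA)
    BLOCK = "block"

@dataclass
class CustomerControls:
    """Restrictions the customer switched on themselves (hypothetical names)."""
    home_country: str
    block_international_card: bool = False
    transfer_limit: float = float("inf")   # transfers above this are blocked
    blocked_merchant_types: set = field(default_factory=set)
    block_unknown_beneficiaries: bool = False
    known_beneficiaries: set = field(default_factory=set)
    step_up_for_cnp: bool = False

@dataclass
class Transaction:
    kind: str                  # "card" or "transfer"
    amount: float
    country: str = ""          # where the card was used
    merchant_type: str = ""
    card_present: bool = True
    beneficiary: str = ""

def evaluate(tx, c):
    """Return (Decision, reason). A block takes precedence over a step-up."""
    if tx.kind == "card":
        if c.block_international_card and tx.country != c.home_country:
            return Decision.BLOCK, "international card transactions disabled"
        if tx.merchant_type in c.blocked_merchant_types:
            return Decision.BLOCK, "merchant type disabled by customer"
        if c.step_up_for_cnp and not tx.card_present:
            return Decision.STEP_UP, "customer requires MFA for CNP"
    elif tx.kind == "transfer":
        if tx.amount > c.transfer_limit:
            return Decision.BLOCK, "transfer above customer-defined limit"
        if c.block_unknown_beneficiaries and tx.beneficiary not in c.known_beneficiaries:
            return Decision.BLOCK, "beneficiary not on customer's known list"
    else:
        return Decision.BLOCK, "unrecognised transaction kind"  # fail closed
    return Decision.ALLOW, "no customer restriction applies"
# Constructed sample: a customer in "SK" who enabled several restrictions.
SAMPLE = CustomerControls(
    "SK", block_international_card=True, transfer_limit=1000.0, step_up_for_cnp=True,
    blocked_merchant_types={"gambling"}, block_unknown_beneficiaries=True,
    known_beneficiaries={"LANDLORD-ACCOUNT"})
```

Returning the reason alongside the decision lets the channel tell the customer which of their own settings stopped the transaction, so they can lift it if the payment is genuine.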

From the overall customer portfolio, probably only a small fraction of customers will be eager to start using these features. But here we could leverage our marketing capabilities and target selected customers or segments (high net worth individuals, politically exposed persons, elderly, etc.) who might be priority targets or be more susceptible to fraud.

Since FIs already perform entity profiling for anomaly detection as part of their required fraud detection capabilities, the same data could easily be reused. For example, we could generate a list of elderly customers who own a credit card that hasn't been used outside of the country in the last 6 months, and promote to them (by showing a message when they log in to Mobile Banking or Internet Banking) an option to temporarily disable international transactions to reduce their fraud risk exposure.
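The segment selection described above, as an added example that is not part of the original article. The record layout, the function names, the age threshold of 65 and the 183-day window (standing in for "elderly" and "6 months") are assumptions, and the sample data is constructed.

```python
from datetime import date, timedelta

def age_on(birth, today):
    """Completed years between birth and today."""
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))

def international_block_candidates(customers, card_txns, today,
                                   min_age=65, lookback_days=183):
    """IDs of customers to show the 'disable international transactions' prompt.

    min_age and lookback_days are assumptions standing in for the article's
    'elderly' and 'last 6 months'.
    """
    cutoff = today - timedelta(days=lookback_days)
    home = {c["id"]: c["home_country"] for c in customers}
    # Customers whose card was used outside their home country since the cutoff.
    used_abroad = {t["customer_id"] for t in card_txns
                   if t["date"] >= cutoff
                   and t["country"] != home.get(t["customer_id"], t["country"])}
    return [c["id"] for c in customers
            if c["has_credit_card"]
            and not c["intl_disabled"]            # already opted in: no prompt
            and age_on(c["birth_date"], today) >= min_age
            and c["id"] not in used_abroad]

def cust(cid, birth, card=True, disabled=False):
    return {"id": cid, "birth_date": birth, "home_country": "SK",
            "has_credit_card": card, "intl_disabled": disabled}

# Constructed sample data (not real customers).
TODAY = date(2023, 7, 13)
CUSTOMERS = [
    cust("C1", date(1950, 3, 2)),                  # elderly, no recent foreign use
    cust("C2", date(1948, 9, 30)),                 # elderly, used card abroad in May
    cust("C3", date(1990, 1, 15)),                 # not elderly
    cust("C4", date(1945, 6, 1), disabled=True),   # restriction already enabled
    cust("C5", date(1940, 12, 24), card=False),    # no credit card
]
CARD_TXNS = [
    {"customer_id": "C1", "date": date(2022, 11, 1), "country": "AT"},  # before cutoff
    {"customer_id": "C1", "date": date(2023, 6, 1), "country": "SK"},   # domestic
    {"customer_id": "C2", "date": date(2023, 5, 20), "country": "HR"},
]
```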

There are many similar scenarios that could lead to a significant reduction in customer fraud risk exposure. Another benefit of this approach is that we give customers control over which services, products, and channels are enabled for them, so:

  • the restrictions will be more accurate, as customers will enable them based on their expected future use
  • the increased friction resulting from these restrictions will not damage the customer's perception of the bank, as it was the customers themselves who enabled them


References:

[1] https://info.nice.com/2023-NICE-Actimize-Fraud-Insights-Report.html

[2] https://www.reuters.com/business/finance/uk-banks-told-reimburse-customers-tricked-by-scams-2022-09-28/

[3] https://complyadvantage.com/insights/app-fraud-reimbursement-what-should-your-firm-do-next/
