No one is perfect. Mistakes are hard to avoid and they can cost us a lot of money when we make them. But they don’t have to be.
What if I told you that I could save you millions and millions of dollars by telling you 10 Mistakes that I see banks make in their fraud prevention programs every single day and then tell you how to avoid them. Would you believe me? Would you take the advice?
Organizations Make the Same Mistakes Over and Over
In the annals of fraud prevention history, the same mistakes are made by the same organizations year in and year out.
It’s like a rollercoaster. Make a mistake. Fix the problem. Make the same mistake again. Fix the same problem.
I like to call those mistakes – WORST PRACTICES. Worst practices are things that banks will do, that will only lead to bad things down the road. These worst practices can be avoided if you can spot them early and change course.
Here is my Top 10 List of Worst Practices, and how to avoid them.
Worst Practice # 1 – Turning Off Fraud Strategies
Believe it or not, this happens all the time. Executives of a bank will receive escalated calls from customers complaining about how they were impacted by the fraud strategies – like their card was declined.
The executives will demand that the fraud strategies be reduced to avoid impacting good customers. The fraud managers comply by turning off high volume fraud strategies.
The only problem is that those fraud strategies also PREVENTED LOTS OF FRAUD. So when they are turned off – fraud losses spike.
Everyone panics. The fraud department is in turmoil. Executives demand to know why fraud losses increased. Sometimes they even bring in high-paid consultants to tell them what went wrong. It doesn’t take a rocket scientist to know that when you turn off your fraud strategies, you open the door to fraud and losses increase.
What a mess! But it happens all the time. Over and over again. I see it every day.
How to Avoid This.
Print this warning out and show it to the executives if they are asking you to turn off your strategies.
Worst Practice # 2 – Buying A Fraud Tool and Letting It Run Itself
Fraud tools are just that – tools. They can help you identify fraud but they can’t run themselves. Sadly, one mistake banks make, is writing a big check for a Fraud Solution, and then expect that it will run itself.
Fraud tools are NOT the Ronco Rotisserie. You can’t “set it and forget it”. You need to invest in training, in resources and management reporting to actively manage how well that tool is used to stop fraud.
I saw a bank several years ago buy a fraud tool that cost them $3,000,000 every year. After writing the check, they let the vendor put in the “default” rules and then never checked them again. The tool was failing. The executives were blamed for wasting their money.
But it wasn’t the tool that failed. They failed. They didn’t actively manage the tool to find fraud. They didn’t train resources on how to use the tool properly. They didn’t build effective reporting to tell them how the tool was doing each and every day.
How To Avoid This
Hire a single resource – A Strategy Manager – that is responsible for managing the rules, the reporting, and effectiveness of the solution. Hold the strategy manager accountable for the success of that tool each month.
Worst Practice #3 – Creating Too Many Rules And Overloading Your Operations
40,000 rules are too much! But that is exactly what I inherited when I took my first job as a strategy manager for a large bank.
For 20 years the bank relied on dumb rules to stop fraud. Every time they detected a new fraud scheme, they would write a new rule. Over those years, they kept adding rules, but they never deleted any rules. They were too afraid that they would have a fraud.
Pretty soon, they had a mess on their hands. They were declining 3% of all card transactions with those dumb rules. And they still had high fraud.
The surprising thing I have found is many, many banks have the same problem. It only gets discovered when the guy in charge of managing those rules leaves, and they don’t know what to do.
How to avoid this
Trust your fraud scores and analytics. You should rely on models 80% of the time. Rely on expert rules 20% of the time. And never, never have so many rules that you don’t know what they are all doing. If you have more than 100 rules in the system, it might be too much.
Worst Practice # 4 – Getting Rid of Fraud Staff When Losses Are Low
Are your fraud losses way down this year? If they are, is management already looking at ways to cut cost? Are they licking their chops to get rid of some “un-needed” fraud analyst?
If they are. You are a candidate for Worst Practice #4 – Laying off fraud staff when losses are low.
Banks and lenders do this all the time. They try to cut their fraud management cost when losses are low because the ROI just doesn’t make sense. After they cut staff, the fraud losses increase. Then they rush to rehire more fraud analyst.
DON’T THEY GET IT? That’s not how it works. Your fraud analyst are often the only thing standing between you and fraud losses. If you fire them. The fraud floods in. It’s cause and effect.
How to avoid this?
Simple. Don’t cut back on your fraud budget just because your losses are down. Otherwise, you will quickly find that they will be back up in a hurry.
Worst Practice #5 – Hiring A Bad Fraud Manager
Banks that have good fraud managers, have low fraud losses. The money you spend on your fraud manager is well spent.
A bad or inexperienced fraud manager could save you a few thousand dollars in salary, but they will just as likely cost you millions, and millions and millions of dollars in fraud losses.
It’s your choice, invest now or pay later.
How to Avoid This
There are 3 things you need to have in a good fraud manager. #1 – Experience – You have to understand fraud to manage it. Hiring someone with no experience means they have a long painful learning curve ahead. #2 – Passion – The person needs to care about stopping fraud. It needs to be in their blood. If they don’t really care too much about stopping fraud, they probably won’t be that good at it. #3 – Communication – Half the job of the fraud manager is persuading the rest of the organization to do the right thing around fraud. They need to convince people of why it matters, they need to defend their fraud strategies, they need to communicate their successes and they need to bring everyone on the same page.
If you hire for these 3 qualities you will yourself a great fraud manager.
Worst Practice #6 – Ignoring Fraud That is Written off As A Credit Risk
Fraud is hidden. As I have always said, it is oftentimes a ghost. And if you don’t believe in it, it will come back to scare you. I believe banks and lending companies globally have billions of dollars of fraud that they don’t even know exist.
20% of credit losses are synthetic identity fraud. Up to 70% of mortgage and auto lending early pay default losses are fraud. And, 20% of bad debt is thought to have occurred because fraud is at play.
So why ignore it? But many banks still do, choosing to let the losses accumulate while they use credit risk tools to try to avoid it. That just doesn’t work.
How to Avoid It
The first step is to analyze your credit risk losses for fraud risk. Do a data study, run a model. Do something to identify what percent of your bad debt has fraud in it. Then, buy fraud tools that can help stop those loans that you identify. Trust me, you will save your company millions and millions and be a hero if you do this.
Worst Practice #7 – Allowing a Toxic Sales Culture to Run Amuck
Wells Fargo probably knows this better than anyone. And they are actually a great bank with good fraud controls.
If you let the sales and marketing people take over the bank without checks and balances you could create an organization with a toxic sales culture.
What is a toxic sales culture? It’s when an organization allows the pressure to sell, to outweigh everything else – including doing the right thing. Once you create a toxic sales culture you must resign yourself to very high fraud losses.
When Wells Fargo set their sites on being the bank with the most new accounts per customer and ignored what the fraud investigators and whistleblowers told them, they created a toxic sales culture.
That’s a worst of the worst fraud practices in my book.
How to Avoid This
Listen to your fraud manager. Don’t disregard them. Don’t shut them down. Don’t ignore them. They are your check and balance against a toxic sales culture.
Make Fraud Strategic. Include fraud representation in all new product launches and bring them into strategic discussions. Show them the fraud voice is important.
Make Fraud As Important as Sales – Don’t let the sales team shut off fraud tools just because they don’t like them and they turn away good business. Make fraud as important as sales.
Worst Practice #8 – Thinking Everything is A-Ok
When I hear a bank say, “We Don’t Have a Fraud Problem” sometimes it makes me wonder if maybe they might be a little too comfortable.
Often times that turns out to be the case, because when I visit that bank again several months later it turns out to be a completely different story.
Payment providers sometimes fall for this too. Apple Pay is a great example of that. Apple believed that their product was so secure it would eliminate fraud. Yet when they rolled it out fraud losses on the product skyrocketed as fraudsters took advantage of loopholes they could not have imagined.
How to Avoid This
Don’t allow yourself to get overconfident. If your losses are low. Look for where they might be hidden.
If someone tells you a new product like their faster payment solution is “totally secure” and there will be no fraud, give them that skeptical look and probe a little deeper.
Worst Practice # 9 – Keeping an Old Fraud Technology Just Because You Understand it
I see some really old, old technology at banks that are used to fight fraud. Check fraud is a good example of that. Many banks are still using technology built in 1995 (right around the time that Windows 95 launched) to detect their check fraud losses.
Why do they still use it? Because they understand it. And they are afraid of new technology and don’t want to make the leap.
How to Avoid It
Don’t be a prisoner of your old technology. Take a leap of faith with models, machine learning and all of the progress that has been made over the last 20 years. Get off those old Windows 95 machines and into the much newer and much better technology available.
Worst Practice #10 -Putting Fraud in the Wrong Place Organizationally.
You can really mess up a fraud department if you put it in the wrong place in your organization. For example, If you have fraud report into sales, that can be very bad. Believe it or not, that is where many of the fraud departments were placed by mortgage originators right before the mortgage meltdown.
It can also be a mistake to put Fraud Departments in areas like “Compliance” because fraud is fundamentally different and requires a much more dynamic process than Compliance Departments.
It can be a mistake to put Fraud Departments in “Operations” because they can be dwarfed by the customer and day to day operations.
How to Avoid This
The best place for a fraud department is in “Risk” under people that understand fraud. I mean really understand fraud. If they don’t, they can wreck your fraud department.
Thanks for Reading!
Thanks for reading. Please let me know if I missed any big “Worst Practices”!