5 Biggest Mistakes I See Banks Make Around Fraud That They Always Regret Later

After working with over 150 Banks, I start to see a lot of the same patterns repeating themselves over and over again.   Some of those things are good, and some are bad, and still others are very very bad.

Here are some of the most common mistakes. If you are bank and you are thinking of doing any of these things, I strongly recommend that you evaluate what you are trying to accomplish because from my experience most of these things are dangerous pitfalls that can really cause some damage.

#1 – Turning Off VIP Fraud Prevention Strategies

I was 28 and was in charge of fraud prevention strategies for one of the biggest banks here in the US.   As part of my job, I was responsible for writing the rules to decline risky transactions at the point of sale.

I got a call one day from an executive that told me to stop declining charges on VIP (Very Important Customers) accounts that had millions in deposit at the bank.  I told them I could not remove the strategies but that I could put the customer in a different strategy that was more tolerant of high transactions by big spenders.

The Executive said “Ok” and then started rattling off names that he wanted removed.  It was a real list of who’s who.  Madonna, Rosanne Barr, Tom Cruise, Cher, Tom Hanks.  I was writing names down so I could make the adjustments.  But I could not find any of them.  I asked the executive,  “Could you please give me the account numbers instead?”

He paused and said, “I don’t have account numbers. I don’t know if they are customers of the bank I just want to make sure that if they are, you turn them off.”  OMG. I could not believe it.

This is typical for fraud managers to get these desperate requests from nervous executives but the fact is turning off the VIP strategies will certainly lead to very high fraud losses.   From my experience, turning off VIP strategies will make the fraud rates jump to between 100 to 250 basis points within a short period of time.  I have seen it many times.

Normal fraud rates are .07 to .10% however if you turn off your VIP strategies you can expect fraud rates between 1% to 2.5% which is 10 to 25 times above normal

If you are forced to turn off your VIP strategies, that is fine but make sure that you budget in increased losses on those accounts close to 250 basis points.  Even if you don’t budget it in, you will still get them so be prepared.

fraud rates

#2 – Not Blocking and Reissuing Cards Breached Plastics Because They Don’t Want to Spend the Money

I am a big proponent of block and reissue as a fraud prevention strategy.  I know it is expensive.  I know it is a headache and I know it inconveniences customers but the alternative is far worse.

Here is the deal.  20% to 30% of breaches these days are going to result in very high fraud rates on the breached plastics.   When I say “high levels” I mean that the fraud rate will be 5% or more meaning that at least 20% of the compromised plastics in that breach will experience fraud.  Remember that the typical fraud rate is .07% to .10 so that is 50 times higher than normal.

But you don’t know which breaches will be bad and you really can’t wait because the losses are large.  Banks that wait and wait or refuse to reissue plastics on breaches get hammered badly.  Banks that bit the bullet and reissued plastics on their Target and Home Depot breached plastics were far better off than those that waited.

My recommendation is this.

  1. Reissue plastics as soon as possible on your big breaches.
  2. If you can’t reissue because executives will not let you than monitor the breach and reissue plastics once the fraud rate exceeds 2%.

Do not wait.  Do it as soon as possible. This will minimize your losses over time.  I know it cost $2.50 to $5.00 to reissue the card but if you have fraud on a card than your average cost to reissue can jump to hundreds of dollars per card.  Do the math.  Most financial models will probably indicate that you should reissue your plastics sooner rather than later.

#3 – Outsourcing Too Much Of Their Fraud Operations

No one is going to care as much about your fraud losses as your own employees of the company.  Believe me there are some amazing outsourcing fraud vendors out there that are passionate about stopping fraud but in most cases they are going to be doing work for hundreds of banks not just yours.

I think outsourcing is good. But I think too much outsourcing can be a major mistake for a bank. The key is finding the balance where you still have absolute control over your fraud and it is not entirely in the hands of a third party. If you cut your internal fraud staff staff so much that no one is monitoring the fraud trends on your side you are potentially in for trouble.

The only time I think outsourcing most of your fraud operations is when you are a smaller or mid size bank or card issuer and you cannot afford to have a fully staffed fraud department and don’t have the expertise to recruit the right people. In those cases outsourcing is a wonderful alternative.

Most banks forget to factor in rising fraud losses as part of their business case for outsourcing. I have seen many outsourcing projects fail because fraud losses rise and the cost savings are never achieved.    Outsource sparingly and wisely for best results.

If you are a semi large bank however, I recommend keeping fraud strategy, reporting, specialized fraud detection, internal fraud, investigations and fraud policy fully staffed internally.    You need to keep a critical mass of your fraud experts within the bank or you will lose touch with fraud and losses will rise.  Rising fraud losses quickly erode any business case for outsourcing that you ever modeled for financially.

#4 – Letting Fraud Analyst Call the Shots

I see Banks spend millions and millions of dollars on sophisticated fraud systems only to let those fraud systems get undermined by recently hired fraud analyst with 1 month of training under their belt.

It makes no sense.  In the fraud prevention world we call the process “smile and dial” which generally means don’t put too much decision power into the fraud analysts hands of when to work an account versus passing an account.

Your fraud strategy should be dictated by math and logic.  If something has a high probability of fraud in a queue it should always get worked and handled in a consistent fashion.

In 2001 with various banks we tested the efficacy and efficiency of letting analyst decide when to work a case or not work a case.  The results showed that when an analyst was presented with a fraud case, they incorrectly passed that fraud case 50% of the time.  This is no better than the flip of a coin.

When a fraud analyst is presented with cases to pass or review, the will incorrectly pass on the fraud case 50% of the time.  This is the case for always using a smile and dial approach to fraud management.

The moral of the story is this – set your fraud strategy and don’t give analyst too much discretion of what to do.   Use statistics and probabilities to take the best course of action.  Don’t rely on the human factor too much.

#5  – Moving the Fraud Department Out of Risk

Organizational changes in fraud management can either be a big win, or a big fail.  One change that I have seen fail more often than I have seen succeed is moving the fraud department out of the risk function and into the operations group.

One area that I saw this fail badly was with several mortgage lenders that I worked with.  The executives wanted the operations groups to have more interactions with the risk managers so they moved the risk managers into the operations area out of risk.

It was an unmitigated disaster.  Underwriting supervisors descended on the Risk Managers every time the risk managers found something risky.  The pleaded their case why it was not fraud and they often won.  Since the Risk Managers reported up through the same executives responsible for pushing volume through, they had no escalation path for resolving serious issues of fraud.

It was the fox guarding the hen house and it resulted in catastrophic losses for those lenders.  Moving fraud management under operations might work but it has failed in the past so be careful.

Beware of the Pitfalls of Fraud Management

As you can see, most banks failures or pitfalls when it comes to fraud management is when the fraud team is weakened or unable to perform their job in the right way.   It’s important to give your fraud and risk managers the right environment, the right reporting structure and not erode their strategies effectiveness by making them take things out.



Frank McKenna is the Chief Fraud Strategist for PointPredictive and a Fraud Consultant based in San Diego California