What The Swift Response to Fraud Tools Can Teach Us

I read some good news this week. Swift announced the launch of a new payment screening service that will help small banks defend against fraud attempts on their network. The service will place a red alert flag on Swift payment messages that contain signals of fraud and out-of-pattern behavior.

The massive $1 billion fraud attempt against Bank of Bangladesh, in which hackers made off with $81 million in a few hours, revealed weaknesses in the network. Fraudsters were able to infiltrate the network and send out hundreds of fraudulent requests for payment transfers. The massive scheme was only revealed after someone noticed that one of the names in a transfer request was misspelled. The fraud attack was a big wake-up call to Swift.

But not initially. At first, Swift pushed back and advised that member banks were responsible for their own security. Even though Swift had visibility into the entire network, which could have proved useful in detecting large, interconnected fraud schemes like the Bank of Bangladesh incident, it pushed the problem back to the banks.

Too Little, Too Late

It was the biggest bank heist in history. And it will take Swift 2 years to put a fraud screening service in place in response to it. That is too little, too late. But it also draws into focus a fundamental flaw in the way companies approach fraud risk. Most companies invest in controls only after fraud happens, not before. And in many cases, they do so far too late.

While Swift is now implementing better fraud controls, there are 3 big issues I see:

  1. They pushed responsibility for fraud control to others. (That never works.)
  2. They didn’t respond fast enough to fraud. (2 years to implement fraud controls.)
  3. They didn’t realize small banks needed more help with security. (They overestimated their customers and underestimated the fraudsters.)

Swift could have learned much from both Visa and Mastercard, which have been actively providing tools, consulting, and transaction-based alerts for 20 years to protect their big and small customers alike.

New Security Controls Still Put Onus on Members

Swift’s new security controls are in effect as of now. The security controls require banks to set up multiple tiers of protection. Swift will hire a team of auditors to go into the field to make sure that banks are compliant.

The See-Saw Effect

Fraud experts, consultants, and analysts see it time and time again. Organizations bury their heads in the sand and ignore the warnings of the fraud that is coming.

“We have no losses,” the CEO says. “Why would I invest in a fraud tool? That would be a waste of money.”

Then a big fraud case occurs, and the company sets up a high-priority project and spends millions on fraud tools. After the fraud risk subsides, the company believes it has fraud under control, and it stops investing.

And the vicious cycle repeats itself. This is called the See-Saw Effect: periods of rapid increases in fraud, followed by investment, followed by no investment, followed by rapid increases in fraud. Up and down. Up and down. Up and down.

The Only Cure is Institutional Memory

As a consultant, I get to work with many banks.  In fact, I have been to the same banks over and over.  Sometimes, I find myself helping them solve the same problem I had tried to help them solve 10 years earlier.

In many cases, companies forget their fraud woes of the past and fall into the same trap of not investing in fraud tools, people, and processes during the good times. They get lulled into a false sense of security and then they get hammered by fraud.

The only cure for the see-saw effect is institutional memory and a commitment to vigilance. Companies that remember their fraud pains of the past and pre-invest in fraud tools are better off. Companies that spend money on tools they know will protect them, even when the ROI is low, can win. There is always an ROI for that fraud tool you want. You can simply wait for the ROI to become 100:1 when your losses are soaring, or you can invest when the ROI is modest and prevent that future fraud and all of the headache.

Thanks for reading!