Good ideas and insights for fighting fraud deserve to be shared. That’s why it’s my pleasure to share the latest installment of my Industry Leader Q&A series, which features Eric Kraus, VP/GM of Fraud, Risk and Compliance Solutions at FIS.
Eric discusses what FIS clients are saying about their biggest fraud challenges, and the exciting fraud-fighting innovations FIS is developing and launching in response.
Let’s begin by talking about the FIS card issuing community. What seems to be their top fraud challenge?
Eric: Card enumeration schemes, also commonly referred to as BIN attacks, is the #1 issue that I talk about with all types of card issuers of late. I think of these as high-velocity scripted number-guessing–fraudsters trying to flood authorization systems with account number combinations, expiration dates, security codes and the like. Fraudsters know that while most attempts will fail, there’s a material percentage that will get through, making the venture worthwhile.
In your estimation, how significantly are card enumeration BIN attacks against card issuers increasing?
Eric: Within our own portfolios at FIS, the ones that we fully manage on behalf of our issuing clients, we’ve seen these attacks increase 115% year over year.
The scheme keeps evolving. It used to be that you could identify attacks by what we used to jokingly call “alphabet soup merchants.” These were just merchant names that would come in with random alpha character combinations, making it pretty obvious that it was a bogus merchant set up for malicious purposes.
These days we’re seeing a lot of these attacks being intermixed with legitimate purchases and the merchants aren’t necessarily at fault. Fraudsters are counting on the fact that it’s difficult for the industry to get extremely aggressive with fraud strategies because it could negatively impact a lot of very legitimate card holders making legitimate transactions.
Let’s talk about the FIS merchant community. What are you seeing with them in terms of fraud?
Eric: We do a lot of processing for many top merchants and e-commerce sites in the world, and first-party fraud is really the top issue for a lot of them.
As I talk with merchants, particularly online e-comm focused merchants, they’re telling me that anywhere between 70-80% of the fraud that they encounter is really more of a first-party nature. It’s somebody in the family, like a kid using mom’s card, or another type of friendly fraud. The merchant community believes that they’re losing a lot of money just from disingenuous cardholders and consumers.
And last, but certainly not least, what fraud challenges are your retail banking clients talking about?
Eric: Our retail bank clients tells us that check fraud is absolutely exploding. It’s wild because a lot of this fraud is not innovative or groundbreaking. It is like stealing checks out of the mail and washing them out like in the old days. We’ve seen kiting, obviously. We’ve seen a lot of duplicate deposits being presented. We’ve seen instances where the fraudsters use remote deposit capture – taking a picture — and then a few minutes later taking that same paper check to a physical location trying to deposit it.
Account takeover and new-account fraud are also very much top of mind. We’re seeing a lot of compromised credentials being used for those schemes. A lot of times, it is consumers giving those credentials directly to criminals as part of scams. In fact, FIS just sponsored a Javelin Strategy & Research annual identity theft study, and it still blows me away, because consumers reported $23 billion lost in fraud scams alone. So, this is still a big, big, BIG industry problem and it is important we continue educating consumers repeatedly against identity threats.
And, of course, there has been a lot of focus on compliance and regulation. We have several solutions we have taken to market around AML, sanctioned screening, KYC, focusing on beneficial ownership.
What is FIS building or doing to help its clients overcome these challenges?
Eric: FIS is doing a lot of cool things when it comes to innovation. First, we sponsor several tech incubators and accelerator opportunities through our FIS Impact Ventures group. I’ve had the pleasure of being able to work with them and get to know some of the new companies and startups. We’ve got some that are focused on AI space, some that are focused on the identity space, and some that are focused on the predictive modeling space, for example.
Another one of our innovations is Sentient, which we introduced at our annual Emerald Client Conference in May. It’s an enterprise fraud offering for retail banking that combines AML, deposit, and card fraud data attributes into one view – one unified presentation layer. Banks were reporting that several things were happening in DDAs over the course of the first 30-some days after the account opening. Individually, they never got to a level of severity that would raise concern. But if you started triangulating all the signals together, the situation looked riskier. Banks need an enterprise-wide view to be able to see the nits and gnats that are happening over a set timeframe that, if looked at together, might be leading up to a final cash-out event. The objective is to identify, correlate, and shut down suspicious activity as quickly and gracefully as possible, so that you’re also not negatively impacting legitimate consumers or cardholders.
Do you see holistic, enterprise fraud or identity solutions as the wave of the future?
Eric: I have been in different channels of fraud-mitigation for so many years, and I have often asked myself whether there is a better way to start correlating some of the data and insights together and looking at the bigger picture.
So yes, I think we’re going to see a broadening of efforts to better leverage data and create enterprise approaches. With these approaches, fraud-fighters can combine historically disparate data sets across historically disparate channels and bring that together with AI and ML to build a holistic view of the consumer’s life cycle through every interaction and every channel that they participate in.
Regarding your Sentient holistic enterprise fraud solution: What other data do you plan to add to the AML, deposit and card data you’ve already combined?
Eric: We’re looking at adding check imaging and items processing data, P2P and perhaps Zelle to Sentient. And we have new-account inquiry data, which gives us insight into the velocity at which credentials are being used across thousands of banks in our ChexSystems network. Data from FraudChex, especially the data on addresses and phone numbers reported as associated with investigated fraud cases.
And over time, we’d like to build it out to where banks will see individual channel risk scores as well as an enterprise fraud score. So, you could have channel specific scores and then you as an individual banker or credit union risk officer could actually then go in and determine the overall risk of your consumer relationship, not just the individual channel that they’re transacting in.
Tell me more about your planned use of AI, machine learning, deep learning, and other advanced methodologies?
Eric: There’s a lot in our innovation labs and in our Skunk Works right now that take advantage of these methods. For example, we’re launching a modernized AML platform that incorporates an AI/ML model for the first time. A lot of false alerts get generated in the AML space, and we’re working with a very innovative data shop right now that has got some secret sauce around predictive modeling through AML. And there will be automation capabilities around the triage of the alerts. This is a planned 2024 launch.
We’re also using AI in what we call our Fraud Fusion Center. Think of this as a tool that can disrupt fraud across multiple industries. There’s a lot of malicious code or malware that gets dropped on e-comm websites and then these become the attack surface that the criminals use to perpetrate card enumeration and BIN attacks and other types of fraud attacks on the retail banking and issuing communities.
The intention here for Fraud Fusion is certainly to provide strong defenses, but the bigger idea here is to focus on offensive capabilities. We’re going out and identifying the emerging trend quickly, shutting it down, and then sharing our insight with the rest of the universe so we can stop the spread. We’re fusing together many aspects of data, people, technologies and processes, across multiple industry segments with the common goal of stopping fraud.
Hasn’t cross-industry collaboration something FIS has been focused on for quite some time?
Eric: Definitely. As just one example, FIS and Worldpay have the AuthMax program, which has been beneficial to both the merchant and bank issuing community. It’s a subscription-based service. The idea is that merchants attest to whether the consumer is a trusted member of their community and provide even more streamlined efficiency for approval of authorizations for trusted consumers.
Merchants have some data that sometimes banks can’t see. Banks have some secret sauces and predictive models that merchants don’t always understand or don’t have full visibility to. So, by FIS pulling this network together between participating merchants and banks, a network where everybody comes in and agrees to play by a certain set of rules, it’s been highly effective. In a lot of cases, we’ve seen returns as high as a 15% increase in approval rates across some of these merchant authorization attempts.
There’s certainly a lot of fraud out there for us to fight through.
Eric: Yes, and realistically, we’ll never be able to stop ALL fraudsters. But we can sure make it harder for them to be successful and profitable.