The MoneyPot
Welcome to The MoneyPot, the podcast from Money20/20.
Money Changed. Know more!
The MoneyPot Live: A Question of Identity
How do financial institutions combat the ever-evolving threat of identity fraud? In this episode, Naureen Ali, the US Head of Fraud at TransUnion, sheds light on this critical issue, underscoring that while 69% of institutions express concern, all are indeed affected. We analyze the rapid advancements in technology that have accelerated the speed, scale, and sophistication of fraud. Why might some organizations not voice their concerns? Naureen suggests it could be robust mitigation strategies or perhaps a concerning lack of awareness. The discussion navigates the complexities of fraud management in today’s digital age and the necessity of proactive strategies.
We also spotlight the human side of fraud, exploring schemes like romance scams that prey on vulnerabilities. Financial institutions play a pivotal role in protecting their customers, and we dive into the concept of "responsible friction." This involves implementing layered defenses, much like the Swiss cheese model, where each layer helps shield against potential threats. From step-up verification to direct interventions, these proactive measures are essential. Listen in as we stress the importance of consumer education and the vital responsibility of financial institutions in preventing victimization, ensuring a safer financial future for all.
Rachel Morrissey:Welcome to The MoneyPot, coming in live from Las Vegas, Nevada. I am Rachel Morrissey, US Head of Content at Money20/20 and Executive Producer of the show, and today we are talking about one of the hottest topics in fintech: identity and, in particular, identity fraud. Now, speaking of identity, not speaking of frauds, but speaking of identity.
Ian Horne:I'm gonna identify my co-host. I'm really glad you qualified that. Ian Horne.
Rachel Morrissey:Ian Horne is our EU Head of Content, one of the great MoneyPot producers, and when was the last time we discussed fraud? Oh, we discussed fraud at The MoneyPot in the EU.
Ian Horne:Back in Amsterdam we did.
Rachel Morrissey:So this will tie, this is a nice tie. Thank you, Naureen. You got us to tie our shows together, so we ended up making some loose plan to call it Fraud 2020.
Ian Horne:Yeah, our interviewee for that episode was talking about how fraudsters are becoming so sophisticated they could create their own show, much like ours. So we went on a kind of flight of fancy and started creating Fraud 2020, which isn't a real event, but who knows, maybe one day, if we really turn to the dark arts, we can make it happen.
Rachel Morrissey:Maybe, maybe. So today I'm going to introduce our guest, Naureen Ali. She is the US Head of Fraud at TransUnion and she is a self-confessed banking veteran. You're going to actually confess to being a banking veteran. Is that a thing you actually confess to, Naureen, you know?
Naureen Ali:It's one of those things. It's a blessing and it's not, so you have to take it with a grain of salt.
Rachel Morrissey:And she has seen the entire evolution of both fraud and fintech firsthand. So, Naureen, welcome to The MoneyPot. Okay, well, I'm going to turn to my non-fraudulent co-host to start talking about this.
Ian Horne:So, Ian, yeah, I haven't gone rogue yet. I haven't done Fraud 2020 yet. So for now, yeah, as those who've read the session description will know, 69% of financial institutions are concerned about fraud. That actually feels low to me, to be honest, but that still is getting across the fact that most people are concerned about fraud. Why has it become such a big problem now, Naureen?
Naureen Ali:Two things very quickly. I think 69% are concerned about fraud doesn't mean 69% are experiencing fraud. I think 100% are experiencing fraud. I think that's an important distinction, right, and it's, you know, fraud has always been a big issue. I've been in this industry for over two decades and it's always been an issue. But what feels very different now is that, think of the massive technology shift. Think of what the pandemic accelerated, right, in terms of the digital explosion, which was certainly happening before the pandemic and it's certainly continuing after, but the pandemic did accelerate that, you know. Think of the advancements and think of our insatiable appetite for instantaneous things like instant decisioning, faster payments. That keeps getting faster and faster. So you have a situation where the scale of fraud, the speed of fraud and the sophistication of fraud is very different. It's unprecedented. I love it.
Rachel Morrissey:The three S's, the three S's, the three S's: speed, scale and sophistication. So let's talk about those. So we obviously scale. You're saying 100% experiencing fraud. I have a question for you: 69% are concerned about it, but for sure, 100% are experiencing, which I totally agree. Why aren't the others concerned about it?
Ian Horne:I was going to ask the exact same thing, yeah.
Naureen Ali:I think two things. One could be that they feel that they have sufficient foundational critical mitigation in place. Because if you approach fraud very deliberately fraud mitigation as a strategy and you're very deliberate about that right and you actually cross off on your basics, I am convinced right and this is through practicing fraud for many, many, many years I'm convinced that it's not a whack-a-mole strategy, that every time you have an emerging attack or a new fraud vector, you don't actually have to go scrambling to find a new solution. So if you're one of those very few organizations where you have taken the pains to be very deliberate about setting up your fraud strategy which, by the way, takes years, if you do it well, then I don't think you have a reason to be concerned. You're combating it, but you may not be concerned. The other reason is the more obvious one where you may not be concerned is because you simply don't have a grasp of what's attacking you, right, or it's getting hidden in other types of losses, so you're losing line of sight into what's true fraud.
Rachel Morrissey:So either you're ignorant or you just feel like you've planned ahead.
Naureen Ali:I was trying to be nice about this.
Rachel Morrissey:Yeah, nice is not really something I'm credited with, so I'm not going to worry about it. But that is really interesting because the idea about mitigation, though like we're talking about these three S's right, so speed, is mitigation a factor when you're dealing with speed as well as scale.
Naureen Ali:Yeah, oh, absolutely Right. Think about it. Think about the world of digital issuance. Let's take cards, for example. A lot of your attendees are from the financial institution world. They deal with credit cards.
Naureen Ali:There was a time, right, there was nothing called a digital instant issuance. You had to actually wait for the card in mail. It was an inherent fraud check that the address that you provided on your application was authentic, or is authentic, because ultimately that's where you got your card and that's when you started spending. Fast forward many years to today. You have a situation where you can do a host of different financial transactions at the time you're approved, instantly approved, right, like balance transfers, without ever getting your physical card. And there's a vast population of our consumers where they never even use an actual physical card. It's a digital card that they will use all the time, right. So the speed definitely makes a difference in how we are going to mitigate it and at what point in that consumer journey do we mitigate it? Because if we are waiting to mitigate the actual monetization, I would argue we are already too late. We have to mitigate it at not allowing a fraud account to be booked to begin with, or not allowing that account to be taken over to begin with.
Rachel Morrissey:So nip it at the bud. See, that seems like a good pivot to what you guys were talking about, about wanting. How is TransUnion looking at this whole thing? How are you guys looking at combating fraud?
Naureen Ali:So before I answer that, let me give you a little bit of context, because otherwise my response will kind of not really make much sense. So, in the industry, even our most sophisticated clients, I've noticed this about them is that at best, they have a very fragmented view of two things: the identity and the identity risk profile, and the actual fraud event. Right, so it's a very fragmented view. And why is it fragmented? It's fragmented because, over time, as fraud attacks have evolved, right, what have organizations done? They have implemented an ACH solution or a wire solution or a debit card solution, right? Or just an origination authentication solution, but it's in piecemeals, right, so these solutions are on disparate platforms. They don't necessarily speak to each other. So what happens to the view of the fraud event? It's very fragmented. What happens to the identity as it traverses across these different platforms? It's siloed, it's disparate and it's fragmented.
Naureen Ali:So, given that's where the industry is at, and given that you cannot really triage why something is happening unless you have a holistic view of the event and you cannot actually baseline authentication without having a very comprehensive view of identity risk. Because of that, TransUnion's approach to identity is very powerful. So what we have done at TransUnion is we have brought to bear the breadth of our data, right, and we have a lot of critical data assets we have, both organically as well as through acquisitions, right? Like, we have one of the most well-established, one of the most mature device risk consortium data, patented forensic technology because we are a phone carrier ourselves. Just things like that. Marketing footprint of hundreds of thousands of devices and addressable households. So think about this massive amount of data we are bringing together to form that very holistic identity risk profile and that single view of what is actually happening, the fraud event itself.
Ian Horne:Yeah, can I get into the siloing thing as well, because obviously that seems to me like it's possibly a result of just the gradual evolution of financial services and the way that people build out their propositions. But from your perspective, what is the reason why people are so siloed? And for those who are, what can they do to kind of mitigate that risk?
Naureen Ali:Very good question, but not an easy-solving, like I said, because we address what we must. If you're bleeding millions, you're not going to say, oh wait, I'm not going to put a stop to this, I'm just going to follow my strategy. Now you can't do that. If you're bleeding millions, you address that right then and there right. So that's a function of why it's siloed, because it didn't all get built at the same time and it's an impossible task to do right. So a very important part for organizations, particularly financial organizations where they have a lot of legacy systems, is to have a technology strategy that unifies these siloed systems and fraud solutions engines right and bring those solutions in one common ecosystem and, perhaps even more importantly, bring the data behind these solutions to inform what I'm talking about. You know that continuous identity, that continuous view of that fraud event.
Rachel Morrissey:So if you're looking at that like, what do you guys see as the major challenges banks face as they try to implement this technology strategy?
Naureen Ali:That they have a massive amount of legacy, very expensive platforms. That takes years to retire, that takes years for conversions to happen, because it's awfully disruptive as well, right? So the thing to remember is that you should define your strategy. Take inventory of all that you have. Where do you see the industry being here today and where do you predict it will go? Predicting fraud trends is very important in strategy building, right? So you predict that, and then you say this is my five to 10-year strategy. However, you have to do it in piecemeal, but you can't define the strategy piecemeal. Does that make sense? Yeah?
Rachel Morrissey:But that brings us back to those three S's, because we're talking about how the fraudsters have become extremely sophisticated. So the banks are almost hobbled by this legacy and the fact that they can't move as quickly. So how would you mitigate against the sophistication?
Naureen Ali:There is no two ways around it that they will have to try, unless they already have, which several institutions I guarantee you have already started, but the vast majority haven't, right, at least not from what we observe. They have to start on this transformation journey. They just have to, because, think about it, if we have AI and ML tools, and so many of your topics today are about AI and ML, right, and we think of data sophistication and connecting dots and discovering hidden latencies, fraudsters have the exact same things at their disposal, but the massive amount of data that's out about us and publicly, and not just about breaches, right? So they have all the tools we have. They have all the data we have, right? That adds to that sophistication. So we have a fragmented view. Guess what? If we don't solve for that, they'll have an upper hand in there as well, and I frankly believe that we have everything that we need to have to combat that. So the transformation has to start, if it hasn't.
Ian Horne:Yeah, and what sort of data are we willingly giving away that's helping people do these more sophisticated crimes? I mean, you mentioned data breaches. I know that over a billion public records have been breached this year alone, and we're not even at the end of the year. So what kind of data is it that fraudsters are now using that's being particularly effective for them?
Naureen Ali:So you have everything that's PII, right. That kind obviously has always been at high risk, which is why we have so many rules and regulations being very strict about what we have to win data at rest, data transit and all of that you know are very strict, particularly in the financial industry. It's that kind add to that data that fraudsters are able to convince the actual consumer from. You know they convince the actual consumer to share about themselves and social engineering. Fraudsters calling into call centers where it's been underinvested for years, by the way, call center fraud mitigation, right, and convincing the call center agent, who they're just doing their job, right, to give up a lot of that information.
Naureen Ali:So the power, using tools that are very sophisticated as well, the power of bringing together PII, everything about your social life and everything about that you use, you know that you happen to use for your identification at your institution, bringing all that together. So it's not one or the other you know, one or another particular kind of data. It's actually about a number of different kinds and very quickly I just want to mention something here is that this is where we also see a convergence of fraud types. So, with scale, speed and sophistication, a convergence of fraud types is a very distinct phenomenon that has become very, very intense over the past. I don't know, maybe seven to eight years.
Rachel Morrissey:When you're talking about combination, it's like you're using two different kinds of data. You're using something like a fake personal relationship or something and you're using financial data from somewhere else. What do you mean by that? I mean just clarify that for me.
Naureen Ali:So what I mean by that is that years ago it used to be that credit card fraud and fraud rings used to just kind of have an expertise on credit cards and they used to just do credit card attacks, and then you had ACH fraud and then you had fraudsters who would do skimming, right. Years ago skimming was a big problem. Now it's not one or the other. They have, you can open a new account. They have all the identity information, sometimes to entirely fabricate new identities like synthetic identities, then open up an account enough from your card information to even have a fake card, right, and then do an ATM fraud. It's all these different kinds of frauds coming together, converging almost in a single fraud event. It's something that is not just about data, though. It's about data, it's about the systems, it's about a continuity, like the dots get connected very fast and at scale.
Ian Horne:Wow.
Naureen Ali:Because they have access to different avenues that they now bring together the fraudsters.
Rachel Morrissey:Yeah, that sounds terrifying. Actually. I'm actually sitting here going. I kind of wish I didn't have this conversation.
Ian Horne:That always happens with fraud, I mean. Another thing is you mentioned, you know, the social aspect of fraud and convincing people they're speaking to someone who they know or love or so on. You know a lot of fraud preys on human vulnerabilities, like romance scams, pig butchering and things like that. So, I'd like to ask what can financial institutions do to protect their customers about that, you know, especially if they believe they're engaging with someone who they trust?
Naureen Ali:So I think one thing that I see financial institutions do well and most do, most do and most do well is consumer education. But here's what happens in consumer education: it's only as good as the consumer getting educated and actually being able to execute on that awareness, right. So it shifts the onus to a consumer who doesn't think like those of us in the fraud professional. You know, in the fraud mitigation world we look at everybody suspiciously, not you two, but you know it's like second nature to us. I don't know, I'm pretty suspicious. But you know, a consumer, an average consumer, no matter what we throw at them in terms of education, they'll only be able to retain so much. They'll only be able to protect themselves so much. So the onus needs to shift back to financial institutions. So two very quick things there. One is that often in impersonation scams, in these romance scams, the actual loss, of the liability of the loss lies with the end consumer, because they are the ones who willingly, inadvertently, willingly, but inadvertently authorize that, right. It doesn't matter, it shouldn't matter where the liability lies. For financial institutions, it should be critical that they treat it and take it as a loss, period, that they are responsible, that we as an industry are responsible for preventing, right, because this is about preventing the victimization of hundreds and thousands of people.
Naureen Ali:The second thing there is what I like calling responsible friction. Right, step up things. If you see somebody doing a $500 transfer out of their account, maybe not step it up. If it's $5,000, maybe step it up, because it does two things. When you send, say, a particular message that says are you sure you want to transfer? You want to do an ACH transfer, say, for instance, to a new recipient, right, are you sure? It allows
Naureen Ali:I said two things, right, so it allows the consumer pause. At least you are forcing a pause. That's one. Also, on the background, you're also running these hundreds of strategies and rules that should be able to pick up on that anomalous behavior in that account. So you push out a verification and a step-up call and that allows you. The second part of it is intervention. It's a proactive intervention. Together, I call that responsible friction. So I think we need to bring that together, we need to promote that. We need to actually have that approach if we seriously want to prevent consumers being taken advantage of. We have that in the UK.
Ian Horne:If I'm sending a significant amount of money, I will get a bank notification. You know, this could be a scammer, and I'll see that it's my girlfriend. So, yes and no, you never really know.
Rachel Morrissey:Anyway, but it is useful. That's on you, yeah, yeah, no, she's not.
Ian Horne:But it does work. It is actually quite. Yeah, I think it works in the UK for sure. But are there any other kind of versions of responsible friction that you think are effective? Or is it as simple as just a notification that says are you sure about this?
Naureen Ali:There's a notification, but remember, there's also the outbound call. You're doing the verification, so you're actively intervening to say, hey, this doesn't look like you, it doesn't fit the pattern that we see with your account, Are you sure? So there's a passive notification, but there's also an active, proactive call made. And again, these are not silver bullets, these are not panaceas, but these are methods to try to bolster and do whatever we can to prevent this right.
Rachel Morrissey:Yeah, and it feels like you know. It's funny because we've all just gone through a pandemic right and as we were looking at measures to prevent getting sick, it was not. There is a silver bullet, it was. These are layers that can help you prevent getting sick, sort of like Swiss cheese, but if you layer enough of them, hopefully you cover all.
Naureen Ali:I love that.
Rachel Morrissey:Yeah, and I think that's exactly what you're talking about here. That's the only way you can do that is to kind of layer, layer your Swiss cheese people.
Ian Horne:Just more European inspiration. I'm delighted, happy to be here, okay.
Rachel Morrissey:Well, I think we have to wrap up. You want to take it, Ian? You want to do the closer?
Ian Horne:Yes, I am, and I'll skip the bit about us being out of time because you've covered that. Naureen, thanks for joining us on The MoneyPot. It's been a real pleasure having you here and a great insight into the world of fraud. We've talked about all sorts of things. We've talked about, well, I mean, the many, many ways in which we can now be defrauded, which is always wonderfully terrifying, but good to know. So, yes, thank you, and thank you also to our live audience for listening. Thanks to anyone listening online, wherever you are. As ever, if you have a golden podcast idea, send your pitch to podcast at money2020.com and don't forget to follow us wherever you listen to podcasts. This has been The MoneyPot live from Vegas. We'll see you next time.