Smaller regional financial institutions are facing some big challenges when it comes to fraud on a number of fronts. As attacks against big banks are thwarted, fraudsters are increasingly turning their attention to the next tier of financial institutions.
This trend, coupled with consumer demand for friction-free mobile access to banking, creates not only more vulnerabilities but also new ones. Lastly, as compliance regulations tighten, these institutions find themselves facing more stringent requirements that demand increasingly sophisticated solutions. Let’s tackle these issues one at a time.
Perhaps the biggest concern for regional financial institutions today is that fraud is increasingly moving downstream, away from the large multinational banks. These large national and global banks have been steadily improving their security systems, implementing multiple layers of sophisticated solutions. In response, fraud perpetrators are setting their sights on smaller regional banks, which often have less robust security capabilities.
Attacks on these institutions are becoming increasingly sophisticated, requiring advanced prevention and detection techniques – often beyond the native capabilities of these organizations. In addition, smaller financial institutions generally have fewer resources at their disposal to analyze and identify repeat attack attempts or to detect cross-channel fraud attempts.
Another trend presenting new risk management challenges is mobile banking, which increases the tension between convenience and security. Because mobile devices are usually used for more immediate and casual transactions, consumers have increasingly become accustomed to the immediacy and no-hassle interactions of such applications.
In order to compete, regional and local banks need to provide customers with the convenience of mobile banking capabilities. But without the same resources as the bigger banks, they are not able to develop custom apps with intrinsic security requirements built into the applications.
As such, many smaller banks turn to third-party mobile banking apps. While these can be a quick fix for smaller FIs hoping to satisfy consumer demand, they often sacrifice security for convenience, exposing banks to new vulnerabilities.
Furthermore, as smaller FIs expand into the mobile channel, they will need to be prepared to face the slew of mobile-specific fraud risks – man-in-the-app attacks, mobile malware distributed via the app store and mobile ad networks, SMS-based phishing attempts, etc.
Further complicating the situation are increased regulations. The FFIEC has recently updated its banking security guidelines to require complex device identification as part of its layered security recommendations.
These recommendations also include anomaly detection and effective response to suspicious activity, enhanced control over changes to account maintenance activities, and fraud detection and monitoring systems that include consideration of customer history and behavior.
A daunting picture to be sure! Despite the fraud challenges that are stacked against smaller FIs, there are some benefits as well. Regional banks usually have fewer legacy systems and a more integrated core-banking environment. The ability to tap into a broader range of systems makes it easier for smaller banks to gain visibility not only into customer activity but into fraudster behavior as well.
Preparing for compliance with the FFIEC’s new guidelines is a perfect opportunity to think about how to gain new visibility into emerging fraud trends and enable fact-based strategy development.
The key is to take a holistic view of all customer interactions – from online account origination through the account lifecycle.
Key takeaways:
- Screening new customers is key not only for preventing new account fraud but also for detecting rogue accounts opened to serve as mules or for other nefarious purposes
- Cross-channel monitoring enables not only better detection of compromised accounts
- Complex device identification enables better linking of additional accounts compromised by the same fraudster
- Account behavior should be viewed not only for signs of account takeover but also for signs that the accounts are rogue and serve as mules
- Prepaid cards may be the next MO for cashing out. As money mules are becoming harder to come by and more difficult to manage, some fraudsters are moving to prepaid cards for cashing out
- Complex device recognition, coupled with advanced correlation of online and offline activities, can provide important intelligence and spot compromised and rogue accounts
- The mobile channel introduces new security challenges. When assessing the risk of the new channel, banks should not analyze the channel in isolation, but rather think of how mobile impacts the risk of all channels (e.g. online)
- A good partner with exposure to the newest attack MOs can assist in pointing out the vulnerabilities and suggesting effective solutions.