Insight. Innovation. Industry.
Banking / Risk Management /  •

Criminal element

Digital misdeeds abound on the Internet, requiring a delicate balancing act for credit unions who have to thwart cybercrooks while protecting their members' privacy and ensuring they enjoy seamless transaction.

A recent financial industry survey paints a less-than-optimistic view of how the war on fraud is faring for Canada’s credit unions and other financial institutions. The results suggest that the industry feels it is barely keeping up with fraudsters’ constantly evolving techniques, despite corporate anti-fraud spending that Statistics Canada estimates in 2018 exceeded $14 billion. The frauds involved everything from financial institutions’ computer systems to thefts of customers’ identities and takeover of their accounts.

The survey from last September was conducted by Forrester Consulting on behalf of the credit reporting agency TransUnion and included 465 decision makers in the financial services and insurance industries in Canada, the United States and India. Some of the key findings include:

  • In the past two years, 96 percent of financial firms had experienced fraud. Of those, 66 percent reported an increase in synthetic identification fraud (a fabricated fictional identify) and 64 percent in identity fraud.
  • Sixty-nine percent of decision makers in the financial service industry and 57 percent in the insurance field say fraudsters are constantly evolving their tactics and are always one step ahead.
  • About 55 percent of Canadian financial services leaders say their current identity verification and fraud detection processes are too complex and burdensome, not only for the customers to conduct transactions but also for the organization to maintain.

TransUnion Canada executive director of identity management and fraud solutions Anne-Marie Kelly says there are three main forms of fraud. The first is account takeover, where a criminal conducts unauthorized transactions on a victim’s account. The identities of the victims are obtained through malware, phishing or data breaches or by physical interception, such as theft of identification.

A second form of fraud is synthetic fraud, where the perpetrator is one step removed from the fraudulent activity. “It is using a fictitious identity that is manufactured with real and fake information to build a persona: my first name, your last name, your neighbour’s social insurance number,” says Kelly. “These are glued to together to make an identity but not a real person.” From a law enforcement perspective this can be an extremely difficult fraud to fight because there is no one to arrest and no one to incarcerate, she adds.

Another growing form of fraud occurs where the credit card is not present, as with online retail purchases.

Who are the fraudsters?

Who is behind these digital misdeeds? “That’s the magic question,” says Kelly. “If we knew who these folks were and they were easy to identify, wouldn’t financial fraud be easier to prevent?

“Twenty years ago, when I first got into this business, we would talk about criminals in basements and deep corners stealing identities or credit cards,” she says.

“Twenty years ago everything was in person and you could walk in with a driver’s licence and open a bank account. Now it is very difficult for these [financial] organizations to keep up with consumer demands and identity demands.”

“If we knew who these folks were and they were easy to identify, wouldn’t financial fraud be easier to prevent?” – Anne-Marie Kelly

The other trend dominating cyberfraud, says Kelly, is the growing presence of well-organized crime and the complicity or outright involvement of nation states such as China, Iran and North Korea. “You have to remember that these financial fraud schemes are funding something bigger, such as money laundering, which is why the Canadian government is talking about coming down hard on terrorist financing.”

Kelly advises that credit unions need to be asking more questions, ascertaining more documents and looking to biometrics (retina and face-recognition technology and even consumer behaviour patterns) to determine whether the person is who they say they are.

“We as consumers are careless with our identities,” she says, adding we aren’t cautious about where we go and what we click on, while credit unions are struggling to protect consumers from malware and other cyberfraud. That is causing a friction between institutions and consumers on protecting identity.

Castle and moat

At least one credit union leader says his North Vancouver-headquartered organization and other credit unions are not standing still in dealing with cyberfraud. Chris Catliff, CEO of BlueShore Financial Credit Union (40,000 plus members, $5.7 billion in assets) says his financial institution is fighting cybercrime on numerous fronts, from keeping software systems up to date, conducting tabletop cyberattack exercises, educating members about preventing identity theft, to keeping staff on their toes. “We do phishing exercises on our existing employees at least quarterly and they get scores on it,” Catliff says. “Anyone who clicks on an attachment they shouldn’t have gets a learning moment and a little computer-based training. You can have the castle and the moat but if you are letting people across, it doesn’t work.”

Catliff is frustrated about federal regulations, which “are making it more complicated to open accounts and far more complicated for financial institutions to do their business. Yet another part of the government is creating sandboxes so that fintechs will be able to join the payment system. We are going to be forced to deal with them in a system called ‘open banking,’ which is now in about 40 other countries around the world.” Open banking is when traditional financial institutions open up the data they hold on customers to allow new products and services to be created.

Sara Goldvine, senior manager, stakeholder relations at Coast Capital Savings Credit Union, (572,000 members, $23.4 billion in assets), says the credit union movement has to build awareness and strong platforms if it is going to win the fight against fraud.

“At Coast Capital we help members through a wide range of channels, in branch, through social media campaigns, through media interviews and by continually investing in technology and partnering with third party suppliers.”

Take nothing for granted

Garry Clement is a financial crime prevention expert and advocate who has 34 years of policing experience, including serving as national director of the RCMP’s Proceeds of Crime branch. Clement doesn’t mince words about the state of cyberfraud in the world. “The bottom line is that fraud is definitely not diminishing. It’s going to continue,” says Clement.

“The advancement of the skills of organized crimes and organized entrepreneurs in the cybercrime space means it’s not a matter of if they are going to be defrauded, it’s when. We are in a new world that operates in the post-industrial revolution and for the most part, a lot of organizations haven’t kept up. And without a doubt, it is getting worse.”

Clement says that what used to be strictly local crime is now being acted out in an international environment. “The fact that institutions do online banking means they open themselves to sophisticated criminals. Those criminals are often more skilled than the law enforcement agencies.”

Clement’s advice to credit unions is to take nothing for granted. “Nothing bothers me worse than talking to a Chief Information Officer and having them say, ‘we’ve got it covered.’ They are fooling themselves, they are fooling their organizations and they are fooling their boards of directors.”

“Nothing bothers me worse than talking to a chief information officer and having them say, ‘We’ve got it covered.’ They are fooling themselves, they are fooling their organizations and they are fooling their board of directors.” – Garry Clement

Clement also urged the industry not to become comfortable or complacent about new technology. He noted that credit card fraud is actually on the rise in the US. Innovations such as chip technology do work — but only to a point. “The reality of it is there were 60 million debit and credit card numbers stolen in the US last year and most of those were chip-based cards. When they were rolling out the chip technology they said, ‘Now we are going to eliminate fraud.’ When I hear people say that, it is almost laughable. Technology is man-made. If it is man-made, it is hackable. And that is what people have to understand.” ◊