>>Jinee Ellis: Welcome, everyone, to the Wells Fargo Treasury Management webinar, a new way to think about fraud. I’m Jinee Ellis, and Senior Vice President, Manager of Digital Solutions for Business Fraud Prevention and authentication at Wells Fargo. We’re excited you could join us today. I would like to take a moment to introduce our guest speakers. I’m pleased to have with us, Jim Fox, Senior Vice President in Treasury Management Financial Services at Wells Fargo. Also joining us is Ann Kirst, Assistant Director in Treasury Operations for Northwestern Mutual, a financial services organization based in Milwaukee, Wisconsin. Jim and Ann both bring a unique perspective on taking a strategic approach to fraud. Ann and Jim, thank you so much for joining us. Let’s start by quickly reviewing the agenda for today’s webinar. First, Jim Fox will talk about what’s behind the rise in fraud, who are the perpetrators, and why we need to think about fraud in a new way. Then, Ann Kirst will share Northwestern Mutual’s story. As part of this, she’ll discuss some of the technology-based tools Northwestern Mutual is using to help safeguard their business from fraud. I’ll jump back in to discuss some of the key take-aways and then we’ll open up the phone lines and wrap up with a few minutes of Q&A from our audience. Before we begin, let’s start with a quick poll of our audience. Just a quick note on polls. Your responses to our polls today– throughout today’s webinar are completely anonymous. We’re simply taking the pulse of our audience on a few topics. Please take a moment to select one of the following five options appearing on the screen. What has been the primary impact of fraud on your company in the last twelve months? Worried that a fraud attack could occur, fraud attempt, loss of confidential information, financial loss, or reputational damage. Let’s wait a moment for the results to tabulate. Then I’ll share them with the group. 
You can make your selection on the screen and hit submit.
Let’s take a look to see what the audience has responded, and it looks like we have a split response. So it looks like many of you have avoided– a fraud attempt or attack in the last 12 months, about 36%, but that doesn’t mean it’s not on your mind. Given that this is one of the top reasons of your responses, clearly, you’re not alone in your worry. Worry about fraud is keeping a lot of executives up at night and the nature of threats today mean we all have to be up– we all have to up our efforts to protect against fraud. We also have about 38% who have responded that you have experienced some form of attempted fraud. That sure makes you worried. Will the fraudster succeed in their next attempt? I’d now like to turn things over to Jim Fox. Jim is going to talk more about the evolving threat of fraud, who the adversaries are, why they win, and why the nature of the threat requires a new way of thinking about fraud. Jim?
>> Jim Fox: Thanks, Jinee. It’s great to be here today. The following three statistics underscore why so many companies are worried about fraud. 84% represents those companies that have experienced a fraud incident in 2017. The threat of fraud is pervasive and every year, more businesses fall victim to fraud. 63% of businesses have experienced the same or more fraud losses in the last 12 months.
The impact of fraud financial loss is growing. 75% of businesses want advanced authentication and security measures that have little or no impact on the digital customer experience. Criminal tactics are constantly evolving. There’s more happening in the digital space as most companies are communicating with customers via the internet and businesses recognize this. So the challenge for many businesses today is, how do you keep your organization and your customers safe but still make the customer experience easy?
We’re dealing with fraudsters who are increasingly sophisticated in their ability to penetrate an organization. The fact that organizations are interconnected and not only is their footprint physical but most businesses increasingly run their organization using technology and the internet, which is a public domain. It is a big shift from the closed networks of the past in which there were a limited number of vendors and partners who were participants. You know, so much is run through the web, just think about how your organizations connect to third parties, how you use the cloud and APIs. That really expands the number of entry points. This level of complexity makes it even harder to keep at least one step in front of the fraudsters. And all those possible points of attack, think of it as a package of Swiss cheese with more holes than you can count. Windows and back doors that criminals can crawl through, and you might not even know they entered. There’s so much information readily available on the internet including through social media and there’s a lot of interconnectivity. Your company is like a big, complicated jigsaw puzzle with a lot of pieces that fit together. So many that few people, if any, in the organization understand the whole picture.
It is highly interconnected, and that it takes everyone in the organization coming together in order to succeed.
Another problem is that historically organizations have not had the mechanism to track the opportunities or the risks associated with the various types of fraud that have been attempted or perpetrated. Tracking has been in silos and the information has not been shared effectively across the business. So who are these criminals? They’re organized. They’re specialized, and they’re monetized. They leverage an underground marketplace. They research, discover, capture. They’re bad actors with legitimate marketplace ratings. They advertise social skills, service levels, and capabilities. They use social media to assist them in their research and they share information through collaborative websites. And why do they win more and more often? They look for diverse ingress points. They’re opportunistic and they know your vulnerabilities. It’s all out there in the public domain. They can get their hands on a how-to video for penetrating a mainframe. With zero day malware, they infect and spread laterally. Today, 88% of incidents occur through distributed denial-of-service attacks, web application attacks and card skimming.
The nature of the threat unfolds in ways you don’t expect. Fraudsters steal information but what will they do with it and when will they strike? It’s like a game of chess. There’s so many directions that they can take. Like a strategic game of chess, you must meet every threat with a stronger, protective move so you are always a few steps ahead. The more you are familiar with the patterns of the opponent, the better your responses and the more you strengthen your advantage. The game is always changing and there are so many moves that criminals can make. Given all that interconnectivity and the various ways fraudsters can enter your organization, it’s clear the approach to fraud protection must change from a transactional response to a strategic approach. Payments are no longer the only area of your business at risk requiring a focused fraud strategy. Today, the risk has evolved to be more operational. So the fraudsters are getting into organizations at the point of time in what I would consider client acquisition, and it becomes a strategic risk as they interact more within the systems, change client information, and then it leads to catastrophic costs. So what really has to change is you need to be aware of the breaches that are occurring and how to contain them. In reality, the information that’s out there today from breaches will continue to be out there and companies will continue to be breached. So when you identify patches, you’ve got to fix them fast. That’s critically important.
You can see the approach changes from narrow to broad-based. That includes shifting from fraud protection being the work of a few who are operating in silos to investing in an organizational awareness and enterprise wide education and participation. It’s a cross-functional, highly collaborative approach that gets everyone involved including treasury, finance, legal, compliance, I.T. staff, customer service reps, and operation staff and even more. A strategic approach shifts from a few tools to an integrated tool set. This includes using technology to fight increasingly technology-based cyber threats. Like pieces of a jigsaw puzzle, you have to put the right pieces into the right place. That includes tracking key customer entry points like email and phone so you can see what the fraudsters are attempting to do and thwart them. Having the right tools helps your people stay focused on their primary roles on serving the customers and running the business.
Finally, you’ve got to change from conducting annual reviews to continually adjusting your fraud strategies for protection, detection, and continually evaluate the latest tools and solutions.
>> Jinee: Thanks so much, Jim. It’s clear that organizations must think about fraud in a strategic way. Transactional controls on their own are no longer enough given today’s threat. We are thrilled to have Ann Kirst from Northwestern Mutual. She will tell us how Northwestern Mutual evolved in their approach to fraud protection. Ann, thanks for being here with us today.
>> Ann Kirst: You’re very welcome, Jinee, and it’s great to be here and take you through Northwestern Mutual’s fraud prevention journey. I’d like to share with you what we’ve learned about fraud and what we’re doing about it, but first, let me tell you a little bit about our company. We provide insurance and investment services and help our clients with planning, whether it’s for financial, college, retirement, estate planning and more. We’re a mutual company. That means we report to policyholders and every decision we make is based on doing right by our clients.
Something we’re very proud of is leading the industry in giving back to our policyholders by issuing dividends every year since 1872. A lot of people are putting their trust in us. That makes fraud prevention very important to our reputation and to protecting our assets and those of our clients. Prior to 2013, fraud pretty much didn’t exist at Northwestern Mutual but since that time, we’ve seen it increase exponentially. What you see here is from 2013 to 2016, we had a big jump in gross fraud losses. Gross fraud, meaning the amount of money we actually sent out due to fraud attacks. Fortunately for us, we’ve been able to recover most of this money. We noticed a shift in what criminals were going after. What started out as small dollar wires then moved into large dollar wires and then eventually to ACH. With these losses, we could contact law enforcement, but there’s a couple issues here. One is that our net losses are very small. Again, we’re fortunate to recover most of our losses. The other issue is that a lot of these scams are originating outside of the U.S. so that makes it very difficult for law enforcement to prosecute them.
We were noticing this increase in attacks and the dollar amounts were getting bigger. In 2015, we saw much more growth in fraud attempts. That’s when we started talking within our organization. At first, our focus was on ACH, but we later shifted to a cross-functional approach that looked at fraud protection broadly across our organization. As you can see, payment fraud has decreased in 2017. That’s because we were well along our way on our fraud prevention journey and the tools were starting to work. Even though fraud attempts continue to increase, we’re identifying more of them and thus sending out less funds in error.
So where does the fraud come from? Within payments, we’re tracking various fraud attempts and just to give you a sense of breakdown from last year, 29% happened during our account application process. That means a policyholder or a potential client misrepresented information or didn’t disclose information on a policy or an account application that could have affected our underwriting process. Almost all of these were detected during underwriting. Another 23% involved internal or external networking schemes. That’s where attackers have created fraudulent websites that mirror Northwestern Mutual’s or they attempt to hack into our network to gain confidential information. Again, our monitoring process detects almost all of this now.
21% relate to theft of client assets.
That’s where a third party gains access to our client’s information and uses it to obtain funds. We’re detecting a lot of this using the various tools which I will discuss shortly. Lastly, another 23% is attributed to the disclosure of confidential information. Basically unauthorized people are attempting to get information on our policies or accounts. This is different from theft because they are trying to steal information but they aren’t asking us for any disbursements at the time.
Overall, we anticipate that identity theft and social engineering schemes will continue to put pressure on our control environment. It’s so easy for people to be taken advantage of through social media sites and information mining. They’re being asked what seems like pretty benign information, which ends up being the information they use to authenticate their identity. You know, if you’re sharing information with your social network, such as the name of a pet or a street you grew up on, that’s publicly available now to fraudsters. Often, this type of information is what people use to answer their password security questions. So that’s one of the areas where we see the biggest potential for an increase in fraud.
So you can see, like Jim was saying, we’ve really needed to look at the problem as a whole. If we just Band-Aid payments, criminals can attack from somewhere else. There are so many windows they can crawl through from the internet and social media information, which is readily available and accessible, to the account or policy underwriting process. If you don’t control the whole process from end to end, you may be missing something very important. Maybe a payment is valid, but maybe that policy never should have been written in the first place.
But then there’s the flip side to think about. I bet many of you are like us and the statistic that Jim talked about earlier shows it, how 75% of businesses want advanced authentication and security measures but they want those measures to have little or no impact on the digital customer experience. Northwestern Mutual is proof of that. As a company, we’re at odds. At what expense are we preventing fraud? We don’t want to slow down our processing areas. Our operations people handle a lot of calls and want to keep call times as efficient as possible. We process millions of payments each year. Just how complicated do we want to make that process to detect just a handful of bad transactions? If you talk to people in our operations area, they want to make it easy for clients to do business with us, whether it’s how we authenticate them or what data we ask for. You just want to minimize the number of hoops the client has to jump through.
Think about your own Amazon experience. All you have to do is click once and you can buy something. Now maybe we don’t want to make it that easy in the insurance industry, but that’s kind of what people are used to in the marketplace. Therefore, what we have to do is make it as frictionless as possible. Our service people need to protect the confidential information. When they are on the phone with a client, they used to say, I see the last time you did this transaction, you used your account number 123. We’ve retrained them to ask, what account would you like to use today? So for the client, what we’re asking seems to be repetitive, but we’re really trying to protect them. So you’re looking for that balance. You want enough controls in place in fraud prevention tools so it’s not overly cumbersome for clients and our people. And you know what’s kind of interesting? From a business perspective, controls around money movement are often considered inefficient. And in one sense, clients might consider security a waste of time, at least while they’re in the middle of dealing with it, but at the time our clients just assume that we’re going to secure their assets and we’re not going to let any of their money out the door fraudulently. They just expect that and that implicit trust is table stakes.
I’d like to shift and talk to you a little bit about our journey from what we’re seeing with more fraud attempts to what we’re doing about it today. In 2015, we saw so much growth and started talking within our organization to get people onboard. We were advocating for a change in the process, starting with compliance, lawyers, and leaders in the processing areas. Each team had been working independently in silos and they were using their own tools. That changed later on in 2016 when we pulled together a committee to address fraud. It’s a cross-functional team that sets strategies and objectives for the whole organization. As I was saying earlier, there are so many possible ways to get at a company and launch an attack these days. You need to have multiple tools and these are some of the tools we use today.
As I mentioned, for decades, we had not been a target for fraud. For the areas that did experience fraud, we focused on training those employees to identify red flags during their calls. We realize that our mindset had to shift. Only through diligent and ongoing efforts can an organization protect itself against significant acts of fraud and this includes educating all employees to understand that the external environment is changing and we all need to think of ourselves as a target. One could ask, does it really need to be everyone? And the answer is yes. You just never know what the entry point is going to be. External threats and external protocols are tied closely together. When clients call, being able to authenticate that they are who they say they are is key. For decades, the information we’ve used to validate client identity, things like address, Social Security number, mother’s maiden name, have become readily available because of the large number of breaches taking place in the world today. At the same time, the external environment in the fraud space is very organized and run like a business and attackers are continually evolving their skill sets. For example, we recently saw a fraudster who was able to hack into one of our client’s email accounts. They watched the conversation with their financial representatives, who are our agents. They knew that the client was leaving the country so they took over the conversation with the financial rep and requested a loan.
While that in itself is not new, we found out later after the fraudster got the money, he continued to monitor that client’s email account. Wouldn’t you know that when the client returned and attempted to resume the conversation with the financial rep, the fraudster had set up a spoofed account for that rep so that the fraud would not be detected as quickly. Think about it. From a payments perspective, we’re trying to speed up the payment settlement process which means that the window of opportunity for us to identify, hey, something went wrong, and either stop the transaction or get to the bank that it went to put a hold on the account, that time window is shrinking. So the longer it takes for us to realize there’s a problem, the more likely it is that the money will not be recoverable.
>>Jinee: Ann, thank you. As you point out, attackers are continually evolving their tactics, techniques, and skill sets. So I think this is a good time to check in with a brief poll again. How prepared is your organization to protect itself against new and emerging types of fraud threats? Please choose the best answer for your organization. Your choices are very prepared, somewhat prepared, or not at all prepared. We’ll give everyone just a moment to make their selection. All right. Let’s see how prepared your organization is for new and emerging types of threat. We have 74% who are reporting that it looks like you are not completely confident in your preparation for new and emerging threats.
That’s not a surprise given the nature of fraud today and how pervasive the threat is.
Let’s now look at some of the tools that Northwestern Mutual is using to track fraud attempts and breaches and to protect against both traditional and emerging threats. Ann, back to you.
>>Ann: Sure. Thanks, Jinee. Let’s talk about some of those tools we’re using. We found at Northwestern Mutual that not one tool can guard against all threats with so many holes that criminals can slip through. So we take a layered approach to using fraud tools. When you add enough slices of cheese to that sandwich, each layer covers the next one so you fill in the tools. As we layer multiple tools together, hopefully, none of the holes line up for the fraudsters to slip through. Let’s start with multifactor authentication. When a client calls, how do we prove who they are? Multifactor authentication is one way to reduce risk by authenticating different factors, something you know, something you have, or something you are. Some examples may include sending a voice text or email delivery of a one-time passcode. Maybe a device or phone or application that you have. Maybe even biometrics, such as fingerprint, facial and/or voice recognition. To be effective, multifactor authentication should be used at every entry point clients have into your organization. You may use different factors for different entry channels but many of these factors can be leveraged across the channels. Basically, you want some sort of authentication to occur at every entry point so the fraudsters can’t jump from channel to channel. At each entry point, you may choose a different form of authentication but once the client gets past that first hurdle, then you try to make it frictionless from that point forward. There might be some points where you definitely want to authenticate against such as maybe if they’re asking for a loan or a large dollar amount. Then it might be appropriate to ask one more time to be safe.
The next tool I’d like to talk about addresses emails. Hopefully everyone’s organization listening today has technology to filter out spam with their firewalls and education and testing to help employees identify phishing scams.
There are other tools that can be implemented, too. These tools can identify imposters and they can analyze the language in patterns and emails, and they can also identify potentially fraudulent activity. As you can see, we’ve implemented a tool that sifts through all the emails within our organization and performs this analysis, looking for patterns that are red flags, and what you see here is our First Quarter results for this year. We scan approximately 300,000 emails every day and basically someone follows up on every email that’s flagged, but most of these, unfortunately, result in false positives. But when you think about it, that’s like half a percent of all of our emails that are reviewed daily.
>>Jim: Ann makes a very important point about how important it is to track email because of its potential as a breach point. I would like to breach point. Spear phishing is the most popular path for infection by groups planning targeted attacks. Spear phishing is fraudulent sending of emails from a known or trusted sender to get a person to reveal confidential information. Whether your customer base is consumer or business, you’ve got the potential to be hit with an attempted fraud by email and in particular, by phishing.
>>Ann: Phoneprinting is another tool that we found to be very useful and we’re in the process of implementing companywide in our call center operations.
What is phoneprinting, you might ask? It’s a technology that flags suspicious calls based on a device, a geographic location, voice prints or behavior. It does this by analyzing subtle audio characteristics and using machine learning to assess calls in real-time. So it’s looking for anomalies in the caller’s phone numbers, in their voice, what they’re saying, that type of thing. An interesting thing with the tools that we use is that the vendor has shared a blacklist among clients of known fraudulent phone numbers. We’re finding that a lot of the fraudulent calls that come in our call centers are generated from the same group of phone numbers. When calls from those numbers come in, they’re identified and flagged by the tool right on the service rep’s desktop so they know immediately that there is a problem.
The slide transactions go to a research area and they review each one. Their goal is to review the transaction within 15 minutes and of the 2,500 flagged, they identified 48 potential fraudulent transactions that they were able to stop. Now of those, you can see that 57% of those were identified by the phoneprinting tool. That’s the kind of needle-in-the-haystack technology that we need to fight fraud.
It used to be that we mainly relied on our people on the frontline to detect these anomalies that happened in the phone calls. Now they’re no longer the only frontline defense and averting fraud is seamless in their process. Besides the 57% of phone calls identified by phoneprinting, there were other calls that the customer service reps noticed as suspect and flagged some of those, too. It’s really a combination of people and technology to make this successful.
Like I said, each of these tools is a layer in that Swiss cheese sandwich to close off the holes.
>> Jim: Let me jump in again to share a statistic that stresses the importance of this kind of tool. Call center fraud attacks have increased by 113%. This stat is based on an analysis of more than a half billion calls to investigate the latest fraudulent call center activity data from around the world by a company called Pindrop that provides phoneprinting technology. According to the study, 45% of fraud calls are coming in over voice over IP. That’s an increase of 7% over the year before. 43% from level devices and that’s 25% more compared to the prior year. Typically, if your customers are consumers, you’ve got a lot of customer accounts, a lot of fraud is actually coming in over the phone.
>> Ann: The last tool I want to share with you today is bank account validation. Account validation uses a third party to verify that a bank account exists and is in good standing and for those banks who contribute ownership information, it allows users like us to validate if a client is a designated owner on that account. Account status or status in ownership can be queried for ACH, check, or wire transaction on deposit accounts. By that, I mean checking or savings accounts. With account status, you confirm that a deposit account is open and valid and assess the risk of items being returned. With account status in ownership, you can also determine if your client is authorized to transact on that account. We started our account validation journey in 2016. Our treasury team was actually driving this particular effort. We implemented our first system in 2017. We started with disbursement systems because they pose a higher risk. With the service we use, there are 26 banks that contribute account ownership information which is what we use to validate that our client owns the bank account we’re making the payment to or from. What we do is each time a client provides a new bank account, we validate that the client owns that account by matching it to our records. For our First Quarter results, we checked 40,000 accounts. 39% of them were valid meaning that the name matched the signatory on the bank account. 8% of them were a partial match. 51% were unknown where unknown means that the bank does not contribute the ownership information so we could find out the account status but not who owns the account. And lastly, roughly 2% came back where the ownership name on the account does not match our client’s name. For the most part, we have rules for each of the business areas to know whether it’s a green light and go ahead and make the payment. For a partial match, we double check to make sure we have the right information and that we’re talking to the right person.
What makes it more complex for an insurance organization is there are different roles on the different policies. And certain roles can only do certain transactions. So it’s important to make sure that we have the right person that they’re speaking to.
Account validation is unfortunately not much help for the unknown accounts because we don’t know more than before we had this tool. Obviously, the ones that are invalid, we did not proceed with the electronic transaction. If everything else seems valid and if we’re sure we’re talking to the right client and that they’re making a valid request, we will still disburse money to them. Just not electronically to that bank account.
We started off our account validation journey by building a foundation. We used our ACH system as a hub between our internal payment administration systems and the vendor. What we quickly found out is that getting the results back is great but if it’s not a clear match, then we need to take a deeper look. Basically, we needed more data to analyze in order to make the decision of whether or not to allow the transaction to process. Unfortunately, in our company, data is decentralized making it very difficult to compile.
Our company sponsors hack-a-thons each year which allows teams to identify and solve a problem in a two-day period. Our I.T. team participated in two of those events to help us with our issues.
One was to provide a solution to gather data across multiple systems and compile it in such a way that we can organize it around the scenario around the transaction. An example would be when someone is trying to take out a policy loan and there’s a partial match to their name on the bank account. We want to gather more information about the client and how they typically interact with us. For example, do they pay their premiums electronically to this account? How long have they been using the account?
The other event was to add in machine learning to build in a set of rules and let the process teach itself to identify possible problematic transactions and that’s the value-add process that we’re aiming for. We’re using the account validation tool as a starting point to determine whether our client owns the bank account, but then we want to compile additional information about how that client is transacting with us that we pull from our different systems because, as I said before, nothing here is centralized. Then we can identify exceptions. So instead of people trying to look for where the problems might be and manually gathering more data, we want to build a system that has the set of rules and that uses machine learning to better tell us, hey, here are the things you want to be looking at. Then ideally, we want to get to a predictive analytic state, but again, we’ve got to learn to crawl before we can run. The next step in our journey will be to get this information up front, similar to what we do with phoneprinting. We want to identify a red flag right away as the service rep is processing a transaction.
That’s our ultimate goal, to get all the tools up front while they’re processing. But, first, we have to gather the data, learn how to use it, and expose it to the people while they’re on the phone real-time. That’s the challenge and that’s still in the process of developing and implementing those ideas.
We have had some internal challenges along our journey that I’d like to share a little bit about with you. The first challenge was sharing our client data with outside parties such as the vendors. Now we overcame this obstacle several years back but in talking with others, many companies still consider this an issue. For companies that have been around a long time, you’re likely to have many systems which may or may not talk to each other or may be difficult to connect or change. We have many payment systems and it takes quite a while to implement the process with each. We started our first implementation a year ago in April and I still do not have all our systems implemented and it’s probably going to take yet another year. Part of the challenge is that we have many high priority efforts. Therefore, not only are we competing for the same technical resources but against other types of priorities as well, such as product development.
Another impact we saw was to our client servicing teams. The challenge is to provide them talking points and guidance for their calls with the clients and to find the right balance between them understanding enough about the process without providing too much detail in the event they want to overshare with clients. We don’t want them to give away our new prevention protocols. We do need to prepare them for pushback, though, from the clients. Additionally, the time and effort to produce training material and conduct training was way more than we originally expected.
Another issue we faced is the various roles that existed at insurance companies. There’s an insured, there’s an owner, there’s a payer, there’s a beneficiary, trustees, and many others. In understanding who has the authority under each of these roles for payments is difficult enough. Now we need to know if that eligible party actually owns the bank accounts. For example, we have a payer role on our policies who is normally the person who makes the payment. If for some reason, the payer doesn’t, the owner may step in to pay to make sure the coverage doesn’t lapse. Our systems need to be flexible enough to allow for client reps to pick an eligible role and be able to validate that the bank account belongs to that person.
Another challenge we face is we have a lot of existing clients. Historically, we have not been able to validate who owns the bank account. We’ve always trusted that the person who sets themselves up as the payer does, indeed, own the bank account. Well, with this process, we found out that it’s not always the case. So now the challenge is what to do with those clients whose accounts we have been debiting for many years who don’t own the bank account that we’ve been using. Now please note that in most of these cases, it’s the family member’s account or trust account where the titling between us and the client’s bank doesn’t quite match.
The last thought I want to share with you regarding challenges is that this product is not all-inclusive. Unfortunately, not all banks contribute yet and names may not be a perfect match. There is some subjectivity. Therefore, there’s still some risks. But the fraud risk has been reduced overall. I’m often asked if we can only validate 50% of our accounts, is it worth implementing this now? My response is always, yes, because we are able to validate 50% more than we were without it.
>> Jim: So, Ann, what would you say are some of the key take-aways from your fraud prevention journey?
>> Ann: That’s a good question, Jim. Why are we doing all of this? It’s partly to protect our company assets and also protect our clients. While clients may want to interact with us in a similar way that they interact with Amazon and phone provider, they also expect us to keep their assets secure. That strong authentication is key to protecting our clients. Safeguarding their assets is essential to our strategy. It’s pretty much table stakes from a client perspective. That means we need to strike the right balance between ease of doing business with and security using strong authentication, fraud prevention tools, and good control. Again, you want to have a combination. You don’t want to rely only on people.
We also always need to adjust our strategies and continually need to invest in technology and resources. It’s an ongoing and iterative process that includes actively planning for prevention as we implement new systems, new entry points, and new processes. You do want to have tools out there and you’ll need to constantly monitor and upgrade them and look for new tools as new threats emerge.
In addition, everyone in the organization really must have that fraud prevention mind set. It’s not just the people who deal with fraud on the back end. It has to be a preventative nature on the front end. Especially as you’re expanding systems and capabilities. Getting and staying ahead of fraudsters will continue to be challenging for all of us. Again, it’s a process that we started but it’s not one that is going to be done anytime soon or that you can just sit back and finally say, we’re done.
>> Jinee: Thank you very much, Ann and Jim. You’ve offered some very helpful strategies and insight. That brings me to our final poll before we share a few closing thoughts. So let’s see now how our audience is feeling after hearing Ann share Northwestern Mutual’s fraud prevention journey. The question is, what is the one thing your company could do to better protect itself against fraud? The choices are continually adjust fraud detection and prevention strategies, strengthen customer authentication, safeguard customer information and assets, improve organizational mind set around fraud protection or the last choice is, invest in fraud technology and resources. Please go ahead and select the answer that best fits your organization and we’ll take a look at the results in just a moment.
All right. It looks like the number one response is 44% of you have selected continually adjust fraud detection and prevention strategies. That is a strategic mind set and the second highest response is 30% at improving organizational mind set around fraud protection. Thanks, everyone. You’ve been great participants in our polls today. So we’ll go ahead and move on to our closing remarks and then we’ll take questions from the audience. I’m going to pass it over to Jim.
>> Jim: Thanks, Jinee. I think the Northwestern Mutual fraud prevention journey ties well to our perspective here at Wells Fargo on the top three ways companies can think about fraud. That is people, process and systems. From the people perspective, potential for fraud occurs across the company’s infrastructure and you need to have buy-in from senior leadership but also cross-functional oversight. Cross-functional oversight has buy-in from across the organization so that it helps to identify processes that are potentially at risk. Since the opportunity for fraud can come from any direction, being inside or outside the organization, and then you’ve got to be sure that you’re hiring the right people, training them, and providing incentives for them to recognize fraudulent activity. Implementing policies and rules enforcement are critical to the process. They definitely make sure that folks are focused on fraud and that if someone is not catching something they should, you’ve got to make sure that you provide extra coaching. Around process, because of the changes that many companies are going through relative to either technology or faster payments, process is extra critical. How do you change your process to support a faster environment? It involves depth of training, implementation of it, and then oversight. When we think about process, part of that tracking is fraudulent activity. Both attempted and real. So that you can build process improvement around your experiences where you’ve been able to prevent fraud or where you’ve experienced fraud loss. I cannot emphasize enough the importance of tracking fraudulent activity and historically, organizations have not tracked because they might have been embarrassed if they had a fraud situation. A department may not have wanted to share and kept it hush-hush. 
But in an environment where we are seeing increased fraud risk associated with either account takeovers or breaches or general fraud, it’s important to track activity, share it broadly so that the whole organization can work together to have the right fraud prevention process and strategy. Finally, around systems. From a technology and system perspective, it’s identifying the right tools for your organization that allows you to build a process that is comprehensive and has the ability to continually evolve based on new fraudulent risks that are being identified. You have to pull all three of these levers together to effectively combat fraud.
I’ll wrap up by summarizing some of the key themes we presented today. The story Ann shared about Northwestern Mutual’s journey shows the magnitude of the fraud risk that companies are facing.
The key to changing the way you respond is getting organization-wide buy-in and support. Increasingly, the fraudsters have transparency of the organization and not only do you not understand who they are and what they’re up to, but you may not even have transparency into your own organization and to all the interconnected systems in ways that your organization can be breached. In a game of chess, where all the pieces are laid out in front of you, the number of moves are so complex, the number of ways that you can move the pieces to take the opponent is so vast that the winner has to be strategic. You can’t just be reacting to your adversary’s last move. You have to think ahead and that requires new ways of thinking and new ways of approaching fraud. This new way of thinking shifts from the transaction, from a narrow focus on payments only, more broadly to your entire operations. It takes a strategic view. It’s a shift from the silo to the enterprise as a whole. This is a continuous effort. It’s not a once-a-year strategy and then you do testing quarterly. This takes a constant vigilance that’s baked into the organization. The Swiss cheese analogy, the Swiss cheese is piled high and becomes a solid foundation so less and less of your adversaries can see through the holes and certainly have a hard time finding their way through them. Because there will always be holes in any organization. That’s why you have to stay vigilant and continually adapt your strategy, your tools and your techniques.
>> Jinee: Thanks very much, Jim and Ann, for sharing your knowledge and experience with us today. I would like to remind everyone that if you spot an unauthorized transaction or unusual activity, immediately contact your dedicated client services officer or call 1-800-ATWELLS. If you would like more information on strategies and best practices for fighting fraud, I’d invite you to visit the fraud and security section of our Treasury Insights website by clicking the gray link icon at the bottom of your screen, or you can contact your Treasury Management representative. Now before we move on to questions, if you attended this webinar online today for 50 minutes or longer, you’re eligible to earn 1.2 CTP credits from the Association for Financial Professionals. You’ll receive your confirmation of attendance certification as well as a link to the replay of this event by email within three business days.