When it comes to Fraud and AML strategy in today’s climate, nothing is static. On the contrary, organizations have had to adapt their approach while remaining flexible amidst uncertainty and change.
In 2021, we sat down with several of our customers to get their take on how they’ve scaled their fraud and AML strategies over the last year.
Throughout all of these discussions, a few areas of focus surfaced. As such, we’ve broken this post down into the following sections:
- The Evolving World of Fraud and AML
- How to Hire Great Fraud & AML Professionals
- How to Maximize Operational Efficiency with Your Tools
Here, we’ll outline the seven key takeaways from our conversations, featuring insights from risk and compliance leaders at organizations like Intuit, Chime, Crypto.com, and more.
While each organization offered a unique view of how they set up their program for scale, a few things are certain: The stakes of this fight against fraud have never been higher, and with every passing day, this endless game of criminal whack-a-mole must be played by an evolving set of rules.
Let’s dive in.
The Evolving World of Fraud & AML
With the profound amount of change we experienced over the last year, risk and compliance professionals in the financial services industry had a lot on their plates.
Rapid digitization, a trend that is likely to continue for years to come, has made digital a leading focus, creating new standards for organizations to live up to and opening new opportunities for fraudsters and scammers to exploit.
Risk is just as much about growth and customer experience as it is about loss mitigation.
Something that has been weighing heavily on the minds of risk and compliance professionals is where to focus amidst the shifts occurring in fraud and AML. One of the first questions we addressed in our webinar with Chime concerned the most significant risks to mitigate from a risk and compliance standpoint.
What it boils down to is that, from a fraud perspective, the biggest risk is fraud loss, and managing it is an inexact process. Weaknesses in this area can open an institution up to increased fraudulent activity.
For compliance, it is about ensuring that a good program to identify and manage suspicious activities has been put in place. Failure to create and maintain an effective risk management program could lead to expensive operational losses down the road.
However, what we learned from Acacia Rey, the Head of Financial Crimes and Identity, along with Gwen Gilkey, Senior Risk Analyst at Chime, is that, for them, mitigating losses should not be the only objective as a focus on risk tends to hurt customer experience. The main goal of their risk organization is to keep their members safe and provide customers with the best experience possible.
And in our webinar featuring Rob DeCampos, Head of BSA/AML at Intuit, he speaks fervently about his approach to setting up his BSA/AML program with the customer in mind.
In the webinar, he reflects on his strategy, and he presents the scenario as a rhetorical question to the audience to showcase his path of reasoning.
He ponders, “how do we set ourselves up from an AML/BSA office perspective to make sure that when a regulator is outside looking in, we can say that we are abiding by all the pillars that are necessary to have a compliant program, but at the same time, are building in a kind of agility, to be able to apply the best techniques from a risk-based perspective that are going to serve the business and our customers best?”
Members want a pleasant experience, and so for brands like Intuit and Chime, they must be customer-obsessed. In that way, their focus is just as much about maintaining high levels of growth through the lens of customer experience as it is about loss mitigation.
Surges in synthetic fraud and unemployment fraud were and continue to be prevalent because of the pandemic.
Another hot-button topic was how 2020 differed from prior years and how the pandemic, in general, has impacted risk and compliance.
After speaking with our customers, what it comes down to is that there were significant increases in synthetic identity fraud and unemployment fraud due to increasing digital transactions and an economic climate laced with uncertainty.
At the outset of the COVID-19 crisis, consumers began using digital channels to make purchases. They relied more heavily on other contactless services like Venmo and Zelle, which opened up the door for criminals to commit more theft and identity fraud.
For those unaware, synthetic identity fraud occurs when someone uses a combination of real and fake information to create an identity, which they then use to commit fraud. For example, a fraudster might steal one person’s Social Security number (or buy it on the dark web) and then combine it with another person’s name and a third person’s address to create a new identity associated with the first person’s Social Security number.
They then use these fake IDs to build credit over time and then borrow a large sum of money and disappear. Or, they may use the fake identity to apply for government-issued benefits like unemployment, which acted as a lifeline during the pandemic for those unable to keep working or who lost their jobs.
Because the government distributed unemployment benefits on prepaid debit cards without chip protection, these cards became a target for scammers looking to make a quick buck.
According to a report from Aite Group, the cost of synthetic identity fraud is predicted to reach $2.42 billion in 2023, so organizations must be ready to implement a layered approach to secure their digital channels and continue mitigating risk.
How to Hire Great Fraud & AML Professionals
One of the categories we explored in great detail with all of our customers in webinars this year was the topic of hiring and building out the perfect team.
Hiring creative, strategic problem-solvers for risk and compliance roles is imperative.
As noted earlier, the world of Fraud and AML is continuously evolving. As new opportunities for criminal exploitation arise, risk and compliance teams must be vigilant and intelligent about identifying ways to shut them down and block them out.
In our webinar with Chime, we covered why today’s organizations should empower the people closest to the data by taking a bottom-up approach. It used to be that higher-ups would dictate what to look out for, and the operations teams would flag and review based on what they were told. But without being empowered to try and understand where the potential attacks are coming from, the process isn’t as adaptive or effective.
This means that the people hired into these roles cannot be paper-pushers who are measured on the number of alerts they clear out every day as their main KPI. Instead, creativity and strategic thinking are paramount to the continuous testing and optimization of rules. Today’s fraudsters are smart; the risk and compliance operations team must be smarter.
As Rob DeCampos from Intuit explains, “Part of our hiring process is to give someone a problem statement: something that they will come back and present a solution for. And it doesn’t matter what the answer is. It’s more about how they got there. So as long as the candidate can unpack and explain their beliefs, there is no wrong answer. So really, it's an exercise where I want to understand, what is the thought process of the individual to get to the solution that they're trying to drive at the end of the day.”
And as BitPay’s General Counsel and Chief Compliance Officer, Eden Doniger, notes in our webinar, “How Crypto Companies Fight Fraud & Stay Compliant,” the most important thing for them is “hiring people who are creative problem-solvers, because every day, something's going to come in the door that there is no precedent for, and everyone's got to work together quickly to figure out the right risk-based solution.”
Measuring the health of a program requires different metrics than measuring the effectiveness of an individual contributor.
As we know, hiring the right people is critical in compliance and otherwise, but how do you know if things are on the right track?
When it comes to measuring the health of a program, you will be looking at things like the number of deployed rules, the number of alerts generated, false-positive rates, true-positive rates, how often the rules are modified, and fraud loss rates.
Then, you might also be looking at metrics that determine efficiency. These would include time to resolution and overall investigation time. Finally, remaining in compliance with SLAs at all times is the driving goal of the program, so any missteps here would demonstrate an unhealthy program.
This, however, is slightly different from the metrics an individual contributor might be measured against. Rob DeCampos from Intuit notes that it isn’t always the quantitative data that is most important when measuring the success of someone on his team.
He prefaces this by stating that at Intuit, “We're beholden to the regulations. It's critical that we have every pillar and component of the BSA AML program in place, that independent reviews are done in a timely fashion, and provide the scope and clarity that they need to.
“But beyond that, you can meet an SLA. You can submit an audit report. You can do all of these things, and you can be an extremely deplorable person. You can be a complete jerk and still get stuff done. But specifically with myself and at Intuit, the ‘how’ matters. And so, it's also about our brand at the end of the day and how we are interacting with our stakeholders, and how they perceive our working relationship.”
And in the same vein, new concepts are being introduced that can help organizations understand the power of their people. Going back to hiring for creative problem-solving, instead of thinking about how many alerts an individual contributor is clearing out of their to-do list, consider how well they can make decisions based on how a fraudster thinks.
If they can demonstrate that they can think like a fraudster, they're able to know what they need to put in place to catch them.
FRAML is an important part of breaking down the silos between teams fighting a common foe.
Aside from hiring individuals who possess a certain creative problem-solving ability and defining the metrics that determine high performance, the way the team is structured also plays a large part in the success of the program. In traditional financial institutions like banks, Fraud and Compliance have different arms where different people are working simultaneously (but not together) to achieve similar goals.
In this type of system, the left hand isn’t necessarily talking to the right hand, so to speak, and they may be using entirely different technologies. This lack of a holistic process opens the door for inefficiency, which is both costly and dangerous.
However, many Fintechs (like Chime, for instance) have adopted a FRAML approach which means that Fraud and AML teams can work in tandem using the same software and customer data to do their jobs. This allows for the free flow of information between the two groups and gives them an advantage over financial criminals.
How to Maximize Operational Efficiency with Your Tools
So far, we’ve covered the changing landscape of Fraud and AML and how to hire the best team for the job. But no team is complete without a robust set of tools to help them achieve their overarching goals.
Businesses need to measure the effectiveness of their risk and compliance tools consistently.
The purpose of any business technology is to make a job easier or more scalable. But selecting the right tools isn’t always a simple process. Sometimes a business will invest too early in software that they can’t yet get value from; other times, they may outgrow a solution and have to go through the uncomfortable process of testing out something new.
But when it comes to technology, effort must continuously be placed on making sure that the current tech stack aligns with business needs.
In the same way that team members are measured for performance, tools must also be consistently monitored and measured. And sometimes, it’s just as much about the vendor and their level of investment into their customers’ success as it is about the technology itself.
Intuit has a comprehensive system in place when it comes to vetting and selecting new risk and compliance tools and maximizing the operational efficiency of their current tech stack.
When asked to explain how Intuit thinks about this, Rob DeCampos uses his partnership with Unit21 as an example.
He states, “It's all about putting in place a process for continuously assessing value and assuming that Unit21 checks that box. How do we ensure that their team is going to continue to do what they are currently doing to help us? What do we expect for good, continual performance from Unit21 in that regard? And then making sure that there is an open-ended conversation with their team; it’s not a set it and forget it situation, and once you implement the tool, it’s done.
“And you know, and these are the conversations that we continue to have in terms of Unit21’s value. Is it still providing value? It is? Fantastic. So let's continue with Unit21. Let's continue to bring them along in terms of Intuit's growth to scale on money movement products, and how they continue to help facilitate us with their data and what we need to do to become better automated and to leverage AI because that's the mission of Intuit.”
Weigh your options carefully when deciding whether to “build it vs. buy it” to avoid making costly mistakes.
The question of whether to “build it or buy it” with regard to software came up in a number of our customer conversations.
Rob DeCampos of Intuit took us through his thought process, and for him and his team, it all comes down to the business’s priorities.
He questioned, “Does it make sense for the business to spend the time/money and the initiative not only to build, but to continue to maintain, or are we better served by going to market? And this was exactly how we began talking about Unit21. Part of the conversations and the request for proposal process that we initiated with your company was on that basis where we had that exact conversation with our business.”
To break this down into simpler terms, the main reason that companies build internally is that they have highly customized needs (unique data variables, specific rules, specific workflows) that off-the-shelf vendor products can’t easily accommodate.
However, there is an opportunity cost to building in-house. Expensive engineering resources go into building internal risk and compliance tooling rather than core product development. As the salary of an engineer combined with benefits and equity continues to skyrocket, this is an expensive investment.
And then there’s even the question of, “should we automate it?”
In our webinar called “How Sponsor Banks Ignite the Fintech Revolution,” Brian Fellows, Director of Risk Management and Compliance Officer at NBKC Bank, mentioned that he sees automation around product simplification as an opportunity worth exploring.
Rodrigo Suarez, Head of Innovation at Piermont Bank, had similar feelings but went on to say that, “Other things will always require human judgment and a person looking at something, providing input and making sure that things are done the right way.” And this speaks directly to what we discussed earlier about hiring people who know how to get creative so that nothing slips through the cracks.
Ultimately, there are pros and cons associated with any of these decisions, but there are several reasons why our customers have chosen to implement and grow with Unit21.
Crypto.com’s Chief Compliance Officer, Antonio Alvarez, speaks to the benefits of using a solution like Unit21 in our crypto-focused webinar: “Partnering with Unit21 who can start developing tools, who understands my business and my challenges, and who has a tool that is flexible enough to start introducing those components into the program is wonderful.”
At the end of the day, that’s the reason Unit21 exists.
We want to marry the customizability of in-house engineering tools with off-the-shelf software. After the initial integration, our goal is that you don’t need to pull in engineering resources to modify your statistical models or workflows, and you can redirect the focus toward reducing fraud losses, avoiding non-compliance fines, and keeping customers safe.