3 Top Priorities for Risk & Compliance
I'm really grateful for you guys to join us today to listen to some of the thoughts, opinions, and conversations we're gonna have with some of our panelists from Unit21, Treasury Prime, as well as Bangor Savings Bank, and "Fintech Business Weekly."
So real quick before we jump into it, I wanted to cover a few things. My name is Aditya Vempaty, and I am the Head of Marketing at Unit21. And for those of you who know us, you probably know we're the risk and compliance infrastructure, and we help a lot of people in this space fight fraud as well as stay compliant. And for those who don't know us, you'll get to know us better today. With that, I want to kick off a few things pertaining to the topic at hand today, which is around combating fraud.
In about last year, late August 2022, we conducted a survey across 231 fraud and AML and compliance and risk professionals. And we did this survey because we wanted to understand what are the key challenges, problems, and priorities that our potential prospects, as well as customers, have.
And we wanted to make sure we were a resource for people to understand what they need to prioritize and what they need to tackle. In doing that, we found a few key things were top priorities in the next 12 months for compliance and fraud and risk folks.
The biggest one was 78% said meeting compliance requirements and the ability to rapidly alter rules was a big priority. The next one was reducing the impact of fraud on revenue as well as reducing false positives. And then the last one was onboarding users more securely.
And a lot of these, if you look at the themes, it's a lot of enabling compliance, fraud, and risk professionals, to have control back to be able to make changes rapidly. A lot of the situations that we found through the survey were most people are relying on engineering, and most of the time, they get less than 15 hours of engineering resources a week to make changes as they need.
And with that, it comes to the key challenges that these compliance, fraud, and risk professionals are tackling. And the first one was identifying new fraud schemes. This is the biggest thing. They may be able to find it, but they're not able to tackle it right away because they're often waiting for an engineering backlog or they can't change the rules themselves or the vendor has to make the change versus them.
The next one is getting the actual engineering resources to make the changes to the systems. Again, going back to fraud doesn't wait for your quarterly roadmap. It comes when it comes. You gotta be able to tackle it when you can and right away. And the next one is decreasing false positives, and this goes back to updating your rules, being able to know what rules to deprecate versus which ones to prioritize as well as make aware for the entire organization.
And the last one is modifying the current tech to catch new fraud schemes as they're hit by it. And as you can see, the theme goes back to the priorities are being able to make changes, being able to address things rapidly. And the pain points that are evolving are not being able to address things rapidly, not being able to make changes.
So with that, I wanna kick it off here and give some introductions.
Hello, everyone, for those who don't know me, my name is Jason Mikula. I spent about 12, 13 years in the consumer credit space. Currently, I research and write a weekly newsletter, "Fintech Business Weekly," as well as advising and consulting with early-stage startups.
Hello, everyone, Diane Porter. I'm from Bangor Savings Bank. I am a senior vice president there, I am the director of financial crimes, and I am a 25-year veteran banker.
Hi, everyone, I'm Jeff Nowicki. I'm with Treasury Prime. We are a banking-as-a-service operating system for banks to expose out a new business line or a new opportunity into the embedded finance or banking-as-a-service space. I am a former banker, so I come from the banking space. I spent many years with Radius Bank before the LendingClub acquisition, and then a few other community banks. So know this problem, know this problem very well.
Hi, everyone, Alex Faivusovich, Head of Fraud Risk for Unit21. Been in the fraud prevention space for about 15 years, fraud operations, fraud analytics, managing teams, and creating fraud strategies. And today, I lead the fraud strategy with Unit21.
So one of the key things that I also want to touch base on, we were recently looking at fraud and understanding why it's become such a key, key issue to a lot of companies, right?
I talked about the survey, but the biggest thing is, in 2019, consumers reported about $1.8 billion of fraud had taken place to them. At the end of 2022, that number has gone up to $8.8 billion, so you're talking about almost a 7 to 8X increase in four years.
So fraud is a big issue across consumers and businesses, and that's one of the big reasons we're here today. And the first question I have to the panel is, how have you seen fraud evolve in the last two to three years? And definitely, as I point out, it's growing.
I'm sure our audiences wanna know what are some of the common types of fraud you're seeing and how much impact have you seen on your business or customers? Alex, you wanna kick it off here?
Yeah, sure. Thank you, Aditya.
I think the main point is fraud became mainstream. 15 years ago, being a fraud analyst was the coolest job in the world. Now being a fraudster is the coolest job in the world. So what a time to be alive. But I think what we've seen in the past three years is really people are realizing that entry to the fraud market is so easy.
You can watch three hours of YouTube videos and you can pretty much get started of taking your first steps as being a fraudster. But also, we see that the hackers, the veterans who've been in that space for many, many years, they understand that they have new customers. So they migrating from offering their stolen information from, you know, the dark web, migrating back to the deep web. So now you have all those marketplaces.
Now you have platforms like Telegram, who pretty much offer fraud as a service. So fraud is here, fraud is mainstream, everybody's doing fraud. And I think the biggest point is that the fraud is not very sophisticated because those fraud service that come by the masses, they're taking their first steps, but the volumes of fraud are insane. Some institutions report 3x, 5x, 10x fraud than what they've seen before the pandemic.
So I think this is the biggest point for me.
We need to realize that fraudsters, criminals, you know, operate in many cases like a business, and they respond to incentives and they respond to opportunities. I mean, it's not gonna be, you know, any big news that fraud expanded dramatically over the course of the pandemic because record amounts of money was being shoveled out of the government towards small businesses, towards consumers.
And that was a very, very rich, and more importantly, easy target, you know, in the case of PPP, for example, the trade off between speed and friction. And the imperative was, you know, get these funds to consumers quickly, whether it was PPP or expanded unemployment. But, you know, the trade off of that, of speed, particularly when it comes to the government, is, you know, not always doing it with efficiency or the necessary care, right?
So I think that really supercharged the kinds of problems we're seeing. And even with the drawdown of some of those programs, I don't think that that problem is going to go away absent, you know, the different players in the ecosystem putting in place the adequate controls to mitigate those risks.
There's new fraud coming every day. New themes, but a lot of it is old and recycled. So the biggest suggestion I have for folks out here in the Fintech space, take advice from your friendly banker. A lot of them have seen it, a lot of them have put use cases in place before within the banks.
So now these fraudsters are seeing new opportunities to enter into the market. They're taking the same playbook and coming after you in those cases. So listen to your bankers, listen to what they have to say. And that's my biggest advice.
I think to Jason's point, when we talk about government fraud, I believe the last number I saw was $140 billion that was misappropriated. So these are big numbers. From a banker's perspective, I've seen fraud change in the last three years in terms of card fraud. With EMV being deployed, it went to card not present. That's about 92% of the fraud losses that my bank is seeing.
Check fraud is tried and true, that they go back to check fraud every time. Now they are stealing mail out of those UPS boxes. UPS is telling you not to use their secure boxes because they're stealing the mail, they're stealing checks, and then they're creating them.
So that is also something we're seeing. And then also synthetic ID, so a mixture of true identity theft along with some false information, creating sort of a new ID to create accounts, I think are probably the top three that we're seeing right now.
Okay, so clearly fraud's evolving, but it's also tried and true and what's old is new. It sounds like everything is coming full circle. So I have a question for you, Diane.
How are you trying to get a holistic view of fraud and its impact on your business and customers? What are the tools you're using or processes or technologies or just alignment?
So one of the biggest assets I think I have at hand is I have a lot of peer networks. I rely on those in the business to work with me. When it comes to fraud, we're all on the same team. We don't want the fraudsters to get the money, so we work together.
Maine Bankers has a security team, so we meet monthly to talk about fraud trends. Maybe my bank isn't seeing it, but another bank is. So they will let me know what they're deploying, what they're seeing so that I can be proactive.
I'm also a certified fraud examiner, so I partake in all of those conferences and I'm networking in that space. So maybe Maine isn't seeing it yet, but there could be other places that are seeing fraud. So I'm really leveraging all of my networks along with leveraging the expertise of the vendor partners that I work with and leveraging the tools that I have at my disposal, so my transaction monitoring system.
In the banking-as-a-service space, the customers split a little bit. The Fintech is owning the user experience, the front end, the talking to the client, and stuff like that. But at the end of the day, the bank is behind the scenes tracking a lot of the transactions.
They're seeing a lot of the fraud opportunity. So it's about working together, and a tool like Unit21 and the product that they have out there with the parent-child relationship and giving the bank and the Fintech really that opportunity to investigate and look at fraud cases and transaction monitoring together as a team is the best tool available on the market, in our opinion right now. And it helps folks really beat, the client beat the fraudster from trying to take over the accounts.
Yeah, and I think from a Fintech perspective, as I was leading a fraud program at a neobank during the pandemic, definitely going to your partner bank and really having an honest conversation with them about what are the KPIs that the Fintech is expected to meet, what the bank expects you to monitor in terms of transaction monitoring, and then go to your vendors and really your fraud stack and see what your vendors can offer to you in order to meet those KPIs.
Clearly there's a lot of coordination that needs to happen, at the same time, education to be aware. And not just yourself, but from your peers as well as the entire company needs to be on the same page is what I'm hearing a lot. And tools help you do that, but you also have to have that mindset to go about it.
So the next question I wanna ask is, in your opinion, can you prevent fraud if you've never experienced it? I'm gonna give it to Jason here to start off here.
The short answer to that is yes. The longer answer is, you know, even if you are an early-stage, newly launched Fintech, which is kind of the audience that I tend to spend a decent amount of time with, when you go to market, we were chatting before we all came out here, you don't want to be that fresh meat and be the target in the eyes of potential fraudsters.
And as I said before, it's like an incentive opportunity. When you have a newly launched company, you know, in the Fintech space, in the financial services space, you will immediately be probed for weaknesses in your fraud risk, in your KYC, AML, credit risk underwriting, et cetera, so you are a target.
You need to be ready from day one to monitor, detect, and mitigate those risks. Is it gonna be perfect? No.
No, of course it won't be. I remember when I started, and this is more on the credit risk side, but when I started at LendUp, I think our repayment rate was 50%, which is not very good if you wanna be a profitable business. So it's not that there isn't gonna be a learning curve of refining those models, but if you just sort of turn the lights on and say, "We're open for business," without, you know, any sort of reasonable approach in place, you're going to lose your shirt.
That's where vendors, and to your point, networks come into building those fraud defenses as well as the other sort of areas I mentioned, risk controls in from day one, from day zero, really.
What do you think about that, Diane?
I definitely agree. I think it's a matter of leveraging the expertise of the vendor partners, like Unit21, on what they're seeing, what they recommend maybe as your starter rules for fraud. I also think it's leveraging the knowledge and expertise of your sponsor bank. They are seeing this, they're living this, they know this, rely on them, leverage that expertise. And we might not get it perfect, but we're gonna at least set you up for success.
It's a numbers game. So any startup wants to come out, be as efficient as they can with their money. And fraud prevention isn't necessarily a profit center, right? And that's not what folks are thinking, but it can definitely be a company killer.
So startups or founders need to really think hard, do they wanna wait and sit back and wait to invest in fraud monitoring tools until they start losing money and potentially start losing a lot of money and put their company at risk? Or do they want to get ahead of it, start up front, never have that concern, never have that conversation, and spend a little extra money upfront on this and do it safely and soundly?
If you are a risk manager at a early-stage Fintech, you should really have an honest conversation with your product team. You see, product teams, they have the tendency of thinking about the perfect customer taking the perfect path, but they don't realize that the perfect fraudster will also take the perfect path.
And if you help them design the product in a way that it's, on one side, allow growth and allow the very good experience for the customer, but on the other side really keeps bad actors out and really making sure that only the customers who deserve to get certain products or certain features really get those, I think you can really go ahead, and like you said, Aditya, prevent fraud before it happens and before you experience it if you have a smart product with the risk taken into consideration.
So basically, the mindset has to be there, that like, I can prevent it and I'm not gonna be fresh meat, as you guys said.
Well, think about it that way, everybody say, you know, fraud is evolving, but fraud, before it evolves, it shifts. And it'll continue to shift until the opportunity is exhausted. But since new Fintech companies come up every day, it'll just keep shifting. You know, new Fintech offers ACH, they offer check deposits, they offer all those type of product that fraudsters love. So there is no need for fraud to evolve as long as it can can keep shifting.
That's a great point, 'cause that means, as more companies get funded or more Fintechs open up and they don't think about prevention and they think of it as an afterthought, they're just, instead of shifting your fraud, or sorry, evolving your fraud, you just shift to the next vulnerability and the next company.
So that's leads us to our next question, 'cause it's a valid point, how can organizations be prepared to tackle fraud? What type of team have you guys built versus where, one, it does well, or where the team hasn't done so well? Like what are the differentiators here? And maybe kick it off with Jeff.
The teams that have done well are the ones who think about it at the very beginning. They think about their go-to-market strategy, they think about the number of eyes that they're looking to get into the door, and then they have a an equation of, okay, how many of those good eyes, how many bad eyes will come with it?
And then they're gonna build a team around it, put numbers around it. And the best teams that they built are folks who have seen it before in another space. I said at the beginning of this talk, listen to your friendly banker, go hire one too. Folks that have been in the banking space have seen this before. So as you're starting a Fintech company, honestly think about someone who has done it in the banking space before. So that's one of my biggest pieces of advice.
I will echo Jeff and I'll say that a very good collaboration between the growth team and the risk team, really understand who are your organic customers, who do you expect organically to onboard to your Fintech?
Understand the different acquisition channels that you will be operating in, and help the growth manager understand that, when you talk about lifetime value, you need to take risk into consideration. And really, don't look at how long the customer had been with me, how much money they put in, how much money is spent, but also realize that that customer might be a fraudster, might be a money mule, might be a bad actor, and help the growth team take risk into consideration when they go to market.
I would certainly echo that point, as well as the one you made about collaborating with and clear lines of communication with product management teams, right? So I mean if you sort of think about that as a life cycle or as a funnel, it's like, okay, what are we building? Who are we expecting is going to use it?
Where are we going to acquire those users? And then once we've acquired them, are they performing in the way that we thought they would and are they profitable?
And I think, particularly in smaller startups, it can be easier to have that kind of close collaboration and data sharing almost organically, right? If you're 10 people or 15 people, you know, everyone kind of is gonna know what's going on.
As companies get bigger and the people become siloed into departments and potentially the data becomes siloed, it can become less clear, particularly if KPIs or OKRs, and especially if there are bonuses attached to those, they're like, "Oh, well, you know, my goal this quarter is to drive so many users at this CPA, and that's the only thing I'm paying attention to."
And if you're not actually looking at what is happening to this cohort I've acquired with this awesome $50 signup bonus, what is the quality of these users, how many are real, how many are signing up for the bonus, and then, you know, churning, and how many are just straight up fraud, like you're creating a really poor incentive structure.
So likewise at the bank I work with, all of our business line leaders, we do risk assessments. Where are our gaps, where can fraud potentially be exploited, and making sure that we have controls in place.
Also on my team, I oversee the AML division, the account fraud division as well as the card division. So we have prepaid debit and credit cards. So it is one team under my leadership. So there's a lot of collaboration, there's a lot of communication.
We may not have caught the fraud initially, but money laundering is money from an illicit source being moved through the financial system. So we may not have caught the fraud, but we can catch on the money laundering side, and those teams are communicating and making sure that they're talking and that we're catching things as early as possible.
So you get prevention because you have everything under one.
So you see one side and it pops over to the other side is what you're saying, over time.
I just wanna touch on what Jason was saying too, where I think that's so important where it's not just a fraud team, it's the entire company, so having the entire company bought in to really understanding the risks of fraud and really how it could be a company killer, potentially, and everyone bought in and looking at those numbers just like they're looking at weekly sales numbers or whatever top-line KPIs that the company is holding valuable, fraud should be up there too.
So, we've heard a lot about fraud, how you can stop it, prevent it, how you need to build teams for it. And so one question that, as we were preparing for the panel, I wanted actually to get real examples of fraud. And one of the examples that the panelists shared, I'm gonna give it, transfer to them, and it was really interesting, so with that, Diane, do you wanna share one of the examples I recently experienced?
That's a nice segue in from what I was just talking about. So Jason had talked earlier about the unemployment fraud that we saw. The government may have really pushed to get money in the hands of our consumers and our neighbors at a very interesting time.
What we found was we were actually one of the first banks to report to the state of Washington that their unemployment insurance had an issue. We found that because the money was coming into one of our customer's accounts. This gentleman lived in Maine and he was receiving unemployment insurance into his account in the names of other individuals, and he was immediately trying to wire the funds out.
So that is their classic money laundering. There was a fraud conducted. He thought he was getting money from his mother's brother's uncle, from someone he met online. And in turns, it was actually fraud. We called the state of Washington.
They had no idea that they were being exploited. It was already in the millions by the time they dug into it from our tip. We immediately got on the phone with Secret Service, we worked with FBI, and then the number I shared earlier, it ended up being $140 billion lost between PPP and the unemployment insurance. And it started with knowing our customers, having a reasonable expectation of their activity, what made sense for them.
And it simply didn't make sense that this gentleman was getting money from the state of Washington when he was a Maine resident.
That makes me laugh 'cause I'm not sure how else to respond. 'Cause that's just like mind-boggling. I live in Maine, but I'm getting unemployment from Washington. So I mean, it comes back to all the things we said, knowing your customer, being aligned so you can find these trends, find these issues.
I was at a time at a neobank seeing pretty much the same thing. You know, the state of Florida is always at the top. We've seen pretty much the same thing. But I think, in general, what I realized during the pandemic is that, before the pandemic, I was always looking for those compromised identities.
I was looking for synthetic identities. Now I realize that a legitimate KYC application where everything looks great, everything is correlate, it really, the person who they say they are, they will end up as a money mule or first-party fraud, and they will do the unemployment fraud.
I would also point out that this stuff isn't always, it doesn't always need to be high-tech, right? Multiple lenders I worked for, you know, we had an income verification flow where, you know, we would try to ping TWN to verify their income.
If that failed, we would do some other things, and one of those would be the option of uploading a pay stub or a W2, a very classic, old-school way of doing VOI. And it was like, you know, one of the first things you find on Google if you type in like pay stub is fake pay stub generators.
You know, and this was the case with some of the companies I worked for where, you know, you have a potentially young or not super experienced CSR who's reviewing some of this documentation in the loan application, you know, they may not know the right signs to look for unless they're trained to look for that.
And that's a very, you know, unsophisticated kind of fraud, But it still happens.