Fraud against bank deposit accounts cost the industry $1.9 billion in 2014—the latest data available—which was up from $1.7 billion in 2012, according to the American Bankers Association.
That’s a lot, but it could have been much more. ABA’s survey concludes that bank prevention measures stopped $11 billion in attempted fraudulent transactions in 2014.
The association’s biennial benchmark statistics serve to underscore the continuing onslaught of cybercriminal activity even as ever-improving security technologies and procedures continue to ramp up.
Banks, by law, regulation, and pure self-interest, indisputably lead the way in cyber security, protection, and defense. Still they fell victim to almost $2 billion in losses in 2014, and there’s little doubt the victimization continued in 2015.
All of which points out that banks depend on “all hands”—their stakeholders, particularly commercial and retail customers—to ramp up their own security technologies and procedures.
Cybersecurity’s “second front”
There are some indications bank customers are moving the issue to their front burners.
However, there also are indications that these same customers have a lot more to do.
Back to the ABA announcement. “We saw an increase in fraud losses in 2014 most likely due to the number of large-scale retailer data breaches, which resulted in a significant increase in attempted debit card fraud,” says Doug Johnson, senior vice-president, payments and cybersecurity, ABA.
Debit card fraud accounted for 66% of industry loss, followed by check fraud at 32%. Online banking and electronic transactions, such as wire and ACH fraud, reached only 2%.
Note: Online banking saw a significant drop in losses in 2014, even as attempted online fraud increased. ABA’s Johnson points out that banks “have invested billions of dollars to create very effective online fraud prevention systems.”
So payments-related fraud—debit cards and checks—takes top dishonors. Experian released survey results recently that once again show that consumers love the new payments capabilities; yet while they are concerned about cyberspace vulnerability, they do little to protect themselves.
A few findings:
• 93% feel identity theft is a growing problem.
• 91% believe people should be more concerned about the issue.
• 80% would be even more connected, if possible, than they are today.
• 36% review privacy policies by institutions they do business with.
• 28% review privacy policies of mobile apps before downloading them.
Such findings echo similar surveys of consumers taken in years past. One could surmise that the pure convenience and ubiquity of digital gadgets, and their increasing utility, are just too much for consumers to ignore. Along with this, one could conjecture that, as the technologies get so much more advanced, consumers may assume that the security technologies that accompany them also see accelerated effectiveness.
On the other hand …
Yet that may not be true. ACI Worldwide recently surveyed 200 retail industry professionals on the subject and found decidedly mixed results. Again, some findings:
• Only 8.5% had implemented EMV capabilities since last year’s liability deadline, while 48% are somewhat prepared but with some work to do.
• Payment security was listed as the top feature associated with mobile apps and mobile wallets.
• 70% cited online sales as their top channel, followed by online shopping in-store via a tablet or other device (45%). (They could choose more than one option.)
“The proliferation of retail digital channels demonstrates the trend that clicks upstage bricks, but even consumers shopping at traditional brick-and-mortar stores are increasingly using in-store browsing capabilities,” says Lynn Holland, vice-president, ACI Worldwide. “Regardless of the channel, our survey results demonstrate that payment security is a core area of concern, particularly around tokenization and point-to-point encryption.”
Cyber in the C-suite
Going up the ladder from consumers and retailers to corporate management, several recent studies indicate that cybersecurity concern, at least, has penetrated the top offices. What they’re doing about it remains to be seen.
KPMG LLP polled nearly 400 financial executives—mainly CFOs—about what keeps them up at night, beyond their financial reporting responsibilities. They could have said tax compliance or other regulatory compliance. Instead:
• 31% cited internal controls over financial reporting.
• 26% said they were most worried about data infiltration and IT security.
“Outside influences and potential disruptions pose risks to financial information and a company’s operations,” says Thomas Duffy, KPMG global chief operating officer. “As executives involved in the financial reporting process consider risks, they need to look beyond the numbers to consider how security breaches, supply chain interruptions, and other operational risks could impact the financial statements and other disclosures.”
In like vein, a SANS Institute survey finds that IT and security budgets generally are on the rise and, more important, seem to be aligning with the business needs of their organizations.
“Results show that respondents are positioning security as a business enabler,” SANS said in a summary. “According to the survey, 80% use regulatory requirements to justify their budgets and expenditures, while 78% align spending with business objectives. It reflects the primary business driver for security spending—protection of sensitive data—as well as the operational area that accounts for most current security spending—protection and prevention.”
Sounds good, but there’s always yet more research. Another survey, from Protiviti and the Economic Crime and Justice Studies Department at Utica College, concludes that “companies are not well-positioned to prevent corporate fraud nor conduct investigations, creating a significant potential liability to their executives and shareholder value.”
The study found that 48% of companies responding fail to conduct a formal fraud risk assessment on at least an annual basis.
Taking a step further, these researchers advocate that companies not only increase traditional security measures—which tend to be reactive, once crimes occur—but also invest more in proactive measures that can anticipate vulnerabilities.
“Despite the resource constraints that many organizations face, it’s essential, now more than ever, that they do away with the outdated reactive measures they have in place and embrace a proactive, preventative approach to fraud risk management,” says Scott Moritz, managing director, Protiviti.
In yet another survey, it seems like this notion of proactivity actually is catching on in boardrooms here and abroad.
EY surveyed 665 executives globally, including some in financial services, to gauge interest in investing in what’s called forensic data analytics, or FDA. In a nutshell, this employs various tools to interpret trends in social media, web monitoring, data visualization, and other sources, both structured and unstructured, to identify rogue activities, patterns, and trends.
Results of this survey indicate that three out of five say they plan to spend more on FDA in the next two years in order to respond to growing cybercrime risks and increased regulatory scrutiny. Sixty-three percent of respondents say they want to invest at least half of their FDA budget on proactive monitoring activities.
Lots of potions, where’s cure?
So, lots of people at lots of levels—consumers, retailers, corporates—are at least paying lip service to the idea of increasing cybersecurity measures. Still, it is the banking industry that’s losing billions of dollars to deposit fraud, despite its efforts. So what more can banks do?
Accenture, in a recent report, puts it pretty succinctly. The firm finds that 67% of banking executives say their organizations experience significant cyberattacks weekly, or even daily; 65% expect cyber risk to become more severe. In this environment, Accenture counsels the need for resilience, embodied by these broad elements:
• Embrace a digital ecosystem. C-suite executives are seeing the advantage of robust digital capabilities and technologies outside the enterprise.
• Manage digitally. Multispeed business and multispeed IT require real-time orchestration of myriad internal and external services.
• Institutionalize resilience. Resilience cannot be added after the fact or on a sporadic, discretionary basis. It must be part of the fundamental operating model, ingrained at the outset into objectives, strategies, processes, technology, and even culture.
Frank Sorrentino, chairman and CEO, ConnectOne Bank, guest writing on Forbes.com recently, says it as well as anyone:
“As we look to 2016, cybersecurity threats continue to prevail, particularly with the rise of fintech and the growing push to develop faster methods of payment and innovative ways to transact. While these advancements are undeniably valuable, new technology breeds new security and fraud risks—thus, we should all make sure to carry over this sense of vigilance and responsibility regarding cyber protection into the new year.”
Sources used for this article include: