The last line of defence

From online fraud to data theft, the range and incidence of fraud are growing: UK-based identity theft alone has soared some 20% during the past year, according to Cifas, the UK's fraud-prevention service. Exacerbated by a range of long-term socio-economic and commercial developments, including globalisation and increasing workforce mobility, an exponential growth in data volumes and a surge in the range of delivery channels and data storage mechanisms, the battle against fraud is more complex and challenging than ever before.

According to estimates by the UK's National Fraud Authority (NFA), the growing trade in fraud costs the UK economy some £30bn ($43bn) annually. Although the financial services industry accounts for just £3.8bn of this total, it bears the greatest burden among the private sector: indeed, as lenders, insurers, and custodians of customer funds, the financial services industry represents the last line of defence in the wider battle against fraud - much of which is now industrialised, perpetrated by highly organised and extremely well-equipped criminal gangs. What's more, the onset of the recession in several Western markets is unlikely to help matters, argue market-watchers, as individuals and organisations under severe financial pressure resort to both major and minor fraud in order to shore up their finances.

For banks and insurers, a critical question relates to detection: how can the industry be sure it is adequately detecting fraud where it occurs, and what counts as fraud in any event? Who is ultimately responsible for preventing fraud, and should other agencies, in particular the public sector, play a more active role in fraud prevention?

At a lunchtime round table, hosted by FT Business Events in conjunction with The Banker magazine, and sponsored by business analytics software provider SAS, a range of senior information security and fraud prevention specialists discussed these and other pressing issues. Michelle Price, business editor of The Banker, chaired the debate.

A nuanced picture

Recessions have historically prompted a surge in the rate of fraud, with inflated insurance and expenses claims, falsifying of accounts, cheque fraud and invoice fraud, among others, tending to rise during recessionary periods. UK fraud prosecutions peaked in 1995, for example, reaching £1.2bn following the recession in the early 1990s. Based on such historical data, professional services firm KPMG last year forecast another major surge during the present recession.

But this forecast does not appear to be ringing true, said participants, who went on to outline a far more nuanced picture. According to the general consensus, the industry has not yet seen a direct correlation between fraud patterns and the trajectory of the recession. This is partly borne out in the latest industry figures from industry body Financial Fraud Action (FFA), added Katy Worobec, head of fraud control at UK Payments Administration (formerly Apacs), which show card and cheque fraud to have declined by an impressive 26% and 23%, respectively, for the first half of 2009, compared with the same period in 2008.

This welcome drop in some very well-established fraud practices reflects a significant improvement in fraud controls during recent years, argued some participants. "I think one of the keys is that as an industry we have probably all got better at detecting fraud because we have all invested over the past few years in a lot of technology and an awful lot of people," said one participant. As the issue of fraud is increasingly escalated up to board level, financial services firms are investing more and more in fraud prevention controls, added another head of fraud control at a major European bank.

The bad news, participants agreed, is that fraud mutates, favouring the course of least resistance. This trend was also illustrated by the FFA figures, which showed that the incidence of online banking fraud - a relatively newer type of fraud whereby a hacker intercepts an online banking session in order to divert customer funds elsewhere - soared by some 55% during the first half of 2006. This surge reflects the increasing sophistication of industrialised internet-led fraud, rather than any recession-related pressure, argued Ms Worobec. "A lot of the fraud is perpetrated by organised criminality. As far as they are concerned it is business as usual despite the recession. The bulk of the fraud that we are seeing is coming from there rather than the opportunistic person fallen on bad times who is turning to crime."

In some areas, the incidence of fraud is also increasing due to changes in definition and classification. "If we look at the scale of credit losses in commercial and retail banking, how successful do we think we are as an industry in actually acknowledging what is fraud? It comes down to your definition of fraud," said one banker. Banks are working hard, for example, to identify and reclassify losses that have traditionally been recorded as loan impairments or credit losses, where it transpires that the information on which the loan or credit card was originally issued was in some way falsified or misleading: this might be the case, for example, if it transpired that a customer that has defaulted on a loan inflated their creditworthiness upon application.

Reclassification of loan losses is one example where the financial strain brought about by the recession may not necessarily be leading to fraud but is helping to reveal historical fraudulent applications and transactions.

Recessions, however, have long tails, as one participant observed, and KPMG warns that a large proportion of frauds that occur during recessions take years to emerge. As such, the worst may be yet to come.

Learning to share

Improved detection, investment in controls and a closer examination of the nature of what might otherwise have been perceived as impairments or credit losses have undoubtedly improved the industry's capacity to address fraud. But the forces in favour of fraud are accelerating at high speed. In particular, the number of non-bank organisations dealing with sensitive customer data and financial information is growing. As a result, the financial services industry is often forced to account for fraud losses that were in fact made possible by other parties who have been careless with customer information.

"The supply chain is becoming elongated, so you have lots of third parties coming in and handling data, for example, sometimes without the knowledge of the bank involved," said Ms Worobec. "You start getting into very dodgy ground about whose responsibility it is to secure the data. That sort of complex supply chain is becoming a big issue, particularly for retail banking." This supply chain is also frequently spread over a number of legal jurisdictions, added another participant, making it even harder if not impossible to pursue a claim against that party.

Encompassing a greater range of parties - such as retailers, internet service providers and government agencies - in the fraud prevention process would be a more equitable and constructive division of labour, agreed participants. In particular, comparing notes with government agencies and sharing data between the financial services industries and the public sector, would help identify potential and existing fraudsters, said David Williams, managing director of claims at AXA Insurance. "Data sharing across our industry and industries generally is important, and it is not just about organised crime. I think if somebody is likely to be committing fraud in one area they are probably committing it somewhere else as well."

While some 58% of fraud losses take place in the public sector, according to the UK's NFA, public sector agencies have been slow in collaborating with their more experienced private sector counterparts. Benefit fraud could be more easily identified and prevented if formal mechanisms existed to share information on bank accounts found to be supporting an unusually high number of claims, for example. As Paul Eagles, principal fraud consultant at SAS, pointed out, however, data sharing is not as simple as it sounds. "This means ensuring that the right information is in the right place at the right time. Furthermore, it must be possible to use that data to support business-focused decision-making in appropriate timeframes, whether this be real time or other, longer periods."

Even within the financial services industry, data sharing is not as advanced as it should be, however. Data sharing between banks and insurers, for example, could be dramatically improved, said one participant, since there are strong similarities in the methodologies used to defraud both types of institution. As all participants agreed, however, that the industry is beginning to move on this issue, if at a slow pace.

The issues

- The impact of the recession

- How fraud is classified

- The important role of non-bank third parties

- The benefits of data sharing