Research Report
Protecting the Enterprise: Enterprise Fraud Strategy – Vision and Reality
Table of Contents
Introduction
Part I – Planning an Enterprise Fraud Strategy
  Enterprise Fraud Management – The Vision
    Driving for Increased Effectiveness
    Increasing Operational Efficiency
  Enterprise Fraud Management – Today’s Reality
  Challenges to Achieving Enterprise Fraud Management
  The Business Case for Enterprise Fraud Management
    Level and Type of Investment
    Savings from Loss Avoidance
    Savings from Operational Streamlining
    Validating the Business Case
Part II – Executing an Enterprise Fraud Strategy
  Data Integration
  Fraud Detection Methods and Models
    Business Rules
    Anomaly Detection
    Predictive Models
    Social Network Analysis
  Alert Management
  Evaluating Results
  Budgeting and Control
  Implementing an Enterprise Fraud Strategy
Enterprise Fraud Management – The Future
Introduction
Financial institutions of all sizes are discovering that they need to rethink their
approach to managing fraud. The rapid expansion of new products and new
channels for customer access has opened up new opportunities to satisfy customer
needs. However, this expansion has also opened up the opportunity for fraud that
cuts across an institution’s product lines, channels and even geographic regions, as
fraud rings attempt to exploit any vulnerabilities they can find.
One key vulnerability that fraud rings always try to exploit is the difficulty of trying
to match and correlate data from separate product or geographic silos within an
organization. The sophistication and size of fraud rings are rapidly increasing, and
so is their ability to “hide” elements of a coordinated attack in diverse products
or channels.
Domestic gangs and organized crime rings have become big players, able to
mount attacks whose scale and sophistication dwarf those of just a few years ago.
Crime rings in foreign countries pose an even more serious threat, as they launch
widespread coordinated attacks, often with the tacit approval or even the active
cooperation of a sovereign state.
Spotting fraud early and moving aggressively to deal with it requires a solid
organizational infrastructure that can support these efforts. For many institutions, this
means an “enterprise fraud strategy” that coordinates fraud detection and interdiction
efforts across the entire enterprise.
This white paper discusses both the vision of enterprise fraud strategy that
many institutions find so attractive, and the reality they face in implementing an
enterprisewide strategy effectively. It is based on interviews we conducted with
financial institutions ranging from $50 billion to more than $1 trillion in assets, as well
as government agencies. We will also discuss where organizations want to go, how
far they have gotten, and the major challenges they face in making further progress.
Finally, we’ll outline the steps that organizations can take in determining the value of
an enterprisewide move for their own organization.
This white paper consists of two parts. In Part I, we discuss the concept of an
enterprise fraud strategy and the challenges that organizations face in pursuing
a strategy. Part II discusses the implementation specifics related to making the
strategy a reality. We conclude with some remarks on the future of enterprise fraud
management.
What is an enterprise fraud strategy? What are its components? What does it offer?
By and large, the institutions we interviewed shared a remarkably common vision
of the elements that make up an enterprise fraud strategy. In brief, the long-term
goal of an enterprise fraud strategy is to establish a framework for enterprisewide
deployment of fraud resources, including both material and human resources. This
framework should make it possible to:
• Gather and cross-match fraud-relevant data from all product lines, organizational
units and geographic regions of the enterprise.
• Analyze this data to “connect the dots” and spot large-scale fraud attacks early in
their life cycle.
• Prioritize alerts based on the level of risk that they pose to the entire enterprise.
• Develop and support highly skilled and motivated fraud teams who can carry out
these tasks quickly and efficiently.
Institutions differ, to some extent, in their view of the best organizational structure to
utilize. For some institutions, this means grouping all fraud functions into a single,
centralized organization that is responsible for all fraud-fighting activities. For other
institutions, it means leaving most of the fraud-fighting resources in individual units,
with centralization of certain functions (e.g., data integration/data warehouse) and
overall direction by a centralized authority.
There are two key business drivers that are causing organizations to give serious
attention to an enterprisewide strategy. These are:
Nearly all the institutions we interviewed expressed the need to prioritize their fraud
interdiction efforts in terms of the risks posed to the enterprise, rather than the risks
posed to individual products or individual accounts. Implicitly or explicitly, these
firms are making an important distinction between enterprise-level risks and lower-
level risks.
Lower-level risks typically stem from single individuals or small, localized fraud
rings. These fraud attacks can have a serious impact on individual accounts, and
can result in significant fraud losses, sometimes amounting to millions of dollars.
Although it is important for an institution to counter these attacks, their scale is
not sufficient to pose a serious threat to the institution as a whole, or even to a
specific product line. For financial institutions, limited countermeasures such as
blocking specific transactions, closing affected accounts and reissuing compromised
cards are typically sufficient to counter the threat. For government agencies, limited
countermeasures include terminating benefit eligibility, instituting recovery efforts and
levying civil fines.
Fraud attacks that represent enterprise-level risks typically start small and increase
slowly in their early stages, as the attackers test different strategies and points of
attack, searching for the avenues that will afford maximum payoff. This is the stage
at which interdiction efforts are likely to have their maximum impact, if applied
promptly. Effective data integration and tools that can match cross-channel and
cross-product events, such as social network analysis and point-of-compromise
analysis, are particularly important at this stage, where accounts may be tested using
a variety of methods. It is exactly this sort of integrated analysis that an effective
enterprisewide strategy is designed to support.
Many institutions are aware that the scale and scope of enterprise-level fraud
threats are likely to increase over time, as fraud rings continue to grow in resources
and sophistication.
Institutions that are growing rapidly have a special interest in managing their
enterprise-level risks. As firms increase in size, they become a progressively more
attractive target for larger-scale, coordinated attacks as the fraudsters seek their own
“economies of scale.” Some growing firms have already experienced this escalation
in fraud attacks, and are eager to find ways to identify the new and larger threats.
Operational efficiency is also a compelling business driver for many firms. Fraud
management efforts have always faced limited budgets, and in the current economic
environment, those budgets are coming under even more intense scrutiny. A truly
coordinated, enterprisewide strategy offers many potential savings as both technical
and human resources are pooled and applied for maximum impact.
Firms that have experienced recent growth through acquisition of one or more other
institutions find these opportunities especially attractive as they seek to eliminate
duplication while they integrate existing operations.
Nearly all the firms we spoke with are taking some steps toward an enterprise fraud
strategy. In most cases, the initial step is the establishment of informal cooperation
among individual lines of business. The immediate goal of this informal cooperation is
to share information on current and emerging fraud threats, as well as best practices
for addressing these threats.
The longer term goal of these cooperative networks is to begin the all-important
process of breaking down the silos represented by differences among lines of
business or regions of the globe. As we shall see, these differences represent the
primary challenge that must be addressed in moving toward more formal cross-
enterprise cooperation.
For most firms, the ultimate goal of an enterprise fraud strategy is to manage
the detection and handling of all fraud alerts at the enterprise level, where anti-
fraud efforts can be prioritized and scheduled according to the needs of the
entire enterprise.
Some institutions have already begun moving in this direction. Among financial
institutions, fraud detection for online banking (especially international online
banking) is one of the most frequently mentioned candidates for enterprisewide
alert management. Other applications that have attracted interest for enterprisewide
integration include:
• ACH transfers.
• Check fraud.
• Employee fraud.
In the government arena, areas that have attracted attention for agencywide and
cross-agency coordination include:
• Taxes and revenue (e.g., individual and business income tax, real estate tax).
• Differences across regions. Different regions of the globe, and even different
regions of the US, experience different fraud profiles, requiring different tools and
levels of investment.
• Differences in regulatory culture. Agencies and programs can also differ with
respect to their overall approach to regulation, including the point at which to
intervene, the appropriate level of intervention, and the aggressiveness with which
investigations are pursued.
The challenge posed by these differences can be multiplied when one or more local
units exhibit a “silo” or “turf” mentality, which can result in inadequate sharing of
information or resources.
One organization we spoke with described an innovative method for helping to break
down the silos associated with these differences. One unit’s system was tested with
the other unit’s data, and vice versa, to yield apples-to-apples comparisons of the
capabilities of each.
• Adopting a common standard for measuring and valuing losses avoided that
extends beyond just losses recovered (see “Evaluating Results” below).
• Setting metrics and goals for each line of business that align with enterprise
objectives (see “Budgeting and Control” below).
The planned level of investment in any enterprisewide program should ensure that
these capabilities can be realized and supported in ongoing operations. It would be a
mistake to sacrifice any of these common capabilities in the name of cost efficiency.
Every institution expects to include some estimate of the savings from loss
avoidance in their business case. However, they vary widely in the practical details of
making these estimates. Best practices that we have identified in estimating potential
fraud losses include the following:
• Use most likely fraud savings scenarios. When basing estimated fraud loss
savings on current experience, it is important to select cases that most closely
resemble the results that will be achieved when the enterprise fraud strategy
becomes operational. Estimating savings based on approaches that will soon
become obsolete will tend to understate the true savings to be achieved. The
best approach is to base savings estimates on a “proof of concept” or “proof of
value” that uses the new technology in representative situations. See “Validating
the Business Case” below.
In short, developing an accurate business case requires making sure that the
estimates of fraud loss savings are not excessively conservative. It is, of course,
important to avoid excessive optimism as well. Estimates should be based on solid
historical experience, projected for the changes that will take place in the time frame
allocated for implementation of the strategy.
• Platform replacement. Establishing a single platform and tool set across the
enterprise will inevitably make it possible to replace older legacy tools. When
third-party tools are replaced, the licensing and maintenance fees associated with
those tools represent potential savings. These savings magnify when a platform
can be eliminated in several lines of business. When in-house applications are
replaced, the expenses associated with maintaining those applications represent
a savings.
The key to operational savings lies in removing areas of duplication and redundancy,
whether the redundancy occurs in data integration, systems and platforms, or
staffers performing the same function in different organizational units. Each of these
areas represents a potential savings, and each should be considered when building
the business case.
As we’ve mentioned already, a business case should be based on hard data from
actual experience, but the experience chosen should be representative of the wider
results to be expected once an enterprise fraud infrastructure is in place. The best
way to ensure the accuracy of an estimate is to base it on a proof of concept effort
that puts real, up-to-date enterprise fraud technology to work in a small- to medium-
scale application that will reliably extrapolate into enterprise-level expectations. The
proof of concept can be in many forms, including actual implementation for a line of
business, a historical analytic look back, or an architectural feasibility analysis.
Developing a solid business case is an important first step in the move to true
enterprise fraud management. Whether the business case is based on a proof of
concept, or on peer experience and evaluation, it helps to set both short- and long-
term expectations for the emerging enterprise strategy, as well as frame the criteria
for more detailed implementation decisions downstream. The business case approval
process itself should also be an effective tool for aligning resources and preparing to
move forward with the strategy.
Data Integration
An effective enterprise fraud data warehouse needs to capture and integrate data
from a wide variety of sources. These include:
• Transactional data. Data on product line transactions form the heart of any fraud
detection effort. Ultimately, all product lines need to be included.
• Organizational data. Job-related data such as title, location and supervisor are
also important components of any attempt to detect employee collusion.
• Plant, branch and location data. Location data on branches and ATMs can be
important for point-of-compromise analysis, as well as mapping the geographic
extent of potential fraud threats.
This data needs to be integrated for very fast retrieval and cross-matching.
Aggregates related to accounts, account holders, employees and geographic regions
need to be pre-computed if they are to be useful for real-time risk scoring.
In building their fraud detection methods and models, firms are using all of the
following approaches:
• Business rules. Individual rules that score or define alerts based on intuition and
general experience.
• Anomaly detection. Alerts are defined based on events that represent statistical
deviations from normal or expected behavior.
• Social network analysis. Alerts are based on the level of association (through
shared or similar attributes) between the current event and individuals or accounts
that are known or suspected of fraudulent behavior.
The choice of which methods to use often depends on the particulars of the
application and the institution. In general, there is a trend away from the use of
business rules as the lone method for defining alerts.
Business Rules
Business rules are individual rules that are based on the experience or judgment of
skilled analysts. They can be used to specify an action, or compute a score based
on points for each rule that applies. Business rules have the advantage that they
are easily developed and deployed, especially in an emergency situation to counter
imminent attacks.
Smaller firms tend to show a greater reliance on business rules. Even in larger
firms, business rules are still the preferred method to use for simple applications,
or for new applications where sufficient data is not yet available to support more
rigorous methods.
Anomaly Detection
Anomaly detection rules are attractive to some firms because they are often easier
to maintain than arbitrary business rules, but they don’t require the development
expense associated with full-scale predictive models. The motivation for each
anomaly detection rule is often quite clear. Since anomaly rules are always defined
relative to statistics captured over a recent window of activity (e.g., the last three
months), they automatically keep up with changing conditions in a way that business
rules do not.
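The contrast drawn above, as an added example that is not part of the original white paper: a fixed-limit business rule and a rule defined relative to a 90-day window are run over the same constructed account history. The limit, z-score cut-off, sigma floor and all names are assumptions made for illustration.

```python
from collections import deque
from statistics import mean, pstdev

STATIC_LIMIT = 1000.00   # assumed fixed threshold chosen by an analyst
WINDOW_DAYS = 90         # "the last three months" from the text
Z_THRESHOLD = 3.0        # assumed alert cut-off, in standard deviations
MIN_HISTORY = 10         # assumed minimum observations before scoring


def business_rule(amount):
    """Static business rule: alert on any amount above a fixed limit."""
    return amount > STATIC_LIMIT


class WindowedAnomalyRule:
    """Alert when an amount deviates from the account's recent behavior."""

    def __init__(self, window_days=WINDOW_DAYS, z_threshold=Z_THRESHOLD):
        self.window_days = window_days
        self.z_threshold = z_threshold
        self.history = deque()  # (day, amount) pairs inside the window

    def is_anomalous(self, day, amount):
        # Expire observations that have aged out of the window.
        while self.history and self.history[0][0] <= day - self.window_days:
            self.history.popleft()
        amounts = [a for _, a in self.history]
        alert = False
        if len(amounts) >= MIN_HISTORY:
            mu = mean(amounts)
            # Floor sigma at 5% of the mean so a flat history cannot
            # turn a trivial change into a huge z-score.
            sigma = max(pstdev(amounts), 0.05 * mu, 0.01)
            alert = (amount - mu) / sigma > self.z_threshold
        # Alerted amounts stay out of the baseline so a fraud burst
        # cannot teach the rule that fraud is normal.
        if not alert:
            self.history.append((day, amount))
        return alert


def constructed_history():
    """Constructed data: one account, a payment every 3 days, growing 1% each."""
    txns = [(i * 3, round(400 * 1.01 ** i, 2), "normal") for i in range(120)]
    txns.append((61, 950.00, "fraud"))    # large for this account, under the limit
    txns.append((358, 9000.00, "fraud"))  # large by any measure
    return sorted(txns)


def compare(txns):
    """Run both rules over the same stream and collect what each flags."""
    rule = WindowedAnomalyRule()
    flagged = {"static": [], "windowed": []}
    for day, amount, label in txns:
        if business_rule(amount):
            flagged["static"].append((day, amount, label))
        if rule.is_anomalous(day, amount):
            flagged["windowed"].append((day, amount, label))
    return flagged


if __name__ == "__main__":
    for name, hits in compare(constructed_history()).items():
        false_pos = sum(1 for h in hits if h[2] == "normal")
        caught = [h[1] for h in hits if h[2] == "fraud"]
        print(f"{name:9s} alerts={len(hits):3d} "
              f"false_positives={false_pos:3d} fraud_caught={caught}")
```

On this data the fixed limit misses the early 950.00 transfer and then alerts on every legitimate payment once the account's normal spend grows past the limit, while the windowed rule follows the drift and flags only the two outliers.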
Predictive Models
Social Network Analysis
Social network analysis estimates the degree to which a single individual, account or
transaction is related to other individuals, accounts or transactions that may indicate
a large, coordinated fraud effort.
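One way to compute the level of association described above, shown as an added example that is not from the original white paper: accounts from different product lines are linked when they share an attribute value, and each account is scored by its hop distance from a known-fraud account. The account records, attribute names, fan-out cap and scoring formula are all constructed or assumed.

```python
from collections import defaultdict, deque

# Constructed records from several product lines (card, online, ACH, ...).
ACCOUNTS = {
    "card-1001":   {"phone": "555-0101", "device": "kiosk-01", "address": "12 Elm St"},
    "online-2002": {"phone": "555-0101", "device": "dev-B",    "address": "9 Oak Ave"},
    "ach-3003":    {"phone": "555-0303", "device": "dev-B",    "address": "77 Pine Rd"},
    "check-4004":  {"phone": "555-0404", "device": "kiosk-01", "address": "1 Main St"},
    "loan-5005":   {"phone": "555-0505", "device": "kiosk-01", "address": "3 Hill Ct"},
    "loan-6006":   {"phone": "555-0606", "device": "kiosk-01", "address": "8 Bay Dr"},
}
KNOWN_FRAUD = {"card-1001"}   # constructed seed: confirmed fraudulent account
MAX_FANOUT = 3                # assumed cap: ignore values shared by more accounts


def attribute_index(accounts):
    """Map each (kind, value) pair to the set of accounts that carry it."""
    index = defaultdict(set)
    for account, attrs in accounts.items():
        for kind, value in attrs.items():
            index[(kind, value)].add(account)
    return index


def association_hops(accounts, seeds, max_fanout=MAX_FANOUT):
    """Breadth-first search outward from the seeds over shared attributes.

    Returns {account: (hops, linking_attribute)}. Values shared by more than
    max_fanout accounts (a branch kiosk, a call-center number) are skipped,
    because they link unrelated customers and flood the alert queue.
    """
    index = attribute_index(accounts)
    hops = {seed: (0, None) for seed in seeds}
    queue = deque(sorted(seeds))
    while queue:
        current = queue.popleft()
        depth = hops[current][0]
        for kind, value in sorted(accounts[current].items()):
            peers = index[(kind, value)]
            if max_fanout is not None and len(peers) > max_fanout:
                continue
            for peer in sorted(peers):
                if peer not in hops:
                    hops[peer] = (depth + 1, f"{kind}={value}")
                    queue.append(peer)
    return hops


def association_score(hops):
    """Assumed scoring: halve the score for every hop away from known fraud."""
    return 0.5 ** hops


def rank_alerts(accounts, seeds, max_fanout=MAX_FANOUT):
    """List non-seed accounts linked to known fraud, closest first."""
    linked = association_hops(accounts, seeds, max_fanout)
    rows = [(acct, h, via, association_score(h))
            for acct, (h, via) in linked.items() if acct not in seeds]
    return sorted(rows, key=lambda row: (row[1], row[0]))


if __name__ == "__main__":
    for acct, hops, via, score in rank_alerts(ACCOUNTS, KNOWN_FRAUD):
        print(f"{acct:12s} hops={hops} via {via:16s} score={score:.2f}")
```

With the cap in place only the phone and device chain is reported; passing `max_fanout=None` also pulls in the three unrelated accounts that used the shared kiosk.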
Alert Management
Nearly all firms are moving toward higher levels of integration in detecting and
responding to fraud alerts. However, firms vary widely in terms of where they
stand right now with respect to this integration. Many firms, especially the largest,
continue to handle alerts separately for each line of business and each region
of the globe. In some of these cases, the alerts are integrated into a single case
management tool (see the SAS white paper Enterprise Case Management,
www.sas.com/reg/wp/corp/13056), but other firms continue to use or allow
different case management solutions to be employed.
Two institutions, both large regional banks, reported that they integrate alerts into
a single queue. In this configuration, alerts are raised by a variety of fraud detection
tools, and then integrated into a single queue, which is worked by a single,
dedicated enterprise-level team.
When a dedicated team is used to triage alerts, the team may be given written
guidelines to govern the triage process. Typically, these guidelines describe “red flag”
situations that automatically receive high-priority treatment.
• Account verification.
The fact that some transactions require real-time decisions, however, does not mean
that alerts are not generated. Typically, some fraction of the rejected transactions
are serious enough to warrant offline research and investigation. These alerts can
be generated as part of the real-time decision making process, or separately via an
offline batch process.
Some institutions are already deploying approaches that provide for some amount
of enterprise-level alert management. In one case, alert processing occurs at two
separate tiers. “Ordinary” alerts are processed as usual, with separate alert queues
for each line of business. During triage, however, some of these alerts are identified
as having enterprise-level significance, and are passed to an enterprise-level alert
management team for further processing.
Evaluating Results
The key metric used by all of the organizations we talked to was some form of
“losses avoided.” Most typically, this was defined conservatively as the face amount
of interdicted fraud. If a transfer of $500 out of an account were interdicted, that
amount would count as losses avoided.
This conservative definition has a weakness, however. Taking the dollar amount of
the first interdiction does not account for the additional losses that would likely have
occurred if the first transaction had not been interdicted. To remedy this situation,
some organizations also use historical expected losses per account as a way of
estimating the loss potential of an account on which fraud has been attempted.
Some institutions also use total exposure as a metric. Total exposure is defined as
the total account balance at the time that fraud is interdicted, and measures the total
loss to the account if a fraudster were to drain it completely.
Several firms identified the importance of considering the tradeoffs between losses
avoided and other business metrics, especially those related to customer loyalty
and attrition. It is a fairly simple matter to reduce losses avoided by reacting to more
alerts. But this will typically have unwelcome side effects in terms of lost business
and unhappy customers.
Any of the metrics we’ve just discussed can be used as the basis for budgeting
decisions. In order to accomplish this, the raw metrics are typically adjusted in
two ways:
All institutions use some form of “hurdle rate” in assessing the potential value of
new fraud initiatives. One institution in particular uses a hurdle rate of 400 percent in
determining whether to undertake or continue a project. In other words, the actual
or potential fraud savings must be at least four times the project cost in order for the
project to be deemed viable.
Some form of centralized oversight and control is essential to any enterprise fraud
strategy. Institutional approaches tend to vary over the degree to which all functions
need to be centralized. In general, there are three models:
• Centralized fraud function. In this model, all fraud functions are centralized
in a single team. This team performs all fraud functions from data analysis
through investigation. This model is particularly attractive to small- and medium-
scale institutions.
[Figure: Regional Centralization. Region 1, Region 2 and Region 3 each carry out Data Integration, Analysis, Alert Triage and Alert Processing. Axis label: Regions/Lines of Business.]
[Figure: Centralized Oversight. Line of Business 2 carries out Analysis, Alert Triage and Alert Processing. Axis label: Regions/Lines of Business.]
Each of these models can have other variants, depending on the specific
circumstances of the institution. All, however, rely on some form of centralized
oversight in order to maintain effectiveness across the enterprise.
Nearly all financial institutions will continue to move in the direction of greater
integration of their fraud efforts, with progressively more fraud work being done at
the enterprise level. This progress will occur incrementally, and organizations will
be very selective about the applications that warrant enterprise-level treatment.
Online banking and employee fraud are two prime candidates, followed by ACH
transactions and remote deposit capture.
The quality of the business case will continue to be critical to all decisions in this
arena. Firms who wish to prepare for the future will need to give significant thought
today to the form and content of the business case for moving in this direction.
A successful proof of concept is the best way to build a strong business case.
Institutions wishing to pursue this approach should carefully evaluate a vendor’s
track record of helping customers with proof of concept efforts that provide reliable
indicators of future project success.
Copyright © 2010, SAS Institute Inc. All rights reserved. 104593_S58423.0710