Sunday, February 13, 2011

Are You a Proud Dad?

My dad gave me one dollar bill
'Cause I'm his smartest son,
And I swapped it for two shiny quarters
'Cause two is more than one!
And then I took the quarters
And traded them to Lou
For three dimes -- I guess he don't know
That three is more than two!
And then I went and showed my dad,
And he got red in the cheeks
And closed his eyes and shook his head--
Too proud of me to speak!

- Shel Silverstein
People working in anti-fraud live and breathe money: losses, recoveries, write-offs. If it costs $1,000 to investigate and recover $500, we all intuitively know that would be a waste of time. We might as well just write off the $500 and move on. And yet...

The following conversation is hypothetical, but its strikingly similar to what I've heard from several clients in recent weeks:

Client: "Our detection systems are solid, but we're always on our back foot! We want to prevent fraud, not just detect and chase it! We need some sort of prevention system to cut our losses.”

Me: “You might not need a new system. Does your existing technology really ensure your team looks at the biggest risks first?”

Client: “Of course! We do the big transactions first. We have a ‘red’ queue for stuff that requires immediate action.”

Me: “So I imagine if there was a $50k wire, way out of normal for the customer, it would pop into the ‘red’ queue and get looked at right away.”

Client: “Right.”

Me: “And if, at the same time, your systems saw a different account with a series of unusual log-in and balance inquiry events, it would put that in a lower-priority queue?”

Client: “Yeah, unless it was linked to a financial transaction.”

Me: “What if those logins were for the CFO of a very profitable business banking client?”

Client: “Well, the system wouldn’t really know that. We’d see it during investigation.”

Me: “What if the CFO had online access to draw on a $1m revolving line of credit without secondary approval? What if he hadn’t logged in since 2008, but then one day logged in several times, browsed all over your Business Banking portal, and changed wire instructions for an approved beneficiary?”

Client: “Hopefully that would set off alarms! Probably not a ‘red’ alert, but we’d notice for sure. I know we get reports from the wire room every morning. We could call the client and verify the change.”

Me: “What if, at 3:55pm Eastern Time that same day, the CFO logged back in, drew down the line of credit and wired $1m out?”

Client: “NOW there would be a ‘red’ alert!”

Me: “And you'd be on your back foot. How much would you have to spend to drop everything and investigate in order to get the money back?”

Client: “Well it might not be our loss. We can't prevent the client from having a criminal at the CFO spot.”

Me: “How much would you spend to determine if it was really the CFO or an identity thief? No matter what, the client's not going to be happy. Odds are, they're going to close their account. What kind of heat would you get from the banker in charge of the client? Maybe they even drag you to court. What would that cost? ”

Client: “Welcome to my daily nightmare! It's the hassle of a lifetime!”

Me: “Wouldn't it be better if your systems could just prevent the wire in the first place? What if my team could get your existing technology to do that?”

Client: “When can you start?”

Just like Silverstein's "proud dad" in the poem, this client was a bit red in the face with frustration. His technology and teams clearly had some growing-up to do.

The problem is that, just like Silverstein's "son," nearly all of today's anti-fraud technologies and business processes misunderstand the real objectives ... through no fault of their own. They've been tasked with monitoring a narrow set of intermediate metrics like transaction size, out-of-profile behavior, or unknown IP address.

The key is to take the blinders off and refocus the technology on the true business metrics. Tell them what you're really trying to achieve. Is it minimized losses? Is is minimized operational cost? Is it minimized customer defection? Is it some balance of these? Then empower them with enough contextual data to make an intelligent determination of what's at stake, and what to do about it.

In upcoming blogs, I'll go "down in the weeds" to examine how technologies and business processes can be transformed in this way. Stay tuned!