• Money mules are the logistic network upon which Fraud Inc.’s value chain is built. Mule networks are the fraudster’s circulatory system. Their economic model is dependent on money mules, and that dependence makes them vulnerable.
• If the saying “infantry wins battles, logistics wins wars” is true, then so long as fraud fighters target fraudster “infantry” but fail to go after mule “logistics personnel”, the fraudsters have the superior strategy.
• I have not yet come across a fraud professional who doesn’t acknowledge the value of this rationale, nor have I come across someone who doesn’t genuinely want to take the gloves off and ramp up their efforts to more deliberately and proactively go after mule networks in their institution.
• Despite the willingness and motivation to shift to a war footing on mules, many fraud executives do not pursue a proactive mule hunting regime because they lack the time, resources, and formal prescriptive provisions for doing so. In short, current incentives to proactively hunt money mules exist outside of a formal mandate, whether that’s in the form of regulation or strategy.
• There are a small and growing number of financial institutions (FIs) that recognize the value of incorporating proactive mule detection into a more wholistic fraud risk management strategy, but unless and until these strategies are the norm rather than the exception, fraudsters will continue to enjoy a logistics network that runs largely free of disruption. And they will continue to win.
• No one wants them to win.

Fraud Trends Shifted During the Pandemic

Over US$280 billion in fraudulently obtained stimulus money flowed through the U.S. financial system during the pandemic. As this realization emerged, many, myself included, thought that it would be a matter of time before legislators and regulators began asking U.S. FIs a lot of uncomfortable questions about how they failed to recognize this enormous quantity of illicitly obtained money flowing through the system.

Things certainly seemed to be building in that direction in 2021 and 2022, but, as time wore on and the uncomfortable questions failed to materialize, the C-suite’s interest in proactive mule detection waned, and demand for proactive mule detection solutions seemed doomed to accompany it. And then came scams and the trend among regulators across multiple markets to want to place a portion of the reimbursement burden on receiving banks.

This trend was curious when it emerged, and it remains curious because we’ve been left to speculate about the nature and the origin of this impulse. Much of that speculation orbits around two considerations:

• The full scope of the fraudulent nature of the scam is unlikely to be revealed until information about how well the beneficiary’s behavior matches known patterns of mule personae is made clear. Since that information is not likely to reside anywhere comfortably outside of the receiving FI, it would make sense for the receiving FI to bear accountability (in this case, in the form of a portion of the liability for a reimbursement) for filling in a necessary piece of the puzzle.
• This approach creates an incentive with tangible, market-driven monetary penalties for FIs that fail to invest in know-your-customer (KYC) controls that do more than just check the compliance box. This approach adds teeth to KYC obligations, and it does so in a way that is proportional to the effectiveness (or ineffectiveness, depending on how you look at it) of the FI’s KYC controls to detect and control for mule activity.

One wonders about the degree to which this approach was engineered in consultation with the industry vs. in isolation by regulators. Either way, it seems to be well aligned with a trajectory among regulators  to transform risk strategies into more wholistic plans that are better orchestrated in how they seek to control for the ecosystem of criminal activity spanning cybersecurity, fraud, and money laundering.

It has also revived demand for proactive money mule detection and inbound transaction monitoring controls. This demand is beginning to form a new market segment that is likely to mature as more markets adopt changes to scam reimbursement regulatory guidance and obligations imposed by payment networks. This new market segment will coexist with other emerging market segments, such as those oriented around detecting and treating scams by way of outbound transaction monitoring.

To learn more about how changing regulations for scam liability and evolving types of scam activity, including mules, are impacting FIs and necessitating changes in fraud strategies, please join me on Tuesday, June 27 at 11am ET for my upcoming webinar, Find the Mules, Stop the Fraud.

The post How Mule Activity Is Changing Financial Institutions’ Fraud Strategies appeared first on Datos Insights.

While this is a troubling development in and of itself, what concerns me most is that as more consumers are targeted by fraudsters, a growing number of people are coming away from an already traumatizing event with an amplified sense of violation. This feeling may become even stronger after they discover that by initiating the fraudulent payment themselves—even if they were deceived into doing so—the treatment of the event is transformed from an unauthorized payment fraud to an authorized payment fraud.

This distinction means that the FI is not required by law to reimburse the consumer if the payment was initiated by the victim. This fact, along with the well-rationalized origin for why the policy boundaries were established, is frequently left out of contemporary narratives about the subject.

Unfamiliarity With Reg E Causes Problems

While the origins and boundaries of the policy are relatively well known among fraud professionals familiar with Reg E, it comes as a devastating realization to the victim—one that leaves them feeling profoundly wronged.

The worst part, of course, is that such a dramatic outcome, which hinges on a poorly understood nuance in policy, makes an irresistible narrative for journalists and legislators. Both of these groups, in their eagerness to be seen as taking bold action to protect consumers, run the risk of mistaking motion for progress.

Examples of this are popping up with increasing frequency and include:

• Two articles (here and here) in a prominent global newspaper that distort the nature and application of Reg E protections and the CFPB’s guidance on the matter
• A stirring letter from prominent politicians that was carefully engineered to go long on an appeal to sentiment but short on a realistic understanding of the reg
• A well-meaning but hastily assembled legislative proposal that, if passed as-is, would lead to unintended consequences and might end up harming the public more than protecting it

To be clear, the Scampocalypse is a serious problem for the financial services industry, and much needs to be done to improve the industry’s resilience. But as I said, motion is not always progress. Actions need to be taken—but it’s vital to thoughtfully analyze the nature of the actions and carefully craft and execute those actions. 

Collaboration Is a Powerful Tool

All of the aforementioned narratives ignore or distort the reason the regulation distinguishes between “authorized” transactions and “unauthorized” transactions. Specifically, there is no explanation or defense of why FIs lobbied to ensure that both the FI and the consumer share some degree of agency in assuming responsibility for maintaining the security of the consumer’s funds.

If this omission persists, and public opinion continues to be guided by such an unbalanced escort, I fear it will wander into outcomes that are likely to produce unwelcome consequences. It is (and will remain) absolutely necessary to avoid laying liability for the event exclusively at the feet of any one actor in the ecosystem.

To do so would, in my estimation, only serve the criminal community. So long as FIs and their customers not only share the responsibility of securing themselves against attacks but collaborate on integrating their security countermeasures, it will be possible to keep scam attacks relatively controlled.

In partnership, FIs and their customers can overcome the criminal element. I have little doubt that it will be necessary to adjust consumer protection policies in order to ensure greater consistency in providing victims with reasonable recourse to reimbursement under specific circumstances. Perhaps the most important step will be acknowledging the need to make the terms of consumer protection coverage abundantly clear to everyone.

This will include making it clear to consumers that the risks of being victimized by scammers are real, that those risks are growing, and that consumers themselves need to step up their security game to adequately defend themselves. The FIs that communicate this successfully will find it is an opportunity to demonstrate their commitment to their customers’ financial well-being, and their customers will repay them with brand loyalty.

FIs that fail to meet this challenge may save themselves some trouble in the short run, but they run the risk of endangering the industry’s reputation in the best-case scenario and the birth of poorly thought-out legislation in the worst-case scenario. It’s time to begin having important conversations with consumers about their security, about the crucial role they play in protecting themselves, and about where the boundaries of protections stop so that their expectations can be properly adjusted.

To learn more about how fraud executives at FIs are combatting the growing number of global scams, read my recent report Scams: On the Precipice of the Scampocalypse.

The post How Financial Institutions and Customers Can Battle Scams Together appeared first on Datos Insights.

This is prompting many fraud executives to sit up and take notice for a variety of reasons. Two stand out as particularly notable:

1. They’re an edge-case type of fraud. Scams are like synthetics and mules in that the manner in which they fit into the business unit’s mandate to balance fraud losses with client experience, operational efficiency, and regulatory compliance is inconsistent from one financial institution to the next. This inconsistency is borne from diverging perspectives on the circumstances for distinguishing between an authorized payment vs. an unauthorized payment when it comes to policies for reimbursing victims.

   Given the pattern of greater regulatory (and legislative) scrutiny in response to the increase in scams in the U.K. market and given recent signals from the CFPB about Reg E compliance related to reimbursement policies for unauthorized payments, many fraud executives are understandably concerned about how widespread increases in scam activity might result in potentially significant disruptions to their balancing act.
    

2. There are no satisfying ways to stop them (yet). Despite a sincere desire to protect their customers, most fraud executives are pragmatic (to one extent or another) in resisting unconstrained reimbursement policies for the simple reason that most have seen a lot of examples of abuse and collusion between bogus claimants and fraudsters. Most, therefore, are keen to find ways to separate the wheat from the chaff in a more effective manner but are frustrated by the relatively primitive state of the art in scam detection and prevention.

   Deputizing the customer through more robust awareness and education programs is a noble idea, but most fraud executives are quick to point out that it has not been a terribly effective strategy in terms of reducing the impact of attacks. 

To make matters worse, and to note yet another example of the negative impact of a lack of standardized reporting for non-card fraud types, it’s challenging to get an accurate read on the contours of the problem or on the pace of its expansion. As a result, many fraud executives look to the U.K. for indications not just of the scale and rate of growth in scams, but also for patterns in how the market and regulators might respond to such increases.

Unfortunately, neither are terribly encouraging. Katy Worobec from UK Finance, the U.K.’s primary industry association, declared that scams are a national security threat and underscored this by pointing out that losses associated with authorized push payments exceeded card fraud losses in 2021. Recent research among North American fraud executives reveals that 94% report growth in consumer scam activity and that 67% report growth rates of more than 10%.

On the matter of scam detection and prevention, there is growing interest in technologically oriented capabilities with a particular emphasis on those that seek to selectively prompt the customer into revealing additional contextual information surrounding high-risk interactions. Many of these types of solutions are gaining traction in the U.K. market under a program known as Confirmation of Payee that mandates minimum criteria for matching the payee’s information with the beneficiary’s account title, but they are also drawing attention from North American financial institutions interested in demonstrating an effort to proactively control for what they fear may be the next big fraud trend for 2022.

For a more detailed overview of how financial institutions are combatting scams, please read my latest report Scams: On the Precipice of the Scampocalypse or reach out to me at tfooshee@datos-insights.com.

The post Preparing for a Global Scampocalypse appeared first on Datos Insights.