The Fraud Squad

Whether it's done by customers, employees or organized criminals, fraud takes a bite out of business's bottom line. Here's what CSOs can do about it.


To drive down the cost of fraud in its auto and home division, MetLife has teamed with Computer Sciences to develop an early fraud-detection system. The program, called @First, combines rules-based technology with predictive modeling to identify possible fraudulent activity. Previously, MetLife Auto and Home relied exclusively on the company's claims representatives to spot possible fraud. But picking up on many of the common red flags (for example, an individual who files a claim within the first 30 days after obtaining a policy) required that claims reps note every policy's inception date, which didn't always happen. A claim that came through on a Friday before a holiday weekend, or at some other time when reps were unusually distracted, could slip through unnoticed.

John Sargent, manager of the corporate SIU for MetLife Auto and Home, wanted to provide a safety net. The @First system scours claims for signs of possible fraud: vehicle ID numbers and addresses similar to those of other claimants, drop boxes that could indicate a fictitious address, or the names of doctors and auto body shops that have been previously sanctioned. Using predictive modeling, the program looks at historical patterns of fraud and scores each claim for characteristics that in the past have indicated fraud. MetLife is currently using a test version of the technology and expects to have the software fully rolled out by the end of this month. To date, Sargent estimates as much as a 10 percent increase in the flagging of suspicious claims. But he cautions that even the best technology won't replace the skills of a seasoned claims rep. "No system captures a reluctant voice on the phone or somebody who can never be contacted by phone but is able to call the claim rep," he says. "We rely on their gut instincts."
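The rules-based half of such a system can be sketched as follows. This is an added illustration, not code from @First or MetLife, and it covers only the red flags named above (early claim, drop-box address, address or vehicle ID shared with another claimant, sanctioned provider), not the predictive model; the field names, watchlist and sample claims are constructed.

```python
import re
from datetime import date

# Constructed watchlist and claims; every name and field here is hypothetical.
SANCTIONED = {"acme auto body"}
DROP_BOX = re.compile(r"\b(p\.?\s*o\.?\s*box|pmb)\b", re.I)
CLAIMS = [
    {"id": "C1", "claimant": "A", "inception": date(2003, 1, 2), "filed": date(2003, 1, 20),
     "vin": "TESTVIN0000000001", "address": "12 Oak St., Apt 4", "providers": ["Main St Garage"]},
    {"id": "C2", "claimant": "B", "inception": date(2002, 3, 1), "filed": date(2003, 2, 10),
     "vin": "TESTVIN0000000002", "address": "12 OAK ST APT 4", "providers": ["Acme Auto Body"]},
    {"id": "C3", "claimant": "C", "inception": date(2001, 6, 15), "filed": date(2003, 2, 11),
     "vin": "TESTVIN0000000003", "address": "PO Box 118", "providers": ["Dr. Sample"]},
    {"id": "C4", "claimant": "D", "inception": date(2000, 5, 1), "filed": date(2003, 3, 1),
     "vin": "TESTVIN0000000004", "address": "7 Elm Rd", "providers": ["Main St Garage"]},
]

def norm(text):
    """Lowercase and collapse punctuation so near-identical strings compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def red_flags(claim, all_claims):
    """Return the list of rule hits for one claim, checked against the others."""
    flags = []
    # Rule 1: claim filed within the first 30 days of the policy.
    if 0 <= (claim["filed"] - claim["inception"]).days <= 30:
        flags.append("early_claim")
    # Rule 2: mailing address looks like a drop box.
    if DROP_BOX.search(claim["address"]):
        flags.append("drop_box_address")
    # Rule 3: vehicle ID or address also used by a different claimant.
    for other in all_claims:
        if other["claimant"] == claim["claimant"]:
            continue
        if other["vin"].upper() == claim["vin"].upper():
            flags.append("shared_vin:" + other["id"])
        if norm(other["address"]) == norm(claim["address"]):
            flags.append("shared_address:" + other["id"])
    # Rule 4: a doctor or body shop on the sanctioned list.
    if any(norm(p) in SANCTIONED for p in claim["providers"]):
        flags.append("sanctioned_provider")
    return flags

def review_queue(claims):
    """Claims with at least one flag, most flags first, for a human reviewer."""
    hits = [(c["id"], red_flags(c, claims)) for c in claims]
    return sorted((h for h in hits if h[1]), key=lambda h: -len(h[1]))

if __name__ == "__main__":
    for claim_id, flags in review_queue(CLAIMS):
        print(claim_id, flags)
```

The output is a review queue rather than a verdict: each hit only routes the claim to a claims rep or investigator.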

Many fraud-detection tools use link analysis or neural networks to reveal the hidden connections between pieces of information that, in combination, may indicate fraud. Credit card companies rely on these kinds of tools to help spot suspicious transactions. One of the most famous such products is the Falcon Fraud Manager from HNC Software (a subsidiary of Fair, Isaac & Co.). Falcon is a neural network system used by 85 percent of U.S. credit card issuers. It pools large volumes of historical purchasing data about cardholders and analyzes it to establish transaction and spending patterns so that exceptions to those patterns can be discerned. The software looks at how each customer spends against how risky that spending is. Using a mathematical algorithm, it computes the likelihood that a transaction is fraudulent on a scale from 1 to 999. For example, if a consumer historically uses her card once a week to purchase gas and groceries in a New Jersey ZIP code, a transaction posted for a gas purchase in Ohio would trigger a slightly elevated fraud score. Conversely, a big-ticket Ohio purchase of an easily liquidated item like jewelry would produce a much higher score. Each card issuer determines the threshold at which it will initiate a fraud response, for example, requesting the sales clerk to check the cardholder's ID or referring the case to a fraud analyst.

Technology has made a huge difference in fraud detection for companies like MasterCard, according to DeLuca. "Before, cards would run seven, 10 or even 30 days before a customer got their statement and realized they didn't make a transaction," he says. "Globally, fraud as a percentage of our transactions is down in 2002 compared with 2001."

Getting the Drop on Fraud

The challenges of fraud are unending. Fraudsters are constantly alert for new and ingenious techniques. "As we get up every morning to go to our jobs," says Sargent, "they're getting up to go to theirs. And their job is to steal money from us." Given the broad spectrum of ways to conceal fraudulent acts across an enterprise, CSOs need to take high-level steps to strengthen corporate defenses.

The first is to be proactive rather than reactive. Frazzini recommends that CSOs get involved in industry groups and fraud-buster organizations to pick up best practices that they can bring back and share within their company. One such group is the Financial Services Roundtable, a Washington, D.C., trade association for the banking, insurance and securities industries that has a technology unit known as Bits. Within Bits is a fraud working group where member companies can share experiences and glean advice. In addition, the Association of Certified Fraud Examiners runs seminars and offers continuing education for fraud examiners.

Technology can also help make you more proactive. Systems that provide better real-time visibility of fraud and fraud losses can allow the business to get the jump on fraud before problems escalate. At Citizens Financial Group, Mercuri depends on his fraud-management system for an actionable view of the fraud landscape. With big-picture information, he says, "you can do the trend analysis, see the root causes and act on them."

Having clearly communicated processes and procedures is an essential accompaniment to technology. CSOs should spearhead a fully developed fraud plan that gets input and buy-in from all the business units and top executives. "You would be shocked to find out how many companies don't have protocols for reporting illegal or improper activity," says Ed Rial, a former federal prosecutor who led the Brooklyn U.S. Attorney's fraud unit and is now a principal with the Forensic & Investigative Services Group at Deloitte & Touche in New York. "You've got to get the information to the right people as quickly as possible. I've been on investigations where we've been given the name of a fraud point-person and they'll say, 'Oh, I don't do that!'"

CSOs may want to strategize with the general counsel and other executives over what the company's electronic records retention policy should be, paying particular attention to the system log files that track all network activity. The resulting policy should be worked into the fraud plan. Additionally, whatever plans the company develops must be tested. "You need to war-game and test against the system," says World Bank's Kellerman. "You can't presume that you are invulnerable."

Assembling the right staff for a fraud investigation unit is critical; having a keen understanding of finance or the forensic skills to track down a security breach is not enough on its own. "All the technology in the world is only as good as the people who use it," says MassMutual's Bonsall. "Most of the work is done by people thinking outside the box, following hunches and carefully following procedures." Mark Rasch, former head of the U.S. Justice Department's computer crimes unit and currently senior vice president and chief security counsel with managed security service provider Solutionary, recommends that CSOs look for people who have experience conducting internal investigations, are knowledgeable about the various guises that fraud can assume and are discreet, ideally with some law enforcement experience. Individuals with that background are good at interviewing people and making assessments based on body language and other subtle cues. Just because somebody specializes in pulling information off a computer network doesn't mean that they are qualified to pull that same evidence and information out of a suspect.

Investigative units need clout as well. They'll be ineffective if they're made up of low-level managers who lack decision-making authority. Mercuri has seen companies where fraud working groups or committees sit around and discuss ideas and possible solutions, but then must run to their managers before anything can be approved. At Citizens, the fraud committee consists of senior executives who can implement their decisions. Giving the group further credibility is the fact that it is chaired by the company's vice chairman. Mercuri credits the seniority of the group with the company's success in reducing fraud. "If there's a difference of opinion, we hash it out right there in that room," says Mercuri. "And once we come up with a recommendation, we can act on it quickly."

Beyond the fraud investigation unit, the CSO can make a positive difference by evangelizing to employees about the threats fraud poses. At companies like MassMutual, where most employees don't encounter fraud on a daily basis, Bonsall often acts as the harbinger of caution and awareness. Even when fraud occurs at another company, he talks to MassMutual employees about it, making sure they understand the vulnerability that was exploited and the preventive measure that should be taken in response. "We need them to stop thinking like good, honest people and to start [thinking like] the bad guys," he says.

The other challenge that Bonsall often encounters is that employees who suspect fraud is being committed are reluctant to bring their suspicions to the fraud-investigation unit. To counter this reticence, he markets the fairness and discretion of his unit to the company at large, hoping to ensure that people will come forward. "People like to try and take care of their dirty laundry on their own," he says. Often, employees will attempt to prove an instance of fraud themselves before bringing it to Bonsall's group, a habit that he is trying to stamp out. "I would rather that people bother us and have it turn out to be nothing than have it be something and then not have the evidence maintained to prove it."


Copyright © 2003 IDG Communications, Inc.
