How is the current COVID-19 pandemic affecting fraud levels, and what can firms do to protect their employees and customers? Below, we talk to Omri Kletter, VP, Cyber Crime and Fraud Management at Bottomline, about best practices for managing risk and cyber threats in the payments process more broadly.
Security magazine: What is your title and background?
Kletter: I am VP, Cyber Crime and Fraud Management at Bottomline, after a decade with NICE. I started my journey in crime fighting in the global counter-terrorism unit of the Israeli NSA. Fighting bad guys there included consuming large amounts of data and communications, while pivoting constantly through ongoing change. Key learnings across that experience shape my feelings on fraud and financial crime and data consumability. At Bottomline, our mission is to help corporations and banks pay and get paid, making complexity simple, smart and secure. Because our group looks across all of the different junctions of payments flow, we see the interconnectedness of fraud and financial crime. For example, we aim to break down thinking and organization that sees fraud as a P&L and anti-money laundering (AML) as a regulatory-driven agenda. We encourage looking at the convergence that exists there.
Security magazine: How is the current pandemic affecting fraud levels?
Kletter: It’s quite critical to identify all of the avenues of fraud — each of which has accelerated in the age of pandemic. There’s first-party fraud — those situations where the “customer” is the fraudster. For example, an individual or entity filing fraudulent loan applications through the PPP program. There’s third-party fraud — where the customer is the victim. One bank customer of ours had a hospital client duped into changing how one “doctor” was paid, directing funds to a prepaid card versus payroll deposit, via seemingly legitimate email. Finally, there’s internal fraud — where an employee becomes a partner in bad acting.
The pandemic has seen three main forces converge to create a perfect storm. First, circumstances created by lock-downs and the like have increased the operational pressures brought on to both corporates and banks — the forced shift to remote working while attempting to maintain cost savings and efficiencies. Second, a dynamic and shifting regulatory environment. New account sanctions and regulatory changes that are more stringent and with expansive parameters. Third, technology advancements which provide businesses full visibility to leverage data, sophisticated analytics and investigation tactics.
Therein lies the challenge. These same forces are being exploited and used by bad actors for their own advantage. And that’s across the ecosystem of fraud and financial crime. So, whether it’s business email compromise (BEC) — one of the fastest-growing trends in fraud threat worldwide, insider fraud, invoice fraud, authorized push payment or money laundering, bad actors are on the move. Fraud attacks are moving higher and as they become more profitable for criminals, they’ll continue on an upward path.
Security magazine: What can firms do to protect their employees and customers?
Kletter: As with mitigating any other type of fraud, training, controls and robust policies and procedures need to be coupled with sophisticated technology to be able to enforce controls to prevent and deter fraud. This is especially true with insider fraud, where the enforcement and discipline resulting from policy violations act as an effective deterrent against would-be and acting malicious actors.
Organizations are at a higher risk for fraud given the extraordinary socio-economic conditions of the times. And that’s internal and external fraud. And, while education and training help with managing both internal and external risk, we must use the power of technology in the fight. For example, as we use more machine learning and AI to fight external crime, we must think of how these technologies apply to internal threats. Why is that person, in that role, requesting this? Or, is that the regular process that is followed by the department, on that day, at that time?
Security magazine: What are some best practices for managing risk and cyber threats in the payments process?
Kletter: Best practice is driven through a much more balanced approach to covering the whole fraud and financial crime landscape. I think of it in terms of stop, act, reflect. First, consider those forms of fraud we discussed — first-party, third-party and insider. Consider all of the junction points of transaction across each of those for a more whole picture of crime across the lifecycle. Communicate across forms and junctions and continually pivot based on intelligence.
One powerful best practice is to build and foster a fraud and financial crimes hub within your organization. Bringing together all of the disciplines that lead initiatives and operations across the landscape of compliance, fraud and global risk management needs is critical in a cloud-led, data-rich world. We’re seeing new paradigms in data and analytics, their application and value in the fight on fraud and financial crime. It increasingly will be best practice to be more communal in our approaches to managing risk and threats, just as the bad actors do in perpetrating them. Financial institution, corporate, regulator and vendor, communicating, sharing and thinking together to create better practices and solutions in an exchange.
Security magazine: How can finance teams that are facing potential internal and external fraud attempts prepare and adapt from both a US and global perspective?
Kletter: First, for the purposes of cash flow management and optimization, demand for faster, more frictionless commerce and payment remains unchanged. Just as payments have become faster and more seamless, so too have the efforts of financial criminals. They no longer look simply at a payment’s point-of-exit. They’re taking a multi-pronged approach to attack to create as much gain for themselves as possible. That means that organizations and finance teams must protect the lifecycle of the transaction, not just the portal or the potential weakest link. It requires teams to monitor every payment before it leaves, surrounded by tight implementation of controls.
As more data and more flow present more challenge, many organizations have simply thrown more people into the flow. This isn’t scalable. It’ll be more about how we look across the expanse to speed up things like investigation, which I’ll talk more about. I also think we need to encourage that communal thinking, especially globally, so that corporates, financial institutions, regulators and vendors are working in the collective interest of protection.
Security magazine: What are your expectations around payments fraud for the rest of the year, including new threats and technologies to combat them?
Kletter: It’s very hard to forecast by the nature of the challenge. A few things remain critical in the fight across the landscape. While it’s begun in earnest, I expect to see continued developments over the next year. First, there’s data. We must continue together making data more accessible. The focus there is on consumability — making the data more consumable. This includes the structure of data and the opportunity of data scientists to do more with it, faster. Second on the technology front, we’ll continue to see more use of machine learning — and increasingly combined with artificial intelligence. These technologies, which were once considered “experimental”, will become more accessible across the financial industry, even for smaller financial institutions and corporates. The third expectation I have is that we’ll see some truly disruptive change on the investigations front. How we investigate, the speed with which we investigate will see transformational change. We’ll be working to reduce 8-minute investigations to 3-minute investigations, optimizing costs and accelerating efficiencies as teams look across the entire payment lifecycle.