The latest news about Yahoo's massive 2013 data breach – which impacted more than 1 billion users – is a reminder to credit unions that there is no end to crooks (cyber or otherwise) trying to compromise consumers' data in hopes of stealing cash, credit and identity. And while preventive fraud solutions at CUs can combat many of these dangers, new threats are emerging nearly every day.
According to a 2015 Deposit Account Fraud Survey, last year saw a 74% increase in fraud attempts over 2014, and news headlines reflect this trend. Throughout the year, many credit unions experienced high levels of debit card fraud due to malware that was successfully designed to extract member card data. Merchants also continued to deal with attacks, including the fast food chain Wendy's, which experienced a significant data breach that even led to one credit union blocking all member transactions at the restaurant.
According to Michelle Shoop, director of payments at Cornerstone Advisors, retailer data breaches can be on a grand scale like Target or Home Depot, or be targeted strikes at the local convenience store. CU executives, she added, should be on the lookout for "common-point-of-purchase" fraud and "card-not-present" fraud, both of which she thinks will increase in 2017.
"Standard fraud solutions look at an individual card holder and the way that they spend, and try to identify an anomaly, but what they don't do is necessarily identify which merchant it is coming from or the location of that merchant or the device," said Shoop. "Sometimes these alerts are a little too little and little too late."
For credit unions to adequately protect against fraud, she said, organizations must have risk management processes consolidated across all credit union product lines.
"There should be a formal or informal information sharing forum so that the people who handle check fraud and the people who handle account opening fraud and card fraud are all talking to each other," she said.
Fraud Solutions, but No Silver Bullet
While there are plenty of fraud solutions on the market, there is not yet a silver bullet. But that isn't stopping credit unions from continually refining their approach to fraud prevention and detection.
Shoop noted that examples of popular vendors include FICO Falcon Fraud Manager and Verafin. The latter's FRAMLx is cloud-based fraud detection and anti-money laundering software that reports in real time and is used by $3.7 billion-asset University of Iowa Community CU.
For UICCU, which supports 146,000 members at 15 branches, the lack of a substantial fraud solution hindered the CU's ability to track fraudulent trends.
"We had no BSA or fraud software, so we were extremely limited in what information we could access easily," said Bank Secrecy Act (BSA) Officer Kris Ockenfels, adding that the credit union was unaware of potential ATM and debit card fraud risks until after deposits were returned via the Fed.
"We now have ready access to transactions data in ways we never dreamed of before. I can find and tag high-risk accounts based on multiple criteria," said Ockenfels. "Now, instead of thousands of dollars of new account ATM fraud losses, we can often pinpoint accounts at the highest risk for that type of fraud and drastically reduce our losses, sometimes even to zero."
Logix FCU in Burbank, Calif., has also adopted Verafin's solution, and Matt Overin, manager of fraud risk management, said that the credit union avoided more than $10,000 in fraud losses within just a few weeks of launching FRAMLx.
Overin explained that he was hired in 2013 after Lockheed Federal Credit Union was rebranded as Logix FCU. As a result of the name change and open membership enrollment, the CU realized an uptick in fraud attacks.
"In 2013, the Fraud Risk Management department was founded and was split from the security side of operations," he said. "We were seeing a lot of new account fraud through the online channel, check fraud and a little bit of card fraud at the time."
Due to increasing fraud attacks, the department today has four analysts, an investigator and Overin. Card fraud has grown significantly in the last year, so now one employee is assigned specifically to those cases, he noted. On average, there are five card fraud reports each week.
Overin said the manual data reports became cumbersome and costly, especially with the number of false positives, which led the credit union to implement a fraud solution.
"The reports were doing a good job and keeping losses down, but it was taking a lot of our day going through these false positives," said Overin about the need for Verafin. "We couldn't always follow up with real fraud reports with law enforcement." He estimated that prior to adopting the solution there were eight to 10 hours per day of work per investigator on these reports.
"We needed to reduce the false positives and put a behavioral piece behind it," said Overin.
Searching for Solutions
When looking for fraud solutions, Ockenfels, who said the CU vetted three vendors before selecting Verafin, advised that executives shouldn't look at costs alone, but rather at the potential savings.
"We are now proactive rather than simply reactive and the solution is a raging success," said Ockenfels.
Cornerstone Advisors' Shoop said that organizations that can't afford to staff a fraud/risk department should still have one point person on staff who can work knowledgeably with the vendor on fraud-based issues and concerns.
"Not every credit union needs to write their own rules and many vendors don't let credit unions have access to these systems," said Shoop. "But credit unions need to know what is going on so that they have oversight over these vendors."