December 5, 2024 • 21 mins
How do financial institutions combat the ever-evolving threat of identity fraud? In this episode, Naureen Ali, the US Head of Fraud at TransUnion, sheds light on this critical issue, underscoring that while 69% of institutions express concern, all are indeed affected. We analyze the rapid advancements in technology that have accelerated the speed, scale, and sophistication of fraud. Why might some organizations not voice their concerns? Noreen suggests it could be robust mitigation strategies or perhaps a concerning lack of awareness. The discussion navigates the complexities of fraud management in today’s digital age and the necessity of proactive strategies.
We also spotlight the human side of fraud, exploring schemes like romance scams that prey on vulnerabilities. Financial institutions play a pivotal role in protecting their customers, and we dive into the concept of "responsible friction." This involves implementing layered defenses, much like the Swiss cheese model, where each layer helps shield against potential threats. From step-up verification to direct interventions, these proactive measures are essential. Listen in as we stress the importance of consumer education and the vital responsibility of financial institutions in preventing victimization, ensuring a safer financial future for all.
Follow us on LinkedIn
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Rachel Morrissey (00:07):
Welcome to The Money Pot coming in live from
Las Vegas, Nevada.
I am Rachel Morrissey, US Headof Content at Money 2020 and
Executive Producer of the show,and today we are talking about
one of the hottest topics infintech identity and, in
particular, identity fraud.
Now speaking of identity notspeaking of frauds, but speaking
of identity.
Not speaking of frauds, butspeaking of identity.
Ian Horne (00:29):
I'm gonna identify my co-host I'm really glad you
qualified that ian horn.
Rachel Morrissey (00:34):
Ian Horne is our EU Head of Content, one of
the great MoneyP ot producers,and when was the last time we
discussed fraud?
Oh, we discussed fraud at TheMoneyP ot in the EU.
Ian Horne (00:43):
Back in amsterdam we did.
Rachel Morrissey (00:45):
So this will tie, this is a nice tie.
Thank you, Naureen.
You got us to tie our showstogether, so we ended up making
some loose plan to call it Fraud2020.
Ian Horne (00:58):
Yeah, our interviewee for that episode was talking
about how fraudsters arebecoming so sophisticated they
could create their own show,much like ours.
So we went on a kind of flightof fancy and started creating
Fraud 2020, which isn't a realevent, but who knows, maybe one
day, if we really turn to thedark arts, we can make it happen
.
Rachel Morrissey (01:14):
Maybe, maybe.
So today I'm going to introduceour guest, noreen Ali.
She is the US head of fraud atTransUnion and she is a
self-confessed banking veteran.
You're going to actuallyconfess to being a banking
veteran.
Is that a thing you actuallyconfess to Noreen, you know?
Naureen Ali (01:34):
it's one of those things.
It's a blessing and it's not,so you have to take it with a
grain of salt.
Rachel Morrissey (01:40):
And she has seen the entire evolution of
both fraud and fintech firsthand.
So, noreen, welcome to theMoney Pot.
Okay, well, I'm going to turnto my non-fraudulent co-host to
start talking about this.
Ian Horne (01:57):
So, ian, yeah, I haven't gone rogue yet.
I haven't done fraud 2020 yet.
So for now, yeah, as thosewho've read the session
description will know, 69% offinancial institutions are
concerned about fraud.
That actually feels low to me,to be honest, but that still is
getting across the fact thatmost people are concerned about
fraud.
Why has it become such a bigproblem now, Noreen?
Naureen Ali (02:18):
Two things very quickly.
I think 69% are concerned aboutfraud doesn't mean 69% are
experiencing fraud.
I think 100% are experiencingfraud.
I think that's an importantdistinction, right, and it's you
know.
Fraud has always been a bigissue.
I've been in this industry forover two decades and it's always
been an issue.
But what feels very differentnow is that think of the massive
(02:44):
technology shift.
Think of what the pandemicaccelerated, right, in terms of
the digital explosion, which wascertainly happening before the
pandemic and it's certainlycontinuing after, but the
pandemic did accelerate that youknow.
Think of the advancements andthink of our insatiable appetite
for instantaneous things likeinstant decisioning, faster
payments.
(03:05):
That keeps getting faster andfaster.
So you have a situation wherethe scale of fraud, the speed of
fraud and the sophistication offraud is very different.
It's unprecedented.
I love it.
Rachel Morrissey (03:17):
The three S's, the three S's, the three S's
Speed, scale and sophistication.
So let's talk about those.
So we obviously scale.
You're saying 100% experiencingfor us.
I have a question for you 69%are concerned about it, but for
sure, 100% are experiencing,which I totally agree.
(03:38):
Why aren't the others concernedabout?
Ian Horne (03:42):
it.
I was going to ask the exactsame thing, yeah.
Naureen Ali (03:45):
I think two things.
One could be that they feelthat they have sufficient
foundational critical mitigationin place.
Because if you approach fraudvery deliberately fraud
mitigation as a strategy andyou're very deliberate about
that right and you actuallycross off on your basics, I am
convinced right and this isthrough practicing fraud for
(04:06):
many, many, many years I'mconvinced that it's not a
whack-a-mole strategy, thatevery time you have an emerging
attack or a new fraud vector,you don't actually have to go
scrambling to find a newsolution.
So if you're one of those veryfew organizations where you have
taken the pains to be verydeliberate about setting up your
fraud strategy which, by theway, takes years, if you do it
(04:27):
well, then I don't think youhave a reason to be concerned.
You're combating it, but youmay not be concerned.
The other reason is the moreobvious one where you may not be
concerned is because you simplydon't have a grasp of what's
attacking you, right, or it'sgetting hidden in other types of
(04:51):
losses, so you're losing lineof sight into what's true fraud.
Rachel Morrissey (04:54):
So either you're ignorant or you just feel
like you've planned ahead.
Naureen Ali (04:58):
I was trying to be nice about this.
Rachel Morrissey (05:00):
Yeah, nice is not really something I'm
credited with, so I'm not goingto worry about it.
But that is really interestingbecause the idea about
mitigation, though like we'retalking about these three S's
right, so speed, is mitigation afactor when you're dealing with
speed as well as scale.
Naureen Ali (05:19):
Yeah, oh, absolutely Right.
Think about it.
Think about the world ofdigital issuance.
Let's take cards, for example.
A lot of your attendees arefrom the financial institution
world.
They deal with credit cards.
There was a time right, therewas nothing called a digital
instant issuance.
You had to actually wait forthe card in mail.
It was an inherent fraud.
(05:46):
Check that the address that youprovided on your application
was authentic, or is authentic,because ultimately that's where
you got your card and that'swhen you started spending.
Fast forward many years totoday.
You have a situation where youcan do a host of different
financial transactions at thetime you're approved instantly
approved, right Like balancetransfers without ever getting
your physical card.
And there's a vast populationof our consumers where they
(06:09):
never even use an actualphysical card.
It's a digital card that theywill use all the time, right.
So the speed definitely makes adifference in how we are going
to mitigate it and at what pointin that consumer journey do we
mitigate it?
Because if we are waiting tomitigate the actual monetization
, I would argue we are alreadytoo late.
We have to mitigate it at notallowing a fraud account to be
(06:32):
booked to begin with, or notallowing that account to be
taken over to begin with.
Rachel Morrissey (06:37):
So nip it at the bud, See that seems like a
good pivot to what you guys weretalking about about wanting.
How is TransUnion looking atthis whole thing?
How are you guys looking atcombating fraud?
Naureen Ali (06:49):
So before I answer that, let me give you a little
bit of context, becauseotherwise my response will kind
of not really make much sense.
So, in the industry, even ourmost sophisticated clients, I've
noticed this about them is thatat best, they have a very
fragmented view of two thingsthe identity and the identity
risk profile and the actualfraud event.
(07:12):
Right, so it's a veryfragmented view.
And why is it fragmented?
It's fragmented because, overtime, as fraud attacks have
evolved right, what haveorganizations done?
They have implemented an ACHsolution or a wire solution or a
debit card solution.
Right, what have organizationsdone?
They have implemented an ACHsolution or a wire solution or a
debit card solution, right?
Or just an originationauthentication solution, but
it's in piecemeals, right, sothese solutions are on disparate
(07:35):
platforms.
They don't necessarily speak toeach other.
So what happens to the view ofthe fraud event?
It's very fragmented.
What happens to the identity asit traverses across these
different platforms?
It's siloed, it's disparate andit's fragmented.
So, given that's where theindustry is at, and given that
you cannot really triage whysomething is happening unless
(08:00):
you have a holistic view of theevent and you cannot actually
baseline authentication withouthaving a very comprehensive view
of identity risk.
Because of that, transunion'sapproach to identity is very
powerful.
So what we have done atTransUnion is we have brought to
bear the breadth of our dataright and we have a lot of
(08:22):
critical data assets we have,both organically as well as
through acquisitions right Likewe have one of the most
well-established, one of themost mature device risk
consortium data, patentedforensic technology because we
are a phone carrier ourselvesJust things like that Marketing
footprint of hundreds ofthousands of devices and
addressable households.
So think about this massiveamount of data we are bringing
(08:46):
together to form that veryholistic identity risk profile
and that single view of what isactually happening, the fraud
event itself.
Ian Horne (08:54):
Yeah, can I get into the siloing thing as well,
because obviously that seems tome like it's possibly a result
of just the gradual evolution offinancial services and the way
that people build out theirpropositions.
But from your perspective, whatis the reason why people are so
siloed?
And for those who are, what canthey do to kind of mitigate
that risk?
Naureen Ali (09:12):
Very good question, but not an easy-solving, like I
said, because we address whatwe must.
If you're bleeding millions,you're not going to say, oh wait
, I'm not going to put a stop tothis, I'm just going to follow
my strategy.
Now you can't do that.
If you're bleeding millions,you address that right then and
there right.
So that's a function of whyit's siloed, because it didn't
(09:35):
all get built at the same timeand it's an impossible task to
do right.
So a very important part fororganizations, particularly
financial organizations wherethey have a lot of legacy
systems, is to have a technologystrategy that unifies these
siloed systems and fraudsolutions engines right and
bring those solutions in onecommon ecosystem and, perhaps
(09:59):
even more importantly, bring thedata behind these solutions to
inform what I'm talking about.
You know that continuousidentity, that continuous view
of that fraud event.
Rachel Morrissey (10:09):
So if you're looking at that like, what do
you guys see as the majorchallenges banks face as they
try to implement this technologystrategy?
Naureen Ali (10:19):
That they have a massive amount of legacy, very
expensive platforms.
That takes years to retire,that takes years for conversions
to happen, because it's awfullydisruptive as well, right?
So the thing to remember isthat you should define your
strategy.
Take inventory of all that youhave.
(10:40):
Where do you see the industrybeing here today and where do
you predict it will go?
Predicting fraud trends is veryimportant in strategy building,
right?
So you predict that, and thenyou say this is my five to
10-year strategy.
However, you have to do it inpiecemeal, but you can't define
the strategy piecemeal.
Does that make sense?
(11:00):
Yeah?
Rachel Morrissey (11:01):
But that brings us back to those three
S's, because we're talking abouthow the fraudsters have become
extremely sophisticated.
So the banks are almost hobbledby this legacy and the fact
that they can't move as quickly.
So how would you mitigateagainst the sophistication?
Naureen Ali (11:22):
There is no two ways around it that they will
have to try, unless they alreadyhave, which several
institutions I guarantee youhave already started, but the
vast majority haven't, right, Atleast not from what we observe.
They have to start on thistransformation journey.
They just have to, Because,think about it, If we have AI
(11:44):
and ML tools and so many of yourtopics today are about AI and
ML right, and we think of datasophistication and connecting
dots and discovering hiddenlatencies Fraudsters have the
exact same things at theirdisposal, but the massive amount
of data that's out about us andpublicly, and not just about
breaches right?
(12:05):
So they have all the tools wehave.
They have all the data we have,right?
That adds to thatsophistication.
So we have a fragmented view.
Guess what If we don't solvefor that?
They'll have an upper hand inthere as well, and I frankly
believe that we have everythingthat we need to have to combat
that.
So the transformation has tostart.
Ian Horne (12:26):
If it hasn't, yeah, and what sort of data are we
willingly giving away that'shelping people do these more
sophisticated crimes?
I mean, you mentioned databreaches.
I know that over a billionpublic records have been
breached this year alone, andwe're not even at the end of the
year.
So what kind of data is it thatfraudsters are now using that's
being particularly effectivefor?
Naureen Ali (12:46):
them.
So you have everything that'sPII right.
That kind obviously has alwaysbeen at high risk, which is why
we have so many rules andregulations being very strict
about what we have to win dataat rest, data transit and all of
that you know are very strict,particularly in the financial
industry.
It's that kind add to that datathat fraudsters are able to
(13:14):
convince the actual consumerfrom.
You know they convince theactual consumer to share about
themselves and socialengineering Fraudsters calling
into call centers where it'sbeen underinvested for years, by
the way, call center fraudmitigation right, and convincing
the call center agent whothey're just doing their job
(13:35):
right, to give up a lot of thatinformation.
So the power, using tools thatare very sophisticated as well,
the power of bringing togetherPII, everything about your
social life and everything aboutthat you use, you know that you
happen to use for youridentification at your
institution, bringing all thattogether.
So it's not one or the otheryou know, one or another
(13:57):
particular kind of data.
It's actually about a number ofdifferent kinds and very
quickly I just want to mentionsomething here is that this is
where we also see a convergenceof fraud types.
So, with scale, speed andsophistication, a convergence of
fraud types is a very distinctphenomenon that has become very,
very intense over the past.
I don't know, maybe seven toeight years.
Rachel Morrissey (14:21):
When you're talking about combination, it's
like you're using two differentkinds of data.
You're using something like afake personal relationship or
something and you're usingfinancial data from somewhere
else.
What do you mean by that?
I mean just clarify that for me.
Naureen Ali (14:36):
So what I mean by that is that years ago it used
to be that credit card fraud andfraud rings used to just kind
of have an expertise on creditcards and they used to just do
credit card tax, and then youhad ACH fraud and then you had
fraudsters who would do skimmingright.
Years ago skimming was a bigproblem.
Now it's not one or the otherthey have.
(14:56):
You can open a new account.
They have all the identityinformation, sometimes to
entirely fabricate newidentities like synthetic
identities, then open up anaccount enough from your card
information to even have a fakecard right and then do an ATM
fraud.
It's all these different kindsof frauds coming together,
(15:18):
converging almost in a singlefraud event.
It's something that is not justabout data, though.
It's about data, it's about thesystems, it's about a
continuity, like the dots getconnected very fast and at scale
.
Ian Horne (15:33):
Wow.
Naureen Ali (15:36):
Because they have access to different avenues that
they now bring together thefraudsters.
Rachel Morrissey (15:39):
Yeah, that sounds terrifying.
Actually.
I'm actually sitting here going.
I kind of wish I didn't havethis conversation.
Ian Horne (15:48):
That always happens with fraud, I mean.
Another thing is you mentioned,you know, the social aspect of
fraud and convincing peoplethey're speaking to someone who
they know or love or so on.
You know a lot of fraud preyson human vulnerabilities, like
romance scams, pig butcheringand things like that.
So, I'd like to ask what canfinancial institutions do to
protect their customers aboutthat, you know, especially if
(16:11):
they believe they're engagingwith someone who they trust?
Naureen Ali (16:13):
So I think one thing that I see financial
institutions do well and most do, most do and most do well is
consumer education.
But here's what happens inconsumer education it's only as
good as the consumer gettingeducated and actually being able
to execute on that awarenessright.
So it shifts the onus to aconsumer who doesn't think like
(16:37):
those of us in the fraudprofessional.
You know, in the fraudmitigation world we look at
everybody suspiciously, not youtwo, but you know it's like
second nature to us.
I don't know, I'm prettysuspicious.
But you know, a consumer, anaverage consumer, no matter what
we throw at them in terms ofeducation, they'll only be able
to retain so much.
They'll only be able to retainso much.
(16:58):
They'll only be able to protectthemselves so much.
So the onus needs to shift backto financial institutions.
So two very quick things there.
One is that often inimpersonation scams, in these
romance scams, the actual loss,of the liability of the loss
lies with the end consumer,because they are the ones who
willingly, inadvertently,willingly, but inadvertently
(17:21):
authorize that right.
It doesn't matter, it shouldn'tmatter where the liability lies
For financial institutions.
It should be critical that theytreat it and take it as a loss
period that they are responsible, that we as an industry are
responsible for preventing,right, because this is about
preventing the victimization ofhundreds and thousands of people
(17:42):
.
The second thing there is what Ilike calling responsible
friction.
Right, step up things.
If you see somebody doing a$500 transfer out of their
account, maybe not step it up.
If it's $5,000, maybe step itup because it does two things.
Maybe not step it up If it's5,000, maybe step it up because
it does two things.
When you send, say, aparticular message that says are
(18:06):
you sure you want to transfer?
You want to do an ACH transfer,say, for instance, to a new
recipient, right, are you sureit allows?
I said two things, right, so itallows the consumer.
Pause.
At least you are forcing apause.
That's one.
Also on the background.
You're also running thesehundreds of strategies and rules
that should be able to pick upon that anomalous behavior in
(18:27):
that account.
So you push out a verificationand a step-up call and that
allows you.
The second part of it isintervention.
It's a proactive interventionTogether.
I call that responsiblefriction.
So I think we need to bringthat together, we need to
promote that.
We need to actually have thatapproach if we seriously want to
(18:47):
prevent consumers being takenadvantage of.
We have that in the UK.
Ian Horne (18:54):
If I'm sending a significant amount of money, I
will get a bank notification.
This could be a scammer andI'll see a significant amount of
money.
I will get a bank notification.
You know this could be ascammer and I'll see that it's
my girlfriend.
So, yes and no, you neverreally know.
Rachel Morrissey (19:05):
Anyway, but it is useful.
That's on you, yeah, yeah, no,she's not.
Ian Horne (19:10):
But it does work.
It is actually quite.
Yeah, I think it works in theUK for sure.
But are there any other kind ofversions of responsible
friction that you think areeffective?
Or is it as simple as just anotification that says are you
sure about this?
Naureen Ali (19:21):
There's a notification, but remember,
there's also the outbound call.
You're doing the verification,so you're actively intervening
to say, hey, this doesn't looklike you, it doesn't fit the
pattern that we see with youraccount, Are you sure?
So there's a passivenotification, but there's also
an active, proactive call made.
And again, these are not silverbullets, these are not panaceas
, but these are methods to tryto bolster and do whatever we
(19:46):
can to prevent this right.
Rachel Morrissey (19:48):
Yeah, and it feels like you know.
It's funny because we've alljust gone through a pandemic
right and as we were looking atmeasures to prevent getting sick
, it was not.
There is a silver bullet, itwas.
These are layers that can helpyou prevent getting sick, sort
of like Swiss cheese, but if youlayer enough of them, hopefully
you cover all.
Naureen Ali (20:07):
I love that.
Rachel Morrissey (20:08):
Yeah, and I think that's exactly what you're
talking about here.
That's the only way you can dothat is to kind of layer, layer
your Swiss cheese people.
Ian Horne (20:18):
Just more European inspiration.
I'm delighted, happy to be here, okay.
Rachel Morrissey (20:23):
Well, I think we have to wrap up.
You want to take it, Ian?
You want to do the closer?
Ian Horne (20:28):
Yes, I am, and I'll skip the bit about us being out
of time because you've coveredthat.
Noreen, thanks for joining uson the Money Pot.
It's been a real pleasurehaving you here and a great
insight into the world of fraud.
We've talked about all sorts ofthings.
We've talked about, well, Imean, the many, many ways in
which we can now be defrauded,which is always wonderfully
terrifying, but good to know.
So, yes, thank you, and thankyou also to our live audience
(20:51):
for listening.
Thanks to anyone listeningonline, wherever you are.
As ever, if you have a goldenpodcast idea, send your pitch to
podcast at money2020.com anddon't forget to follow us
wherever you listen to podcasts.
This has been the Money Potlive from Vegas.
We'll see you next time.
Welcome to The Money Pot coming in live from
Las Vegas, Nevada.
I am Rachel Morrissey, US Headof Content at Money 2020 and
Executive Producer of the show,and today we are talking about
one of the hottest topics infintech identity and, in
particular, identity fraud.
Now speaking of identity notspeaking of frauds, but speaking
of identity.
Not speaking of frauds, butspeaking of identity.
Ian Horne (00:29):
I'm gonna identify my co-host I'm really glad you
qualified that ian horn.
Rachel Morrissey (00:34):
Ian Horne is our EU Head of Content, one of
the great MoneyP ot producers,and when was the last time we
discussed fraud?
Oh, we discussed fraud at TheMoneyP ot in the EU.
Ian Horne (00:43):
Back in amsterdam we did.
Rachel Morrissey (00:45):
So this will tie, this is a nice tie.
Thank you, Naureen.
You got us to tie our showstogether, so we ended up making
some loose plan to call it Fraud2020.
Ian Horne (00:58):
Yeah, our interviewee for that episode was talking
about how fraudsters arebecoming so sophisticated they
could create their own show,much like ours.
So we went on a kind of flightof fancy and started creating
Fraud 2020, which isn't a realevent, but who knows, maybe one
day, if we really turn to thedark arts, we can make it happen
.
Rachel Morrissey (01:14):
Maybe, maybe.
So today I'm going to introduceour guest, noreen Ali.
She is the US head of fraud atTransUnion and she is a
self-confessed banking veteran.
You're going to actuallyconfess to being a banking
veteran.
Is that a thing you actuallyconfess to Noreen, you know?
Naureen Ali (01:34):
it's one of those things.
It's a blessing and it's not,so you have to take it with a
grain of salt.
Rachel Morrissey (01:40):
And she has seen the entire evolution of
both fraud and fintech firsthand.
So, noreen, welcome to theMoney Pot.
Okay, well, I'm going to turnto my non-fraudulent co-host to
start talking about this.
Ian Horne (01:57):
So, ian, yeah, I haven't gone rogue yet.
I haven't done fraud 2020 yet.
So for now, yeah, as thosewho've read the session
description will know, 69% offinancial institutions are
concerned about fraud.
That actually feels low to me,to be honest, but that still is
getting across the fact thatmost people are concerned about
fraud.
Why has it become such a bigproblem now, Noreen?
Naureen Ali (02:18):
Two things very quickly.
I think 69% are concerned aboutfraud doesn't mean 69% are
experiencing fraud.
I think 100% are experiencingfraud.
I think that's an importantdistinction, right, and it's you
know.
Fraud has always been a bigissue.
I've been in this industry forover two decades and it's always
been an issue.
But what feels very differentnow is that think of the massive
(02:44):
technology shift.
Think of what the pandemicaccelerated, right, in terms of
the digital explosion, which wascertainly happening before the
pandemic and it's certainlycontinuing after, but the
pandemic did accelerate that youknow.
Think of the advancements andthink of our insatiable appetite
for instantaneous things likeinstant decisioning, faster
payments.
(03:05):
That keeps getting faster andfaster.
So you have a situation wherethe scale of fraud, the speed of
fraud and the sophistication offraud is very different.
It's unprecedented.
I love it.
Rachel Morrissey (03:17):
The three S's, the three S's, the three S's
Speed, scale and sophistication.
So let's talk about those.
So we obviously scale.
You're saying 100% experiencingfor us.
I have a question for you 69%are concerned about it, but for
sure, 100% are experiencing,which I totally agree.
(03:38):
Why aren't the others concernedabout?
Ian Horne (03:42):
it.
I was going to ask the exactsame thing, yeah.
Naureen Ali (03:45):
I think two things.
One could be that they feelthat they have sufficient
foundational critical mitigationin place.
Because if you approach fraudvery deliberately fraud
mitigation as a strategy andyou're very deliberate about
that right and you actuallycross off on your basics, I am
convinced right and this isthrough practicing fraud for
(04:06):
many, many, many years I'mconvinced that it's not a
whack-a-mole strategy, thatevery time you have an emerging
attack or a new fraud vector,you don't actually have to go
scrambling to find a newsolution.
So if you're one of those veryfew organizations where you have
taken the pains to be verydeliberate about setting up your
fraud strategy which, by theway, takes years, if you do it
(04:27):
well, then I don't think youhave a reason to be concerned.
You're combating it, but youmay not be concerned.
The other reason is the moreobvious one where you may not be
concerned is because you simplydon't have a grasp of what's
attacking you, right, or it'sgetting hidden in other types of
(04:51):
losses, so you're losing lineof sight into what's true fraud.
Rachel Morrissey (04:54):
So either you're ignorant or you just feel
like you've planned ahead.
Naureen Ali (04:58):
I was trying to be nice about this.
Rachel Morrissey (05:00):
Yeah, nice is not really something I'm
credited with, so I'm not goingto worry about it.
But that is really interestingbecause the idea about
mitigation, though like we'retalking about these three S's
right, so speed, is mitigation afactor when you're dealing with
speed as well as scale.
Naureen Ali (05:19):
Yeah, oh, absolutely Right.
Think about it.
Think about the world ofdigital issuance.
Let's take cards, for example.
A lot of your attendees arefrom the financial institution
world.
They deal with credit cards.
There was a time right, therewas nothing called a digital
instant issuance.
You had to actually wait forthe card in mail.
It was an inherent fraud.
(05:46):
Check that the address that youprovided on your application
was authentic, or is authentic,because ultimately that's where
you got your card and that'swhen you started spending.
Fast forward many years totoday.
You have a situation where youcan do a host of different
financial transactions at thetime you're approved instantly
approved, right Like balancetransfers without ever getting
your physical card.
And there's a vast populationof our consumers where they
(06:09):
never even use an actualphysical card.
It's a digital card that theywill use all the time, right.
So the speed definitely makes adifference in how we are going
to mitigate it and at what pointin that consumer journey do we
mitigate it?
Because if we are waiting tomitigate the actual monetization
, I would argue we are alreadytoo late.
We have to mitigate it at notallowing a fraud account to be
(06:32):
booked to begin with, or notallowing that account to be
taken over to begin with.
Rachel Morrissey (06:37):
So nip it at the bud, See that seems like a
good pivot to what you guys weretalking about about wanting.
How is TransUnion looking atthis whole thing?
How are you guys looking atcombating fraud?
Naureen Ali (06:49):
So before I answer that, let me give you a little
bit of context, becauseotherwise my response will kind
of not really make much sense.
So, in the industry, even ourmost sophisticated clients, I've
noticed this about them is thatat best, they have a very
fragmented view of two thingsthe identity and the identity
risk profile and the actualfraud event.
(07:12):
Right, so it's a veryfragmented view.
And why is it fragmented?
It's fragmented because, overtime, as fraud attacks have
evolved right, what haveorganizations done?
They have implemented an ACHsolution or a wire solution or a
debit card solution.
Right, what have organizationsdone?
They have implemented an ACHsolution or a wire solution or a
debit card solution, right?
Or just an originationauthentication solution, but
it's in piecemeals, right, sothese solutions are on disparate
(07:35):
platforms.
They don't necessarily speak toeach other.
So what happens to the view ofthe fraud event?
It's very fragmented.
What happens to the identity asit traverses across these
different platforms?
It's siloed, it's disparate andit's fragmented.
So, given that's where theindustry is at, and given that
you cannot really triage whysomething is happening unless
(08:00):
you have a holistic view of theevent and you cannot actually
baseline authentication withouthaving a very comprehensive view
of identity risk.
Because of that, transunion'sapproach to identity is very
powerful.
So what we have done atTransUnion is we have brought to
bear the breadth of our dataright and we have a lot of
(08:22):
critical data assets we have,both organically as well as
through acquisitions right Likewe have one of the most
well-established, one of themost mature device risk
consortium data, patentedforensic technology because we
are a phone carrier ourselvesJust things like that Marketing
footprint of hundreds ofthousands of devices and
addressable households.
So think about this massiveamount of data we are bringing
(08:46):
together to form that veryholistic identity risk profile
and that single view of what isactually happening, the fraud
event itself.
Ian Horne (08:54):
Yeah, can I get into the siloing thing as well,
because obviously that seems tome like it's possibly a result
of just the gradual evolution offinancial services and the way
that people build out theirpropositions.
But from your perspective, whatis the reason why people are so
siloed?
And for those who are, what canthey do to kind of mitigate
that risk?
Naureen Ali (09:12):
Very good question, but not an easy-solving, like I
said, because we address whatwe must.
If you're bleeding millions,you're not going to say, oh wait
, I'm not going to put a stop tothis, I'm just going to follow
my strategy.
Now you can't do that.
If you're bleeding millions,you address that right then and
there right.
So that's a function of whyit's siloed, because it didn't
(09:35):
all get built at the same timeand it's an impossible task to
do right.
So a very important part fororganizations, particularly
financial organizations wherethey have a lot of legacy
systems, is to have a technologystrategy that unifies these
siloed systems and fraudsolutions engines right and
bring those solutions in onecommon ecosystem and, perhaps
(09:59):
even more importantly, bring thedata behind these solutions to
inform what I'm talking about.
You know that continuousidentity, that continuous view
of that fraud event.
Rachel Morrissey (10:09):
So if you're looking at that like, what do
you guys see as the majorchallenges banks face as they
try to implement this technologystrategy?
Naureen Ali (10:19):
That they have a massive amount of legacy, very
expensive platforms.
That takes years to retire,that takes years for conversions
to happen, because it's awfullydisruptive as well, right?
So the thing to remember isthat you should define your
strategy.
Take inventory of all that youhave.
(10:40):
Where do you see the industrybeing here today and where do
you predict it will go?
Predicting fraud trends is veryimportant in strategy building,
right?
So you predict that, and thenyou say this is my five to
10-year strategy.
However, you have to do it inpiecemeal, but you can't define
the strategy piecemeal.
Does that make sense?
(11:00):
Yeah?
Rachel Morrissey (11:01):
But that brings us back to those three
S's, because we're talking abouthow the fraudsters have become
extremely sophisticated.
So the banks are almost hobbledby this legacy and the fact
that they can't move as quickly.
So how would you mitigateagainst the sophistication?
Naureen Ali (11:22):
There is no two ways around it that they will
have to try, unless they alreadyhave, which several
institutions I guarantee youhave already started, but the
vast majority haven't, right, Atleast not from what we observe.
They have to start on thistransformation journey.
They just have to, Because,think about it, If we have AI
(11:44):
and ML tools and so many of yourtopics today are about AI and
ML right, and we think of datasophistication and connecting
dots and discovering hiddenlatencies Fraudsters have the
exact same things at theirdisposal, but the massive amount
of data that's out about us andpublicly, and not just about
breaches right?
(12:05):
So they have all the tools wehave.
They have all the data we have,right?
That adds to thatsophistication.
So we have a fragmented view.
Guess what If we don't solvefor that?
They'll have an upper hand inthere as well, and I frankly
believe that we have everythingthat we need to have to combat
that.
So the transformation has tostart.
Ian Horne (12:26):
If it hasn't, yeah, and what sort of data are we
willingly giving away that'shelping people do these more
sophisticated crimes?
I mean, you mentioned databreaches.
I know that over a billionpublic records have been
breached this year alone, andwe're not even at the end of the
year.
So what kind of data is it thatfraudsters are now using that's
being particularly effectivefor?
Naureen Ali (12:46):
them.
So you have everything that'sPII right.
That kind obviously has alwaysbeen at high risk, which is why
we have so many rules andregulations being very strict
about what we have to win dataat rest, data transit and all of
that you know are very strict,particularly in the financial
industry.
It's that kind add to that datathat fraudsters are able to
(13:14):
convince the actual consumerfrom.
You know they convince theactual consumer to share about
themselves and socialengineering Fraudsters calling
into call centers where it'sbeen underinvested for years, by
the way, call center fraudmitigation right, and convincing
the call center agent whothey're just doing their job
(13:35):
right, to give up a lot of thatinformation.
So the power, using tools thatare very sophisticated as well,
the power of bringing togetherPII, everything about your
social life and everything aboutthat you use, you know that you
happen to use for youridentification at your
institution, bringing all thattogether.
So it's not one or the otheryou know, one or another
(13:57):
particular kind of data.
It's actually about a number ofdifferent kinds and very
quickly I just want to mentionsomething here is that this is
where we also see a convergenceof fraud types.
So, with scale, speed andsophistication, a convergence of
fraud types is a very distinctphenomenon that has become very,
very intense over the past.
I don't know, maybe seven toeight years.
Rachel Morrissey (14:21):
When you're talking about combination, it's
like you're using two differentkinds of data.
You're using something like afake personal relationship or
something and you're usingfinancial data from somewhere
else.
What do you mean by that?
I mean just clarify that for me.
Naureen Ali (14:36):
So what I mean by that is that years ago it used
to be that credit card fraud andfraud rings used to just kind
of have an expertise on creditcards and they used to just do
credit card tax, and then youhad ACH fraud and then you had
fraudsters who would do skimmingright.
Years ago skimming was a bigproblem.
Now it's not one or the otherthey have.
(14:56):
You can open a new account.
They have all the identityinformation, sometimes to
entirely fabricate newidentities like synthetic
identities, then open up anaccount enough from your card
information to even have a fakecard right and then do an ATM
fraud.
It's all these different kindsof frauds coming together,
(15:18):
converging almost in a singlefraud event.
It's something that is not justabout data, though.
It's about data, it's about thesystems, it's about a
continuity, like the dots getconnected very fast and at scale
.
Ian Horne (15:33):
Wow.
Naureen Ali (15:36):
Because they have access to different avenues that
they now bring together thefraudsters.
Rachel Morrissey (15:39):
Yeah, that sounds terrifying.
Actually.
I'm actually sitting here going.
I kind of wish I didn't havethis conversation.
Ian Horne (15:48):
That always happens with fraud, I mean.
Another thing is you mentioned,you know, the social aspect of
fraud and convincing peoplethey're speaking to someone who
they know or love or so on.
You know a lot of fraud preyson human vulnerabilities, like
romance scams, pig butcheringand things like that.
So, I'd like to ask what canfinancial institutions do to
protect their customers aboutthat, you know, especially if
(16:11):
they believe they're engagingwith someone who they trust?
Naureen Ali (16:13):
So I think one thing that I see financial
institutions do well and most do, most do and most do well is
consumer education.
But here's what happens inconsumer education it's only as
good as the consumer gettingeducated and actually being able
to execute on that awarenessright.
So it shifts the onus to aconsumer who doesn't think like
(16:37):
those of us in the fraudprofessional.
You know, in the fraudmitigation world we look at
everybody suspiciously, not youtwo, but you know it's like
second nature to us.
I don't know, I'm prettysuspicious.
But you know, a consumer, anaverage consumer, no matter what
we throw at them in terms ofeducation, they'll only be able
to retain so much.
They'll only be able to retainso much.
(16:58):
They'll only be able to protectthemselves so much.
So the onus needs to shift backto financial institutions.
So two very quick things there.
One is that often inimpersonation scams, in these
romance scams, the actual loss,of the liability of the loss
lies with the end consumer,because they are the ones who
willingly, inadvertently,willingly, but inadvertently
(17:21):
authorize that right.
It doesn't matter, it shouldn'tmatter where the liability lies
For financial institutions.
It should be critical that theytreat it and take it as a loss
period that they are responsible, that we as an industry are
responsible for preventing,right, because this is about
preventing the victimization ofhundreds and thousands of people
(17:42):
.
The second thing there is what Ilike calling responsible
friction.
Right, step up things.
If you see somebody doing a$500 transfer out of their
account, maybe not step it up.
If it's $5,000, maybe step itup because it does two things.
Maybe not step it up If it's5,000, maybe step it up because
it does two things.
When you send, say, aparticular message that says are
(18:06):
you sure you want to transfer?
You want to do an ACH transfer,say, for instance, to a new
recipient, right, are you sureit allows?
I said two things, right, so itallows the consumer.
Pause.
At least you are forcing apause.
That's one.
Also on the background.
You're also running thesehundreds of strategies and rules
that should be able to pick upon that anomalous behavior in
(18:27):
that account.
So you push out a verificationand a step-up call and that
allows you.
The second part of it isintervention.
It's a proactive interventionTogether.
I call that responsiblefriction.
So I think we need to bringthat together, we need to
promote that.
We need to actually have thatapproach if we seriously want to
(18:47):
prevent consumers being takenadvantage of.
We have that in the UK.
Ian Horne (18:54):
If I'm sending a significant amount of money, I
will get a bank notification.
This could be a scammer andI'll see a significant amount of
money.
I will get a bank notification.
You know this could be ascammer and I'll see that it's
my girlfriend.
So, yes and no, you neverreally know.
Rachel Morrissey (19:05):
Anyway, but it is useful.
That's on you, yeah, yeah, no,she's not.
Ian Horne (19:10):
But it does work.
It is actually quite.
Yeah, I think it works in theUK for sure.
But are there any other kind ofversions of responsible
friction that you think areeffective?
Or is it as simple as just anotification that says are you
sure about this?
Naureen Ali (19:21):
There's a notification, but remember,
there's also the outbound call.
You're doing the verification,so you're actively intervening
to say, hey, this doesn't looklike you, it doesn't fit the
pattern that we see with youraccount, Are you sure?
So there's a passivenotification, but there's also
an active, proactive call made.
And again, these are not silverbullets, these are not panaceas
, but these are methods to tryto bolster and do whatever we
(19:46):
can to prevent this right.
Rachel Morrissey (19:48):
Yeah, and it feels like you know.
It's funny because we've alljust gone through a pandemic
right and as we were looking atmeasures to prevent getting sick
, it was not.
There is a silver bullet, itwas.
These are layers that can helpyou prevent getting sick, sort
of like Swiss cheese, but if youlayer enough of them, hopefully
you cover all.
Naureen Ali (20:07):
I love that.
Rachel Morrissey (20:08):
Yeah, and I think that's exactly what you're
talking about here.
That's the only way you can dothat is to kind of layer, layer
your Swiss cheese people.
Ian Horne (20:18):
Just more European inspiration.
I'm delighted, happy to be here, okay.
Rachel Morrissey (20:23):
Well, I think we have to wrap up.
You want to take it, Ian?
You want to do the closer?
Ian Horne (20:28):
Yes, I am, and I'll skip the bit about us being out
of time because you've coveredthat.
Noreen, thanks for joining uson the Money Pot.
It's been a real pleasurehaving you here and a great
insight into the world of fraud.
We've talked about all sorts ofthings.
We've talked about, well, Imean, the many, many ways in
which we can now be defrauded,which is always wonderfully
terrifying, but good to know.
So, yes, thank you, and thankyou also to our live audience
(20:51):
for listening.
Thanks to anyone listeningonline, wherever you are.
As ever, if you have a goldenpodcast idea, send your pitch to
podcast at money2020.com anddon't forget to follow us
wherever you listen to podcasts.
This has been the Money Potlive from Vegas.
We'll see you next time.
Popular Podcasts
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
24/7 News: The Latest
The latest news in 4 minutes updated every hour, every day.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com