Fraud Technology Podcast

Episode 6: Not everything reported as fraud by customers is fraud!!

Mehul Vyas Season 1 Episode 6

Explore the nuances of distinguishing disputes from fraud in this enlightening episode. We delve into common scenarios where customers suspect fraud but discover it's often a simple dispute due to miscommunication. Highlighting the importance of empathetic customer service, we stress the need for clear communication to maintain trust. Discover insights into fraud investigation, using credit card fraud as an example, and learn how banks determine whether it's a dispute or true fraud.

Thanks to Mehul Vyas from Bread Financial (https://www.breadfinancial.com/) for the insights. In conversation with Ravi Madavaram from Regulo (www.regulo.ai)


Welcome back, listeners. Ravi from Fraud Technology Podcast. We have with us Mehul from Ohio, from the US. Lovely to have. Mehul himself comes from two-decade-long experience in financial crime and compliance. He has a lot of, a lot of experience handling fraud in different companies. Really, I have the pleasure of having him here. Welcome, Mehul. We'd love to know how your journey started. And I also see some of the certifications that you have. So I would love to know how your journey started and some of the certifications that you got.

Thank you, Ravi, for having me. It's really an honor to be on this podcast. I was a team lead in India in Wipro and the call center there. So I started from there. So we were, I was a team lead for the dispute and fraud process for Capital One. Wipro had an outsource there. And so I was pretty much interested in frauds and disputes because it's not the same day every day. You know, every case is different. And that made me more inclined towards it. So I did my cyber laws again while working there. And then I had an opportunity to come down to the U.S. I kept my domain. I continued with the same domain, fraud and disputes, basically credit cards. And then I worked in different platforms in here in Discover and Faisal. I got to know all those RuPay and the normal platforms, the famous ones. I worked on all of them. And at one point I thought I know everything about this, I hate to do something more, you know, so meanwhile, I also did an RPA like process automation. I learned that I can bring SQL and some data mining and all that I thought was we need to learn all that because things were changing, it was getting more techy kind of thing, and I didn't want to fall back. So when I used to be in meetings and hear things, I'm like, okay, I need to pick it up. Fraud people are curious, you know? So if you stop hitting your head, you are not in fraud anymore. Then I came to know about ACAMS, and then I did my ACAMS.
ACAMS is a tough, tough, tough exam, and I fortunately did that. So now I work with a company called Bread Financial. It was earlier known as Alliance Data. I do work with the fraud department or it's called the account protection department there. I investigate fraud and I'm also end of the subject matter expert. People reach out to me with questions and... Almost 20 years journey now, same domain, but now being an ACAMS member, I also look into money laundering and fraud has changed a lot. So yeah, in different way, I get to cover. Okay. Enjoying my job.

So you talked a little bit about learning SQL and how that started becoming a thing, right? So can I understand a little bit about how it was in the previous time? And then how you had to pick some of these technical tools to...

Yeah. So earlier, like it was not that digital when, back when, like maybe 10, 15 years back, since the common frauds were like phishing fraud and the spams, and they were not so technically, like, sophisticated, you wouldn't be able to do that. Like then it started evolving more and then you came, the internet became more accessible to people. And then things started changing, techie guys became fraudsters and learning new things to do the fraud. So, that is when I started doing more of, and my, as I told you, my wife is a data scientist so, she kind of used to, you know, listen to what I'm doing and give me more ideas and then, I came into, uh, this RPA thing, and, uh, SQL, okay, but we had Excel and SQL, so that was a part, but RPA was interesting, kind of, because credit card disputes is kind of, uh, more of a repetition, uh, process, like, uh, RPAs are generally the bots, they, you just, uh, give them a flowchart, and, hey, if the card owner says, if they check the boxes, you just follow the rules. So, that worked and I made a presentation in my office and I showed them that this can be automated. The chargeback was just for the credit cards and it worked.
And so, that was when I really, I got, like, before that I was certified for the RPA and it worked. It saved a lot of money, I guess, and for, because naturally, automated, so you'll need less people looking into it. And, so that really helped. And sometimes I make fun of like, I would also automate the bot to check the rates of the groceries in different stores and see where I'm going to go there and buy.

Oh, wow. Yeah. I've actually personally never heard about RPA being used extensively in the fraud space. That is really interesting. I mean, I've not really heard, is this like a very common practice or was there a specific practice?

No, it's pretty common. Like, you know, most of the tools are all automated tools department that things that looks at what can be automated and the main point is there are less errors in that human errors are all eliminated. And at a point, then you need a human brain like this or this. That's what it stops there. So that's really a good idea. You, a bank, like there are so many transactions per day and so many disputes coming up. So an automation can work it on like quickly, like this, in a matter of some time. While it's just a manual process, it might take the whole shift or a couple of days to, that's it. So yeah, automation is very common now and definitely in all the industries. I mean, if you go for like, I'm just going and lifting up a little bit. Like if you want, if you're in a hotel business, you can automate that process as well. Like, okay, when should we eat it till this time and then turn off the gas? The automation can do that. So it's pretty, you just need to know what doesn't require a human brain can be automated.

Awesome. Awesome. Awesome. I also heard about your experience getting your certification. ACAMS, I remember is personally, I actually tried ACAMS and I just didn't go through the exam itself because it's just too hard to go through.
So congratulations on like, I know it's been some time, but still congratulations on actually getting through the certification. So what I want to understand is ACAMS is more an anti-money laundering. So how come, how did it help in your fraud space? How does it work together?

So ACAMS and frauds are, I believe, twins. So I can say it's kind of fraud, like it's money laundering. So fraud, you do fraud and then you need, you get the money. You need to launder that goes hand in hand. So like you come in the fraud first and then you have the money and then, so, ACAMS is a very good certification as you already said that it's tough to practice. It's not like going to school and, yeah, just memorizing things. You have to use a, use a logic. They don't even tell you which answers are wrong and right. So, I can just tell you at the end of the exam that this portion you got, you scored this and you didn't score well here and you scored well. So, it's like that and it's tough. So, when studying for ACAMS, I came into, ACAMS was really kind of fun. But give me a more broader view or like understanding financial crimes and like terrorist financing. And they have four chapters on human trafficking and many different things than normal fraud that happens. So it's a very, very evolving thing. And you can, there's a university itself, like it's who's wrong all around the world. It's everyone knows what he can just, and basically the different methods and the different practices that people do, like region wide, like in Mexico, these types of fraud that come in. So you can take care of that. And now banks being universal banks, you know, there are, they are all around. You have to have that knowledge of which area, how to deal with what kind of fraud happens there. And he can gives you a kind of platform where you. Who regularly go to their website and you go to seminars and you get yourself updated. So, I mean, I never had a lot of politically exposed people before I did ACAMS.
So that, that is something that now banks follow. So you get to learn new things. And if you're in this job, you have to keep yourself updated. You have to be ahead of those fraudsters. So you have to, so this really helps a lot. I'm not sure if I answered your question because I start thinking like I'm just tipped off.

No worries. I think one of the key concepts that you talked about was about anti-money laundering and fraud being a twin, basically. That one has to happen, fraud has to happen, and then money laundering has to definitely happen. So that's a key that I got from that, right? So with also so much experience doing this, right? Can I understand from you, for a financial institution, or let's say a new fintech that is starting out? Absolutely. What are the key foundational layers that you need to have effective fraud fighting function?

So earlier, the first thing is you have to be informed, like you have to know what you're doing. You have to be adaptive. You have to change according to your customer base or, you know, according to the business you're doing. And then you have to have the, you have to be open to technology like you cannot. It's difficult to do anything without technology. So like data analytics or AI, artificial intelligence, you have to have make use of these to stay safe. Again, the most important thing is customer education. You have to educate your customers on common fraud schemes that are going on, like send them emails, send them brochure, like, Hey, you know, it's Christmas season. This might happen. Santa Claus may come say, Hey, I'm going to give you this. So you have to, customer education is the basic. You have to have that. You have, you have got your employees trained. They are, most of the banks have this, like they have annual quotients that the employees have to clear out. And then you have to like, the training should be ongoing, continuous monitoring. You have to keep monitoring. We have those systems in place that.
Keep checks on what's going on and if there's something suspicious, like the file of a suspicious activity report, or you need to reach out to some, some flags should be, there should be some red flags in place. Okay. And then there have to be due diligence. That's very important. You have to periodically conduct due diligence on not only your customers, but even the third party vendors, like who your customers deal with. To have an idea of like what's going on. And then you have to, usually law enforcement has to. Yeah, data like there are laws, regional laws, different regional laws, like every, they might have to submit some reports to the law enforcement and again, data privacy is very important. Insider dating or insider breach should not happen. You have to be very careful. Like, your people are not selling the data or sending customer information in any form. So data privacy is important for that. You have to do regular audits, get them like external auditors should come and they should have audits, machine learning and all is very important. Again, usually by all the banks who have the use of sylvan oil. lines, or you know, where they, if your cashier thinks, okay, this is something suspicious. So without the person knowing, they can just dial a number or some kind of alert. And this is really helpful in all.

You talked about knowledge and being on top of the topic, right? And also talked about educating the customers. You also talked about employee management. So all these sound like AML functions. AML, like literally you're supposed to do money laundering training to all your employees, et cetera, right. So it's also a common practice to do that for fraud as well.

Yeah. As I told you, it goes hand in hand. So if there is anything suspicious kind of this person depositing only 9,900 bucks or 10,000, why does it come three times a week? So that's something like that's because maybe he's laundering money, but where did this money come from?
What's his business? Why is this payroll, you know, went down figures all the time? Why doesn't it come in decimals? If it isn't human trafficking, is it prostitution? Like, so the training helps people to find out and then fraud again, I said, customer education. So you have to know the difference between a dispute and a fraud. Basic for the customer. Everything is for that. That donor is a fraudster. He's not the red sofa. He gave you a green sofa. So he's not a fraudster. You had to dispute. So that's customer education. So everything goes hand in hand. And then your employee should. Hey, sir, this is not fraud. This is, we can dispute it, but it's a different train that we have to catch. This won't work.

Okay. Okay. Got it. Got it. And in your fraud investigation process, right? Can I understand what are the different stages like and what are the different steps and how do you, so one, how does a case come to you and how do you go about investigating it and then how do you, what is the closure? What are the decisions and what are the implication of those?

So are you talking about credit card fraud?

Oh, any of the process you can pick.

Let's talk about it because I've worked more on that. So a credit card what happens like the general like customer sees a statement. And he says, hey, charge from X, Y, Z, S. I don't know. So he called the bank, credit card bank, and say, I don't know why this came on my account, my charge. So the cost, it will go to the call center in the bank. That person is just, his job is to just make a note and send in a form. He'll send them, okay, you don't know this charge, okay, I'll send you a form. And then they'll send the form and temporarily he'll block the card. He might change the card number just to be sure. They follow the general procedures they need to.
And once the customer gets the form, we fill out from that form, I mean, it will go to the fraud department or the, or whichever department is that handles those complaints and then these individuals are trained on disputes and frauds. So, they will determine if it's a dispute or a fraud and then all the banks work on these platforms like Visa, MasterCard, Amex. They all have to follow those rules. So, there are different rules for every kind of fraud and every kind of dispute. So, once that is determined what kind of dispute it is, or like, you're charged twice, or you're charged a different amount, or maybe that's a dispute kind of thing. And if you're, if you know what this charge is for, it's a fraud. So, that individual representative who is in the bank will determine it and he'll file. So then it will go to the next department where the investigator will come. So the investigator will, if they have more access, more tools to the cardholder data, say they can go in and they can reach out the merchant. They can try to figure out. They think that this is still, we cannot get back our money. So they'll find a dispute or a fraud dispute. And it will go to the platform they're working on, like, if it's, let's consider it. So MasterCard will follow the MasterCard rules. MasterCard will, uh, they'll send the disc to MasterCard. Hey, this is, the customer says it's not theirs. MasterCard will reach out to the merchants and say, hey, this has come down to you. Do you have any evidence showing it? Do you refute it? If you, if yes, give me evidence. So again, it's, there is a time limit, like 30 days, 60 days, 45 days for every process. So it's not like it happens like this. It's not like that. The merchant bank will send it to the merchant. Hey man, this is a problem. So no, no, I know this guy. I have a signature. Okay. He sent a copy of that signature. He had signed it. 
So that again, we'll come back to our bank or the cardholders bank, and then the cardholders bank will show, Hey, this is your signature. Oh, the name was different. I remember. So, okay. It's fiscal cases. Okay. You, the person gets back his money. Meanwhile, the money is on hold with MasterCard or the case is if the cardholder says, no, I still don't know. This is not my signature. And then we go back. Nope. And then if it's a high dollar amount or high... then the banks unit through a third party, and then they will be the people who decide fine, I like the quote, that's how it works. But then once there are many parameters again, that if the merchant is not responding time, he loses. If the card owner does not respond in time he loses. Every bank have their own, but basically they are the same type of, they can do go back twice and if it's up and again, the bank will decide again, if some banks have different kind of thresholds, some bank might say, hey, 50 rupees or 50 child doesn't, it is not worth, I just write it off, I just give it back, because the bank has to be the platform, he wants non money, so they want money from the merchant and the banks. So, you think for 50 if I have to pay 150 it doesn't make sense, they'll just write it off.

Okay, I understand. For the last two days, personally, I've been trying to buy something using my own card, right? And then I've tried... two, three different cards with the same merchant, and it's still rejected. Now, obviously the merchant says, go check your bank, right? I'm traveling right now, so I can't really go back to my Singaporean bank to call them up and ask them, hey, what's going on, right? Now, typically there are some companies which do provide declined transactions and stuff, but it is not available. So I actually don't know, and it goes to the OTP level, and it's like, after that, it's getting rejected. And I keep checking. Is it being charged? It is not. So I'm like wondering what exactly is going on here.
So I'm sure this is not the process that you talked about, which is basically I get the report later and then I report it as a consumer. That's a problem, right? In this case, it's a genuine transaction. But there seems to be a fraud, fraud check somewhere that is happening. Now I'm trying to wonder, is it on the merchant side? Is it on the platform side? Is it on the bank side? So I wanted to understand a little bit more of how, in this situation, what is happening?

So like, again, every bank keeps checks and like they have their own, according to the bank and the region there, they, and the customers again, they have checks like, okay, so if I am in Columbus and tomorrow I make a charge from Australia, it's going to block it. Man, you never told us you're going to Australia. How do we know it's you? Yeah. The same thing might be happening with you if you have not informed your bank. So ideally, you should tell your bank, Hey, I'm traveling. Okay. I'm traveling to these places. So there might be a charge for me. So when you call them, they will make a note and they will say, Hey, don't block the charges. Okay. Or maybe nowadays, usually like the OTP, the some banks, they have automated callers. You just get a call. Did you make this charge? You say, yeah. Okay, fine. He said, no, your card is blocked. Someone is using your card. So usually you have to inform them in advance that it's usually written in the terms and conditions of the fine print, but people normally don't read it. But it's for your safety that the bank is blocking it.

So it is on the bank side. The bank has a fraud prevention kind of thing. Yeah, right. And the transaction is going into that particular tool. Yeah. And there is some rules as you talked about terms and conditions. And then overseas is, let's say, one of the parameters that's going in and there's probably a flag that is coming out there.

It could be kind of anything. I never, you're getting charged a couple of times.
You hit my block, like if the other day I'd been to a casino, actually, I con for my session, but I tried some games wrong, but they were showing us the, how money laundering happens in the casino. So I thought, I never betted money, but I said, let me try. So I was playing a game, but 7 each time. So once I played, I lost. I should have killed it. The third time, my, my card got blocked. I got a message on my phone. Is that you? I'm like, yeah, yeah, okay. So, thank you. My bank has stopped playing. I'm okay. It's again, uh, it's up to, uh, the bank. And sometimes even you proactively, you can for your safety. I would say you should see if there's any transaction over this limit, will give me a call first. Even if I'm making it, I want to make sure like, you know, if you have your authorized user, that you have a card with your wife, your kid, your family members, someone might lose it, but you want to still be safe. Like, okay, I take care of my card, but if they don't take, I still want to be safe. You have to let, my wife should not do shopping over 50. But you can keep checks on that. And there are many things that the banks have now in place that to save.

Okay, understood. So we talked a lot about, so can I understand a little bit more about other types because credit card seems like a very structured investigation process. This doesn't seem to be too much of investigation because you're relying on the processor, right? Because they are the ones who is like arbitraging between you and them. I guess you are investigating. You're probably deciding what type of entities, but you're probably not really doing much of investigating. Right. So I wanted to understand how this would work in a non credit card fraud. Let's say, for example, account takeover. Somebody takes over my account and then cleans the money from me, right? And I may or may not even realize for a few days that actually happened. Because that's not a standard process. I'm not sure, right?
So I wanted to understand how a fraud investigation trigger. I'm guessing it still starts from the consumer. How would it go in a non credit card scenario?

And as you said, it would come off from the customer. You get a letter asking you to pay some dues. I never know this person. I have never done this job. So you call up your bank and say, Hey, why did this money go to this person? And then we back to say, Hey, you did that. And then we started investigating. Then we understand that somebody called up on this date, they had got your information like your birthdate or whatever is needed in the bank to make changes on your account. If you go change or maybe... from some place and they call up and they change the address, they change the phone number and they have taken over your account now because it's everything different now and then they go by usually account takeovers, the people they buy electronic things or things that can be resold again and they get a good price and then they have those temporary addresses usually it's a postbox, even if we try to go back and figure out where the merchant has left, we find it difficult, temporary boxes we have, and then at that time, when you reach out to the bank saying that it's not me, I had never called up, so it would be the bank's fault that they did not verify your information correctly, usually the banks, they take up the loss, okay, we didn't verify your information, but again, that also needs investigation, so then at that point, we are going to reach out to the merchant, right, we're going to get evidence, I don't know. Yeah. So we have to just verify that. If the colonel is lying, we say, no, man, it's you. So, or maybe it's a family member. Usually a lot of things happen with family members. They do that things. But I'm seeing a lot of, uh, contact was happening with, uh, senior citizens because they are not that tech savvy. And they, you need these spam callers. They call them and they, Hey, what's up?
You're nowadays AI, like they have voice takeovers and all they just say, uh, I'm stuck here. We can't send this money or something. They can just get information from them and boom, online. They're already logged in. Why are you talking to your account? That's all.

Yeah. Yeah. Understand. Understand. When you're also doing fraud investigations, right? Can I understand a little bit more about what kind of tools that you've used and what are some of the tools, cool tools that are available?

To fighting fraud, there are many, many tools. Every bank have different tools that some of the common tools are accurate. And I said, they're nice tools are there. We have tools for different purposes. We can listen to calls and every call that customer makes to bank is being recorded. So, they must get up, might go to the statement and you say, hey, I don't know, ABC company, and then 6 months away, ABC charge. Which you have not disputed. So now you don't know him, but now you know him. So I'm going to listen to calls and I might get some point that, oh, okay. And I actually got, hey, this is not fraud, okay, in your life now. So I know that is only, every investigation is different. It depends on. Every case. Again, we have access to investigators have access to data that we can go deep into your account. We can go see your family members and we can see who are they, where they stay. We can get your address, phone numbers, everything. We can work with law enforcement. We can, if we don't have access to some data, we can reach out to them. Or maybe they can, if a police complaint is filed, they can reach out to us and we talk to them and figure out. So many of tools, it's not difficult to fool bags nowadays. Yeah, I would say that. So apart from time constraint, if there's anything that's nothing comes in between like it's the time that sometimes because everything has a time limit, you have to close a case by law in that time. If we are out of time, we just have to write off.
So, what's the typical time frame like?

120 days, usually. From the date, from the statement date actually. Again, it depends on the bank, sometimes 15 days plus minus. Sometimes, some banks they say date of the charge or some date of the statement. But not, 120 days approximately, like 3 months.

Okay, okay. Got it, got it. And when you're using, so as an investigator, right? So, there may be a situation. So you did talk about for credit cards, let's say. If it is 50, sometimes it is probably not worth even. Investigator, right? So what are typically the cases that even come to investigation? Maybe there are some situations where the customer service, they themselves clear it out, saying this is not even worth investigating, right? Not even worth going to the investigator, right? So I want to understand what is this? What type of cases actually go to investigation?

dollars every month. Then the point when they come back, then we are not dealing with you anymore. So even if you're not investigating, even like, well, we'll send you a pay cut later. Happy? Yeah. So when you keep disputing charges, supporting Amazon charge every time, uh, although we write it off, but we do let Amazon know that this being disputed, Amazon keeps marking you and then when finally Amazon will tell you, they're not doing business. So you don't have to do this. And again, the third thing, mostly people don't realize is that you keep disputing charges, keep setting your credit score. Sometimes when you go to banks to get loans or anything, your credit score is going to, that's going to be a problem for the customer, they, and then they don't know on these basic rules. And then at that time, Oh my God, this is a problem.

Yeah. Yeah. The size of the dispute, is that the only consideration or there are other things that could play into.
A case going into investigation is the amount of only consideration usually the amount from I understand, but again, it's completely the investigators case, like, on the backs case, and they kind of like, for example, if it's holiday season and a lot of disputes coming in and you, again, you have to follow the timeshift to, you have so many disputes, but you will pick the higher dollar one or higher amount one first, because that's a bigger loss for you. Okay. And so it's not a fixed rule, but it keeps changing, but basically the amount does matter a lot.

Oh, okay. So this brings me to the point. So let's say you cross the 120 days. What exactly happens? Let's say you have not concluded anything or you don't have enough information to say whether this is actually a fraud or not. Right. What happens at 120 days?

You have to take the loss, the bank takes the loss.

Ah, so you just pay this, you just close the case. You just assume that the customer is right.

The account. Yeah. We, and then it's a c r A law that every bank in the us I work in the us I know about that law. Mm-hmm. So I've been able to take this some kind of law for everyone. You cannot like keep plug in the customer. What if he's right and he's just, you know, tired, and I'm calling you almost every and do it.

Okay. Okay. Understand, understand. And this probably would be the last question that I want to go through is, so having been through this ecosystem and being in the fraud space for so long, what are some things that you would like to see to happen or what kind of technology or a practice or a process that should have happened, but has not happened that you will look forward to happen?

That this, I don't have an exact answer because I, being a fraud investigator, I want the same job, so I'm smart, apart from this, but it's like a circle, a vicious circle. You keep making new technologies and fraudsters are going to get better off that one.
Every lock is going to get a key somewhere that they are. You won't, one part of time, you won't need to carry your credit cards. You can just do a bomb, a cookie, something else. So technology is getting better, but I'm sure the bad guys will figure more ways to that. Well, the best part is, uh, more. The more digital transactions you do, the more, I think, because they're easy to track down, they're easy to keep control on, and they will, the more digital, like in India, it's happening all digitalized, so the bad guys, they don't want to come into the books, so they, it becomes difficult for them to do money laundering kind of business or anything, because you to get caught and yeah, moving forward. Yeah. As I said, everything is getting automated. Everything. Yeah. You are helping the automation by learning RPA. Yeah. So again, I said, question of my job, new things, new things. You have to stay out of the forest. Yeah.

Okay. Awesome. Thank you so much. That was a lot insightful. I really loved some of the things that you talked about. I mean, some of the things that I actually didn't know in as much detail as well. So thank you so much and lovely to have you and have a nice day.

Sure. Thank you. Thank you for having me and I love talking to you. I can go on and on. Definitely. If you have any more questions, definitely reach out to me and have a great day. Bye bye. Thank you. Thank you. Thank you.