Fraud Technology Podcast

Episode 9: Why are US companies reluctant in implementing MFA?

Ravi Madavaram Season 1 Episode 9

This episode delves into the risks behind US merchants' and issuers' reluctance toward MFA adoption, exploring passive authentication and the pursuit of user-led security. Gain insights into the weight of fraud-related losses, which predominantly fall on merchants and issuers, in this engaging podcast discussion.

Thanks to Gauri Gopalakrishnan from Mission Lane (https://www.missionlane.com/) for the insights. 

In conversation with Ravi Madavaram from Regulo (www.regulo.ai)

Ravi: Hello. Hi listeners. Welcome back to the Fraud Technology Podcast. This is Ravi, and with me we have Gauri, who comes with quite a bit of experience in the market. Welcome, Gauri. I would love to know, and listeners would also love to know, a little more about how your journey has been.

Gauri: Hey all. Hi Ravi. Thanks for having me. I'm glad to be here. My name is Gauri Gopalakrishnan. I have spent almost 25 years on the financial services side of things, with the last maybe eight or ten years managing fraud and AML/KYC risks. I spent a lot of time in a big bank and in the credit card business, and now I'm working for a much smaller credit card business that is trying to become a much bigger credit card business. A core part of my role, amongst other things, is to manage fraud and KYC risks.

Ravi: Okay, awesome. Welcome, Gauri. You mentioned a small credit card company. Can I understand more about that? I see that there are quite a few credit card companies in the market, so can I understand how you are positioning yourselves, or what opportunity you see that you can address effectively through this credit card? This has nothing to do with fraud itself; I'm just curious about how you guys are positioning yourselves.

Gauri: Yeah, it's a fair question. So I'm at Mission Lane, and at Mission Lane we are trying to provide low cost and fair credit to customers that are typically not served by larger banks. You can call them subprime, you can call them underserved, you can call them FICO less than 660, whatever you want to call them. What we've seen is that there are one or two really large players in the market, and outside of that most of the remaining credit card lenders charge very high fees, or you might call them fee harvesters, or whatever term you want to use.
Gauri: At Mission Lane, we are leveraging our expertise in credit underwriting to be able to give folks who normally won't get credit, or who get credit at much more exorbitant rates, something that's more reasonable with regard to their risk.

Ravi: Okay. So you're basically going for that underserved market. In Asia, we call this the underserved market. Unfortunately, in this part of the world, credit card or credit bureau penetration is not very high. In the US it's pretty high, but I see you're going with that market. So can I understand a little bit more about how this is subprime? How do you manage the risk versus your underwriting? Is there a secret sauce that you have, or an insight into the market?

Gauri: That's pretty much it.

Ravi: Ah, okay.

Gauri: That is really it: understanding risk and being able to decision better than others. It's all about the risk versus the return, right? If you have a good handle on risk, then you can price accordingly, and just do that at mass scale.

Ravi: Okay, awesome. The other thing that I noticed, and something that's staggering when I look at your profile, is that you spent almost 20 years at Capital One, right? That's a long, long time. So I would love to know how your journey has been in the bank itself. It doesn't need to be specific to Capital One, but how you progressed, because I think towards the end you focused more predominantly on fraud itself.

Gauri: That's right. I had the opportunity to take multiple roles every two or three years, depending on the kind of stuff that I was doing at Capital One. That's pretty standard practice, and that gave me the opportunity to work in different parts of the business, all the way from originating new accounts to managing existing customers, managing the yield on them, retention, you name it.
Gauri: I've had the fortune of having all that experience. In one such rotation, I found myself leading a fairly significant part of our credit card fraud business, and I've never looked back since.

Ravi: Oh, wow. How did you like fraud? Because you've stayed in the fraud space itself, even though you've changed multiple roles.

Gauri: It's fun. It's ever changing. It's fun; it's stressful at times. You just have to keep doing things well consistently, and get comfortable with the fact that you will pretty much lose every day, and that's okay. You've got to be able to stand up and fight again. That's what we try to do.

Ravi: Okay. So when you say we lose every day, you're talking about fraud losses itself, correct? Okay. So what you're mentioning probably is, you have a threshold for fraud loss itself? Or when you mention that, is it a strategic decision, or is it operational, that you encounter losses?

Gauri: In any lending business, especially consumer lending, fraud is a cost of doing business, or fraud losses are a cost of doing business, whether it's the first party credit fraud or the more operational transaction fraud. In a credit card, you have ongoing usage, and the more one uses the credit card, the more likely that they will get that information stolen. So if you combine those, there's a risk. Since we grow and originate accounts on a daily basis, and those customers go and spend on a daily basis on our credit cards, you are going to have fraud every day. The key part is it's forecastable, it's budgetable, and then you try to manage within that forecast.

Ravi: Okay, I understand. You probably touched upon this a little bit. You talked about different phases in the client lifecycle itself, right? I guess, when you're talking about first party.
Ravi: So can I understand a little bit about what the different phases of the client life cycle are? Personally, I really understand the onboarding side of it and probably the account takeover part of it. Can I understand more structurally how you view the different phases, and what the prevalent frauds are at those different phases?

Gauri: Yeah. In any lending business, you obviously have the origination fraud risk: that the applicant for your product is either not who they say they are, or they have manufactured an identity. That's one of the biggest risks, and for a personal loan or an auto loan, where the money comes from the lender up front, that's one of the biggest risks. You have some fashion of an ongoing risk, which, for efficiency's sake, you can call account takeover risk, where someone literally takes over someone else's account for their own benefit. That's obviously more pertinent for a product that has ongoing utility, like a credit card. To that I will add two more kinds of risk. One is transaction risk, which is, you know, a credit card gets stolen. Like I said, if you've used your credit card, it's likely going to get stolen, so there's that risk: how do you manage against that? Then there's a fourth broad category of risk, which again is not specific to credit cards but applies to any lending product, which is what I would generally call payments risk: the risk that when someone's making you a payment, is that a good payment or a fraudulent payment? In other words, does a customer, whether a fraudster pretending to be a customer or a customer on their own, use money that's not theirs to pay the lender?

Ravi: I haven't heard about an account takeover scenario for it. So how would that work in credit cards itself?
Gauri: It's pretty huge, actually. Account takeover is basically that, let's say you have a credit card account, and I gain access to that account. Now, there are two or three things I would need to be able to monetize that. One is I would probably need a card, either physical or virtual. So the ways I could do that: I would request a physical card, but before that I would change the address, or route your emails to myself, or change the phone number on your account, such that any alerts or any information that you would expect to get as the true customer, you don't, and I, as the fraudster, do. Then I divert the card. If it's a virtual card, I get a virtual card sent to myself and then go to town with it. There are some card products which inherently allow a fraudster to monetize without even necessarily having a card. For example, if it's a rewards card, a customer can pile up rewards, and the fraudster can go steal those rewards, say, convert them into gift cards and steal that. So there are various ways account takeover works, but that's pretty much it.

Ravi: Okay, awesome. I also noticed, as I mentioned, I have predominantly worked in the Singapore, India and Malaysian markets, or the Asian markets. What I noticed specifically when I travel quite a bit to the US is the practice of MFA itself. Again, maybe it is anecdotal to me, but I find that most of the Asian credit cards would require me to enter my OTP or a 2FA to ensure that the transaction was done by me. But I've not seen that in the US, even on websites where I go and, let's say, book my ticket. Typically it'll just go through the moment I give the credit card info, right? I'm just wondering, does that bring a lot more risk? I want to understand specifically how this is viewed in the US itself.
Gauri: I can't speak in an informed manner about whether that brings much more risk, because I don't know what the credit fraud, or the fraud risk scenario or rates, are in Asian markets. But I do know what you're saying is correct, even in Europe for that matter, where it's much more common and much more acceptable, or accepted, for consumers to expect to have an MFA, whether it's a PIN or Face ID or things like that. In the US there is general resistance to that because of real or perceived, I would say it's a combination of both, impacts on actually completing the sale; the friction is considered very high friction. I would like to believe that that's one of the biggest drivers of not requesting an MFA. I also think that there's an element of both the merchants as well as the issuers having tools to detect when they need MFA or not, where basically they do the math to figure out, I would rather lose this sale, or rather, I can afford to ask for an MFA, and if I lose the sale, that's not a bad loss. Now, I don't know that those models, those detection tools, are better in the US than anywhere else. I actually don't think they are. I'd like to believe Visa, Mastercard, whoever the networks are, they're the ones that create and sell those tools, could sell them equally across the world. I think it comes down to a broader acceptance of things like MFA in markets outside of the US.

Ravi: Okay, I understand. I also noticed a particular term, and this is also something that I had posted about a week ago, because I've heard the term "passive authentication" multiple times in the last month, and I was curious about it. Basically the practice is: without causing any friction to the customer, how much certainty can I get that this transaction or this customer is genuine, without actually adding any more friction?
Ravi: My thought process there was, if I'm defrauded, I am in any way going to be losing money, so I might as well be a participant and decision maker in deciding whether it's fraud or not. I'm probably talking at a philosophical level where, as a user, I would rather be in control, or have an option to be in control. For example, I could have a toggle somewhere to say, hey, I want to be involved even if there is a slightly higher risk; I don't mind the friction itself. But there doesn't seem to be that option. It's like a financial institution takes the responsibility on their shoulders to decide that, hey, these users probably don't want friction. But that's probably a spectrum of people, right? Again, I don't know.

Gauri: I think from a credit card perspective the rules may be the same, and I'm speaking with a completely US-specific set of knowledge. I think the issuers end up being on the hook for a lot of the fraud, not all of it, but a lot of it. With credit, it's either the issuer or the merchant that ends up with a lot of the fraud. While it's definitely inconvenient for customers, for the most part they get their money back. They don't always get the money back, but if it's a true customer, there's a good chance you get your money back. It's not easy, it's pretty painful, but they can get it back. That doesn't mean the customer doesn't have skin in the game. If you think about a debit product or a bank account, if I have money in my bank account and a fraudster cleans it out, it may take me two or three months to get that money back, but I have to pay bills in those two or three months, and so it is incredibly inconvenient. So yeah, you're right, you'd like to believe that customers, consumers rather, would be more likely to participate.
Gauri: And maybe they are, but then there is a lot of that passive authentication that you talked about going on. That's what we do. That's what any lender, any bank, any issuer does: we always look to assess, if a customer is transacting or interacting with you, what's the likelihood that this is a good or a risky transaction or interaction? That's constant. That's, like I said, what we do.

Ravi: Okay. Can I also understand a little bit about false negatives, where a transaction is rejected while still being a genuine transaction? This topic for me is very impactful because in the last month I have been traveling like crazy, and a lot of my transactions have been rejected. I wanted to get a SaaS tool because I needed to do something else, and I tried for a week, and I called the merchant to figure out what the hell was going on, and it never worked. I was thinking, I'm a genuine person here, trying to reach out multiple times to figure out what's going on to get this transaction through, and it was not happening. I was frustrated: how is somebody deciding that I'm not the right person? That's where passive authentication also came in, and that's the topic that was running in my head. So I wanted to understand the false negative side of things as well.

Gauri: I think those would be, from an issuer's point of view, false positives to me. But yes, from a consumer's point of view it's the one minus false negatives that happens. That happens, and again, you can scientifically figure out at what false positive rate, and again I'm calling the same thing disallowing a genuine customer or declining a genuine customer. I can figure out through extensive testing and data what's the right level of decline, what's the value of a decline compared with asking someone to provide their documents.
Gauri: So all that you have to assume that you could do, and you reach that optimization. Now there is a disconnect here. Yes, I can test and learn my way through and figure out what's the right balance between customer friction versus value gained. I do realize, in saying all that, that it turns a customer into numbers and profitability and misses the customer angle of it. That's the fine line we have to balance as practitioners of defending against fraud: what amount of friction is right? What amount of trade-off between ease and customer friction, or customer experience, is correct? And yeah, people get caught in loops, like the example you gave for yourself, where they just get caught in the loop and can't get out of it. That happens. Does it happen too often? Probably statistically not, but those are also cases where consumers get stuck in loops, especially if it's their own money that gets stolen, if it's a bank account or debit account that gets stolen. It's very painful. I won't say those make for good stories, but those are genuinely painful stories that deserve the attention that they get. In that construct, it is pretty painful for a customer.

Ravi: So this is where I'm thinking that maybe the angle of a user having control comes in. Because at the end of the day, the financial institution is deciding on my behalf that this transaction is not worth going through, when I am willing to take that risk. This is where I'm thinking that the user is not involved in this decision at all, because the issuer, the merchant, the rails, either Mastercard or Visa, they are the ones who are deciding, and the user is just basically.
Ravi: To me, it felt like this is an existing system, a set system, this is how you use it, and what I mean is, this is how we use it, and it's set like that. Nobody seems to even be thinking that, hey, maybe there's a better way, maybe you can include the user in this. Again, this is a topic that I have been...

Gauri: I mean, yes and no. Yes, it is a set way, but if it wasn't you, and if it was someone else using your card to buy stuff, you might feel differently about it. The commonality in both is that, and I agree with you that there probably isn't room for more user participation, right? If it's like you're buying software for your company, and I'm assuming it's a reasonably high, relatively high dollar amount compared to your regular credit card spend, then yeah, you should be able to authenticate or participate in the authentication, versus spending your time trying to defend a decline or get over a decline. So yeah, I agree. While our positions might be different, being from the issuer side versus the consumer side, there is room for more consumer interaction. I'm open to that, because of the way I look at it: if I can get a customer to help me out, then I have one more person, one more resource, fighting fraud. That can go down a very slippery slope of, well, do you really know who that person is?

Ravi: Yes. That's kind of what the point is. Yeah, yeah. So basically, a couple of years ago, one and a half years ago, DBS from Singapore came up with this whole page. Like you have a profile page on your bank account, right? Then they came up with a controls page where they had a toggle; by default it was switched off, or at the default settings, like a financial institution, and they had a toggle where I could take control. It's like in the aviation world, where Boeing versus Airbus differ in where the pilot sits. Is he in between the controls and the computer?
Ravi: Or does he sit outside? In the Airbus scenario, the philosophy is controls, then computer, and then the pilot gives the inputs to the computer and the computer decides, right? In the Boeing scenario, the pilot is in the middle and the computer advises the pilot what to do. So there's a philosophical difference, and what DBS had done, and I like that approach and would love it if it were common practice, is there is a toggle for the user to say, I want to be in control and I know what risks I'm getting into. Then I can set, okay, my PayWave credit card transaction outside my country of origin is not allowed, and so on. I could set all these controls, and I could change them any time. That's how they had given a lot of control. I like that. Even then, my credit card was rejected, but that's a different matter. I like the control that I was getting, essentially.

Gauri: Yeah, that's fair. It's not terribly uncommon for issuers to do that, right? There will be various shades of it. You can set alerts on your account, disallow transactions greater than a certain amount, or get alerted when a certain set of things happen, and a lot of people do that. The full control is a bit tricky to give, because in the scenario where, if I were DBS or any bank, I give you full control, that also means that if there's genuine fraud on your account, sorry man, you're out of luck. You're on your own, and I don't think you can do that. I don't think you can do that because the customer expectations are different, and I think the regulatory expectations are different, right? The regulatory expectations are indeed very different, where a bank, or the banking system, or banks in general, have much more resources, much more capability to protect customers. Or at least the argument goes, and I buy into this argument, and therefore they should, right?
Gauri: So if you look at cases on Zelle, which is peer-to-peer money transfers, a lot of times people would get socially engineered, smished, whatever you call it, phished, to actively approve transfers that turned out to be fraudulent. The bank's defense was, look, the customer said they wanted to make this transfer and they actually approved it, here's all the record for it. The argument back, and you can argue whether you like it or not, is that all that might be true, but you, bank, are still liable because you have better resources to prevent this for customers, and you should have prevented it. What do you do in that case? So in that construct, if I'm a bank, and when I say bank I mean any lending institution, the incentive structure isn't aligned with giving control to the customer, because at the end of the day I'm left holding the bag. So I'm doing it myself. If you help, that's great. If you don't help, that's fine. It doesn't change what I need to do.

Ravi: Yeah, I understand. I understand that aspect of it. The false positive aspect of it, or basically a fraudulent transaction going through and the onus of that coming to the bank, is probably the one that is driving the behavior right now. Okay. I also wanted to understand a little bit about, you talked in your profile about fraud defense infrastructure that you built for one of the national payments, right? I wanted to understand from your perspective, when you're thinking about fraud prevention infrastructure, what are the key elements, and how did that even come about? How does one even go about thinking about how to lay out a defense infrastructure? For example, let's say there's a startup who is just starting to issue lending or any type of financial product to the market.
Ravi: What are the key components that they should think about, and what is the first one they should just go about and build?

Gauri: It's fairly simple in concept to describe. You've got to have stuff real time. You've got to have all the possible data that you can get, whether it's internal or external data, and by external I mean vendor intelligence; especially if you're starting up, you don't have any of that customer intelligence, so you buy it. You try to make decisions that are as close to real time as you can. Then the last piece, which I think happens quite frequently, is you just test and learn your way through things. You test various thresholds: if I decline so much, if I approve so much, what are the outcomes I see, and which outcomes are within my expectation, within my tolerance? I accept those and build my strategy around that. Now, obviously, if I'm starting off from scratch, I want to have an incredibly high bar for fraud. I probably want manual decisioning for the first months, years, whatever, depending on my growth. As machines learn, as humans learn, you can keep feeding that back into the machine to get better models and better information that can further fine tune and refine your cuts and thresholds. That's what you would do. But again, the infrastructure really is having the right information, the right data, to make the right decisions, ideally as close to real time as possible, because speed is normally of the essence in fraud. The more you decide within the moment, the better it is.

Ravi: Okay, so what you're talking about is basically data, or the input to your fraud infrastructure itself. Then, I'm assuming, you're talking about a monitoring tool as well.
Ravi: And then the decision itself, which is either machine learning or a human that is actually doing the decisioning. Your suggestion is to basically do all of it in real time, to the extent possible and to the extent relevant, right? If your product is complicated, like a mortgage, and I know we're not talking about mortgages here, but just as an example, you're not looking for a real time decision. It takes long. It takes time.

Gauri: You don't have to have stuff real time, right? For credit cards, the standard is instant decisioning. So if you're decisioning for credit risk in real time, especially for some lending products like credit cards, the line between fraud and credit risk is semantics. You might as well decision them all together.

Ravi: Okay. I noticed also that your role spans across fraud, collections and recoveries as well. I was wondering, is this an independent portfolio, or is there a synergy between all of this?

Gauri: They could be, I mean, they have to be synergistic in some ways, but really they're independent processes, and that's just a function of my role. You can call it risk ops, you can call it whatever you want. Collections and recoveries is more about, in a lending product, some people have difficulty paying you back. How do you help them pay you back by giving them products and tools, or just even reaching out to them and seeing how you can help? That's more on the collections and recovery side.

Ravi: Okay, understood. Whatever fraud models you've built, what are some of the key challenges? You talked about testing and thresholds. When you're doing the first test, you probably don't have any data. So how do you go about testing, and how frequently would you...
Ravi: ...test, basically, and then set and adjust these thresholds?

Gauri: You may not have data when you start off, but you do rely on something, which is experience. You rely on your vendor scores and the vendor's experience, and there's a lot of that to go around. From scratch, with, let's say, a credit card product, you can craft a fairly simple but effective fraud policy. You get device risk, you get ID risk, you get email risk, and so on. You can get all sorts of risk indicators and put them together to say, generally, if the score is beyond a certain threshold, that's normally bad news. If I don't know what that threshold is, I ask the vendor selling me that score: hey, what's a good score to cut at? They'll give you reasonable estimates. You start off like that, and you always test. If my threshold for a particular score is, I'm just making it up, 10 is bad and 0 is good, you can set the threshold at 9, or maybe set the threshold at 8, but you let some apps between 8 and 9 come through and see what happens. The testing, I think, needs to be always on. You always test on your margins. As to how often one should refresh, the technology exists today to refresh automatically; you can set a refresh every month, or refresh if certain thresholds go beyond a certain point. You can do that, and we do some of that, but the appetite and requirement to refresh depends. Obviously, when you're new, you're learning things much quicker, and so you want to keep changing and looking at your policies, maybe refreshing them monthly or quarterly. Then you get into a cadence of, whatever, every year you refresh your policies. That's just a policy refresh. There's nothing that stops you from putting in flash rules: you see a certain trend, you want to kill it, you put a rule in right now.
Gauri: And so that's daily, pretty much.

Ravi: Okay, got it. This is probably my last part, and this is also something I ask all my guests: based on your experience right now, what's something that you feel should have happened, that you see in front of your eyes should have happened a long time ago but has not? What's one frustration, something that you think should happen but hasn't? It can be anything about technology, the product itself, or the market itself. A fairly broad question.

Gauri: Yeah, it is a very broad question. In the US specifically, there's still a lot of reliance on individual pieces of information to identify a customer, like your Social Security number and date of birth and all that. That's fine, it makes sense, but really, why don't we have a national digital identity, or an international or global digital identity? You've seen success stories in India where that rolled out pretty quickly and, I would say, fairly well, though I don't know what the actual reality is on the ground. I wish we could do that and get rid of all this Social Security, this, that nonsense, and have something more biometric or more behavioral based. I wish we could do that. What else? You talked a lot about customers accepting more friction. I wish we could do that, and in some risk-based manner get customers more engaged in authenticating their transactions. I have a sense that the friction may be a bit more perceived than it actually is. That's just me; I might be an outlier on that front. I think those are a few things which I hope we could do right away.

Ravi: Okay, awesome. We can talk more about others; even Singapore has done something called SingPass.
Ravi: And other countries have done similar stuff as well. But yeah, that's also something that I was definitely wondering about in the US, the reliance on SSN. One thing that I do respect is that most people seem to be conscious and clear that the SSN is something that shouldn't be shared, and they keep it tight to their heart. But in India...

Gauri: They try keeping it tight to their heart, but...

Ravi: Yeah. It's all out there. So in India especially, people just share other numbers, just like that. Or even in Singapore, they share those identities. Singapore is a lot tighter, but in India, with the numbers, there has been a lot of fraud happening around that as well. But thank you so much for the insights and the time. We'd love to catch up in person as well, and probably do this in person sometime again. Thank you.

Gauri: Yeah, I'd be happy to. I'm bummed that we couldn't meet when you were here last month. So yeah, I look forward to it. Thank you.

Ravi: Thank you. Awesome.

Gauri: Thanks for the time, and thanks for having me.

Ravi: Thank you.
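The threshold discussion earlier in the conversation (a vendor score where 0 is good and 10 is bad, a cut at 9 with applications scored between 8 and 9 deliberately let through so you can see what happens, and flash rules dropped in on top of the standing policy) can be made concrete in code. The following is an added illustration written for this page; it is not code from the podcast, from Mission Lane or from Regulo, and the score scale, the `Application` and `Policy` shapes, the deterministic sampling rule, the `burst.test` flash rule and every application in `sample_applications()` are constructed for the example.

```python
"""Score-threshold decisioning with an always-on test band and flash rules.

Added illustration for the threshold discussion above. Not code from the
podcast, Mission Lane or Regulo: the score scale, the data shapes, the
sampling rule and the applications are all constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Application:
    app_id: int
    score: float                      # assumed vendor risk score: 0 good, 10 bad
    email_domain: str
    is_fraud: Optional[bool] = None   # back-filled once the outcome is known


# A flash rule returns a decline reason, or None if it does not fire.
FlashRule = Callable[[Application], Optional[str]]


@dataclass
class Policy:
    decline_at: float = 9.0                        # score >= this always declines
    test_band: Tuple[float, float] = (8.0, 9.0)    # [lo, hi): decline, but sample through
    sample: Callable[[Application], bool] = lambda a: a.app_id % 10 == 0
    flash_rules: List[FlashRule] = field(default_factory=list)


def decide(app: Application, policy: Policy) -> Tuple[str, str]:
    """Return (action, reason). Flash rules run first, then the cut, then the test band."""
    for rule in policy.flash_rules:
        reason = rule(app)
        if reason:
            return "decline", reason
    if app.score >= policy.decline_at:
        return "decline", "score_above_cut"
    lo, hi = policy.test_band
    if lo <= app.score < hi:
        # Letting a deterministic sample through is what makes the band measurable.
        return ("approve", "test_band_sample") if policy.sample(app) else ("decline", "test_band")
    return "approve", "score_ok"


def evaluate(apps: List[Application], policy: Policy) -> Dict[str, dict]:
    """Tally decisions per reason and, where outcomes are known, the frauds among them."""
    stats: Dict[str, dict] = {}
    for app in apps:
        action, reason = decide(app, policy)
        b = stats.setdefault(reason, {"action": action, "n": 0, "labelled": 0, "fraud": 0})
        b["n"] += 1
        if app.is_fraud is not None:
            b["labelled"] += 1
            b["fraud"] += int(app.is_fraud)
    return stats


def fraud_rate(stats: Dict[str, dict], reason: str) -> Optional[float]:
    b = stats.get(reason)
    if not b or not b["labelled"]:
        return None                   # nothing observed yet: do not pretend to know
    return b["fraud"] / b["labelled"]


def suggest_cut(stats: Dict[str, dict], policy: Policy, tolerance: float) -> float:
    """Tighten the cut to the band floor if the sampled band frauds above tolerance."""
    rate = fraud_rate(stats, "test_band_sample")
    if rate is not None and rate > tolerance:
        return policy.test_band[0]
    return policy.decline_at


def sample_policy() -> Policy:
    # Constructed flash rule: a burst of applications from one throwaway domain.
    burst = lambda a: "flash_burst_domain" if a.email_domain == "burst.test" else None
    return Policy(flash_rules=[burst])


def sample_applications() -> List[Application]:
    """Constructed applications; is_fraud is the outcome learned after the fact."""
    return [
        Application(1, 2.0, "mail.example", False),
        Application(2, 4.5, "mail.example", False),
        Application(11, 7.9, "mail.example", False),
        Application(3, 8.2, "mail.example"),          # in band, not sampled: declined, no outcome
        Application(10, 8.4, "mail.example", True),   # sampled through, turned out fraud
        Application(20, 8.7, "mail.example", False),  # sampled through, good customer
        Application(30, 8.9, "mail.example", True),   # sampled through, fraud
        Application(7, 9.5, "mail.example"),          # above the cut
        Application(8, 3.0, "burst.test"),            # flash rule fires on a low score
        Application(40, 8.1, "burst.test"),           # flash rule wins over the sample
    ]


if __name__ == "__main__":
    policy = sample_policy()
    stats = evaluate(sample_applications(), policy)
    for reason, b in stats.items():
        print(f"{reason:20s} {b['action']:8s} n={b['n']} fraud={b['fraud']}/{b['labelled']}")
    print("band fraud rate:", fraud_rate(stats, "test_band_sample"))
    print("suggested cut:", suggest_cut(stats, policy, tolerance=0.05))
```

Two design points worth noticing. First, the declined bucket never gets a fraud rate: an application you decline produces no outcome, so the only way to learn whether the 8 to 9 band is really bad news is to let a known, deterministic slice of it through and watch (`fraud_rate` returns `None` rather than a guess where nothing was observed). Second, flash rules are evaluated before the score so that a rule added today to kill a trend takes effect regardless of what the standing threshold policy would have done, including for applications the test band would otherwise have sampled through.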