Fraud Technology Podcast

Episode 12: Understanding the Rise of Fraud as a Service

Ravi Madavaram Season 1 Episode 12

Dive deep into the complex realm of fraud prevention with Brian Siegel, Barclays' global head of fraud risk and Ravi Madavaram, co-founder of Regulo. Unraveling the intricate layers of modern fraud, Brian sheds light on the alarming surge of "fraud as a service" and the relentless pursuit of balance between customer experience and security. Explore the shifting tactics of fraudsters in exploiting advancing technologies and the pivotal role of customer education in thwarting emerging threats. Join us for an illuminating journey through the evolving landscape of fraud detection and risk management.

Hi, welcome everyone. Welcome to the Fraud Technology Podcast. We have with us Brian Siegel today. We had a chance to talk to Brian a few months ago. Unfortunately, we lost the recording, but we are so happy and thankful to Brian for joining back again. Welcome to the podcast, Brian. Nice to see you here.

Nice to see you again, Ravi.

Awesome. And just to give a short introduction of Brian. So Brian is the global head of fraud risk at Barclays, and he has about almost three decades of experience in the risk space and the last 10 years, especially in the fraud space. So that's a wealth of experience that a lot of us could benefit from listening to his insights in the industry itself. Welcome again, Brian.

Yep. Thank you.

Yeah. So just to start, so I wanted to understand, because I think in the last one, two years, there's been a humongous growth in fraud itself. So I want to understand what is essentially driving fraud today.

That's a great question. And one, we would probably need three hours on our podcast to go through. There's so many factors, but when I really think about it, there are three main drivers for me, right? And the first one is ease of entry for the fraudsters, right? You know, the sophistication and availability of tools, you know, fraud as a service are making the ability for people who might not have had the technical expertise you used to need to have to make this behavior easier, right? Data breaches, availability of PII data, right? That's the first one. The second one is what I call the need for speed. And as we shift to faster transactions, quicker, better customer experience, fraudsters are learning to exploit these processes, right, for their gain. So, for example, in Europe, with faster payments, instant settlements, unless there's a robust fraud detection program, it's going to be impossible to recover those funds, right? The third big one is really customer education, right? Customer education needs to be improved.
Customers need to be better aware of fraudulent signs, particularly around scams, particularly around how they secure their mobile devices, how they secure their tablets and things of that nature. I don't think we as an industry are doing as good a job as we can, but those are really the three big ones that I see as a driver.

Awesome. Touches a lot of nerves for me, because I think I do have questions specific to each of them as well. So one, I think you did talk a little bit about fraud as a service, and I've heard about this before, would love to understand what this essentially means.

Sure. So what this is, is there are organizations, people out there, what have you, that will provide you with the tools necessary to commit fraudulent activities, specifically financial fraud. So if you want, or even cyber fraud, like a denial of service attack or something, there are organizations that will give you coding necessary, will give you detailed instructions, how to embed this coding. They will give you, for credit card fraud, you can purchase card readers and cloning devices. They're even as sophisticated as they have call centers with help desk lines. So it used to be in the earlier years of credit card fraud, right? In the eighties and nineties, you had to be fairly technical to be able to pull off something like this to defraud an organization like a bank. Today, you just need to be smart enough to follow a list of instructions. So it's definitely something to be aware of. It's anyone can do it.

I remember seeing, I think last year there was somebody who in the UK was arrested because he was managing a SaaS platform, essentially, for fraudsters to buy, let's say in the U.S., SSN data, essentially, because you cannot buy like a 10 million data set. You want to buy like a thousand and see whether such a fraud model apparently works or not. Right. So that was pretty interesting.
And I think most of the people don't know how easy it is for a fraudster to actually access this.

I think you're spot on. I think people need to realize that it's not a matter of if, it's a matter of when their data will be compromised or somebody will attempt that, right? All of our data is out there, particularly here in the U.S. with all the data breaches and what we see this worldwide. We can go on and get your personal information, my personal information and pay maybe a few US dollars for it. Right. And we can do it in about 10 minutes if we wanted to. So yeah, I think you're, you're spot on.

Yeah. I think the going rate for now, SSN from the US is apparently 10 SSN that you buy in this platform. Telephone numbers and emails are much cheaper. You can buy them at like a dollar or two. Awesome. So you also talked about the second point was about need for speed. That sounds like the game that you play, but essentially the expectation of customers that we want the services to be fast, right now, at the same time, you need the fraud also to be in real time as well, to be able to counter that. Right. And the expectation is not tapering down, right? I mean, it's getting even more and more demanding from the customers and the market is also getting very competitive. So how do you manage this balance? Because the more fraud controls you have, the more friction you have, which goes against the customer experience objectives that you're going with. So how do you balance these two conflicting priorities?

It's not easy.

Yeah.

Yeah, I look at, and that's the key word, conflicting. It's not easy to do, right? You can, I tell my CROs all the time, I can guarantee you no fraud loss for the bank. I can guarantee it. Zero. We'll also have zero customers, zero revenue. There has to be that balance, like you said. And the best way to do that is, is to have a partnership with the business, right? We need to be aware of their roadmap.
Hey, here's where we're looking to take our customer experience. Faster payments, quicker application processes, and it's then behooven on, on the risk teams, but particularly the first line teams to be able to then start to build the technology or to enhance our technology to be able to keep up with that. Right. And so that comes down to resources, right? And that's a big constraint for a lot of people. And that's, again, that balance, right? You have to be able to keep up with the technology.

I understand. I understand. And how do you manage this in a, I mean, your experience of expectation of customer experience is fairly standard across the globe. Everyone wants it in instantly real time payment. I mean, the US is still a little bit behind in that customer experience, but the rest of the world pretty much is in real time payments ecosystem. Right. And because such a large company with so many different countries, so many different risks that you have. How do you manage that in a large company like Barclays?

The way you manage it is number one is communication, right? We need to understand where the goals are of the business. Like I mentioned, partnership with the business, communication, but it's a two way street, right? It's, we can't have customer experience being the most important thing, right? Above all others. And it's the same thing with fraud prevention. We can't keep all the doors locked. There needs to be a balance, right? And you need to have that conversation, right? So for example, faster payments, that's starting to come along, as you know, here in the U.S., but like you said, outside of the U.S. that's been the standard for quite some time, or at least the bigger part of it. And that's being okay. So we have instant settlement. So then that means, what is our pre settlement fraud controls? Are they adequate enough to be able to catch everything? But are you going to be able to catch the majority of fraud? Right?
So it can't be like in the old days when you would catch something you weren't sure, then you wanted to delay the payment. You can't do that. Right. In that case, you needed to be able to focus there. So again, that goes back to communication. It goes back to understanding the plan that your stakeholders have. And being able to put something into place, having the resources to put something into place.

Awesome. Awesome. And the last point that you talk about in the trends to increase a fraud itself was around customer education itself, right? So I want to combine this question with something else, which is on the APP fraud in the, in the UK itself. So the UK regulations came up for PSPs in December last year, saying that you have to reimburse whenever somebody claims that they have been a victim of. So this goes a little bit counterintuitive to customer education, because I could be naive and I don't need to be educated to claim that I've been, because I have no loss essentially, right? Because I will be reimbursed if I can prove, right? Personally, again, you can correct me here, my view is that such regulations are probably going to be a mainstay in majority of the countries. They started in the UK. But most of the countries are likely to adopt something like that, right? So when that happens, right? One is customer education. You want to teach them that you have to be cautious, but on the other hand, there is no incentive for them to learn, right? Because you're going to 100 percent reimburse, right? How is this going to play?

I think the way this is going to play out is ultimately, that's where the PSR is moving, like you called out, that it's going to a preventer pay model, right? And we'll see more, you know, as it's implemented Q4 of this year. I think the important thing is customers don't want to go through this in the first place, right? The banks have to be able to show that we have provided that, hey, are you sure you want to make this payment?
This is going to someone you've never done business with. You know, there are certain things the bank is putting into place, but I think if we can get the customers educated enough, right? That they can sort of help themselves, right? Yes. Ultimately, if we prove that we couldn't prevent this, then we're going to reimburse. But I don't think there are many people that are going to want to do it in the first place, right? So that also helps us. That helps our prevention process, right? We're really helping. The banks are helping themselves with that. Not only the customer, it's everybody wins, right? So, you know, it's a win win situation. Somebody calls you up and has a great investment opportunity. All we need is, you know, a million pounds, you know, in cash or something ridiculous like that. Well, maybe to take a second step, call your bank, talk about it. I think that just sort of helps the general environment, but it is going to be challenging. I won't say that it won't be because I think it's a, it'll be a very challenging process, not just for fraud, but then you have money laundering, money mule, things of that nature, too, is going to get very difficult.

I understand. I want to understand a little bit more on that one. For example, let's say somebody asked me, Hey, Ravi, invest a thousand dollars every month in this particular scheme and you're going to get, let's say triple the money by the end of the year. Something like that. Right? Previously, I used to, there is a saying which goes by, if it is hard to believe, then it's probably not true. Right? So I will always have that common sense. But when I have a safety net that I can always go back and say, this was APP fraud because he convinced me that this would give me three times, I didn't realize at the time. So when it provides that safety net I may become a little more risk prone. I may take that risk because I have a safety net now.
So there is this conversation in the market when this particular regulation came in about saying that this incentivizes fraud rather than it stops fraud. So I wanted to understand how banks see it.

At least for us, the bank's responsibility is to protect their customers. That's number one. And I think they're certainly trying to do that, right? All banks are trying to do that. And they're doing that in a lot of different ways. So, you know, if you're going to make that payment and it gets flagged and we're looking at it going, Huh, is that? And we contact you and say, Ravi, are you sure you want to do this? And you say, Oh, yeah, absolutely. I'm going to get triple my investment. And we say, well, that's a very difficult thing to be able to do. You know, the market only averages X and you're talking about what we would advise caution and maybe, and then if you say, no, no, no, I'm going to do this. Right. You move forward. Obviously I think the banks need to show that we're trying to help you, right? I think that's the important part for us to be able to make that claim that, Hey, we did all we could. Look, at the end of the day, it's going to be the customer's decision what to do with their money. Right? That's everybody's right. But I think if the bank is able to provide enough information to make you think twice about it, I think that could help. Look, is it going to prevent all of it? No. Is it going to help some customers? Absolutely. I mean, there's always going to be people to your point going, I'll just tell him it was fraud, right? There are people that believe that way. But the majority of people really want to do the right thing. They really don't want to gamble.

Yeah.

You know, people understand how hard it is to earn money. They don't want to let it go as easy. So I think you are going to, for the majority, that education is going to help. And some of the stuff that the bank is trying to prevent is going to be beneficial.
So one, you talked about, you know, protecting the customer, which is the main objective behind the regulation itself. I agree. Second one was about, you know, providing that education so that the customer can make that call because at the end of the day, it's their call. Okay. Fair point. So I also noticed that with this particular regulation, right, there is a very specific fraud regulation, which comes into now compliance and fraud itself. For fraud, you are supposed to comply, basically. Typically, compliance departments have been predominantly AML. Fraud has been typically more bottom line or which impacts the business itself directly. Compliance has been more like, you know, I need to show my auditability and explainability to my regulator, right? So now, when these regulations come in, I was wondering, because fraud and compliance are now getting merged, how are banks or PSPs preparing to comply to this?

I always look at fraud and AML as, as just right next to each other. Like they're so close, right? There's a different focus. Like you said, particularly AML is concerned with money coming in, money coming out, fraud is a little bit more focused on loss to customers, loss to the bank, but a lot of the same data, a lot of the same analysis sort of goes together. So I think it's a natural progression. It's something that they've been doing for a while, right? Sort of sharing information and things of that nature. It's just for a different goal, right? So what the AML folks in compliance, like to your point around the regulators and things like that, but I think banks will start to prepare to say, look, what kind of interaction do we have? Where do the touch points in the processes? And if we don't have them, then we better get them, right? That's where I think they need to focus.

Yeah. So predominantly the compliance teams and fraud teams have been different, right? Traditionally.

I'm aware of some banks that it's fraud is in compliance, right?
Along with AML, sometimes you're broken out, right? There could be different operating models. Now the individual groups, like I said, have different narrow little goals, but in general, it's the same bit of information, right? So if the fraud team is picking up on account takeovers and increases in deposit applications, for example, the AML team's going to want to know all about that as well, because what are they doing that for? The fraudsters are opening up these deposit accounts to then move money through and then out, right? So there should be natural collaboration through both teams. And if there isn't, then that's something that group needs to work on.

I understand. I understand. I remember in my previous role, where I was doing KYC is a compliance requirement, but KYC also had a lot of elements of anti fraud itself. Because if you're doing sanctions, there's also sanctions evasion, which typically has fraud elements into it as well, that I am pretending to be somebody else to get into the system, which goes into fraud as well as sanctions itself. Okay. That reminds me that yes, I think it has always been there. It's just that traditionally have been different teams, but I guess the interaction would increase going forward.

That's right.

Awesome. I also want to understand how your fraud modeling, the machine learning or the data within a large bank like Barclays is structured. For example, different countries may have, one, different products, obviously. And also you may have different data coming in and different markets also have different external data sources as well. So you may have very disparate requirements from business units. I know you talked about talking to business units and being in sync with what the business teams want. But with a company like as big as Barclays, you will have so many different business units.
One, there is benefit in centralizing it because you can then learn a lot of things and cross leverage a lot of techniques that you have developed. But at the same time, you also need to be specific to each of the businesses itself. So how do you manage this centralization versus customization to each of the businesses itself?

It's not easy, right? And I think you were hitting all the high points there. You have different regions with different data requirements. You also have different privacy laws there. In certain regions, you can only take data from customers, certain data points versus others. I think it comes down to where are your risks and your requirements, right? So it's always good to share data, right? The ultimate setup, at least for me, would be one single data lake. I know we hear that term a lot, data lake. Everything goes into the data lake, all the data from login to payment. Anytime a customer interacts with you, you'd want to get all of that together. And I think that's probably the ultimate goal, particularly of our data scientists. I wouldn't want to speak for them. I think it's about as we move towards that, right, which will take time. It's about risks. Where are your key risks, right? So my risk, I'll just make it up. My risk is in applications. Application fraud, right? A lot of, well, okay, do we have the right amount of authentication? Like what's our authentication process look like? Do we have the right data points? Are we validating customer identity correctly? Well, we're not. Okay. Do we need to be pulling in, to your point, right, KYC, more from the compliance side? Are there more data points we need to pull in there? I think it's about looking at it risk based to address your key risks. Do you have enough data for that? So that to me is more tactical. And then the strategic view is exactly what you were saying. And we were talking here about having everything all together. I, that's definitely a goal.
I think it's, look, there's resources, there's different, and you said disparate systems, regulations, but I'm sure move that way. But I think it's right now for us. Right. Or at least the way I would say it is, it's risk based.

I understand. With your experience, not just in Barclays, the last 10 years in fraud, and probably even previous to that, right? Can I understand what is a framework that you use in fraud prevention itself? Is there a framework that you use that has worked very well for you?

So for, I'll take a step away from Barclays, you know, I have experience on the merchant side, implementing and running fraud departments, investigations, analytics, things of that nature. I think the framework, to me, it's, it's sort of pretty simple, right? There's a couple of things. Number one, and it's what we were talking about before, balance between customer experience and fraud prevention, right? You need to find that right balance. It's all about appetite. How much appetite does your business, your leaders have for loss versus their customer experience? That's number one. Number two is, right, risk based assessments, right? Do we know where our pain points are? Right? So I used to work for Sirius XM, which is a US based satellite radio company, very similar to like Spotify. But Sirius was US based. So the big pain point at Sirius XM is credit card fraud, right? You know, they were predominantly a card not present merchant. So we were very concerned with card fraud. So we know what the top risks are for card fraud or what we're concerned with. Are we mitigating those risks, right? The other one, two more. The third one is, are we leveraging our tools and platforms adequately, right? So you have a fraud decisioning engine, you have a device ID, biometrics, whatever it is. Do we have it leveraged correctly? Are we using the right tools in the right way, the right data? And then that goes to the last one is analytics.
Do you have the data to be able to have a constant process of review and improvement, right? So do you know what a good customer looks like? Do you know what a good day looks like from a transaction perspective? Do you have real time analytics, right? I think you need to have all of those things working in tandem to be able to have a successful framework. That's sort of how I think about it.

Wonderful. Wonderful. That's really helpful. Right. I also want to understand one of the points that you talked about was about business units have an objective, like from a growth point of view, I want to grow this much for this year. And then they probably have a budget for a loss as well when they're making that business plan itself. Right now, when I see the FTC data, and even data from outside as well, is that the number of fraud is not growing. The instances of fraud is not growing as much as the value of the fraud. Right. Even if one fraud happens, there is a much bigger value of loss that is actually happening. So in such a scenario, has there been issues of budgets being overshot? Like, for example, I remember this case from three weeks ago, a Hong Kong financial employee was brought into a Zoom call and then all other employees were actually deepfakes and then he was asked to transfer about 20 million, right? So while the overall business may not have more than average fraud, but there may be one or two specific business units just by chance because the number is not high, but the amount is higher and it's so. So has this been a problem or is it a manageable problem at the moment?

I think it's just constantly evolving, right? And it's funny that you mentioned that deepfake because I read that same article and I was just shocked and it's horrifying to think about just how easy they can do that. But the way I look at it is I think fraud is constantly evolving, right? It's also, we always say it's like water. It always finds its lowest level.

Hmm.
You close off one area and then they'll circle back and figure something else out. And you can see a spike in your credit card fraud, to your point, but then deposits fraud has dropped off to nothing. They're constantly moving. I know speaking with my peers in the industry, there has been an increase in check fraud, you know, within, not for Barclays, but for our peers in the U.S. In the U.S., you know, they've been dealing with a lot of those issues, and it's sort of surprising. You think about it. You say, Well, who writes checks anymore? Plenty of people do, right? And the fraudsters are pivoting, right? So maybe a bank has spent a lot of time and money on implementing or upgrading their authentication process for credit cards or, and they've put in biometrics and they got rid of one time pass codes and they're using push notification, whatever they're doing, they've got it to where they think, Hey, we're best in class now, the fraudsters are going back a little bit more old school and they're attacking checks, right? So manually adjusting checks, fake checks, pulling things out of the mail, things like that. So I think it's just a cycle, right? And you have to be constantly vigilant and that's where your data and your monitoring comes from.

There is this framework that, by education, I'm an aerospace engineer. So I do know a lot of risk models within the aviation industry. So they have something called the Swiss cheese model. They have layers of cheese, Swiss cheese, Swiss cheese has holes basically, right? So each risk control that you have, it can go to fraud at any of the risk control, right? So let's say fraud control, you have one fraud control, it has holes in it. And so you have multiple layers to be able to protect yourself from, and you have fraud when all the holes in the different Swiss layers kind of align. And I always imagine you use the analogy of water and then where it tries to figure out the lowest point, right?
I always keep imagining that the fraudsters keep poking holes at each of them and then finding which one actually goes through and then try to make it, put your finger and you make it bigger and bigger. Right. Until somebody comes up and puts another control. Right. I love that analogy. It's a very visual for me, at least when you're thinking about controls. So you also talk a little bit about merchant fraud. I remember you are also part of a Merchant Risk Council. We'd love to understand what the responsibility of this scheme itself, is it most predominantly fraud or is it a generic merchant risk itself?

I would say the Merchant Risk Council, which I think is a fantastic organization. They're focused on payments, fraud, chargebacks. That's really their space. They put on conferences, both in the US and in Europe. And the reason I think it's a wonderful organization is because it gets people like us together and sharing ideas, which is not something we do very well in general, right? You're able to sit down and have a cup of coffee or cup of tea with someone who has your job, or 10 people that have your jobs, and say, well, what are you seeing in terms of fraud? Well, we're seeing this sort of fraud vector, and you think to yourself, Wow, I have, I didn't even know that. You're learning new things, you're sharing ideas. I think it's a really great put, you know, they have, uh, education. They put on webinars and things like that. I think it's, there needs to be more of that. It really is. Right. Because it's, we really are, I know it sounds all in this together, right? So, you know, I'm getting attacked with a credit card fraud. It's only a matter of time before they go down the street and they try it with you, Ravi. Right. It's sort of that constant, like I said, finding its lowest level. So I shut my door, they're going to go down the street and try it with somebody else.

Yep. Totally agree with that. Right.
And again, I always think that people assume that it is only the uninitiated who typically get attacked more about fraud, which is probably true, but there have been instances, even though I am within the ecosystem of fraud, and I know majority of the models of brand of fraudsters, but I still, there was an instance where I was almost, and the last moments the, because one of the words that the fraudster used kind of triggered me. I'm like, huh. But I had come a long way until then. You know, I knew, and it still happens for us. I do want people to be aware that it can happen to anybody, even if we are fully aware of fraud itself, it can definitely impact us. So one last question itself before we close the session is, I see that your experience has been predominantly in audit in your first part of your career, like almost 18 years in internal audit, and then you shifted to fraud, right? So I want to understand how that shift is and how that came about and how you're enjoying the fraud side itself.

So, look, I love what I do, and I'm not, this isn't a public service announcement for working at Barclays. I mean, it is a great thing to work for and great people. But, for me, I love what I do because it's always something different. It's everything that we've been talking about. So not only are the fraudsters always changing, but the methods for prevention and detection are always changing, right? It used to be rules based systems. That's all you ever needed. Now, machine learning models, how we stop generative AI, things like that. It's always something different, always something to learn. So that's always appealed to me. And that's really what originally appealed to me with internal audit, because audit, it's always something different, right?
So, you know, if you're doing a financial audit, maybe you're learning about accounts receivable, or you're learning about this manufacturing, or whatever it is, you're always sort of picking and you're getting a nice view of the organization, right? Moving over to fraud again, sort of appealed to me. I get bored very easily, right? I always need something new, something different to learn. And I'm always very careful when somebody will say, well, I'm a fraud expert. And I sort of cringe because yes, you can know a lot about fraud and there are people, we both know I'm sure, that have an unbelievable level of experience and knowledge, but there's always something new to learn. There's always a nuance. There's always something different. That's what I like about it the most, right? It's no two days are ever the same working in fraud, as I'm sure you know.

Yeah, wonderful. So on that note, I think, really, thank you, Brian. And again, I do echo a lot of the points that you did talk about. Fraud seems very dynamic. And it feels, it appeals to my nature as well, that it's always something new to learn. There's a new fraudster. There's a new type of fraud. And also, it also impacts a lot of people. I see a lot of victims and, uh, it also has a lot of societal impact and also the impact on the victims itself. And I do think people like you being in this space is a humongous help for banks as well as the end customers as well. And thank you so much, Brian, for the insights and also your time and would love to have you again on the podcast sometime. Thank you so much, Brian.

Absolutely. Thank you, Ravi. This was great. I love talking about fraud and catching up with you.

Yeah.

So happy to do it again.

Thank you, Brian. Nice to see you again. Bye.