Fraud Technology Podcast

Episode 14: Evolution of Fraud Detection and Prevention Strategies Across Industries

Ravi Madavaram Season 1 Episode 14

The podcast explores the transformation of fraud detection and prevention practices, tracing the shift from delayed to real-time measures in response to the accelerated pace of transactions facilitated by digitalization. Reflecting on historical banking norms and the contemporary landscape, it underscores the persistent challenge of evolving fraud tactics. Through the speaker's varied industry experience, examples ranging from cheque fraud in manufacturing to identity fraud in pharmaceuticals are discussed, highlighting the importance of understanding specific business models in addressing fraud risks. Additionally, the podcast emphasizes the need for proactive measures, including the incorporation of fraud awareness into boardroom agendas, to effectively mitigate fraud across diverse industries.

Welcome back listeners to the Fraud Technology Podcast. And today we have somebody who has so much experience in the fraud space that I'm super, super excited in talking to her. The guest today is Sally Felton. And as I mentioned, she has about 40 years experience in the fraud industry. It's a great pleasure to have her on the podcast. Welcome to the podcast, Sally, and also a happy Women's Day today.
Thanks. It's good to be here, especially on International Women's Day.
Yeah. So does this day mean special to you? Have you ever celebrated this? How do you even celebrate this?
There's lots of good life affirming messages that comes from my team and from my contacts. And I guess I'm fortunate enough to work for a firm who are pretty good as far as a lot of the work that the International Women's Day is striving for, but the importance is about where industries and countries are not so good where there's work to be done. And I was talking to somebody earlier and said, actually, it'll be good when we don't have to have International Women's Day because we don't need to worry about that sort of thing anymore. So yeah, I'm looking forward to that day too, but I think that'd be a little while off.
Yeah. I mean, I totally agree. Right. I mean, my lifetime, I'm not that old either, but still in the 40 years that I've, I've seen a tremendous growth in the opportunities. I think we need to celebrate that. I'm sure there's still a long way to go, but yeah, so still happy. I'm not sure about, you know, about this, but in Vietnam today is celebrated very differently. And for example, in Asia, at least, International Women's Day, Valentine's Day, all these ones are not that culturally popular. They're not in the culture of the country itself. Vietnam, in that sense, is very different in that they have specific Happy Women's Day messages. Like in Valentine's Day, you have cards and stuff like that. So there is specific wishes that you do in Vietnam.
One of my best friends is a Vietnamese, so I always send her. And that's how I also remember this day. Awesome. So one thing that I want to mention again is about your experience in the fraud space and which is something that stuck out to me is like you have 40 years of experience in the fraud space.
Yeah, coming up to it about 38 now. It's, I'm so old.
Yes. So I want to pause for the audience for a second, 40 years. See, personally, right, whatever I know about AML or fraud industries is probably maximum 20 years. I know AML is probably after the US Patriot Act is when it became super popular globally, but you've been doing this 15 or 20 years prior to that. So I wanted to understand what was the industry even like? I mean, I've never met anybody who has that kind of experience.
I was thinking about this earlier when I was preparing for the podcast and thinking how much has changed. And actually, I would say the biggest evolution has absolutely been in the digital space. So I think back to, I started at Midland Bank, which became HSBC, obviously a massive global bank and did 25 years there. And I started there in the 1980s and we were heavily reliant on customers telling us that they had fraud. Then we had no ability really to monitor transactions or anything like that. And not only were we relying on customers telling us about fraud, it was usually by letter or they'd go into the bank to say, Oh, I've just had my statement, which obviously came in a paper form. Yeah. So sometimes the fraud that had happened would be four weeks prior or longer. And we were heavily reliant on customers saying this is fraud. And I worked in a credit card environment because I've worked so long I worked since before debit cards were a thing. So in those days you had a cash point card to get your money out, a check, and your cash point card was also a check guarantee card, and then maybe a credit card.
So the only way you could interact was taking cash out and buying things with cash or writing a check. And then obviously that then evolved into debit cards, which people had to get their head around a debit card that was the same as a cash point card, which was also a check guarantee card that they could pay for in shops. But again, even at that point, we weren't really very good at proactively monitoring for fraud. And then in the 90s, when I say we, I mean the banks, we introduced real time fraud detection systems. Some of them were 10 minute delay, some of them were a day delay, some of them were real time. And that gave us the ability to say to customers while they were having, going through the transaction, we think this is strange activity based on what we think normal should look like for our customer base. And I'm not sure in those days whether we were even individual enough to be able to say, this is what Sally usually shops like. We kind of were like, this is what our customers, we expect people to behave like this. And in those days, you would get three responses when you went and paid for something with your card. You'd swipe your card, you'd sign it, and then the merchant would say, Yes, it's been approved. Here's your, here's your receipt. No, it's been declined for one of many reasons. Or there'd be a referral. And in a referral, the cashier, wherever you were, let's say you were in Marks and Spencer's buying some shoes. The cashier would go, I've got to ring Sally's bank and Sally might need to speak to her bank to give us authority because it looks suspicious. It was very, very manual. It was heavily reliant on human interaction. And I guess for me, the morph from the eighties through to the twenty twenties is all about the speed with which we can make decisions, the layers of which of fraud prevention and fraud detection that we have within the banking system. And until 2012, that was my experience. So I was HSBC Retail Banking.
So that's what I'm drawing on when I talk about fraud and how it's morphed. So for me, the biggest change has been the move to a technically automated solution driven fraud detection and prevention model, as opposed to waiting when your statement came each month in the post and checking it and making sure there was nothing that was, you didn't recognize because that's how it was. It was paper based. We used to have telephone teams. People could go, Oh, I've had my statement. Could you have a look at something on there? I don't recognize. But we also had huge, we used to call them Corrie teams, correspondence teams, who basically just worked the letters. And my mom worked in the post room, HSBC, opening letters and putting the letters into the various departments slot to be delivered by hand to humans who read the letters and responded to them.
Oh, wow. And it was called curry teams? Curry? Like as in Indian curry?
Corrie, that's my accent, C O R R I E, and that might have just been an HSBC thing, but we call, it's short for correspondence, because we were lazy and we couldn't be bothered to say correspondence. So, we said the Corrie team, and the Corrie team was paper based, and then you had the phone team who dealt with phones, and then obviously years later you had telephone banking and internet banking and all of the other things that come with it. And imagine now, not knowing what's on your bank account, unless you go into the bank and ask for them to print you a statement, or literally waiting for your statement to arrive each month. We can all see exactly what's going on hourly on our bank account if we want.
Yeah. So one thing that I wanted to clarify is when you're talking about these transactions at that time, the transaction itself in the happy path, in the first one is approved case is real time, right? The transaction itself was real time, but the detection was not real time. Right.
So in some fraud detection systems, even up to 2014, I was working with some banks who had a 10 minute delay. So that first transaction is gone, because it's about cost. So a real time fraud detection system for a bank is expensive, whereas having a 10 minute delay is a little bit cheaper for some players. I think in the 10 years since I've worked with a company who had a 10 minute delay, I think most people would report now that they have done it, real time fraud detection, because the speed of traffic is so much more, it's so fast now. And the other thing to remember in the 80s and 90s, it was very unusual to have cross border transactions because international payments were quite unusual. You used to ring the bank and say, Oh, I'm going to Spain for two weeks. Can you put a flag on my account so that I can use my credit card while I'm in Spain? And more often than not, that flag caused more problems than if you hadn't rang them in the first place. Yeah. Because it was, it was all a bit clunky in those days. It was all a bit old fashioned.
Yeah, I understand. So one, the transaction was real time. The detection was probably not real time at the time. But now, obviously the transactions have remained real time. Detection has become real time. Or prevention has also become real time. But how come the fraud has grown up? So I would assume that when you have transaction real time and fraud detection delayed, you have more opportunity time sense wise to do fraud. But as we see more statistics about fraud, the fraud is higher now. So I want you to understand what are we missing here.
That's a really good question. And if I knew the answer to it, I'd be very rich because I would have invented something that would stop it. That's, fraud risk professionals like me are constantly asked, what's the next big thing? What's coming? What should we be stopping? What should we be looking out for? And the very simple answer is, we don't know.
The reason we don't know is because we're not criminals. When I work with my client, I'll say to them all the time, I'm a good person trying to think like a criminal. I'm trying very hard to put myself in a criminal's shoes, but the criminals have, they've got bills to pay, right? So this is their job to them, but they don't have budgets. They don't sit in silos of their own industry. They don't have governance processes to sign off. If they want to try a new scam, they don't have to go to the board and go, well, I've just thought of a new way to scam people. Let me, is it okay? They just get on with it. And the banks are constantly reacting to that. I think the opening up of the borders with the internet, the digitalization of banking, the way in which money moves now, and the speed with which it moves, faster payment. If we click to say, I want to pay my plasterer for the money, for the plastering he's just done next door, I want that money to go straight away. Whereas 30 or 40 years ago, he would have a check and that check would take four or five days to clear, or I'd take the cash out and he'd have cash. And it's just, it's a much faster pace that we live in now. And I'm not saying the glory years of the eighties and nineties were right. There were other things going on. I'm not saying that it was better than it at all, but it's different. And the speed with which we can transact now and the customer expectation for payments to be immediate means that there are more opportunities for criminals to abuse the system.
I understand. I also noticed in your experience itself that the first part of your almost 20, 30 years of fraud detection was in the bank, which you talked about Midland Bank and HSBC. And then I believe we briefly spent some time at Metro Bank. And then after that, you've been predominantly in the consulting space. I'm assuming. Consulting clients, right? How has the last 10 years been for you?
It's been really interesting because I haven't just worked with banks. Since I've been a consultant, I've worked with loads of different firms. I'm still in touch with lots of people that I used to work with 20 or 30 years ago. And lots of them are still in the banks. And when I talk to them about the types of work I do in the non banking space, they're like, Oh, that sounds interesting. I work with industrial manufacturers. I work with farmers. I work with pharmaceutical companies. I might work with local councils, that kind of thing. And fraud happens in all of those industries. So for me, having left the retail banking space when I did in 2012, and I had obviously had the brief stint at Metro which was fine, and then the consulting world since then, the last decade of my career has broadened my CV. I'm not necessarily sure I've become any more of a subject matter expert on fraud vertically, but actually what I have done is broadened my industry experience and been able to go, okay, so credit card fraud as an HSBC would say, isn't a problem for a bathroom manufacturer because a bathroom manufacturer might see some kinds of other fraud. So consequently, I have an appreciation of what fraud might look like for individual clients, as opposed to just having this kind of really deep subject matter expertise in one type of fraud.
Understand. So would love to understand. I mean, I've never personally explored fraud. I probably would have experienced it, but never thought at that time. So what are some interesting fraud modalities in let's say farming or pharma or industrial automation that you talked about? Any interesting types of fraud that happened there?
Well, it's funny because some of my clients who are not in the banking space, and it's very easy when you're in the banking space to think everybody is digital, technically minded, and you come away from that. And I worked with a client.
15 months ago, my clients come to me and say to me, can you come talk to me about fraud? And that's a really broad sheet, right? So I'll say to them, okay, tell me what type of fraud you're thinking. Have you suffered a fraud? Has one of your peer groups suffered a fraud? So this particular client had come to me and said, actually, I just want to do some really general fraud training to our finance team on invoice financing fraud, email compromise fraud, that kind of thing. We were chatting about their clients and I won't be too specific about the industry that they're in. But I said to them, what type of fraud are you most concerned about? And they said, actually, most of our clients still pay us by cheque, right? So it's 2023, I think it was last year that I spoke to them. Their biggest concern was cheque fraud. So that is still a valid way to pay money in the UK. Lots of businesses still choose to use it, or some certainly do. And for this particular client, their biggest worry was cheque fraud. So there you're kind of like, okay, right. So this is an old fashioned type of fraud. They also had an issue, another client of mine who are in a manufacturing environment, they're a business to business company, and they're worried about identity fraud for the people that they trade with. So let's call them a closet manufacturer. So they're manufactured closet. They sell to carpenters and then the carpenters come to you and me and fit, fit the wardrobes. Right. Okay. So my client who make the wardrobes and closet are worried that the carpenters are using stolen identity to get credit with them. And that's what their fraud, that's where their fraud problem is. So kind of saying to Sally from 25 years ago, Oh, you're going to be working in these sorts of environments. I don't know enough about it, but you learn and you put your criminal hat on and you kind of say to these people, right, what would you do? How would you solve the problem?
How can we find some controls that will ensure that the carpenters that you on board as clients and give credit to because you're giving them credit. Wardrobes on and expecting them to pay you 30 days later. How do you ensure that they are who they say they are when you're on board them? It's not really very different to you're applying for a loan, but in that space they've got to kind of think to themselves, right, okay, we need to be sure that we are bringing carpenters in, in this environment that are who they say they are and that they're good to pay us in the 30 days when we invoice them, for example. I understand. So yeah, it's been really interesting. And then, you know, you've got lots of other types of fraud in different industries in housing benefit, the NHS type frauds, internal external supply chain fraud. So I've worked with clients across all of them, and have had some very interesting conversations with senior stakeholders at the clients who I work with.
Okay, wonderful. I mean, that sounds fascinating, diverse set of problems, but pretty exciting as well, I guess, to be solving so diverse set of problems.
I don't know. I'm not sure I solve very much. I think I talk a lot, but I'm not sure I solve very much. I usually just move on and I never know whether it's worked.
I'm sure your clients come back to you with feedback.
Yes. I have some repeat business, which is good. That's always good.
That's a good sign. Obviously, almost 20 years or so in specific industry, now working with different clients, how do you go about adopting some of the strategies that you probably adopted in the banking space? How do you adopt this to solve these problems? So let's say when you hear a problem, an interesting problem, how do you go about solving these problems for different clients?
Very often, as I say, I'm given a very general remit sometimes with some of my clients, and we kind of have to whittle it down as to what they really want me to talk to them about.
And that's about having conversations early in the project to say, okay, you're worried about internal fraud. Do you think your staff are stealing from you? Or do you think that actually your customers are the way that you're losing money? Because when we talk about fraud in a business, for example, let's not talk about the banks, but we're talking about non banking. So if we're talking with a sizable company in the UK, for example. The way in which you need to think about fraud risk management with those guys is, how does money leave your business? So if money leaves your business through you paying your staff, you paying your suppliers, you giving your suppliers credit, potentially your customers, potentially abusing the refund system that you have. All of these ways in which money might leave your business. So I will have conversations. And the most important thing I can do with my clients is understand their business model. Rather than trying to go in and solve the fraud problem for them without having a conversation, I need to understand what the money flow looks like and all the time thinking, how would I take it out of the system? How would I remove it from the system? And very often when I deal with clients, I deal at quite a senior level. I might deal with internal audit teams. I might be invited in by boards to come and do some board training. But actually, what I also want to do is have conversations with people on the ground floor. So if I'm doing a framework review for a client, for example, to understand what fraud approach, what prevention and detection they've got within their business, not only do I want to talk to the stakeholders who set the policies, I actually want to talk to the operational staff who execute the policies and procedures. Because what they think is going on up here, quite often I speak to the operations staff and they go, Oh yeah, we don't do that. That's a pain. We do this and this could be causing a problem.
We also, I worked with a client years ago and I try to educate the clients about understanding where the fraud might be a problem for them if they don't know themselves. So just to tell you a quick story if that's okay. I was working with a client a number of years ago who wanted us to talk to them about fraud in the boardroom. So we did a training session, we went to this, it was like this James Bond themed lair, almost these huge chairs and screens everywhere, it was really flash. And they said to me, talk to us about fraud in the boardroom. So CEO fraud, low volume, high value fraud that might devastate a company. So one multi million pound transaction that causes them a problem. So we did that session and I said to them, have you thought about how fraud might affect you in other areas in your business? And they were like, we're not really worried about the low level fraud. So I said to him, okay, let me ask you a few questions and then I want to work through a model with you. And at the time, as I say, they're a manufacturer and they had about 16,000 staff in factories around the UK making their product. And the factories were set up with old fashioned cards where you punched in and punched out each day. So you and I would have a card next to each other in the machine, punch in and punch out. And that's how you were paid, because you're paid hourly. So I'd go in at, you know, 8 o'clock in the morning, Sally's arrived, we start paying her, and at 5.30 Sally's gone home, we pay her for her time. And I said to the head of finance who was there, the finance director, I said to him, okay, so let's say of those 16,000 staff, 4,000, so a quarter of them claim one hour a week they're not entitled to in overtime or extra pay by me saying, Ravi, can you clock me in on Monday morning? I'm going to be a bit late, but clock me in. And then you saying to me, Sal, I'm nipping home early tonight, can you clock me out?
So let's say 4,000 of them did one hour a week overtime, extra time, however they're paid at minimum wage. Okay? Mm-hmm. So I said to 'em, I calculated that and I said to them, if a quarter of your staff are doing that, that's a million and a half pounds a year at, wow, minimum wage. So that's, at the time it was like seven pound 50, I think a week, about 30 pounds a month. The gentleman I was talking to said, I don't think anyone would bother. So I said to him, Why do you not think anyone would bother? And he said, I just don't think anyone would bother for 30 a month. So I said to him, Okay, so when you're on minimum wage, 30 a month is fish and chip money on a Friday, or it's a treat for the kids to go to the pictures, or it's just a bit of pocket money for the family. And he couldn't get his head around because he was so far removed financially, and yeah, he had lost touch with what was going on in his firm. And in the end the solution is very easy, it's a biometric face scanner or a thumbprint so that I can't log you in early on a Monday and you can't log me out late on a Friday because it's about facial recognition or whatever. And those units were like at the time about 400. So I said to him the result will be a number of things. You'll either have workforce who are giving you an extra hour a week because they're used to the money and they want it. Your wage bill will come down because people won't want to do it because they're lazy. Okay, or you'll have people leave because they don't want big brother looking after them with their fingerprint. Yeah, it's hard to see how the firm would be at a loss. He couldn't get his head around it. Yeah, when I work with a lot of clients, we might be talking about one thing, but actually once I get to know the business and understand the business model, I can start to think about how fraud might be occurring and it might not have been occurring. Yeah, but that comes up.
That then in turn talks about the culture of a firm, because if you're treated really well, it's really hard to square off stealing from somebody. Whereas if you're treated really badly, rationalizing that fraud or that fraud triangle, rationalizing that when you're treated badly as an employee or as a customer or anyone else, it's easier to square it off when you're not being treated well.
Yeah, totally agree. This reminds me also the case that you talked about is that if you let it go, let's say one person starts doing it. If you let it go, over time more people pick it and even if there were people who never wanted to do it, they were principled in their approach how they want to do. You are essentially penalizing good people. Financially penalizing good people. Totally. Which replicates into culture that I am a good person. But I'm not appreciated is the ramifications of that can be in many, many ways. It can be quality. It can be just that I don't care about the company. Somebody pays me 2 more. I'm going to move on. Right? So it ramifies into many, many different things. So there was this theory about how cheating in any form, if it's left unchecked, how it impacts the culture of the overall company. Again, there were studies about this in universities. So this sounds like a proxy where I don't come to class on time, but I ask somebody else to give attendance on my behalf, essentially. Right. So that sounds fascinating. And also one thing that you did talk about, which I was very curious about is boardroom fraud. I'm curious about what type of boardroom fraud does that? I can understand insider trading before a decision is made, you tell somebody else and you buy stock on some, on the company's behalf and you make money out of it, right? So that I can understand, but are there other types of boardroom fraud that happen?
When we say about fraud in the boardroom, which particularly the training that I've been doing is making the board aware of what fraud might look like in their business, as opposed to boardroom in particular. Obviously, there are cases where fraud has occurred as a result of boardrooms behaving badly. But essentially, it's driven by culture. And I was asked to comment on a case a few weeks ago, months ago, where a CEO was so belligerent that nobody wanted to challenge him. So it was a small company and he was approached by the funder of the company. I can't go into too much detail, but essentially it was a company that was funded. They had a funding company and the funding bloke, let's say, approached the CEO and said, Oh, I need you to release 400,000 on Friday evening at about four o'clock in order for me to fund another project, but I'm going to pay it back on Monday. Don't worry. So the CEO didn't do any checks then said to his finance director and the finance team, you need to release this money. The money was released on Monday. The funder said to the CEO directly, Oh, that wasn't quite enough. We need 700,000 pounds and I'm going to pay it all back tomorrow. So the 700,000 pounds was released and then nothing else happened. They never heard from the funder again. The money didn't get paid back. So roll forward a few months. We were asked about the case and we looked at the investigation that had happened. And there were lots and lots of conversations happening with the finance team, saying, are we really sure this is okay? This sounds a bit dodgy to us. But the culture was so bad that no one was brave enough to say to the CEO, this is a problem. When further checks were done, the CEO had done no social media training, no social engineering training, no data protection training, had just taken the word from this random email that sort of looked like it had come from his funder, to the tune of over a million pounds.
Which people knew underneath him was dodgy, but were too scared. So fraud in the boardroom training, so we talk about, I train boards to be aware of fraud. So I was asked a few years ago, if you could have one question on a health check tool that we were designing, you can have one fraud question, what's it gonna be? And I'm like, oh god, that's so hard. I said I would like the question to be, is fraud a standing agenda item on your boardroom meetings every quarter, every half year? However often you meet, as a board or an ex co, whatever the top of the shop meeting is in your business, is fraud a standing agenda item on that meeting? Because if it is, great. What do you talk about? What frauds do you discuss? How do you deal with it? How do you articulate around the room? How do you filter those down to your business? And if the answer's no, that's a whole different conversation. Fraud is the most reported crime in the UK. 40 percent of crimes in the UK are fraud. Right? So it is a massive problem and any business of any size really, certainly of a sizable business, is going to be subject to fraud of some kind at some point in its lifetime. So why wouldn't you want to talk about it? Even if you go, have we had any frauds this week or this month or this quarter? Yes, we've had two. This is the control we've put in place. We think we've got it under control. We're doing a review. Fine, move on. The next month, you might go, Oh, no, we haven't had any that we know about, obviously that you know about, we haven't had it this month. Okay, good. Because what that can then do is give you some comfort that month on month or year on year, you're managing any fraud that might come to the surface in your business. You're not going to necessarily know about all of it. But at least if you can articulate it's on your agenda, and you know how you deal with it, when you do have that, if that happens, then that's half the battle.
But what you don't want to as a business is to not do anything, suffer a fraud, because that's going to be far more expensive for you than just putting some fraud controls in in the first place.
Okay, I understand. So when you talk about fraud controls, right? And again, you're talking about multiple industries, multiple types of businesses as well. So how do you approach this? What kind of technology do you even suggest? Because it may be so varied in their different ecosystems. That is there a standard technology that people do that you do recommend or how does that work?
So no, it completely depends on the industry. So obviously in the banks, when you're looking at fraud detection and fraud prevention, there's not one tool that does everything. You've got one tool that monitors what my spending looks like. We've got another tool that looks at my location base. I've got another tool that looks at how I interact with my device. They all provide a score. When you check out or click or tap or whatever, right? So multiple layers, there's not one of anything. And the reason for that is because technology moves really quickly. A few years ago, I worked with a company who had come up with a really smart idea that when a card's used and it's suspicious, they'll ping their mobile phone of the customer as well. So if the card and the mobile phone seem to be in the same location, you're good to go. But if the card's in one country and the phone's in another, a bit suspicious. But we use digital wallets now. So that technology very quickly became obsolete. Not obsolete, I don't mean that. Because there are still people that use cards, obviously. But it's less attractive than it was 10 years ago. We now use digital wallet. Or lots of us do. So in the banking world, they have lots of different things. And the reason for that is some of them become obsolete very quickly. And you move on to the next solution. Or you plug the next solution on the top.
And you plug another one on the top. In the non banking world, it's a lot harder because lots of firms aren't very digitally minded. Potentially, there are different types of fraud, but what you can be doing for internal fraud is monitoring email traffic, monitoring your expenses, policies, that kind of thing. And then when we talked about factory workers or people who have where there's a possibility of timesheet fraud, having those slightly more, you know, security conscious ways into the building, ways into logging in if you're paid hourly, that kind of thing. So there are lots of different solutions for the problem. Some of them do still rely on people. And when you look at a lot of fraud figures and the way in which a lot of fraud outside the bank, the way in which a lot of fraud is notified to businesses, a lot of it comes through humans. Whistleblowing. They'll go, do you know what, that looks dodgy what that bloke in the corner of the office does. Yep. And somebody might blow the whistle and an investigator will come in. So there is still, just for all the tech that we've got in place in 2024, going back to the 80s when I started at the bank, actually the humans sometimes can just sniff it out. Because it just sounds wrong, exactly that something doesn't add up and a computer will only give you so much until a human goes, I'm just going to scratch the surface a little bit because something doesn't feel right. Yeah, got it. So you also talked about working with banks as well. I'm assuming you still consult with banks as well. Yeah. So can I understand what are the two things, typical types of problems that banks come to you with? Because I would assume that they have most of the technology in place. I mean, most people have the technology, right? So I wanted to understand what type of problems do they come to you? External consulting teams, for example. So they come to us for lots of reasons. 
They come to us quite often because there's a problem and they need somebody outside the bank to help them. I get asked a lot in to work with the banks because of that broad breadth of experience I've got, because I can take what's happening in one particular organization and kind of apply it elsewhere. There's a client confidentiality piece there. I can't go into, I don't know, XYZ bank and go, Oh, ABC bank do this. But what we can do is say, actually, what's working in the industry is this. And we can advise on that. I work with lots of smaller banks who are starting up, who are coming new to the market, who maybe don't even have a fraud policy. In some cases, they know that they need something. So it can be everything from training. It can be anything, including writing policies, reviewing procedures, having a third party to come in and just say, just have a look. Tell us if we are, if we are industry standard or not. Now, that's not to say that the heads of fraud in the banks don't speak to each other. Of course they do. But actually, I get a lot of conversation, a lot of requests to talk about fraud, because, um, I talk to lots of industries within that FS bracket, the banks, the payment services, the insurers, all of them have different challenges in that fraud space, but they're all interlinked. So very often I'm asked to provide some training to boards who just want to be a bit more aware of what's going on out there. Cause it's very easy. I spoke to somebody this week, funnily enough, who said, if I get an external email, an email from someone outside of my bank, it's a bit weird because everything is done within the banking world, within your own world, within the bank. So when I worked at HSBC, it was unusual to get emails from somewhere outside, but actually now I get all sorts and that's the beauty of it. So that's what I can bring some richness to that independent thought. Okay. Got it. Got it. 
So basically you're leveraging your experience talking to so many clients, and kind of building your own best practices essentially in different parts of the business so that you can share that knowledge to different teams. Yes. And that's always overlaid with the regulator, you know, the FCA in the UK or whatever jurisdiction I might be working in. And then any legal and legislative changes that are coming. So in the UK, for example, we have the failure to prevent offense under the new Economic Crime and Corporate Transparency Act that basically says if you fail to prevent fraud as a business of a certain size within the UK, we might prosecute you, there will be criminal ramifications for doing so. So lots of companies are now thinking, okay, what does that mean? How do I interpret that? What do reasonable procedures look like? And that's where they engage with third party consultants like myself and everyone else that is out there doing great jobs, because we can add some flavor and richness to that and help them design some frameworks that will be robust enough to stand the test of time. Wonderful. So you just touched on the UK regulatory framework. So they came up with the new APP fraud reimbursement policy, and that's going to be coming live in October. So how do you feel about this new policy? So the contingent reimbursement model went live a few years ago, which basically said the banks that signed up to it said, we will give you your money back in the cases where we think you are a victim of fraud. The new regulations go slightly beyond that. So everyone's going to be required to do so by October this year. And the regs say that the paying bank and the beneficiary bank, in simple terms, you'll be jointly liable for any APP fraud. So that is a big shift for a lot of companies in the UK. I think it's a good thing. I do think it's a good thing. Because let's say I'm a scammer and I've sent out 20,000 emails, which is easy for a scammer to do. 
They know what they're doing. 20,000 emails saying, I don't know, I'm the Pope. Pay me 5,000 pounds. I've had an email from the Pope. So I'm using this as an example. I'm the Pope. You're my special envoy. Send me 200 pounds and I will enlighten you or whatever. Right? Some people, as crazy as it sounds, some people will do that. Mm. And the money comes in. My bank is not doing anything there. They're just the money's coming in. So the paying banks are going, Ravi, are you sure that this is the Pope? Are you sure? Are you sure? Are you sure? And you've seen those messages a million times. Click, click, click. Yes, I'm sure. I'm sure. I just wanna pay the pope. Yeah. Comes to me. Now in the new regs, the rules state that there is an onus on the beneficiary bank to do some checks and also pay the money back. In the case where I'm still in the UK, this is all about the UK as well, let's not forget that. I'm not in the Vatican, I'm in the UK. So I've got all the money. So there is some responsibility on the beneficiary bank, sorry, to do some checks and say to the paying bank, I've got an awful lot of money coming into Sally from other people. Were you sure you want Ravi's money to go in? That is a good thing. I think there is a good thing. I still maintain that there is a long way to go in scam. There's a lot of data sharing that could happen. The social media companies see a lot, must see a lot of this traffic as well. We need to have conversations with them. I'm not a technical expert, right? This is a very simplistic brain. Remember, I came from the 80s where it was just humans, so I'm learning this stuff. But in my head, I'm like, okay, the Pope, obviously, you know, this is a crazy example, but there are people out there on social media. We've all seen the catfish scams. We've all seen Tinder Swindler, all of those things. These are real life scams. 
And there's a certain amount of social media, the Facebooks, the Instagrams, all of that stuff, where there is data there as well, that in my view, we could be leveraging and I don't know how we do that and getting through GDPR is obviously an issue. In short, I think there are going to be some challenges with the new APP rules. There are going to be some interesting case studies and actually some of the banks in the UK and the UK is pretty forward thinking. I know Citibank, I think it was Citibank, if I'm wrong, I'm wrong, Citibank, but I think Citibank in the US had a fine recently for failing to prevent enough APP fraud or that they didn't protect their customers. There was something, I think, but again. Yeah, I think it's linked to Citibank, Zelle, and a few other, all of them were prosecuted together. Yeah, exactly. And I think so we're going some way to do that. And the UK is, is leading the way in a lot of this technology and a lot of the thinking. But some of the banks in the UK have started to reintroduce humans into the process. So to give you an example, years and years ago, there was a gentleman, let's call him Mr. Smith, and I was notified by the bank, one of the branches, many, many times over a couple of years, saying, Mr. Smith's back in the bank, he wants to send more money to the golf course in Spain that he's investing in. And we kept saying to him, Mr. Smith, are you really sure you want to send 2,000 pounds to this golf course in Spain? Have you been, have you seen it? And when the time came, the amount of money he'd sent got to 200,000. He rang us and said, Oh, do you know what? I think he is fraud. Can you get me my money back? And we kind of went, well, no, it's gone for a start. But also we have told you many, many times. 
So I think in reintroducing humans into this process is going to be interesting because when a case gets to the ombudsman where the Mr. Smith says to the ombudsman, HSBC won't give me my money back or Barclays won't give me my money back and I've been scammed, if the banks can say, look, he's had five messages on his internet banking, we've phoned him, we've spoken to him many times, we've spent three hours explaining to him that this is fraud and he still wants us to pay that money. What happens then? Is the bank really going to be held liable when they genuinely have done everything they can? And I don't know what the answers are going to be in those cases. And it will be an interesting couple of years to see once the regs come in and the banks have to get on board. It will be interesting to see how that works. I personally feel it's probably a little lopsided towards the banks. It's hard on the banks, probably, because now the onus of proving is on the bank. And most of the people working in the bank, it doesn't impact them personally, right? So somebody, let's say I'm fighting on the fraud prevention side and you have a timeline that I have to prove within five working days. If not, the money is reimbursed, right? There's a timeline. There is a caveat on that. They will have 35 working days. They can stop the clock at some point. Okay. As long, yeah, there's going to be a, a slightly longer period. If there is any concern about the negligence issue, there is an ability to extend that five days. Okay. Wonderful. So that's what I felt when I read the regulations itself, that while for a person who is getting scammed, it's a very personal journey. It's my money. I would be very emotional, but for the people who are fighting it, it's not an emotional journey. It's a policy statement, policy document. That's also branding part to the bank itself, because if the bank says that I can't pay you or I won't pay you because it's emotional to me as a, as a, as a I could take to social media and keep talking about it. So there's a lot of things that I, as a bank would be worried about. 
I'm adjusting, uh, let me just pay it back. Let me not worry, right. It's really tough. And I've spoken to people from different parts of the industry and they are concerned about how this is going to go, because it's pretty clear that there is a requirement. I think it was kind of like, high, 98 percent of refunds are to be given to the customer. And there are lots of customers who are genuinely victims. They genuinely are. My worry is actually if customers become more aware of this, are they going to be slightly less careful with their money? Because they think, Oh, if it is a scam, I know I'll get my money back. And actually that's. Is there going to be, or am I thinking that people understand this stuff? And I work, I live in a fraud bubble. And actually the reality is that most people have got far more interesting things to worry about than you APP rules, right? So it does worry me for a number of reasons. I can see why they want to do it. They don't want genuine victims to be disadvantaged financially. By doing so, are we actually making it problematic for the banks and actually causing complacency on the part of the customer and actually easier for first party fraudsters to go, yeah, that wasn't me. Yeah. Yeah. I don't know. It's a work in progress. We'll see in the next few years how that rolls out. Yeah. So I think it's a, it's a great direction where we are going. I still think there is few fine tuning that's probably, uh, required. Right. So I also wanted to talk about social media that you talked about and how the responsibility of social media, they're also not very proactive in countering such fraud. And I wanted to share my anecdotal experience. And again, I wouldn't say this is the only way that happens. So I am pretty generally tech savvy. I'm also aware of fraud. I mean, I'm working on a startup in the fraud space, right? So I would assume, I would think that I at least would know how frauds happen, right? 
If something is happening, I can detect it. But one day I received a text on my Instagram from a friend of mine. Uh, it was a girl and I had a crush a long time ago with her. And we had never kept in touch or we were infrequently chatting basically, right? And then suddenly I get a text from her and it was a new account, but it's the same face and most of the images being the same, and then I was like, hey, why did you create a new account then? She was like, oh, I have a lot of people who I don't want to be friends with. So implying indirectly, at least the way I understood it, is I was one of that person that she trusts, which is again, because of my history, clicked well for me personally, in my emotional journey. Right now, the chat went on. I did not doubt what the intention behind it was. Eventually, obviously the mistake that the fraudster made was to ask to send, uh, Apple credit basically. And I knew instantly Apple credit is a dead giveaway for fraud. And so that's when I realized that it was a scammer. And I knew the kids' names. So I asked him or her, who was a fraudster, how is, and I changed the girl and the kids' names and I asked her, Hey, how are they doing? And then they did not respond to the question. So I was like, wow, smart. But anyway, so you see, it depends on what place we are at as people. Doesn't matter how well knowledgeable we are and people do talk about education, but sometimes it's just that. You just don't see it. It doesn't click in your head itself. And I'm sure social media could have done something with this, because I'm sure Instagram knew that somebody was creating with the same name with the same photo. It is so easily detectable, right? So anyway, so I was like, huh, why didn't Instagram stop this, right? My gripes aside, one last question to you is, uh, Sally, you work with a company called CFAS or a community called CFAS. Cifas. Yes. Cifas. Okay. I was going to ask you how to pronounce it. Cifas. 
So what is Cifas and how does it work? Who is the community for? Is it for individuals or is it for financial institutions or is it for any companies? So Cifas. Yeah, so Cifas is a lovely firm. So they're the UK's So the members are generally the banks, but there are some housing associations, there's some local councils, some insurers. So you can be a member of Cifas if you, it's based on a reciprocal model. So you give information and you take information out. And essentially you just, they have a database called the national database, which is full of data about fraudsters and victims, known cases, and they have a standard of proof. So you can just, you can't load anything onto there. It has to meet a certain standard. And then they have an internal fraud database, which is if members end up dismissing members of staff for fraud for, again, meeting a standard of proof. You can load that name into the Cifas database and obviously you have to tell everybody that's involved, including the member of staff, that they'll be loaded to the Cifas database. And that essentially means that when you apply for jobs, if I'm a bank, ABC Bank, and I'm a member of Cifas, if I have you apply for the job, I can say to you, I'm going to run your name through the Cifas database to ensure that you're not a fraudster, that you haven't been fired from somewhere for fraud. And that's essentially what it is. When I was at Cifas it became very apparent very quickly that they are a really unique firm globally. I don't think there's anything else globally in any other territory that kind of has anything like it. And it's a very useful tool for that early kind of onboarding of accounts. So you can go, okay, we've seen if Sally loads, combination of a dodgy address. If I'm a new customer, dodgy address, dodgy phone number and dodgy. And Cifas have seen it before. They might go back to that bank and say, do you want to think about this? 
Because this has come up with an alert for frauds elsewhere. Okay. Got it. That sounds like a kind of a consortium kind of a concept. Yeah. So it's about consortium data. Yeah, absolutely. And as I say, it's a reciprocal model. So I couldn't sit there just going, I'm just going to check everyone else's data and never put anything in. You have to reciprocate as well. Okay. Got it. Wonderful, wonderful. Thank you so much, Sally. I mean, that was really insightful. And almost, we spent 50 minutes talking about this. I just lost track of time as well. And a lot of insights around, especially different industries, some of the boardroom stuff that you're talking about, and in general, 40 years of experience in the industry. Wow. Yeah. Getting there. So really appreciate for you to take time to speak to us. I'm sure a lot of our listeners would love listening to your insights as well. And we'd love to have you some other time to have a further conversation as well. It's been really interesting. Thanks, Ravi. Thank you. Take care. Thank you.