Debbie Bianucci, ProSight Financial Association:

Hi, I am Debbie Bianucci, I’m President and CEO of ProSight Financial Association, and it’s a pleasure today to bring to you an expert panel that we have convened on a topic that is very important to so many people in our industry. The topic of fraud is one that is so important on many levels, and even in our most recent ProSight banking outlook study again came up in one of the top three concerns across all financial executive functions. To many observers, anti-fraud cooperation comes from aligning innovative defense frameworks, sharing data in real time while protecting privacy, which is an important balance. And even increasingly communicating with adjacent sectors such as telecom and social media, going beyond just financial services.

So there are questions that are looming and our expert panel today is going to be able to help us answer and debate some of the things that are being considered across the industry.

So that brings me to our excellent panel. I’d like to start by introducing the panelists. Staci Shatsoff is an AVP in the Payments Improvement Group with the Federal Reserve Financial Services. Staci, we’re so happy to have you with us today. Welcome.

Staci Shatsoff, Federal Reserve Financial Services:

Thank you.

Debbie:

We’re also joined by Patrick McDade, who has prosecuted fraudsters and now leads fraud risk management for EverBank. He also serves as Vice Chair of the Fraud Management Committee of the Consumer Bankers Association and is a delegate to the Aspen Institute’s National Task Force on Fraud and Scam Prevention. We’re so glad to have you with us, Patrick.

Patrick McDade, EverBank:

Thank you, Debbie.

Debbie:

Finally, my colleague, Isio Nelson rounds out our panel. Isio brings decades of financial services experience to ProSight. And for us, he has been a leader in listening to the industry’s call for a better way to collaborate in all ways that we tackle this fraud fight. We’ll be bringing more support and capabilities and tools to the industry in the coming months. So stay tuned on that. So Patrick, Staci and Isio, let’s get this conversation going.

Staci, I’ll start with you if I can. The Federal Reserve has been engaging with an industry work group to create best practices and to promote the adoption of what are known as FraudClassifier and ScamClassifier models. This is very important work. It’s all voluntary, but as we understand it, it’s meant to ease real-time interpretation pressure on the banking front line, promote consistent classification, uncover mule accounts and disrupt scam tactics.

So for anyone who isn’t totally caught up on the progress that you’ve made and the work that you’re doing, can you bring us up to date?

Staci:

Sure, absolutely. Let me start from the beginning just for those folks who may or may not be familiar with our team and the type of work that we do.

So just to give a little bit of background, our team works with the industry essentially to help ensure the safety and security of the US payment system. So we work a lot on fraud-related trends. The ScamClassifier and FraudClassifier are a perfect example of how we do that. So what we have heard consistently from folks in the industry is that there’s a lot of inconsistencies in the classification and reporting of fraud data, both within organizations as well as just within the industry as a whole. And what that does is it creates a lag between the reporting period when studies can be done. It creates inconsistency in the way the reporting is done. So what we did to address this challenge that we kept hearing about was the Federal Reserve put a team of fraud experts together that came from various segments of the payments industry.

And what we established was what we were calling the Fraud Definitions Work Group. But essentially this is the work group that created FraudClassifier. And the objective of the work group was really to create a classification model that enabled consistent fraud classification across the industry. So again, the thought being that if everyone is speaking the same language, the way that we can tackle fraud becomes more accurate, the reporting becomes more accurate, the data that gets fed into models becomes more accurate. What’s interesting, as we started to focus more on scams and have conversations with folks in the industry around scams and challenges that exist with scams, we kept getting asked about FraudClassifier and if we had plans to extend FraudClassifier, essentially adding more detail from a scam perspective. So what we did is we did just that. We put another work group together. The work group kicked off in summer of ’23 and concluded around this time last year.

So we spent about a year really talking about scams. And when we started, we weren’t sure, were we going to extend FraudClassifier, were we going to create a new model? And what came out of that work group is ScamClassifier. And again, it works very similarly to FraudClassifier. You can use them together. You can use them each as a standalone. But ScamClassifier, again, is really meant to create that consistency in categorizing different types of scams that helps you get to the root cause of account takeovers, for example, if it’s a scam type that was the root cause. And really with answering, again, the ask of the industry to have more consistency around scam classification.

Debbie:

Well, Staci, this has been terrific work. How do you view the importance of broad participation in the work that you’ve done? Can you describe who are the types of participants that are working with you?

Staci:

Sure, absolutely. Great question. So we work with different folks within the financial industry. We have banks and credit unions. Obviously we’re participating in the work group. We have service providers who participated in the work group. We have different fraud vendors who are participating in the work group, industry groups that participated. So really, it’s not just banks and credit unions. It’s folks who service the financial industry as well as folks who are advocating for better reporting for fraud and scams and more consistent and accurate views in that.

Debbie:

To date, have you had some from outside the sector, in telecom for example, or law enforcement, have they been part of this as well?

Staci:

So they have not been part of the work group, but I can say that they are part of larger efforts that are going on around information sharing and classification of fraud and scams. And really fraud does not discriminate. So criminals are targeting people across multiple industries. Synthetic identity fraud is a great example of fraud that hits multiple industries. So we see and participate in a lot of other efforts that are bringing together some of those players outside of the financial sector as well.

Debbie:

I think the Fed has always done a great job of leaning out into other sectors that are related. And Patrick, with your legal experience and the work that you’ve done with the CBA Fraud Management Group, what is your take on how financial services can and should be interacting in a cross-industry way to have engagement with other sectors? What are your thoughts?

Patrick:

Well, the Aspen Institute launched the program that you talked about earlier, the National Task Force on Fraud and Scam Prevention. And I’m one of the CPAs delegates there. And the group that I’m actually involved in specifically on that effort is the information sharing group because we look at it not just as banking, but the Aspen Institute. I think everyone understands it. This is a problem that goes across industries. If you look at the evolution of a scam in particular, typically the scam, if you look at the FraudClassifier model, it’s a deception with the intent to have financial gain. And then there’s a variety of different things that you go. But the deceptions and scams typically happen outside the bank. The bank has its control environment where we have done a really good job as an industry to harden our cyber controls, harden our fraud prevention controls in the online portals and put together really good practices at the branches and the call centers using new technologies, in some cases, even artificial intelligence to try and detect fraud and scams when they’re directed directly at the bank.

But since so many scams are happening outside the bank, they’re not coming through the channels that we have direct control over and we can’t build fraud controls as effectively. So the information sharing is very important when you look at it from the point of view that most scams according to studies start in the social media world where someone is approached via one of the social media channels and then they’re often moved from that channel into a separate channel such as the telephone. And then after the conversations on the telephone, they’re convinced at that point in time to move their money, at which point in time the banks get involved. So the deception’s already occurred. The customer’s already decided that they want to move the money. And it’s really hard for the banks to detect because this is our customer logging into their bank account or coming into a branch and saying, “I want to move my money here.”

And really, that’s what our job is. To move money on behalf of the customer. But we do find red flags. We do find situations, especially when you’re dealing with an elderly population or another vulnerable population where you’ll take a look at it and say, “This is not your normal behavior.” When you look at the ScamClassifier model, the FraudClassifier model, fraud we look at as a little bit different because when a fraud is happening, bank fraud is happening, the bank is directly involved, and so we can put our control environment against that someone is logging on with someone else’s information. So they’ve gotten your login information somehow and they’re logging in. That is in our mind bank fraud because it is a bad actor attacking the bank’s infrastructure, deceiving the bank, saying, “I’m a person that I’m not.” That’s the deception. It happens within our control environment and we can build controls against that.

But to build controls against scams, we need the help of the telecoms, we need the help of the social media groups, we need the help of the other customers. And so we need to be able to share information back and forth and say, “These scams are happening within your control environment. They’re happening on your servers. They’re happening on your telecom rails. So let us help you with our fraud expertise, how we detect it so that you can leverage that and stop the scam before the customer becomes deceived.”

Debbie:

And it’s great to hear what the Aspen Institute is doing. When you think about their work and the work that you’re leading with the Consumer Bankers Association, the fraud management committee, much of that is driven by the larger banks. And like many things in our industry, the resources available to larger banks would be different than perhaps smaller community banks. And yet, fraud affects us all in every way. So when you think about the needs that so many banks in our industry have that are smaller with the varied fraud issues that they face, how does that affect your view about how we collaborate across the industry and your thoughts on how to involve the lion’s share of banks and credit unions that may not have the same kinds of internal resources as larger banks?

Patrick:

Well, I think it’s a great question. And I’m in a mid-sized bank. Our financial institution is in between $30 and $40 billion range. So we’re in that sweet spot in the middle where we can afford some of the better controls, but we clearly don’t have the resources of the G-SIBs and other large organizations that can really invest early and often. One of the great things though is we do share resources within banks a lot, through both formal channels and through less formal channels where the American Bankers Association has put together a resource where they’re just asking all the fraud professionals to get out there and put their contact information of somebody from their bank so that if another bank detects fraud in the ecosystem, they can go to the bank where they think that fraud is either coming from or going to and reach out directly to the fraud professionals.

So things like that, it’s a very simple zero cost, but if all the banks participate, it allows us to share if we detect something abnormally with our stronger tools or Wells Fargo it detects something with their even stronger tools, they can reach out to the credit union and say, “Hey, you sent us this transaction. You need to look at that account,” and have that direct contact. So even a really simple thing like just putting together an online Rolodex to the American Bankers Association can be really helpful. There’s other things that are out there that, there’s consortiums that we all work with is banks that gather information for authentication, that gather information for risk scoring, to gather information for a number of different things. And a lot of those are you have volume costs. So even a small bank can often afford to sign up for these consortiums and they get the benefit of the big data that the larger banks are putting into it to be able to do their risk scoring.

So even the industry itself around fraud protection is somewhat geared to share the wealth across. But the reality is there’s a small bank in the Midwest that’s mostly branch-focused, and they’re just starting their online account opening because they think that’s the way that they can grow. Well, that’s a whole new area of risk and it’s really hard to stack all the resources against that that a large bank has that’s familiar with the attack vectors. But the good news is as expertise is growing across the industry, there’s new tools being put in place that are allowing people to scale up those things very quickly. Because one of the problems is if a bad actor gets in anywhere within the banking environment, they can start transacting and transferring money anywhere else in the banking environment until somebody catches it. And sometimes the money’s moved through four or five institutions before somebody finally finds it as fraud. And trying to get that money back in the customer’s hands can be really challenging.

Debbie:

Yeah, great suggestions that you have there for how leaders in the banks can get involved. Isio, you’ve worked with fraud issues throughout your career, and one of the things that you’ve brought to ProSight in the work that we’re doing to support the industry is to understand the needs across the entire industry regardless of asset size or organization type. And we’ve spent a lot of time, I know you have, leading conversations about the importance of collaboration, being able to share information and yet balancing the importance of privacy along the way. Give us some of your thoughts about how we can move the ball forward on industry collaboration across the sector.

Isio Nelson, ProSight Financial Association:

And I think both Staci and Patrick have talked about some good points here. So it starts with some of the standards that are needed so that we can all speak the same language. I think the work that the Fed’s been doing with the FraudClassifier model and the ScamClassifier model is fantastic foundation to start with. Now we can start speaking the same language. We can have a lot of the same ways to compare things and talk to each other. And then as Patrick talked about, there’s a lot of industry resources that have been out there in different types of things that people can use. But how do we bring this all together? How do we collaborate as an industry? Whether it’s different associations, whether it’s the work that’s being done at Aspen, the work that’s being done at ABA, some of the work that we’re looking to do, and collaborate that way.

And ultimately, the banks have not had an issue with wanting to collaborate in the past. I remember running into you, Patrick, at the CBA, I don’t know, three or four years ago, and I think everybody in the room was saying, “How do we collaborate more?” And they needed somebody in the middle that could be trusted, somebody that could go ahead and bring it all together and be able to share information that is agnostic in a way that is not going to open up anything that’s proprietary or be able to put them in a place of compromise. And so a lot of the things we’ve been hearing from the industry, whether it’s from our board, whether it’s from the customers, whether it’s from surveys, whether it’s from law enforcement, I think everybody agrees collaboration, community is the way to go. But how do we go ahead and get that together so that we are speaking that same language, that we are able to bring things together that are consistent?

One example would be an incident report. Patrick talked about it. All banks are going through some type of incident, whether it’s a scam or a fraud incident. How do they go ahead and take that information and share it amongst the other banks in a way that isn’t revealing that it’s their institution that did it, but they can say, “Here’s what happened. Here’s what we did to identify it. Here’s what we did to fix it”? And then how can others learn from that so that they can proactively go out and prevent those same things from happening, they can make sure that they’ve got their controls in place and then they can go ahead and make sure that we’re not just pushing the thieves and the fraudsters from one bank to another and then just continuing to perpetuate? Which is ultimately costing the entire industry.

Debbie:

Patrick, Isio mentioned the CBA Live conference. You were a leader on the panel, The Public-Private Approaches to Stop Scams Against Consumers. What were some of the major takeaways from that dialogue that you had at the conference?

Patrick:

Well, we were very fortunate to have someone representing the telecom industry to share that panel with me. And it is really interesting because we’ve actually connected since then and it started some collaborations on ways that we might be able to work together in a bilateral fashion. So that’s always a benefit, whenever you’re at these conferences and you meet people. Like Isio said, he heard me talk and that sparked something in his mind. We’ve started a collaboration where the telecoms are going to come and work directly with CBA to see what can we do bilaterally in order to further the communication between our industries. I can tell you one of the things that banks have become very reliant on and a lot of other industries as well, is the one-time passcode that gets sent to your cell phone. And it’s also become a real vulnerability when the scammers are calling our customers and getting that one-time passcode from our customers and then pretending that they’re a customer when they’re interacting with the bank because they have that key to the kingdom.

It’s the thing that we use to really identify the phone industry points out. We never intended SMS to be used that way, so you’re using it differently than we intended. Now, we understand that our customers also want to be able to get these one-time passcodes, but we need to build up the technology there. And some of it is based on their regulatory structure. They’re very pushed towards from regulatory aspect, are very much pushed towards stopping spam. Scam sounds a lot like spam, but it’s an entirely different thing and it’s detected in a very different way. So we had the idea, sometimes you’ll get that “report junk” within your messages. Our point is how about “report scam” at the same time so that you can get direct feedback from your customer?

Or set something up that when we get intelligence about a phone number, what is the best way for us to get it to you and let you know? And the Aspen Institute is also bringing the telecoms and banks together and they’re also bringing the social media in. They’re bringing other parts of the industry in. The mail, US mail, everyone because the scams are hitting people everywhere. Mail theft and check theft has become one of the biggest problems that we’re running into.

Debbie:

Such great examples, Patrick, of how the cross-sector collaboration can really make a difference. And Isio, I mentioned earlier that fraud was one of the top three issues that ProSight studied as part of our banking outlook work. When you think about collaboration and how it affects the costs associated with mitigating fraud, which it’s huge for the banks, how do you see collaboration either adding to the costs that will be incurred or providing any efficiencies along the way?

Isio:

And I’m sure Patrick can talk to it too, but if you think about it, there’s only efficiency to be had from collaboration. They may take a couple of hours or some different time that is spent with collaborating, but you are getting so much out of that collaboration just overall as the industry helps to address the fraud issues and the scam issues, we should see that come down hopefully as we do that together, and then just within the individual conversations with the banks and with peers, the ability to be able to take some of those best practices, institute them within your institution, understand how to fight and mitigate for that fraud goes a long way, more than the hours that are spent.

So I think that as we think about collaboration, it continues to be able to be good for everybody that participates. And generally the cost that’s associated with is minuscule compared to the, whether cost savings on loss prevention. And even the other way we always think about fraud is what we can do to better have a customer experience from a retention and be able to have a better overall consumer experience too. And I think that’s one thing to remember through all of this is that really, the banks that are collaborating here are doing this for the consumers and the small businesses and the commercial entities that are getting hit with fraud. And overall, that’s what we’re trying to solve for is making sure that that consumer experience is a good one.

Debbie:

And Staci, back to the great work that the Fed is doing, not only with the costs associated with fraud, but the wide range of fraud that the banks face. Patrick mentioned if check fraud, the paper check is still one of the biggest problems in fraud management today, but across the continuum of evolving technology up through AI, it’s such a wide range along the whole spectrum that banks have to face. In the work that you’ve done at the Fed, how are you accommodating this wide range of the types of fraud and the fast pace at which the fraudsters are evolving?

Staci:

In terms of the wide range of fraud, our Classifier models were specifically designed to be payment and rail agnostic. So we really put a lot of time into making sure that they worked across different payment types again, to be able to have that consistency however the money is moving. There’s always new payment methods that are coming up, especially with all the apps, right? Yes, they’re running on similar rails behind the scenes, but if you’re looking at the front end, there’s new apps and way to make payments all the time. So we really wanted to make sure that they’re payment agnostic. Again, there’s an opportunity to maintain that consistency across the spectrum. And then they also offer organizations the opportunity to go into more detail should they want to. So if you think of the classifier models as the base of the classification, that gives the organization flexibility to then be able to take it to more detail to fit the need of the organization or the need of whatever part of the spectrum they may be in when they’re talking about the payment.

Debbie:

Staci, what would you say are your priorities over the next couple of years? What will you really be focusing on as we go forward?

Staci:

So as of now, of course this can change depending on what the trends are, but we’re really focusing this year on and we’re continuing to focus on scams. Check fraud is a big focus for us this year. So like you mentioned, the volume of checks decreases year over year consistently, but the check fraud increases year over year. So we’re working on a lot of educational material around check fraud as well. Information sharing is another focus that we continue to talk about and try to educate folks about and really rally the industry around information sharing. I would say five years ago when we wanted to have conversations around that, there definitely was not the interest. And now here we are, we came out with a paper on it last summer. So we follow the trend. We focus on where the industry is asking for help.

Debbie:

Such great work and so important. Patrick, we’ve talked about the importance of helping to make the industry more aware of the value of collaboration and all the good work that’s being done, but you have to think about our customers too and the importance of education of consumers who are at the front line of protecting themselves. What are your thoughts on what the industry could be doing there?

Patrick:

Well, I know each individual bank is doing work to educate their customers specifically in multiple channels. They have security websites, they do emails even with their smart SMS, they’re starting to send fraud warnings associated with some of the text messages that they send in. All of that is great. But the reality is I think we’re to the point where this fraud epidemic that we’re all dealing with almost needs a more centralized focus. If you look, Britain has had a great example. They have a ‘Take Five’ campaign where they put together something where it is a direct communication across industry and government to the customers where it’s a commonality. It’s ‘Take Five’ before you do a scam. And they have, for each number they have something that you should do, but it’s also take a little time before you send the payment. I really think we’re at the point where some sort of Smokey the Bear national campaign with government and the private sector working together to really come up with a collaborative message that’s educating our customers.

We talked about checks. There’s recently been some executive action to reduce federal checks going, but the reality is putting a check in the mail is a dangerous thing to do today just because fraudsters know it’s an attack vector. Education about that and say, “Hey, before you just put a check in the mail, should you think about, is there another way for me to move this money?” However, we want to put it together. I think it really needs to be something where it is a common and repeated message with engagement not only from the point of view of the banks talking to their customers, but a multi-channel campaign.

Debbie:

Another great example of collaboration at work.

Isio:

We hear the same thing, Patrick, from the industry, is that that is something I think that they want to do. I think we need to figure out how we organize. And I think to your point, whether it’s a private and government type of concerted effort together.

Patrick:

And I can just tell you from the bank’s point of view, every time we tell our customers about fraud, some of our marketing people might be nervous. We don’t want to overemphasize it and make it sound like we have a fraud problem. But from one of the things that we try to do, and I think working with our government partners is when the government puts out a statement saying, “Hey, the Federal Reserve is saying there’s a check fraud issue and they’re describing it,” or the OCC or whoever comes out and says, “This is a fraud alert,” the banks can grab that and say, “Hey, we’re informing you of our customers that the government agency has put it together.” So collaborating with our government partners, it makes it not say like the banks are saying, “Hey, we have a fraud problem.” The government is alerting you and as a service to our customers, we’re making sure that you get that information.

It’s a collaborative way to make sure that we’re not scaring our customers in a way that we don’t want to scare them, but alerting them to something that might be to their benefit.

Debbie:

Isio, you’re leading all that we’re doing at ProSight and the investments that we’re making to support the industry at a high level. When you look at what’s ahead for us, can you just give us an overview of what you see?

Isio:

So actually, a lot of the things that Staci talked about and some of the work that the Fed put out there in regards to how do we go ahead and do more information sharing and that call to action that was there in conversations, like we had CBA and with Patrick out there, how do we get the community together, we actually assembled a small subcommittee of banks and started talking to them about what they needed. And the directory concept was definitely one of those. And how do I get ahold of somebody else at the other bank to be able to clear a payment, to be able to have that conversation? But making sure it’s an authenticated directory so that they know that the fraudsters aren’t the ones that are in there asking to be able to get to somebody else’s contact information. How do they get a thread going around something that may be actively happening that they can talk to each other about? Again, behind an authenticated type of portal.

And then the incident report we talked about is, how do we share some of the incidents without oversharing? And the way that we can let each other know what we’re seeing and eventually get into what I would call a real-time bridge call like, “Hey, I am seeing this right now. Is anybody else seeing it?” And be able to come in together and be able to help each other out as they’re starting to see those same type of incidents. So we’ve been working on some of that with some of the banks and continuing to look to expand that out later this summer to make it more broader for the industry, bringing other industry associations in, bringing other industries in, continuing to build to get this concept of working together as industry.

It’s us against the fraudsters, not us against each other. And how does this industry come together to be able to really combat this? And again, eventually helping the consumer and the small business and the commercial entities that are ultimately having to pay for this.

Debbie:

This has been a great conversation, and I want to thank our panelists today not only for being part of this conversation, but also for the great work that you’re doing. The leadership that is needed in order to bring the industry together as a whole is impressive and needs to continue. So we appreciate all of your efforts. So Staci Shatsoff of the Federal Reserve, Patrick McDade from EverBank, and my colleague Isio Nelson. On behalf of the whole ProSight team, thank you for joining us today.