Fraud is today the most pressing problem for banks, given the growing volume of money stolen from citizens. We asked an independent expert to comment on the key issues – Razina Olga Mikhailovna, Ph.D., member of the SRO Association Sodruzhestvo and member of the Institute of Internal Auditors Association.
– Today the fight against bank fraud is one of the topics discussed in the media. Banks receive a huge number of complaints from affected citizens every day. How would you comment on this situation, and what are the reasons for the growing number of money theft cases?
– As an expert, I have been asked this question quite often lately. It is indeed very relevant. According to various estimates, over the past year the volume of money stolen from citizens in Russia ranged from 14 to 15 billion rubles. Compared to the previous year, the growth was more than 30%. Having dealt with the problem of bank fraud for many years, I associate this trend with two main factors.
Firstly, during the pandemic many banks and financial organizations moved customer service to a remote format, so remote banking systems for individuals became the main target for fraudsters. Secondly, the quarantine introduced during the pandemic provoked an increase in contactless methods of payment at merchants and for services (CNP transactions). The pandemic has strengthened customer demand for remote service formats, and the habit of buying goods online has firmly entered the everyday life of our citizens.
At the end of last year and the beginning of this year, the main growth in fraudulent transactions was in payment cards and electronic means of settlement. This was due to a shift in the focus of fraudulent activity towards the largest marketplaces and online platforms (which sell products at significant discounts and actively promote the products of foreign brands that have left the Russian market). Why did this happen? The largest marketplaces reoriented their business under sanctions in a very short time, and the companies simply did not have time to modernize their own information security systems, including the means of protecting customers from fraudulent actions by third parties.
– How do scammers obtain customers’ personal data? Are there particular features or characteristics of the customers that scammers choose?
– For the past fifteen years, as a professional auditor, I have been studying the various characteristics of fraud in the banking sector. Whereas earlier the victims of fraudsters were more often elderly people, mainly of retirement age, the social portrait of a potential victim now looks much younger: as a rule, these are working citizens aged 25 to 45 with an average income who actively use online services.
Personal data can leak through external factors, when attackers hack the client databases of banks or retail chains or use phishing mailings, and through internal factors, when client information is passed on by unscrupulous employees with a personal financial interest. External threats can often be blocked with the latest fraud monitoring systems, while the fight against internal threats, unfortunately, never ends.
I will give one of the most recent examples. In 2021, a high-profile investigation was carried out into a leak of personal data from Sberbank. It turned out that the data of more than five thousand credit cards had been uploaded to the internet by the head of one of the direct sales departments. To do this, he needed more than ten hours of work and administrative rights to the client database. Similar cases occur with enviable regularity in other equally large credit institutions, and in most cases they are linked to the actions of unscrupulous bank employees. The main motives of such employees are personal gain, revenge, meeting business targets, etc.
– Is it possible to identify unscrupulous employees who contribute to leaks of customer information?
– Speaking at professional forums and conferences devoted to risk reduction in the banking sector, I have more than once been asked about creating a universal internal monitoring system that can detect internal fraud. Indeed, large banks are developing such systems and constantly improving them as fraud “schemes” and “scenarios” change. In addition, to prevent fraudulent transactions, they introduce specific limits for certain categories of cards and customers and modify the information security systems responsible for information leakage threats (DLP systems).
As a rule, internal audit specialists are involved in identifying unscrupulous employees; their task is to identify schemes of potential theft from customer accounts or cases where customer information is used for transfer to third parties. Banks should apply the concept of “zero trust” to personnel whose work involves customer accounts and personal data. It is necessary to “know your employee”: this principle means having information about how employees of a financial organization treat their official duties and about possible problems, including financial, property and personal ones, that could potentially lead to actions that violate information protection requirements.
However, there are no universal models for detecting fraud; it is always long-term work that requires a large-scale retrospective assessment of information.
– Your years of internal audit experience allow you to identify and assess potential threats and risks more professionally. What new tools have you implemented to reduce cases of internal fraud?
– I have been doing this work for many years. The practical knowledge I have accumulated is reflected in numerous works on banking risks published in leading financial publications in Russia. For several years I have been conducting practical studies assessing the impact of COVID-19 on the activities of major credit institutions. As a result, an adaptive model was developed that produces a digitized assessment of operational risks, including the risks associated with internal fraud.
The main difference of the developed model is that, when analyzing operations against a set of different criteria, it is based not only on the portrait of the client but also on that of the employee. The larger the set of criteria, the higher the accuracy of the model. Practical use of the model significantly reduces the bank’s labor costs in detecting cases of internal fraud, which is especially important for small credit institutions that do not have automated fraud monitoring systems. From my point of view, banks should be interested in taking preventive measures in advance, so that the client does not have to contact the bank over a fraud incident.
– Based on your practical experience, should the bank compensate losses in cases of money theft?
– There is no definite answer to this question, since when a client contacts the bank it is necessary to establish the cause of the personal data leak. If customers voluntarily hand over information about their bank cards to fraudsters, they violate the terms of the bank account agreement. There are also the reverse situations, when money was stolen from an account without the client’s involvement, and the bank has to conduct an internal investigation into the causes of the information leak. The first steps towards protecting customers from potential fraud were already taken last year, when several regulatory documents came into force at once, allowing banks to independently limit the size of a transaction or the performance of certain customer transactions. A document has also entered into force obliging banks to identify all devices from which payments are made.
The topic of compensation by banks for losses from theft is now being actively discussed both within the banking community and by the Bank of Russia. At the end of last year, a bill was drafted that should decide the fate of customers affected by fraud. On the one hand, receiving compensation from the bank will resolve the issue of out-of-court settlement of losses from fraud; on the other hand, it will increase the cost of banking services and products, since the amount of compensation will already be included in the cost of maintaining a bank account. For example, in many developed countries a mechanism for compensating losses on credit cards has already been implemented, and it is working successfully. Perhaps the legislator will follow the path of a comprehensive solution to this issue, by analogy with compensation for losses through the deposit insurance system.
However, I am convinced that merely introducing such an initiative without improving banks’ fraud monitoring systems will not succeed. There are always operational risks that are difficult to counter in various situations.
Interviewed by Vladimir Kondratyev