Executive Forum on Fraud Mitigation
Fostering an Agile and Adaptive Culture to Fight Payments Fraud
By Mary Hughes and Amanda Dorphy, Federal Reserve Bank of Minneapolis
On April 26th, executives from Ninth District financial institutions (FIs) participated in a forum on payments fraud mitigation. The theme was how leaders can best foster an agile and adaptive culture within their organizations in order to empower staff members to effectively thwart payment fraud attacks.
The event, co-sponsored by UMACHA and the Federal Reserve Bank of Minneapolis, was hosted at the Minneapolis bank. Fred Laing, President and CEO of UMACHA, and Guy Berg, VP of the Payments, Standards, and Outreach Group of FRB Minneapolis, were moderators. The session opened with welcoming comments from FRB Minneapolis President and CEO Neel Kashkari and Niel Willardson, SVP of Corporate Services and General Counsel.
In the first presentation, Joseph Rivers from the Minneapolis FBI office reviewed various fraud crimes and schemes from a law enforcement perspective. He emphasized that fraudsters manipulate the human element by exploiting vulnerabilities in human psychology. Many victims believe they are engaged in a legitimate business venture or helping someone. FBI statistics show that smaller, rural financial institutions are most vulnerable to fraud attacks. Money laundering and other fraud scams are especially prevalent. Common schemes include business email compromise attacks, drug crimes, Ponzi schemes, payroll skimming, inventory and rebate scams, health care fraud, romance scams, and others. He encouraged attendees to develop a partnership with the FBI before a cybercrime or fraud event occurs, as recovery rates drop sharply the longer the wait to contact the FBI.
Mr. Rivers offered these guidelines to help shore up FI defenses:
- Develop a healthy paranoia – since scammers try to invoke an emotional response, suspicion is healthy
- Question authority – fraudsters often pose as authority figures such as senior executives, board of director members, or law enforcement
- Don’t fall for false urgency claims, such as “act now” or “help me” or other pleadings
- Never respond to any unsolicited “tech support” calls
- Rely on a two-step process (such as a text or phone call, but not email) to verify payment transactions
- Train FI personnel; encourage them to exercise judgment and rely on their experience in order to foster responsive and dynamic actions
The second presentation featured an executive panel consisting of Mike Bilski, CEO of North American Banking Company; Rodney Nelsestuen, SVP and CIO of Merchants Bank; and Bryan Wilken, SVP and Chief Information and Operations Officer of Bank Midwest. In their opening remarks, each shared the approach his FI uses to combat payments fraud.
Mr. Bilski’s stance is to “get out in front of it” by budgeting for software and personnel in advance. He noted that their policy is to close accounts immediately if the FI is at risk.
Mr. Nelsestuen said his FI has evolved to require customers to take needed security measures. He observed: “Preserving the reputation of the bank is huge. We need to play this game every day. We never say we won; we never say we’re done.”
Mr. Wilken noted his bank has pivoted to emphasize security from the top down, even including the concept in their new mission statement. They have an incident response team that quickly convenes in a war room when an attack occurs.
To create a culture in which FI employees feel empowered to protect against payment fraud attacks, education is key. One bank phishes employees monthly to test them and tracks the metrics. Industrywide, the average rate at which employees click on phishing links is 20 percent; through testing they have brought it down to two percent in their organization.
Bankers agreed that it is vital to educate corporate/commercial customers in order to foil business email compromise and other attacks that start at a business. The panelists observed that many commercial customers do not take fraud as seriously as they should. One bank addresses this shortcoming by requiring business customers to sign an indemnity contract showing that they will accept their fraud losses if they fail to take needed precautions.
FI employees need to know that senior management will back them up if they ask questions and question authority when they suspect something is wrong. Customer service goals, while important, should not be adhered to blindly. One banker said they share fraud attempts with customers and even report the losses, so others can learn from mistakes.
In conclusion, executives know that banks need to continually evolve their defenses to fight payments fraud. In addition to dollar losses, damage to reputation must be factored in, too. Empowering employees to take action and exercise judgment is key to fortifying defenses.
Executive Forum attendees indicated in their evaluations that they found the event to be highly informative and practical.