Persuading the bosses

Here are some ways to help convince your C-level executives - the CEO, COO, and the CRO - that managing fraud across your entire entity can result in a positive rate of investment in the long haul.  

Recently, I was invited to a strategy meeting with a group of C-level executives - the chief executive officer (CEO), chief operating officer (COO) and chief risk officer (CRO) - along with a couple of fraud examination managers for a large financial services company. We were discussing the issue of enterprise-wide fraud losses when the COO chimed in that fraud was only .05 percent of their operating budget, so their fraud situation was very much "under control." Heads were nodding up and down in agreement and everyone was ready to move on when I respectfully interjected my words of caution.

Certainly, if you look at the issue in terms of fraud "loss," it's hard to disagree with such a small percentage. However, fraud is very rarely only about immediate losses. For example, there are definite company-wide process issues that can quickly drive your profit potential south if you don't rein them in. In addition, with every new security breach and identity theft, consumer trust is degraded, which threatens business growth. So why is it still such a struggle to convince C-level executives that managing fraud across an entire organization has become an operational must?

It's apparent that the key to winning the boardroom battle is to arm fraud and security professionals with pertinent information and hard financial numbers that draw a direct correlation between fraud solutions and business risk.

Filling your information arsenal
Solicit 'corporate champions'
First things first: Because fraud has emerged and grown from so many areas of business contact, there's no such thing as one "large bucket" in which it can be placed. To illustrate this point, consider that according to industry statistics as much as 70 percent of fraud goes undetected because it's misassigned as credit losses (Financial Insights, June 2004). With this in mind, collectors in your organization stand to benefit from a solution that identifies potential fraudsters before a transaction and possibly eliminate their names from appearing on delinquent collection reports. Extracting fraudulent accounts from delinquent ones allows collectors to focus on legitimate late-payers who they can collect from.

This same notion can be applied to direct marketing because a successful identity thief could have been added to a marketing list. By uncovering and removing this individual from your marketing list prior to initiating contact, marketers will save on mailing costs and reduce the likelihood that the fraudster will respond and wreak havoc on the consumer and your organization.

Now, add another layer onto your task of calculating the business impact of fraud: regulatory compliance. With the introduction of mandatory compliance to such regulations as the USA PATRIOT Act, organizations continually scramble to bring their systems into compliance with explicit procedural stipulations meant to beef up customer identification programs. You can be your company's hero if you're able to turn a business process that's driven by compliance into a process that ultimately generates positive return on investment (ROI).

Your investigative efforts also may reveal process inefficiencies. For example, suppose you learn that customer service representatives are utilizing products from two different vendors during the account opening process to verify account information. Even though one process is in place to prevent fraud while the other is designed to comply with regulatory requirements, there may be significant overlap and duplication.

Or perhaps you feel that your process isn't as automated as it could be and still relies heavily on time-intensive and costly manual reviews. You may feel that by implementing an automated authentication process, decision "borderline" new accounts or other risky maintenance functions such as address change requests could create increased efficiency.

Connect the dots
Once you've met with various department heads and are beginning to understand their processes and procedures, you need to help C-level executives "connect the dots." In other words, your job now is to calculate hard numbers associated with operational inefficiencies that could be relieved by a comprehensive fraud solution.

For example, take a look at the following hypothetical scenario in the chart below. 

Note: Figures are annual costs/savings based on a business with 100,000 applications per year. 

As this analysis shows, if you had only relied on such factors as "direct fraud losses" and "cost of fraud detection tools" when formulating the return on investment message, the results wouldn't have appeared as compelling. However, when the results are examined from a big-picture perspective, the benefits of such changes are more obvious. They now serve as a driver for change, making it much harder for senior management to ignore the issue. If after this analysis you're still having trouble getting fraud prevention on your C-level executive's agenda, consider sending him or her news articles about the many companies whose reputations and stock prices are getting slammed due to a security breach.

One thing to note here before moving on - if you think "connecting the dots" by estimating lost time, salary and expenses related to potential internal process inefficiencies is a tricky task, know that you're not alone. There's a whole industry dedicated to process consulting. It's definitely a science, and if you're having a tough time "peeling back the onion," look for an outside fraud management consultant who has the capability to objectively look at your organizational processes.

Conduct validation trials
Once you've uncovered areas throughout your organization that may be affected by fraud - either directly or indirectly - it's time for you to begin building a fraud strategy.

How do you know what makes the most sense for your organization? If, for example, you're finding that the growth in the number of applications/transactions you manually review for fraud is higher than your overall sales growth, you need to take a look at your fraud decision rules and detection tools - or perhaps, lack thereof.

Decision and rules systems automate your internal review process. They also determine whether the application/transaction should be accepted, rejected or suspended for review. The efficacy of your decision systems has a direct impact on your fraud management efforts.

Therefore, before you decide on an outside consultant, request the possible provider perform a validation analysis to determine how predictive its fraud solution really is. The process is simple. After you establish agreed-upon parameters for the fraud model, the provider will process a number of recent applications/transactions that have already been reviewed by your organization.

By applying the provider's fraud model to the applications/transactions, you'll be able to see how much fraud was captured within the total population. You also should be able to determine if your manual review process was reduced, increased, or remained the same based on the model.

The results of the analysis can arm you with vital information about process efficiency and ROI when communicating to your C-level executives.

Educate yourself on the issues
There are a few key forces that have led to the rapid emergence of fraud and identity theft in recent years:

• Many business processes increasingly rely on technology and less on human interaction.
• There's increased pressure to rapidly acquire new accounts without a corresponding incentive to minimize fraudulent applications.
• Social security numbers have come to be used as the U.S. population's primary identifier and are more susceptible to compromise.

Also, with the rapid evolution of technology, there's no doubt that fraud attacks will continue to become more sophisticated, frequent, and menacing in nature. Your best bet is to arm yourself with current fraud trends and issues in regard to fraud and process management efficiencies and see how your organization's fraud management efforts measure up. It's easy to get caught up in running toward every new form of fraud attack in order to patch potential revenue leaks throughout your organization. However, don't let the potential hype of point solutions divert you from meeting your core business needs and addressing fraud as a total organizational solution.

By becoming an active member in professional associations such as the ACFE, you not only join forces with your colleagues, but you have access to current industry information and tools such as the ACFE Fraud Prevention Check-up. The key is to stay current and implement industry best practices.

What to look for in a fraud management consultant
A fraud management consultant should be willing to listen, listen, and then listen some more about your overall challenges. Narrow that list of consultants who are able to do these things:

Conduct validation analyses to justify your ROI expectations
Is the consultant willing to provide you with validation numbers that demonstrate how successful you will be by implementing that solution? If they don't have a program in place that puts their money where their mouth is, look for a consultant that will.

Create templates of business rules that are specific to your market
Certainly, no one knows your business like you, but how easily can the consultant provide you with rules that will help you with fraud management specific to your market and operational needs?

Customize your plans
It's easy for a consultant to develop products and services with the "one-size-fits-all" approach to the market. Does that mean you have to buy the product right off the shelf? It shouldn't. Find a consultant that will work with you to customize the solution to fit your organization's needs. Why buy tools you'll never access, yet do without the best tools on the market because it was not part of a package?

Provide a consultative partnership
Be certain to select a consultant who knows the "business of fraud." Look for a consultant who's able to work with you prior to any solution implementation to ensure you have the ability to put a process in place to be most successful. The firm should be able to help you with process consulting, and tools to make decisions and analyses that will help you demonstrate a positive ROI.

What to look for in a fraud management plan
Concurrent to looking for a strong consultant, match that relationship with robust solutions. No matter what industry, ideally your fraud plan should include:

Access to multi-sourced databases
Certainly, a deep database is a powerful weapon to combat fraud. Even better is a plan that provides access to more than one database that will enable you to verify and check for inconsistencies across a number of data points. Ask yourself if it's enough to confirm that a name belongs to a particular social security number. Is that enough verification? Would it be even better if you were able to confirm that a particular ZIP code belonged to an address that, in turn, belonged to that person and SSN?

OK, now you have verified that all the data is matching. With the prevalence of identity theft and the sophistication with which data has been compromised, a powerful fraud plan will take you even further than merely helping you connect the dots with the data provided. A robust plan will allow you to authenticate that information. So what's the difference? Consider this scenario:

You're presented with the chance to purchase the signed, record-setting baseball hit by slugger Hank Aaron for the bargain price of $1,000. Sounds like a good investment, right? But is it real? 

Would you feel more comfortable making the purchase if you recognized the seller from a reputable newspaper picture as the fan who caught the home run ball? How about if you personally witnessed Hank Aaron signing it? 

With those assurances that the ball is the "real" thing, just about anyone would jump at the chance to buy it. But what if you didn't have that authentication? What if you never even met the seller? What if the entire transaction took place over the telephone? Or on the Internet? Would it still be a good deal? How do you know that what you're buying is real? 

There are many tools available to quickly assess whether information provided by a prospective customer or borrower is "good." A better solution will enable you to determine if your customer is "real" - or authentic - by providing "challenge questions" that only that customer will know.

Further, how often are the solution's databases updated? Ideally, seek out products backed by multi-sourced databases that are organic, meaning that the information is updated on a consistent, regular basis. Issues of fraud and new attacks are changing rapidly. Eliminate loopholes for potential fraud activity by seeking out solutions with the freshest data possible.

Built-in fraud models
We already discussed the importance of reducing manual reviews in demonstrating business process efficiency, now let's take it to the next level: A good solution is built on providing the ability for your organization to determine what is a "good" customer based on potential risk. For example, is that customer actually who they say they are, based on name, address and/or additional points of data? A plan that can then present users with a "fraud number" will enable you to reduce manual review. Through your fraud strategy, you determine a number value based on the level of risk your organization is willing to take.

When users verify new applications/transactions, a scoring model will assign a numeric value. In general, higher numbers indicate low risk and will move the application/transaction further along in the process. Lower numbers will be flagged and will automatically require a higher level of review before or if they can be moved along your organization's process.

Flexibility
Competition moves. Markets change. Technology evolves. Your organization is tapping into every available resource to grow and continue to succeed. As your organization grows and changes, your fraud management plan needs to adapt. Look for a plan that remains flexible enough to grow and change across your organization.

In other words, there may be unique risks in a particular segment of your business that require increased protection or the integration of a specific third-party data source. An effective solution should be able to easily adapt and address your organization's disparate needs at the business unit, product, or delivery channel level.

An end-to-end solution
Typically, when speaking about fraud, many goals will concentrate on the "initiation" of applications/transactions. Since this is where a large portion of fraud occurs, concentrating your efforts on preventing fraud definitely starts here. However, don't forget about maintaining your fraud management throughout the entire lifecycle of your customers' experience with your business.

It's up to you to manage the potential for fraud in areas such as account takeover, identity theft, e-mail phishing - well after the customer has been a part of your business. Look for plans that will enable you to react to fraud as well as prevent it from entering your organization.

Finally, look for a plan that has capabilities to assist your organization in the unfortunate event of data compromise - either on your behalf or on the behalf of your customers.

Given the current inexorable nature of identity theft, consumers are seeking the protections available through after-the-fact identity theft remediation programs. By providing identity theft remediation services, you will give your organization a competitive advantage while garnering renewed consumer trust. Look for a solution that will provide those benefits to your customers.

In the instance of organizational data compromise, look for a plan that can mobilize your company quickly to respond to compromise concerns by preparing and distributing required notification letters, establishing a hotline, and assigning dedicated resources to restitution efforts.

Ready for battle
Recognizing that fraud management isn't a function best performed in a silo is absolutely key to your success in both the boardroom battle as well as the battle against fraud. Again, it's not just about the initial dollars lost due to fraudulent activity but about managing business processes that will enable you to prevent, manage, and mitigate fraudulent activities throughout your organization. To help you succeed, perform due diligence about business risk, industry fraud issues, and a possible fraud management consultant.

Once you help your C-level executives understand that the up-front investment is just that - an investment - they should begin to see that effectively managing fraud could result in positive ROI in the long haul.

Tim Keller, Associate Member, is the director of Fraud and Identity Management Solutions for TransUnion's Analytic Services Division. He was an instructor at the ACFE's 16th Annual Fraud Conference & Exhibition.