Heading back from Las Vegas following ICBA’s annual convention, I can’t help but think about that heist flick, Ocean’s Eleven, as I consider today’s fraud landscape. The movie’s premise is this: A group of guys set out to steal an exorbitant sum from three casinos. Somehow, they are successful in outsmarting security systems, and they walk away with a cool $150 million.
Contrast that with today’s cyber version of vault-busting thieves. Most often, these criminals don’t stray far from the digital comfort of sophisticated tech and the dark web, taking advantage of the weakest link in the financial transaction: the customer as a point of entry. In fact, the FBI reports that cybercrime losses in 2016 were $1.33 billion, with email account compromise the number one source of loss.
With threats continuing to emerge, I sat down with ICBA’s cyber expert, Jeremy Dalpiaz, assistant vice president of cyber and data security policy, to discuss what community banks can do to thwart cyberattacks. Our conversation uncovered three important tips for banks in navigating today’s cyber landscape.
1. Ensure the authentication procedures match the current risk environment. After the Equifax breach, hackers took hold of an enormous amount of information that, when cobbled together, can give thieves the keys to a person’s identity. Banks need to be one step ahead, updating their customer authentication procedures to ask for verification points that have not already been breached.
“Banks have to look at the type of information that was released and the type of information that they hold that they can use to authenticate customers,” Jeremy notes. “We haven’t seen the Equifax information on the dark web yet, but that really shouldn’t comfort anybody. If anything, that should raise the red flag.”
Asking the right authentication question, unique to your data, remains one of the best things a bank can do. More insights for how to strengthen internal processes can be found in the resource, “Tips for Community Banks Following the Equifax Breach.”
2. Elevate cybersecurity to an enterprise-wide initiative. Everyone within the bank has a responsibility to watch out for cybercrime. Because it often happens at the point of entry, every department from customer service to executive management needs to be on the lookout for anomalies in customer behavior or inconsistent requests.
“Cybersecurity is a field that has gone from a technical focus to a whole bank focus,” Jeremy shared. “It is in every line of business and in everyone’s interest that bank employees become familiar with how fraud can occur – whether that’s through hacking, phishing, spoofing or another method.”
As an enterprise-wide activity, banks also should test their incident response policy. Every year, FS-ISAC offers a free Cyberattack Against Payment Systems (CAPS) exercise that allows financial institutions to identify gaps in their processes.
This year’s exercises take place Oct. 9-10 or Oct. 16-17, and it’s worth considering for your institution.
“These exercises are good not only for cybersecurity resiliency but for business resiliency in general,” Jeremy says. “We receive great feedback from banks that participate.”
3. Share information with one another—and with your customers. One of the simplest ways to counter cybercrime is to participate in information-sharing with other banks. When banks communicate with each other, each entity strengthens. Individual financial institutions get to know hacker tactics, techniques and procedures and identify ways to address potential vulnerabilities.
“With FS-ISAC, you can share information in a trusted environment,” Jeremy points out. “Everybody is sharing information about how to better protect each other’s systems. It’s a pretty unique opportunity.”
In terms of sharing with customers, ICBA is involved in Operation Stop It! which is a joint initiative between the International Association of Chiefs of Police, the Identity Theft Council, and the Identity Theft Resource Center, to help protect communities from identity theft and to make sure victims get the help they need. This group is a great resource for your customers as issues arise, and there are opportunities for community bank involvement as well.
While these tips provide support in updating your fraud mitigation procedures, financial institutions must stay vigilant against cybercrime in ways that align with their organizations’ strategic direction.
No matter the approach, today’s cyberattacks call for something more sophisticated than the surveillance found in an old-school casino caper. A bank’s job is to identify ways to outsmart cybercriminals and stay a step ahead to safeguard customer accounts.
Cybersecurity Resources for Community Banks
ICBA Cybersecurity Resource Center & ICBA Data Security Resource Center – Provides tools and resources for community banks to stay up-to-speed, including a data breach information center and a cyber and data security toolkit
FS-ISAC – Offers a Community Institution Council for information-sharing
Operation Stop It! – Community-based identity theft initiative
Verizon Threat Intelligence Report - A comprehensive analysis of breaches and incidents investigated by Verizon personnel or reported by one of their 65 partner organizations.
FireEye - FireEye is an intelligence-led security company.
Fraud Mitigation for the Win
I recently came across a Harvard Business Review piece titled, “Do You Play to Win—or to Not Lose?” At the surface level, these choices seem like the same thing, but the article goes on to discuss that the difference lies in individual motivation. Simply put: If you’re playing to win, you’re taking advantage of opportunities; if you’re working to “not lose,” your focus is on preventing the other team from dominating.
In banking, a lot of times, we err on the side of “not lose.” And that reaction is justified. For example, the newly released 2017 Financial Institution Payments Fraud Mitigation Survey from the Federal Reserve Bank of Minneapolis revealed three out of four FIs experienced fraud losses in 2016, and 96 percent of debit card issuers faced card fraud losses. What’s more, 63 percent of banks reported increased fraud loss over 2015.
With fraud continuing to rise, losses growing, and new types of attacks emerging, sometimes it feels like we need to lock down our vaults and throw away the keys. But if we do so, we cease to improve our game and strengthen our competitive edge. So, in this mode of prevention, how can we, as community bankers, switch our focus from losses to wins?
To me, the answer rests in how we protect our house. It’s the systems we put in place to bolster our defense against fraudsters. And it’s in how we work with our partners.
For starters, having the right mix of multi-layered tools is a must. The Fed Minneapolis survey found that for debit and credit card transactions, 70 percent of respondents use seven of 11 fraud screening and scoring tools—yet they still suffered losses. Why? It may be because they don’t have the right mix of tools in play.
In addition, banks expect their customers to be their last line of defense. The Fed report concluded that there is “some reliance on customers detecting fraud when other methods did not block the transaction from occurring.” The problem with this? At this stage of the game, the fraud has already occurred.
Yet the solution is within our grasp. By working with trusted partners to assess our areas of vulnerability and recommend solutions to strengthen our infrastructure, we can lessen our reliance on the customer as a last-stop tool in combating fraud.
To that point, there are many reliable sources out there who can help banks better safeguard their systems and grow fraud detection programs. So, talk to your current providers and ask them to evaluate where there may be gaps in your protections. Research new entrants to the market to ensure you’re on top of the latest technology and how it responds to ever-changing attacks. Reach out ICBA Bancard to learn about solutions that can augment existing channels, like its new partnership with Cardinal Commerce on a card-not-present authentication tool. Take that next step to make sure you stay one step ahead of fraudsters.
All this goes to say, it doesn’t take an enormous investment to strengthen fraud protections. It just takes a shift in mindset—with the goal to play to win.
2018: The Year of the Community Bank
There’s something about the start of a new year that breeds optimism and fresh perspective. Challenges give way to opportunities, and obstacles become puzzles to solve.
That positive tenacity intensifies for me as I look at 2018, a year in banking like no other. From the digital revolution to the role of fintechs, a new day has dawned, and in its light, we see the sprouting progression of community banking.
The future hinges on one key ingredient: technology. Technology is upending traditional banking by standardizing what once was science fiction. From artificial intelligence (AI) and wearables to the Internet of Things, the marketplace has transformed from analog to digital in all capacities, leaving banking poised to reinvent itself in this new space.
By capitalizing on the changes in the following three areas, community banks can take advantage of these market shifts to position their services for the future:
- Digital Payments – Above all, community banks need to think digital-first when it comes to payments, starting with a rock-solid strategy (see my posts from last January and February). Gone are the days when the digital component was an add-on to an existing bank service. That won’t cut it in today’s culture where the norm lies in smart, connected solutions, a.k.a. the Internet of Things—a movement McKinsey Global Institute estimates could have an annual economic impact of up to $11.1 trillion by 2025. The good news? Community banks have a nimble mindset and corresponding infrastructure that allows them to adapt and drive a seamless, digital customer experience.
- Artificial Intelligence – Whether it’s Alexa, Watson, Bixby, Siri, Google Assistant or some other AI tool, this technology extends far beyond the digital assistant moniker. For community banks, the AI framework gives them a solution to collect and quickly analyze data that can support existing efforts around predictive analytics, fraud detection, service personalization, and workforce productivity. While most community banks lack experienced staffers to filter and evaluate the information at hand, many new fintech solutions can do it for them.
- Fintechs and Application Interfaces (APIs) – And just like that, former fintech competitors now offer a strategic advantage. We have seen a paradigm shift in fintechs realigning their strategies to partner with community banks to deliver innovative products and services to market. Just witness our partnership with linked2pay for real-time posting of payments to community banks and their small business customers. With core providers finally willing to open their legacy systems to APIs, community banks can offer cutting-edge, digital solutions faster than ever.
And the speed of change continues, but when this technology revolution syncs with the innovative, entrepreneurial spirits of community bankers, opportunity abounds. Mark my words: The rise of technology will signify the rise of the community bank.
That growth will start now, in the strategies we develop, the partnerships we cultivate, and the solutions we offer. It’s up to all of us to evolve with our customers’ needs, not just looking at what they’re asking for today but anticipating what they will need tomorrow.
With that in mind, I’m calling for one collective New Year’s resolution: Let’s make 2018 the year of the community bank.
Are You A Goal Digger? Six Professional Development Ideas for Payments Leaders
When I gaze back on my career, I see peaks and the valleys; the times where I knew where I was headed and the times where I felt I was driving at night without headlights. In my role as a community banker, in particular, things seemed to accelerate with lightning speed. Sometimes, I was clairvoyant, reading that market crystal ball like a road map, and sometimes, well, let’s just say that we adapted.
In our industry, that ability to adapt and change is what sets us apart and drives bank growth. But change can be hard; how do we know how to change, let alone when to change?
No one has definitive answers to those questions, but I can tell you from personal experience that staying on top of industry developments made me more nimble and gave me the courage to take calculated risks. I invested in my professional development to benefit me, but ultimately, also to benefit my bank. And this investment paid off, both in my career trajectory and in the bank’s offerings.
As I think back, there were a few key things I did that made all the difference. With that in mind, I’ve assembled a short list of development opportunities that may give you the same leg up and support you as you navigate this new world of digital payments.
- Find a mentor. I’m a big believer in learning from others. Having a mentor to brainstorm ideas with opens many channels and helps you see the world from varying perspectives. So, take a look back at your career and seek out your best leaders. Introduce yourself to others who share original perspectives at conferences. Reach out to professional organizations like ICBA. Do what it takes to find a trusted advisor who can help you to process ideas.
- Learn more and get involved. With such rapid change in the industry, you need a resource who can give you a quick version of what’s most important. Regional Payments Associations (RPAs) offer this knowledge and can keep you apprised of the most relevant changes for your institution. In addition, there are numerous volunteer opportunities with RPAs that help you grow as a leader.
- Join the FS-ISAC Community Institution Council. Having the right information is critical when developing business strategies, particularly when it comes to risk and fraud. To that point, it makes sense to consider joining your peers on FS-ISAC’s Community Institution Council where key topics include: attacks and technology issues, regulatory changes, changes to examination processes, and peer comparisons on topics of interest.
- Explore continuing education and certification programs. Investigate The Payments Institute; it offers an in-depth look at payments today. In addition, NACHA and the RPAs offer the Accredited ACH Professional (AAP) and the Accredited Payments Risk Professional (APRP) certifications for expert-level knowledge. ICBA’s own Community Banker University offers numerous online classes and workshops on a variety of topics throughout the year.
- Look to industry leaders for the latest tools and resources in digital payments. Simply staying up-to-date on what’s happening with major payments initiatives will give you insights into market direction. As payments evolve, those responsible for some of the changes offer free tools to support you. Visit the Federal Reserve’s Payments Improvement site, NACHA’s Same Day ACH Resource Center, and The Clearing House’s Real-Time Payments site for more information. For other topics, your RPA also can be a great source of support.
- Check in with the ICBA Bancard team. As a former community banker, I understand the unique position you’re in and can offer tips on things that worked for me. We also have numerous payments experts on staff who bring years of knowledge to the table and are happy to share their thoughts as well. Contact us anytime and follow me on Twitter @tnagiorgio.
With a wealth of resources, there’s no shortage of opportunity, just time to accomplish it all. So, as 2017 reflection gives way to 2018 goal-setting, I hope you can use these ideas to determine what aligns best with your professional development plan. Based on my experience, committing to doing just one new thing will have a profound impact.
What Does the Faster Payments Revolution Mean for Community Banks?
ICBA Bancard President and CEO Tina Giorgio discusses how community banks can deliver on the promise of ubiquitous real-time payments.
“My goal is not only to ensure that community banks stay relevant when it comes to real-time payments but ensure that solution providers are delivering affordable, integrated solutions for community banks that are easy for them to deploy," says Giorgio.
Listen to NEACH’s Pacing Payments podcast below:
Read the NEACH Podcast Transcript
Protecting Consumers After the Equifax Data Breach
Read the e-Book "Protecting Consumer Identity"