Fraud squad

2 November 2009

ACI Worldwide’s global card fraud survey found that one in five people had suffered card fraud in the past five years. HSBC head of group fraud risk Derek C Wylde tells Michael Jones that, with customers prepared to vote with their feet, banks are taking the matter very seriously.

Future Banking: Are you heartened by the level of industry cooperation in the battle against against fraud?

Derek C Wylde: I think that the UK has been a good model, particularly with chip and pin. France, quite a lot of Eastern Europe, Germany, Belgium and Spain are now coming on stream; these countries have either completed their chip rollout or are well down the line. I think Europe should be held as a model for industry cooperation in how to tackle card fraud.

There is a better transfer of intelligence and data on the internet banking side as well. I have a little experience of North America and Latin America, and unfortunately that level of cooperation is not as good. More work could be done. The obvious conduit for bringing countries in those regions together would be MasterCard and Visa because they run the card schemes, and their membership includes all the major card issuers and acquirers. They probably ought to be taking a stronger lead in one or two of these markets to get their strategy implemented.

FB How do you manage fraud risk in a large corporation such as HSBC - do you take a purely holistic approach?

DCW In head office we maintain and own fraud risk policy and strategic direction in terms of technology and that is translated across the group. We then split the management of fraud into six regional offices covering our 86 countries. They take those broad strategies and turn them into local, more detailed policies. It is impossible to have a one-size-fits-all fraud policy solution given the different cultures and legal remits in which we operate, but we are trying to ensure that, when it comes to fraud technology, we have standard group solutions across the company.

When it comes to the authentication of customers we set minimum standards. We determine the fraud checks we use for account opening but these will sometimes be supplemented with local flavours. In some markets they will be more controlled by local laws than others. It is holistic and follows a top-down approach. But it allows for local variations, dispensation and often enhancements to those policies.

FB Are you moving towards a full standardisation of technology across the group?

DCW We are but we haven't quite reached that endgame yet. We are at different phases depending on the technology that we are rolling out. We enjoy a relationship with a relatively small number of vendors in the fraud technology space. Part of our strategic imperative is to reduce the number of legacy systems that we have implemented around the group. HSBC has grown by acquisition and we have therefore inherited different banking systems and technology, not just for fraud. So it's a bit like turning a supertanker; it takes a while to remove those legacy systems, update them and migrate to the Group's standards.

The process has started but it will take a few years to finish. We are picking off the big businesses first, those that will give us the quickest return on investment. If we look at our solutions for card fraud, the SAS solution protects 80% of HSBC-issued cards.

So far we've implemented in the UK, the US and Asia, which has given us 80% of our credit card base. We will now extend that into the rest of our card base in the next couple of years.

FB How does HSBC prioritise reducing costs and inconvenience to the consumer while effectively managing security risk?
Is there a compromise?

DCW That's probably the most common challenge that any fraud manager faces because, as you increase security and try to prevent more fraud, inevitably there is an impact on customers. Whether that is through higher levels of customer security when a consumer is doing internet banking and logging on, making more checks when a customer uses their card or opens an account. It is a fine balance that we are constantly reviewing.

Most of the fraud team understands that balance very well but it does produce some tensions from time to time. We can get customer complaints when somebody is travelling and we have denied access to their card because our systems say to us it looks like fraud. But once a transaction is approved, that's our loss. It's a tightrope that we walk constantly, so if you can get the best solutions and the best predictive models that money can buy then the inconvenience to the customer is kept to a minimum. You strive to spot as much fraud as you can with the fewest false positives and that's something that I'm delighted to say SAS has been able to deliver to us. It's a market-leading solution, with some very smart models.

FB In practice, how does the fraud division of HSBC work in conjunction with the customer-facing sector of the bank?

DCW It is important that we communicate to our customers, that they understand that we are there and trying to prevent fraud on their cards or accounts. We don't want to plague customers with calls and alerts but equally we want to stop fraud before it happens and this often means speaking to a customer. There are checks and balances in the systems so that if you were to call us and tell us that you were going on a two-week holiday, we can record that on the system. But a customer could still lose their card on the first day of their trip, and that's a risk we take.

We try to use other types of technology and ensure that our database of contact numbers is as up to date and relevant as possible because this makes it much easier to contact a customer. One quick phone call or an SMS to a customer's mobile phone to check on their whereabouts means that we won't have to bother them again on their holiday. Our marketing and customer service people understand the need to prevent as much fraud as we can but it's about striking a balance. It's a continuous dialogue internally at HSBC and with our customers. We are, however, competing with other departments for airtime with our customers, so we need to balance our priorities.

I've been in the fraud space for a while and I believe that customers understand better today than five years ago why additional checks are sometimes undertaken or calls are made to check transactions. Card fraud especially gets quite a lot of media attention. Nobody likes to have their card declined. It's upsetting and embarrassing. We try to mitigate that by offering a 24-hour contact number for anyone encountering acceptance problems.

FB What are the typical trends in card fraud? What effects, if any, does the downturn have on the risk register for fraud?

DCW From a UK perspective, the success of chip and pin has greatly reduced domestic counterfeit fraud, but what is happening now is that the magnetic stripe data is being used in non-chip markets. We are seeing a lot of that fraud in Canada, the US and certain parts of Asia. Places in the world that are slightly lagging behind in
chip acceptance.

It's also moved to the non face-to-face channel, so we are seeing a significant upturn in 'card not present' fraud, cards being used over the phone or on the internet. There are still weaknesses in the infrastructure and we don't have enough of the 3D protocols that are being promoted by MasterCard and Visa. We still don't have enough merchants and customers who are really engaged

FB What are the implications for fraud in terms of low-value versus high-value transactions? Is there a difference or are they treated the same?

DCW We tend to prioritise high-value transactions but the danger of that is often a low-value transaction can be used to test whether the card is live before a much bigger transaction takes place. So if you ignore the $10 transaction you can potentially risk losing a much bigger amount an hour later.

Generally the score that we get is irrespective of the amount. It's based on the likelihood of a transaction being fraudulent. It doesn't matter if it's a dollar transaction or a $1,000 transaction, the score is not just derived from the amount. There are a large number of things that we look at.

We prioritise alerts according to a number of factors. For example, certain trends that we are aware of at the moment are high 'open to buy' balances. Some countries can be hotspots and then revert to normality. So if we are seeing an uptake of fraud in Canada, for instance, then we prioritise transactions from that market over others because they are more likely to be fraud and we can get to them quickly. We can also prioritise according to channel, merchant type, and whether it's an ATM transaction or point of sale. Those priorities will vary.

FB How has HSBC responded to the growth in online fraud and how are you working to secure the online channel? In particular, how are dynamic passwords set to develop?

DCW MasterCard and Visa are promoting a security technology that is generically known as 3D Secure. MasterCard promotes it as 'MasterCard SecureCode' and Visa as 'Verified by Visa'. At the moment, if you undertake a transaction online, all the merchant effectively needs is a card number and an expiry date, and they have enough to process this. We are endeavouring to implement additional security through the provision and checking of a password that is used with merchants that are signed up the service.
Customers can register their password with the bank while they are shopping, and then that new password is carried through in the transaction and checked by us. It's an additional control.

But, as we said earlier, this does impact the customer. They have another step to take when doing on-line shopping and another password to remember.