Some say baseball is not only America's Game, but also a metaphor for life in America. As a lifelong fan I have noticed that each year a couple of rookie players explode onto the scene in April, putting up terrific numbers and establishing themselves as the sport's next great icons. Usually by mid-May they have disappeared from the league leader boards as their numbers fall precipitously. Why? Because the league knows very little about the players' strengths and weaknesses in April, but as time wears on, pitchers make adjustments to exploit the rookies' weaknesses. Don Sutton, an announcer for the Atlanta Braves, says that baseball is a game of continuous adjustments. The rookie wunderkinds will only be successful over the long run if they are able to make the adjustments necessary to counter the pitchers' new approach.
In today's payments world, rookie fraudsters are having significant success penetrating corporate payroll and accounting systems using Trojan horse and key-logging software to insert bogus payments into the company's disbursement streams without the company realizing until it is much too late. So called "money mules," hired by the kingpin fraudster, receive the "stolen" funds in new accounts and immediately wire them to faraway places after taking their promised cut. Such schemes have been much discussed in the payments industry press over the past few months.
My wife's sister is the bookkeeper for a small firm, and in that role she is responsible for most of the company's disbursements, including payroll. Over a glass of eggnog or some acceptable substitute, I told her about these schemes and she listened, wide-eyed. We discussed the controls that were in place in the company that could detect and prevent them from becoming a victim, and I began to realize the problem we face as an industry in addressing such new threats. Like the rookie baseball player, we must begin to adopt a mentality of constantly adjusting to the ploys of the fraudsters to ensure our future success. For example, a company could add a new step to their disbursement process that would check payroll totals for reasonableness in terms of numbers and dollars, scan preliminary logs of payees, names or accounts, etc., before pressing the transmit button. The challenge is to figure out how to share threat information broadly enough to reach the point of common sense protection. There can be no remedy if there is no awareness.
A number of organizations are working on education and communications efforts within their industries, but the best protection is always a first-line defense at the point of greatest vulnerability—the corporate originator of payments. While we in banking view the depth and breadth of our industry as daunting, it is trivial compared to the universe of American business, from large mega-corporations who can invest millions in protection to small entrepreneurs engaged in realizing their lifelong dreams, totally oblivious to the dangers of the brave new world. What, then, can we do to address this seemingly impossible challenge?
The answer would seem to lie in harnessing the amazing technology present in the world today, the same technology being used by the bad guys. Just as nuclear technology can be used to pursue both good and bad objectives, so can e-mail systems, social networking, twittering, and other yet-to-be-discovered advents of the new century. My sense is that the problem lies in discerning how to connect the dots. In other words, how can we as a society create a massive web of "community of interest" associations that allows information to reach the eyes and ears of all (or most) of those who need to hear it?
From my background as a math major, I know that the shortest distance between two points is a straight line (actually, I think you can get this from high school geometry). Noting that every company needs a bank, my sense is that the straight line for this effort runs directly from the central industry sources of fraud knowledge, to the banking community, to a bank's business customer base. Simultaneously, another connection at the top of the chain runs from industry sources to other parties in the regulatory and law enforcement businesses.
Over the past few months, we at the Retail Payments Risk Forum have become aware of and frequently engaged with several organizations who are interested in and trying to enhance the current communications and education process. For example, a new interagency fraud working group, co-chaired by the Department of Justice and the Federal Reserve Board, has been created to share information between bank and nonbank regulators and the law enforcement community. An effort to construct an educational toolkit for banks to use to report fraudulent activity is being developed under the auspices of BITS. In an ideal world, we would all work together to harvest the unique capabilities of each of the many efforts under way and try to coordinate them in such a way as to minimize duplication, maximize knowledge, ensure accuracy, and expedite wide distribution of information. In the months ahead, the Forum will be trying to work across many interested parties to see if there is a model for accomplishing this goal that could be deployed to the benefit of all possible victims in the "fraud value chain."
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum