Fraud is changing. Are banks ready?

Resiliency is key to combating changing threats

Executive summary

Fraud is changing rapidly. Banks face rising risks from AI-powered attackers who are taking advantage of outdated defenses, unclear ownership of fraud controls and strained resources. A fraud resiliency assessment helps financial institutions identify gaps, test their ability to respond and build a culture of proactive defense.

Introduction

Banks face a changing threat to their mission of safeguarding customer assets and well-being: cutting-edge fraud.

Attackers have made a technological leap, using AI to target banks and their customers with more frequent, more sophisticated and more convincing attacks than ever before.

Meanwhile, banks are under pressure not just to secure their own systems, but also to stamp out vulnerabilities in third-party vendors’ platforms and ensure individual customers aren’t falling for fraud.

“A lot of people don’t know where to start,” said Grant Thornton Risk Advisory Services Senior Manager Julia Cobb. “They don’t yet have the resources, they don’t know what the steps are, so they just get lost.”

So what is the first step in dealing with a fast-moving threat that crosses the organization?

The answer, Cobb and other Grant Thornton professionals suggested, may be a fraud resiliency assessment. These assessments measure an organization’s ability to identify and respond to emerging threats — they identify defensive gaps and ensure the organization is ready for the future of fraud.

The goal is not perfection but maturity.

“Having an incident is not failure, but it’s important to learn from the incident to limit fraud moving forward,” said Grant Thornton Risk Advisory Services Partner Zach Snickles. “There’s no way you can stop fraud completely, but can you reduce your exposure and respond effectively.”

Banks must defend an expanding attack surface

Even the biggest and most sophisticated banks can struggle to defend effectively against fraud.

With growing technical and organizational complexity, many financial institutions struggle to efficiently communicate threats and risks in real time across the business. Their fraud responses can be fragmented across multiple teams, and the ownership of technology and security responsibilities can be troublingly unclear.

“Banks are being asked to do more with less every day,” Snickles said. “But many are not looking at fraud holistically. If you’re looking at it in pieces, you’re missing the big picture.”

Banks have historically taken a segmented, decentralized approach to fraud risk. One group may focus on fraud related to a certain product type. Another may focus on fraud related to a different product offering. And neither group may be connected in real time to the frontline staff who are reviewing suspect transactions and speaking with customers.

A proactive and sustainable fraud risk management program requires cross-functional and enterprise-wide collaboration among stakeholders. A fragmented approach is increasingly untenable as customer data is centralized, and banks continue to expand their services to consumers. The move to the cloud and web-enabled consumer services expands the “attack surface” — or the virtual and physical places where an attacker might attempt to compromise security.

“Your attack surface is every customer-facing business that exists across the bank,” said Grant Thornton Risk Advisory Services Senior Manager Paul Avinger. “Anyone who is customer-facing has some responsibility as it relates to how your institution defends itself from fraud.”

AI has made attacks especially potent

For example, unlike in the past, phishing messages may not be marked by typos and grammatical errors. Instead, they are increasingly tailored to specific targets. Fraudsters may even use “deepfake” audio and video to trick customers and employees into compromising accounts and systems. Attackers also are using automated systems to probe for weaknesses and burrow into networks.

“All of the existing fraud schemes that we are familiar with are getting supercharged,” Avinger said.

The elevated threat level poses a difficult strategic decision for banks. With so many threat vectors, or channels for executing malicious acts, where should they focus their resources: technological upgrades, training or staffing?

“Resources are strained as volumes tick up,” Cobb said. Too often, banks aren’t investing in fraud prevention until they suffer a serious breach. That leaves the institution on its back foot, racing to contain a catastrophe while trying to stand up new defenses. Even worse, banks that fail to prepare for fraud can lose the trust of customers — and in the current competitive environment, loss of trust can lead to loss of customer relationships.

“There’s a lot of expectation from the consumer side that banks are going to protect them,” Cobb said.

Effective fraud defense “can and should be a differentiator for banks,” Avinger said. Customers are increasingly agnostic to banks’ brands, instead wanting to know which institution is “doing their utmost to protect my money, and offering me easy access to services that I would expect from a modern consumer bank.”

The case for fraud resiliency assessments

Banks can make progress against fraud with a structured, informed and consistent approach across the organization, said Graham Tasman, who leads Grant Thornton’s Banking Industry practice.

“There’s hope here for institutions that struggle with all the complexities that go with remediating and building resiliency into their fraud programs,” Tasman said. “Developing an execution roadmap is an effective way to ensure an organization has line of sight to all that is required along their compliance journey, and even with looming gaps in the plan, having the placeholder to prioritize action is what matters. Maintaining awareness is central to everything else.”

That can start with a fraud resiliency assessment — a look across the organization at governance, risk assessment controls, and investigation and monitoring capabilities related to fraud. “Such an assessment relies on guidance from authoritative sources to evaluate the components of an effective fraud risk management program,” Avinger said.

These assessments take a distinct approach from the work of internal audit groups. While important, internal audits often examine how existing groups and programs are functioning. In contrast, Snickles said, a holistic assessment asks where an organization’s defensive gaps are, and how its strategies mesh together.

“What are you doing on monitoring? What are you doing across the enterprise? How are you making sure that you're getting that big picture?” Snickles said.

Fraud resiliency assessments often include a closer look at how effectively your institution integrates fraud risk within other enterprise and operational frameworks. For example, how well does the fraud team work with cybersecurity, privacy, third-party risk management and BSA/AML teams? To what extent is fraud risk incorporated into the risk and control self-assessment (RCSA) program?

“We want to see the fraud controls called out like any other control,” Avinger said. “It should fit seamlessly within that existing structure of other risks and other controls.”

Ground covered in fraud resiliency assessments

Some of the areas frequently evaluated include:

Governance: Banks may struggle to define the roles and responsibilities of different groups, especially when it comes to identifying and responding to systemic events. Who handles referrals from frontline staff? Who manages customer outreach? Documenting, refining, and training stakeholders on these workflows enables faster and more comprehensive responses to fraud events.

Taxonomies: Different teams within the bank may not be speaking the same language. One unit may log an incident as an “account takeover,” another as a “credential compromise.” Without a common definition, they may struggle to simply track and share knowledge about incidents.

Reaction time: Banks need the technology and the capacity to respond quickly when they identify fraud. “Just getting real-time monitoring and flags is one thing,” Cobb said. “But being able to analyze those results holistically, find patterns and act upon those identifications quickly is a critical next step.”

Some companies, she said, still take days to act on fraudulent activity — often too late to save customers from losses and leaving bad impressions of the bank.

Tech ownership: Fraud schemes change fast, requiring banks to adjust machine learning models and detection thresholds. But policy and communications roadblocks can slow those technological defenses. Sometimes, Cobb said, the fraud team may need to call a long list of people, looking for the person with a key to make an update, only to find themselves dependent on a vendor’s timeline.

Data: Having data on fraud prevalence and impacts allows banks to decide where and how much to spend. “There is no all-encompassing public database of fraud losses. Nobody wants to publish their fraud loss data,” Avinger said. “So it's very difficult to find a good benchmark that's perfectly comparable to your organization.” An assessment can help a bank select and implement key risk indicators (KRIs) such as detection rates and response times.

How can banks prioritize risks?

A fraud resiliency assessment examines a bank’s ability to identify, prioritize and respond to risks as they emerge.

For example, can the bank identify a pattern of fraudulent transactions from one location and respond appropriately? On the strategic level, can it implement new policies and technologies as a threat such as deepfakes gains popularity?

“Do you actually have something that is forward-looking, or at least real-time, so that you can identify these emerging issues?” Snickles said.

An assessment also can help banks to balance their defenses with customer experience. Poorly implemented fraud defenses — such as excessive authentication checks or lengthy transaction reviews — can annoy customers.

“There is this strategic element of balancing fraud risk mitigation with customer experience,” Cobb said. “What's the right amount of risk to accept?”

Ultimately, an assessment will identify quick wins that the bank can implement immediately. But it also will prepare leaders to make decisions about their overall approach to fraud, including through comparisons to peer banks.

The final product includes a prioritized roadmap of changes to come. Following that map will require ownership, accountability and a commitment to a culture that encourages the bank’s employees to be vigilant in their defense of customers.

“Technology is extremely important, absolutely. But there's no system out there that you implement, turn on and walk away,” Snickles said. “It needs to be a culture.”
