Reducing Payment Fraud with Effective, Layered Controls

Criminals who stole a one-time passcode issued by an international bank used the information to initiate an account takeover, acquire someone’s sensitive financial records and obtain their access credentials. Once fraudsters have this information, they can make victims’ lives miserable by hijacking their online activity, installing malware on their devices or unleashing other destructive acts upon them.

This is a fictional scenario that Aaron Frye, founder and CEO of Lucid Point Consulting, used to illustrate the importance of layering fraud controls to reduce or prevent payment fraud during his session at the 36th Annual ACFE Global Fraud Conference. He discussed how controls such as voice biometrics, identity verification, device fingerprinting and a host of others help to safeguard companies from losing money to payment fraud.

Layering Controls

Whether payment fraud originates from bank transfers, card-based methods, cash, digital currency, checks or mobile payments, Frye said specific measures, policies, procedures and processes used to mitigate or eliminate potential fraud risks fall into three categories:

  1. Preventive: proactive measures to prevent risk from occurring.

  2. Corrective: identification and communication of risk events when they occur.

  3. Detective: actions to reduce the likelihood that an incident will recur.

Frye explained that an effective strategy for reducing unauthorized access and transactions hinges on layering multiple controls within online, mobile and telephone payment channels. For example, a layered approach to online payment controls includes identity, document, business and address verification; device fingerprinting; identity and entity authentication; facial and fingerprint biometrics; fraud and device risk scoring; transaction monitoring; and visual and audio deepfakes.

A fraud risk score is a numerical representation of the severity or likelihood of a potential risk, typically derived by combining probability and impact factors. According to Frye, verification determines whether the data exists, and authentication validates whether you’re interacting with the correct person or entity.

“These controls have got to be layered in a way that identifies high, medium or low risk to determine the amount of friction [any measure that adds complexity or difficulty to a user's experience] you want to add afterward. It’s not an overnight task. It requires a lot of internal testing and getting the customer experience team on board,” he explained.
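
The sketch below is an added illustration, not material from Frye's session or any vendor product, of how outputs from layered controls could be combined into a probability-and-impact score and mapped to high, medium or low friction. The control names, weights, thresholds, noisy-OR combination and friction actions are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Signal:
    control: str                  # layered control that produced the signal
    probability: Optional[float]  # estimated likelihood of fraud (0..1); None = no response
    impact: float                 # relative severity weight (0..1), set by the fraud team

# Constructed thresholds and friction actions (assumptions, tuned by internal testing).
TIERS = [
    (0.60, "high", "block and route to fraud operations"),
    (0.25, "medium", "step-up authentication"),
    (0.00, "low", "allow with no added friction"),
]

# A control that fails to answer is treated as uncertain, never as clean.
MISSING_PROBABILITY = 0.5

def risk_score(signals: List[Signal]) -> float:
    """Combine per-control probability x impact with a noisy-OR (assumed method)."""
    clean = 1.0
    for s in signals:
        p = MISSING_PROBABILITY if s.probability is None else s.probability
        if not (0.0 <= p <= 1.0 and 0.0 <= s.impact <= 1.0):
            raise ValueError(f"{s.control}: probability and impact must be in [0, 1]")
        clean *= 1.0 - p * s.impact
    return 1.0 - clean

def decide(signals: List[Signal]) -> Tuple[float, str, str]:
    """Return (score, tier, friction) for one payment attempt."""
    score = risk_score(signals)
    for floor, tier, friction in TIERS:
        if score >= floor:
            return round(score, 3), tier, friction
    raise AssertionError("unreachable: lowest tier floor is 0.0")

# Constructed sample payment attempts, each seen by two layered controls.
KNOWN_CUSTOMER = [Signal("device_fingerprint", 0.05, 0.6),
                  Signal("transaction_monitoring", 0.10, 0.8)]
NEW_DEVICE = [Signal("device_fingerprint", 0.50, 0.6),
              Signal("transaction_monitoring", 0.10, 0.8)]
TAKEOVER_PATTERN = [Signal("device_fingerprint", 0.90, 0.6),
                    Signal("transaction_monitoring", 0.70, 0.8)]
FINGERPRINT_DOWN = [Signal("device_fingerprint", None, 0.6),
                    Signal("transaction_monitoring", 0.10, 0.8)]

if __name__ == "__main__":
    for name, attempt in [("known customer", KNOWN_CUSTOMER), ("new device", NEW_DEVICE),
                          ("takeover pattern", TAKEOVER_PATTERN),
                          ("fingerprint down", FINGERPRINT_DOWN)]:
        print(name, decide(attempt))
```

The `FINGERPRINT_DOWN` case shows why a missing control result is scored as uncertain: the attempt lands in the medium tier and gets step-up authentication instead of passing as low risk.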

Frye highlighted the goals and challenges of layering fraud controls: ensure a minimal-friction experience for good customers while preventing unauthorized access and payments. “What’s really interesting,” he added, “is the challenges of layering are exactly the same as the goals. But the challenges also include a limited budget. No matter what company I worked at, I constantly faced these challenges.”

When applied correctly, layered controls help to alleviate these challenges, resulting in flexible fraud risk management, higher ROI, and lower costs related to chargeback expenses, fraud operations, overtime and purchase order management.

Structure Matters

Frye stressed that the effectiveness of layering controls is at the mercy of a company’s fraud risk structure, which includes five key pillars:

  1. Fraud risk leader who serves as the point of contact on fraud risk for the C-suite, board and product leaders.

  2. Fraud analytics that manages fraud rules and reports exposure, losses and rules performance.

  3. Fraud strategy focused on project prioritizations and needed program enhancements.

  4. Fraud operations that handle investigations and manage alerts, cases and Suspicious Activity Report (SAR) filings.

  5. Fraud governance to develop and manage policies and procedures and perform function gap assessments.

Frye added that “creating a fraud vendor management piece of a fraud strategy group is very important.” He said the fraud strategy component of a company’s fraud risk structure aids in identifying patterns and determining the best vendors to put in place to combat scams. “I feel like there should be a separate scams division now within every fraud strategy group that is able to look at the fraud-related losses,” Frye said.

Working With Stakeholders

Once a company determines the appropriate controls and structures its fraud risk model, Frye said it’s time to focus on communicating with stakeholders so implementation can begin. Key stakeholders include:

  • The fraud management group overseeing operations, analytics and reporting, strategy, and governance.

  • The technology group consisting of solutions architects and developers.

  • The business strategy group that includes product owners, as well as the customer experience and marketing teams.

  • The procurement group with responsibilities for vendor management, vendor risk management and legal considerations.

  • The finance group, which covers financial planning and analysis and is made up of cost center owners.

To set a company up for successfully implementing layered fraud controls, Frye said understanding the resources that each stakeholder needs is paramount. By taking a strategic approach to payment fraud controls, companies can reduce unauthorized access and transactions, decrease costs and improve ROI.