I have always been a believer in paying my credit card balances in full, every month. So when Mrs. Radical Compliance had a few minutes last Saturday afternoon, I was happy to see that she decided to do the same with a personal credit card she has, too.
This credit card is affiliated with one of the largest banks in the United States. And while I don’t know exactly what Mrs. Radical Compliance buys with the card—“it’s for all the stuff I don’t want you to know about”—I do know that’s code for knitting materials, makeup, and occasional craft supplies she snags on Etsy.com. She pays for those items through PayPal, and then settles up the PayPal balances with this card.
So when she logged onto her credit card account, we were both startled to see two airline tickets for Norweigan Air, plus some other fee from the airline (it looked like an upgrade out of economy class), plus a fee to some discount travel agency in New York.
This was news to us since we don’t live in New York. And on the day the tickets were billed to her account, we were on vacation in Florida. And cheapskate that I am, I’d never pay for an upgrade.
Our foray into fraudulent credit card charges was thankfully brief. My wife called the customer service line, and soon enough a service representative put a freeze on the charges (“we can understand this must be very upsetting”) and opened an investigation. Those charges, $665 in all, will lurk on my wife’s bill until the investigation is closed, which could take 90 days. But we have ample evidence we did not make them, so we’re more annoyed than we are worried.
Still, a refresher course in financial fraud is always useful for compliance professionals, so let’s discuss.
First, the entire compliance and audit community wrings our hands endlessly about online fraud, wondering why we can’t get ahead of the problem. Well, that’s because so often nobody feels the problem—at least, nobody in enough power or numbers to force the issue. My wife and I were put out for 20 minutes of time to call the bank, but we won’t suffer for this fraud. The bank will reverse charges back to the airline and the travel company, so the bank won’t suffer for the fraud. Possibly the airline might suffer for it if the perpetrators already flew off to Norway, but if not, Norweigan Air will cancel those tickets and resell them, so the airline won’t suffer much either.
I understand that when the fraudster is stealing goods or services that get consumed right away (stereo equipment or a massage or groceries), the vendor does feel the pain of the fraud. But those vendors are many and small, and don’t have much clout to fight the scourge of online fraud or change public policy. The banks have that clout, but the banks shove the pain of online fraud away from them. Consumers feel annoyance rather than pain. And if the fraudster’s scam can be caught early, before the theft is executed (say, before he boards that flight to Oslo), then we all move on with our lives.
Second, we all talk often about the need for sharper behavioral analytics, to detect potential fraud more quickly. I agree. I also wonder why our bank did not do this, because Mrs. Radical Compliance’s buying habits were rock solid predictable with this card: knitting needles, makeup, yarn, Etsy; and nothing larger than $50. That’s pretty normalized behavior.
Still, this bank never picked up on the unusual buying behavior until we called the bank. I’m all the more mystified because we have a joint account with a local bank near our home, with exactly five branches in the known universe—and that local bank is on my case any time I buy something from an unusual location. The credit card bank, which is a Systemically Important Financial Institution, and whose compliance officer I know, missed its cue.
I can appreciate that sophisticated bank fraud, such as those elegant knuckleheads who stole $80 million from the Bank of Bangladesh earlier this year, requires equally sophisticated anti-fraud procedures that won’t always. In fact, my next post later this week will look at complex cyber-fraud and how financial institutions and law enforcement can fight it. Those threats are real and growing sharply.
E-commerce fraud like this, however, seems more like hackers firing buckshot at every credit card and e-tailer they can find to see who falls for it. This was not sophisticated. Neither was our buying behavior. Yet we were the only ones who found the fraud.
I’ve written a bit lately about the need for better analytics to detect fraud—mostly about phishing scams to swipe valuable corporate information, but the same holds true for e-commerce fraud, or identity theft, or many other forms of cybersecurity fraud. Better analytics, and a better understanding of what’s “normal” behavior for any one person, will be cornerstones of anti-fraud in the future.
And as this one example from the front lines of fraud shows us, better analytics will be in the future for a while yet.