Contact Centers: The Fraud Enablement Channel

Transcription

1 Contact Centers: The Fraud Enablement Channel APRIL 2016 Shirley Inscoe Photocopying or electronic distribution of this document or any of its contents without prior written consent of the publisher violates U.S. copyright law, and is punishable by statutory damages of up to US$150,000 per infringement, plus attorneys fees (17 USC 504 et seq.). Without advance permission, illegal copying includes regular photocopying, faxing, excerpting, forwarding electronically, and sharing of online access.

2 TABLE OF CONTENTS IMPACT POINTS... 4 INTRODUCTION... 5 METHODOLOGY... 5 CONTACT CENTER LOSS TRENDS... 7 CURRENT FRAUD TRENDS TRANSACTIONAL FRAUD MOBILE WALLET FRAUD ORDERING ACCESS DEVICES SOCIAL ENGINEERING ACCOUNT TAKEOVER FRAUD CONTACT CENTER SOLUTIONS VOICE SOLUTIONS CALL AND DEVICE SOLUTIONS TECHNOLOGY INVESTMENTS TECHNOLOGY IMPLEMENTATIONS ABOUT APPLE PAY RECOMMENDATIONS RELATED AITE GROUP RESEARCH ABOUT AITE GROUP AUTHOR INFORMATION CONTACT LIST OF FIGURES FIGURE 1: SIZE OF PARTICIPATING FIS... 6 FIGURE 2: CONTACT CENTER FRAUD LOSS TREND... 7 FIGURE 3: FUTURE FRAUD TREND FORECAST... 8 FIGURE 4: PROJECTED ACCOUNT TAKEOVER LOSSES ASSOCIATED WITH CONTACT CENTERS... 9 FIGURE 5: FRAUD TRENDS IN CONTACT CENTERS TRANSACTIONAL FRAUD FIGURE 6: FRAUD TRENDS IN CONTACT CENTERS MOBILE WALLETS FIGURE 7: FRAUD TRENDS IN CONTACT CENTERS ACCESS DEVICES FIGURE 8: FRAUD TRENDS IN CONTACT CENTERS SOCIAL ENGINEERING FIGURE 9: FRAUD TRENDS IN CONTACT CENTERS ACCOUNT TAKEOVER ATTEMPTS FIGURE 10: FRAUD DETECTION CASE MANAGER VIEW FIGURE 11: STATE OF VOICE BIOMETRICS TECHNOLOGY FIGURE 12: PREFERRED IMPLEMENTATION METHOD OF VOICE BIOMETRICS FIGURE 13: STATUS OF VOICE AND CALL SOLUTION EVALUATIONS FIGURE 14: BUSINESS CASE ELEMENTS FIGURE 15: APPLE PAY FRAUD LOSSES

3 LIST OF TABLES TABLE A: VOICE SOLUTIONS TABLE B: DEVICE SOLUTION PROVIDERS TABLE C: CALL AND DEVICE SOLUTIONS TABLE D: CALL, DEVICE, AND VOICE SOLUTIONS TABLE E: SYSTEM INTEGRATION LEVELS

4 IMPACT POINTS Organized fraud rings are attacking contact centers more than ever before. These rings call repetitively, using data acquired from data breaches and social websites to impersonate customers. They do not mind calling over and over again, using social engineering methods until they successfully reach their goal. Much of the fraud that is enabled in U.S. financial institutions (FIs ) contact centers later occurs in another channel (i.e., occurs as cross-channel fraud). Examples include a debit card, credit card, or check order obtained by an impersonator, or online fraud that results from credentials being reset by the contact center agent. At many banks, the root cause of the fraud losses the contact center often goes unrecognized. As banks implement various contact center fraud solutions, fraud will move to unprotected FIs. Once the large institutions are mostly protected, fraud will move downstream to smaller institutions. As EMV continues to gain momentum in the United States, organized fraud rings will commit other types of fraud to replace counterfeit card fraud. Contact centers will be attacked more than ever before. At many banks, contact centers are the soft underbelly of the company because fraud technology investments have primarily supported digital channels in recent years. Some organized fraud rings are using automated attacks to keep their cost down while dramatically increasing market coverage. Automated attacks using bots are already targeting interactive voice recordings (IVRs). Most FIs have few, if any, protections in their IVRs, so this is an additional consideration in protecting contact centers. Apple Pay woke the industry up to the importance of including fraud executives in new-product and delivery-mechanism projects. Failing to consider fraud s impact on a new product often leads to poor initial results and unnecessary, time-consuming rework. 4

5 INTRODUCTION Contact center fraud has continued to grow substantially at many U.S. FIs in recent years. Armed with a wealth of data from breaches, organized fraud rings are probing FIs and using social engineering tactics to add to the information they already have to take over customer accounts. Fraudsters tend to look for the point of least resistance, and often that is the contact center. Account takeover fraud is so commonly enabled through the contact center that it should be renamed the cross-channel-fraud-enablement channel. This research presents the current environment and details what changes have occurred since Aite Group s 2013 report. 1 Attacks are escalating due to all of the breached data available and will continue to do so in a post-emv environment. FIs that do not track the source of fraud losses back to the root cause are often missing the link to contact centers; those that are performing root cause analysis find very high percentages of cross-channel fraud with a link to these centers. To thwart threats enabled by contact centers, technology investments will be required. METHODOLOGY The following analysis is based on Aite Group interviews with 25 executives at 18 of the 40 largest FIs in the United States by asset size. In some cases, multiple interviews were conducted at the same FI to gather responses to each question in the survey. For the purposes of this report, responses from representatives at the same FI were combined to represent one complete response from that FI. Telephone interviews were conducted to understand the current environment in contact centers and to determine what changes are anticipated or planned. Executives interviewed include those in charge of enterprise fraud management, enterprise loss prevention, or regional and enterprise contact centers, and enterprise authentication strategists. Given the size of the research sample, the data provide a good directional indication of conditions in the market. Figure 1 illustrates the size of the institutions participating in the research. 1. See Aite Group s report Look Who s Talking: Financial Institutions Contact Centers Under Attack, May

6 Figure 1: Size of Participating FIs Asset Size of Participating FIs (In US$; N=18) $31 billion to $40 billion 22% $1 billion to $10 billion 33% $21 billion to $30 billion 17% $11 billion to $20 billion 28% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February

7 CONTACT CENTER LOSS TRENDS Overall, FI executives agree that fraud attempts at U.S. contact centers are at an all-time high. Since each institution is unique in terms of customer-authentication methods, contact center services, agent training, policies, and procedures, each experiences varying levels of fraud. Similar to the 2013 study, some FIs have little insight into losses originating in the contact centers, and there are different methods of assigning losses to the channel. One common difference is whether authentication failures that result in losses are charged to the channel. Some executives point out that having accurate loss data tied to contact centers is essential to creating a business case to support a technology investment. Other executives state that it would be unfair to hold the delivery channel responsible for a failure to detect customer impersonations when the majority of customer information is readily available to fraudsters. These executives favor only charging losses to the contact center when a violation of policy or procedure has occurred. The majority of FI executives agree that losses are trending upward. Only one executive states that losses are trending downward, and this is due to a complete overhaul of authentication and fraud prevention processes in contact centers as well as policy changes and agent training. Executives at 17% of FIs feel losses are flat but admit they do not have good insight into contact center fraud trends due to lack of staffing to perform root cause loss analysis. Over three-fourths of FI executives state that fraud losses are trending upward to varying degrees; 17% state that losses have increased 25% or more compared to the prior 12-month period (Figure 2). Figure 2: Contact Center Fraud Loss Trend Q. Are contact center losses trending up or down, or are they flat? (N=18) Flat or don't know 17% Down 5% Up 25% or more 17% Up 1% to 10% 28% Up 11% to 24.9% 33% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February

8 The majority of FI executives (72%) state they expect the contact center fraud loss trend to continue on an upward trajectory, in part due to the U.S. rollout of EMV. Over US$4 billion in counterfeit card fraud has to find a new home, and at many FIs, contact centers are the weak link that will be increasingly exploited unless FIs install technology to thwart the bad guys. 2 Fraudsters who are unsuccessful attacking protected organizations are likely to shift their focus to FIs that are not actively planning to implement contact center fraud prevention technologies. Also, as the largest FIs take more protective actions, fraud tends to move downstream and target smaller FIs. One executive states he feels confident his institution s losses will continue on a downward trajectory due to the steps it has already taken and the implementation of a voice and phoneprinting technology solution, while four executives are unable to predict what the future trend would be, since they lack the data to know what is happening with fraud today (Figure 3). Figure 3: Future Fraud Trend Forecast Q. What is your forecast for the fraud trend in contact centers over the next 12 to 24 months? (N=18) Down 6% Flat or don't track 22% Up 10.1% to 25% 22% Up 1% to 10% 50% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February 2016 Executives from institutions that perform root cause analysis of fraud losses state that very high percentages of account takeover losses can be tied back to contact center interactions. One executive says that the link is typically in the 90% range, while another states that in 100% of the account takeover cases researched, a link to the contact center was discovered. Other executives state they are experiencing lower rates of contact center links in such cases, but all agree there is a strong correlation. Using an average rate of 61% of account takeover losses that relate to contact centers, Figure 4 shows the projected losses for this type of fraud and the portion enabled by contact centers unless FIs implement effective technology solutions to mitigate them. 2. See Aite Group s report EMV: Lessons Learned and the U.S. Outlook, June

9 Figure 4: Projected Account Takeover Losses Associated With Contact Centers U.S. Account Takeover Losses Enabled by Contact Centers, 2015 to e2020 (In US$ millions) $574 $632 $695 $775 $479 $ e2016 e2017 e2018 e2019 e2020 Source: Aite Group 9

10 CURRENT FRAUD TRENDS In early 2013, FIs were beginning to fully understand and measure the impact of organized fraud rings attacking contact centers. Some FIs were planning technology solution pilots, but the U.S. rollout of EMV cards caused many to move those plans to the back burner; multiple technology investments and major projects are difficult to manage concurrently. Now that EMV plans are in place and execution is well underway, sights are again set on contact centers, especially since attacks are ramping up. As the growing percentage of EMV cards and terminals in the market disrupts the use of counterfeit cards, more and more focus is moving to contact centers to enable account takeover fraud. The multitude of consumer personal and financial data available from data breaches and social websites allows fraudsters to use social engineering tactics to fill any data gaps necessary. Fraudsters do not mind placing multiple calls until they successfully impersonate a customer, because the payoff is worthwhile. TRANSACTIONAL FRAUD Executives at 17% of FIs state transactional fraud is not an issue because they do not allow transactions to be initiated in their contact centers. Executives at 33% of FIs state that transactional fraud is a minor issue, while 39% find it to be a major issue and 11% state that it is a critical issue. Executives at FIs that do not currently allow transactions to be initiated in contact centers state that their FIs would allow more activity if customers could be better authenticated in contact centers (Figure 5). Figure 5: Fraud Trends in Contact Centers Transactional Fraud Q. Please rate the trend of transactional fraud attempts as you are experiencing it in the call centers. (N=18) Critical issue 11% Not an issue 17% Major issue 39% Minor issue 33% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February

11 MOBILE WALLET FRAUD Mobile wallet-related issues typically arise in one of two ways. First is the card registration process to associate a particular debit or credit card with the mobile wallet. This process can be rife with fraud unless strong authentication processes are followed to ensure the customer who owns the card is the one registering it for use. Second are the disputed transactions associated with a mobile wallet. Mobile wallet-related problems are not an issue at 39% of FIs, either because they are not offering Apple Pay (or any other type of mobile wallet) or because they have put processes in place that effectively prevent fraud during the card registration process. Executives at 33% of FIs state the card registration process or disputed mobile transactions continue to be a minor issue, while executives at 28% of FIs state they continue to be a major issue (Figure 6). Figure 6: Fraud Trends in Contact Centers Mobile Wallets Q. Please rate the fraud trend of mobile wallet payments as you are experiencing it in the call centers. (N=18) Major issue 28% Not an issue 39% Minor issue 33% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February 2016 ORDERING ACCESS DEVICES A wide variety of access devices may be obtained by fraudsters who are able to successfully impersonate the legitimate customer. Often these devices are debit or credit cards or even check orders. Executives at 28% of FIs state that ordering access devices to commit fraud is a minor issue, while another 28% state that this is a critical issue at their FIs. The remaining 44% fall in between, stating that fraudsters obtaining access devices constitute a major issue for their FIs. The high rate of concern over this category leads to the contact center truly being the crosschannel-fraud-enablement channel. Fraudsters are using the contact center to commit fraud in other delivery channels via the access devices fraudulently obtained, but the root cause lies in the inability to accurately authenticate the true customer and reliably identify fraudsters (Figure 7). 11

12 Figure 7: Fraud Trends in Contact Centers Access Devices Q. Please rate the fraud trend of ordering access devices as you are experiencing it in the call centers. (N=18) Critical issue 28% Minor issue 28% Major issue 44% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February 2016 SOCIAL ENGINEERING Social engineering is a technique used by fraudsters to obtain any missing customer data needed to allow them to successfully impersonate the account holder. So much data has become available to fraudsters due to recent data breaches, and consumers posting of personal information on social media websites, that most of the data elements needed are readily available. In addition to fraudsters willingness to call repetitively to compile missing data elements, contact center agents are under constant pressure to meet customers needs quickly on incoming calls. In this manner, agents become unwitting accomplices in allowing social engineering tactics to succeed. Executives at 28% of FIs state that social engineering is a minor issue for their FI, while half state that it is a major issue and the remaining 22% state that it is a critical issue (Figure 8). 12

13 Figure 8: Fraud Trends in Contact Centers Social Engineering Q. Please rate the social engineering fraud trend as you are experiencing it in the call centers. (N=18) Critical issue 22% Minor issue 28% Major issue 50% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February 2016 ACCOUNT TAKEOVER FRAUD Account takeover fraud occurs when an unauthorized individual is able to access a legitimate customer s account. Typically, this occurs in several ways. An impersonator who is able to successfully convince a contact center agent that he or she is the customer may request that his online credentials be reset so he may access his accounts. The contact center agent resets the credentials, and the fraudster may now access the entire relationship and initiate various types of transactions to remove funds from the account or bank. This type of fraud is similar to obtaining an access device in that it enables cross-channel fraud. Unless root cause analysis is performed, the resultant fraud losses will be attributed to the online or mobile channel instead of the contact center, where they truly belong (Figure 9). 13

14 Figure 9: Fraud Trends in Contact Centers Account Takeover Attempts Q. Please rate the account takeover fraud trend as you are experiencing it in the call centers. (N=18) Critical issue 17% Minor issue 28% Major issue 55% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February

15 CONTACT CENTER SOLUTIONS Since organized fraud rings are attacking contact centers more than ever before, several types of solutions have been devised to protect this delivery channel. The primary purpose of some solutions is to detect fraud, while others focus on operational efficiency improvements with an element of fraud detection thrown in. Since different lines of business (LOBs) can benefit from these solutions, a project team of representatives from areas such as contact center management, fraud, and compliance discussing desired features and capabilities and evaluating various solutions will achieve the best results. A product that meets the needs of various LOBs represents a real win-win for the FI overall as well as a more sound investment. Fraudsters do not mind calling repetitively as long as they can fly under the radar and continue to gather data about customers or obtain access to a customer s accounts in some way. The screenshot below shows fraudsters calling in over and over again from the same number, detected by one solution provider. This screenshot shows the case manager view; here, an analyst works the cases, makes notes, and documents whether alerts represent fraud. Once fraud is verified, a voiceprint can be created from the recording and added to the hot file for future fraud detection efforts (Figure 10). Figure 10: Fraud Detection Case Manager View Source: Pindrop Security 15

16 VOICE SOLUTIONS Several companies offer voice biometric products, which can be implemented in either a passive or active manner. Passive implementations typically use call recordings to create voiceprints; often, voiceprints of known fraudsters are stored in a hot file, which is used to screen incoming calls. When matches occur, the call can either be transferred to someone well trained in fraud or reviewed after the fact to ensure any actions requested by the imposter are cancelled (e.g., a check, a debit card, or credit card order). Because an individual s voice is unique, a voice biometric can typically identify a voice even if the person is speaking in a different language or attempting to disguise his or her voice. Another voice product is voice or speech recognition. Rather than creating a voiceprint, this technology uses patterns in a specific language to recognize a voice. In many cases, the caller must state a specific sentence or phrase that the account owner has already registered for the technology to work. Some providers offer both a biometric and speech recognition capability (Table A). Table A: Voice Solutions Solution provider Headquarters Type of voice solution(s) Financial services products Agnitio Madrid (U.S. offices in Arlington, Virginia and Palo Alto, California) Voice biometrics, voice recognition Agnitio Voice ID; KIVOX Passive Detection; KIVOX 360 Auraya Systems Sydney (U.S. office in Boston) Voice biometrics ArmorVox Speaker Identity System Cellmax Systems Israel Voice biometrics Voice biometrics Convergys Cincinnati Voice biometrics On-Demand Voice Authentication CSIdentity Austin, Texas Voice biometrics VoiceVerified LexisNexis Risk Solutions Atlanta Voice biometrics LexisNexis Voice Biometrics; LexisNexis IVR on Demand Nice Actimize New York Voice biometrics Voice Biometrics Contact Center Fraud Prevention; Voice Biometrics Real-Time Authentication Nuance Burlington, Massachusetts and Merelbeke, Belgium Voice biometrics, voice recognition Free Speech; VocalPassword Pindrop Security Atlanta Voice biometrics Pindrop Fraud Detection System SpeechPro New York Voice biometrics VoiceKey TradeHarbor St. Louis Voice biometrics Voice Signature Service ValidSoft London Voice biometrics Voice biometrics Verint Melville, New York Voice biometrics Verint Identity Authentication and Fraud Detection 16

17 Solution provider Headquarters Type of voice solution(s) Financial services products Voice Biometrics Newtown, Voice biometrics Verification Service Platform Group Pennsylvania VoiceTrust Munich (U.S. office in Durham, North Carolina) Voice biometrics Caller Authentication VoiceVault El Segundo, California Voice biometrics Fusion Enterprise; Voice e- Signatures; IVR solution Source: Aite Group Not all FI executives are convinced that voice biometric solutions are ready for a production environment, particularly those who did pilots several years ago. The technology has improved tremendously overall; various vendors have to be scrutinized, but some are better at screening out background noise, recognizing a voice even when the caller tries to change it, etc. False negatives and false positives must be managed carefully so that there are not too many alerts. The same percentage of executives fall at both ends of the spectrum; executives who are not confident that voice biometrics will work at a call center and those who are very confident it will work each make up 22% of the group. Fifty-six percent of executives state they are at least somewhat confident the technology will perform as needed in their contact centers (Figure 11). Some executives differentiate that voice biometrics is ready for fraud prevention but not for customer authentication, which requires that most customers voices be registered and a lower volume of false positives and false negatives than is acceptable for fraud prevention. Figure 11: State of Voice Biometrics Technology Q. How confident are you that voice biometric technology is ready for prime time? (N=18) Not confident 22% Very confident 22% Somewhat confident 11% Confident 45% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February

18 Beyond screening incoming calls to detect known bad guys, voice biometric solutions may also be used as part of the authentication process for existing customers. Customer authentication requires an enrollment process to create a voiceprint that can be used on subsequent calls. And speech recognition software requires a customer to register by repeating a specific phrase or sentence several times, then stating the same words on subsequent calls for the speech recognition software to make a match. These registration processes not only require that customers take part but also require that they take action. While consumers often claim to value stronger security, their actions often indicate an unwillingness to be inconvenienced or to do anything that requires additional effort. Lack of consumer education almost dooms this effort from the start. Executives have mixed opinions regarding the most effective way to implement voice solutions. In fighting fraud, FIs tend to often keep the systems they use private so that fraudsters don t know what products they must overcome. A customer enrollment process defeats that purpose, since customers must be educated and take part in the enrollment process. The enrollment process itself is actually the hardest risk to control in the implementation process; a fraudster who successfully takes over an account can create a voiceprint of his or her voice, which can be used until the real customer notices unauthorized activity on the account. Scrutinizing customers with a strong authentication process could also result in legitimate customers being hesitant to enroll. An investment in a technology that results in single-digit customer enrollment is never an acceptable result. For all these reasons, a passive enrollment process is often preferred. With this process, call recordings are used to create voiceprints for known fraudsters. These voiceprints are then used via a hot file to screen incoming callers. While this precludes using the solution for authentication purposes, it is very effective in fighting fraud and, at minimum, results in some degree of operational efficiency improvement. This approach is often viewed as phase one of the implementation project, with expansion plans at some future date (Figure 12). Figure 12: Preferred Implementation Method of Voice Biometrics Q. If you were implementing voice biometrics, would you favor an active (customer is engaged) or passive (transparent to customer) implementation? (N=18) Don't know 11% Active 33% Passive 56% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February

19 While these various voice solutions can be very effective, other capabilities can add value in the contact center. Some leading FIs are planning their future authentication strategy around the mobile device. 3 Regardless of the delivery channel through which the customer interacts with the bank, the mobile device can be effectively used to help authenticate the client. For example, if calling the contact center, tests can be performed to determine that the mobile device being used is recognized and that it has been used by the same consumer in the past. Vendors that use mobile carrier data in their solutions to enable this type of verification are listed in Table B. In addition to associating a specific consumer with a specific device, these vendors can also verify when the consumer has upgraded to a new device, eliminating false positives in the verification process. Associating specific devices with customers can help authenticate customers, since a fraudster impersonating a specific customer must also be in possession of the customer s mobile device, decreasing the likelihood of a successful customer impersonation. Table B: Device Solution Providers Solution provider Danal Early Warning via Payfone Equifax Experian Socure TransUnion Zumigo Headquarters San Jose, California Scottsdale, Arizona Atlanta Dublin New York Chicago San Jose, California Source: Aite Group As with any authentication method, layers of security are necessary; there are no golden bullets. After authenticating the device is the correct one, the FI still must ensure it is the correct person actually using the device. Not doing so could lead to massive fraud as well as negative publicity, as Natwest recently learned with cases of SIM card fraud. 4 Even if the customer is using a different channel than the call center, an authentication strategy around the mobile device can be effective. For example, if the customer is using online banking and wants to initiate a wire transfer, the bank can send a one-time password to the customer s mobile device, which must be entered online to authenticate the customer. This multifactor authentication meets regulatory requirements and safeguards the customer s accounts as well as the FI itself. 3. See Aite Group s report Digital-Channel Fraud Mitigation: The Mobile Force Awakens, June Online Break-In Forces Bank to Tighten Security, You & Yours, BBC Radio, March 4,

20 CALL AND DEVICE SOLUTIONS Solutions that analyze the incoming call itself and/or the device the call is placed from help contain risk in the contact center. Analyzing the incoming call often entails understanding whether the call originates from a landline phone, a mobile device, or the internet. Often, internet calls or voice-over-ip (VOIP) calls result in a much higher rate of fraud than do landline or mobile calls. These solutions can detect spoofed telephone numbers, examine the geolocation of the call, analyze background noise, perform some behavioral analytics, and perhaps do some network analysis, dependent on having access to the service provider. Identifying or validating the device the call originates from provides another layer of security. Associating a known device with a specific customer allows another level of authentication (i.e., validating the known device and then verifying that the legitimate customer is using that known device). There are almost as many variations in capabilities as there are products on the market, and many of them offer operational efficiencies as well as fraud-reduction potential (Table C). Table C: Call and Device Solutions Solution provider Headquarters Call solution Device solution Agnitio Madrid KIVOX Mobile 5.0 Authentify, a part of Early Warning Chicago xfa SecureCallCenter Early Warning Scottsdale, Arizona Network solution via Payfone Device solution Nexmo San Francisco Number Insight API; Verify Request; Verify Check Pindrop Security Atlanta Intelligence Network; IVR Anti-Fraud Identity Assessment Engine TrustID Portland, Oregon Network solution Device identification Verint Melville, New York Device identification Voxeo (now Aspect) Phoenix and Chelmsford, Massachusetts Aspect Verify Source: Aite Group FI executives are familiar with many of the companies that offer solutions for contact centers. Many have strong opinions of the technologies offered as well as the most important aspects of the solutions needed. For example, some have strong confidence in the phone-printing capabilities of some solutions, while others may value the ability to create voiceprints to detect repeated calls from known fraudsters. Executives were asked to respond to a number of company names, indicating whether they are familiar with the company and the company s contact center solution, how they would rate the product offered, and whether they would recommend the solution to another banker. In general, executives are hesitant to rate products unless they have personal experience with them, so few shared ratings (Table D). 20

21 Table D: Call, Device, and Voice Solutions Solution provider Number of FIs that know company Agnitio 6 1 Auraya Systems 1 Number of FIs that know company s contact center product Average product rating (scale of 1 to 5; 1=very poor and 5=excellent) Number of FIs that would recommend product to another FI Authentify, a part of Early Warning (2 ratings) 3 CellMax Systems 1 1 Convergys 5 1 CSIdentity 1 1 Early Warning Services LexisNexis Risk Solutions Natural Security Alliance (3 ratings) (1 rating) (1 rating) 1 Nexmo (1 rating) Nice Actimize (2 ratings) 5 Nuance (1 rating) 4 PhoneFactor (1 rating) 1 Pindrop Security (6 ratings) 11 SpeechPro 1 1 TradeHarbor 1 TrustID (1 rating) 3 ValidSoft 1 Verint (1 rating) 3 Voice Biometrics Group 1 VoiceTrust VoiceVault 0 Voxeo 2 Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February

22 Since such a wide variety of solutions are available to address various needs in the contact center, it is equally important that a solution present its alerts so that analysts can work them. Some solutions attempt this in real time, with suspicious calls potentially being transferred to specially trained agents or to fraud staff. Others provide the data in batches so that all actions taken are subsequent to the call. Sharing these alerts with an enterprise fraud or risk group can enable even greater fraud prevention and detection capabilities as well as enable root cause analysis of fraud losses, regardless of the channel where the loss occurs. TECHNOLOGY INVESTMENTS The huge project of implementing EMV in the United States caused many FIs that were seriously looking at voice and call solutions in 2013 to push those projects into the future. Once the technology aspects of the EMV implementation were completed, many FIs once again had some bandwidth for new technology projects. This is clear in the progress executives have made with voice and call solution projects. Executives at 39% of the FIs that participated in this research state that they have implemented one of these solutions or are in the implementation process. Twenty-three percent state they have done a pilot or have a pilot planned. Twenty-eight percent are monitoring other banks progress with these technologies and will decide whether to proceed based on peer banks progress. One FI executive shares that the pilot performed a few years ago in that institution was unsuccessful, so it decided not to move forward. Eleven percent state that they are not considering these types of technologies (Figure 13). Figure 13: Status of Voice and Call Solution Evaluations Q. How seriously is your bank considering the use of voice or call technology for fraud prevention or customer authentication? (N=18) Implemented 6% Implementing in 2015 or early % Planning a funded pilot Did pilot, plan to move forward Did pilot, not moving forward 6% 6% 11% Monitoring other banks' progress 28% Not considering it 11% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February

23 Creating a business case for a technology solution is always key to obtaining required approval and funding. As mentioned previously, many voice and call solutions offer potential benefits for more than one LOB. While fraud executives drive many of these projects, 72% agree that the greatest benefit from implementing voice or call solutions can be the operational efficiency achieved by reducing the time spent authenticating the customer. In the largest banks, reducing the average length of a call by one second can save the FI US$1 million annually based on the aggregate full-time equivalent savings. The fraud reduction benefits that can be achieved are an important element of the business case, according to 61% of executives. Improvement in customer satisfaction is valued by 56% of executives, and half view compliance with the Federal Financial Institutions Examination Council (FFIEC) as an important factor in the business case (Figure 14). Figure 14: Business Case Elements Q. What are the strongest parts of the business case for voice biometrics or call solutions? (N=18) Operational efficiency of faster authentication of customers 72% Fraud prevention savings Improved customer satisfaction based on easier authentication and faster speed of service Compliance with FFIEC guidelines for contact centers Cost savings of eliminating or reducing knowledge-based authentication questions 61% 56% 50% 44% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February 2016 TECHNOLOGY IMPLEMENTATIONS FIs approaches to implementing contact center solutions vary widely. While only one FI interviewed has a fully implemented solution, several others are in the midst of an implementation project. Implementation approaches vary from very little system integration to fully integrated projects. One FI that desired a lot of integration advises that banks consider the system providers currently used in the contact center when evaluating products so that much of the integration will already be in place. Another executive states that the small amount of integration his institution performed for its proof of concept was essentially all it planned to do; the hardware had to be increased to handle call volume, and the product is expected to be in production in only 90 days. Another executive with an FI that desires far more automation for call agents and system integration with the fraud department states that the project takes longer than anticipated or planned. One reason is that the vendor requests data fields not normally 23

24 shared with any vendor, and that requires additional signoff from compliance and legal departments. Predetermining the number of systems to integrate with and the amount of automation desired is vitally important for the business case, or the resulting project may go over budget. As always, begin with the end vision in mind; ensure a complete understanding of all data fields needed by the solution provider and where all outputs of the system will go. Defining desired reports and changes to existing processes and procedures will help identify training needs and other costs that can disrupt a project if not planned for. Table E shows various levels of integration that can be considered and the pros and cons of each. Table E: System Integration Levels Integration level Integration examples Pros Cons Fully integrated Integration with platform may be used by agents (display screen) as well as fraud department, and it may include transferring suspect incoming calls to specialized agent or fraud team automatically. Info on incoming calls can be displayed along with customer and account data. Integration of fraud alerts into case management enables far greater fraud detection as well as a 360-degree view of all activity on accounts, and assists with root cause analysis of losses. Additional IT work lengthens time and expense of project. Semi-integrated Integration may be limited to one system, or only minimal data fields may be integrated. Project length can be controlled, and expense can be contained to a lower level than full integration. Some data that may be desired later will not be retained. Full benefits of technology will not be realized. Rework may be necessary to achieve greater integration in the future. Minimally integrated Alerts can be decisioned in vendor solution with no other integration. This is the fastest route to production with the least internal IT expense. Alert history is not available outside the vendor solution. There are no additional fraud prevention benefits. Source: Aite Group 24

25 ABOUT APPLE PAY Apple Pay hit the U.S. market with more excitement and publicity than ever seen for mobile payments. A number of very large banks participated in the first launch. Due to the secrecy and planning behind the launch, most fraud executives in those institutions were not part of the implementation project; one executive shared that he learned his bank was launching Apple Pay two weeks prior to it going into production. As a result, fraud executives had no input to the implementation plan. As is often the case, when fraud executives are excluded from such projects, fraud losses flourished initially. While losses averaged 600 basis points, some large issuers experienced losses as high as 800 basis points. Apple had a ton of data that could have been shared with card issuers, but a very limited number of data fields were sent back to the bank with each authorization request. But in reality, that was not the problem that led to fraud losses. Instead, the fraud was caused by weak procedures in contact centers that allowed fraudsters to register stolen cards. As with many types of fraud, the losses were caused by a poor customer registration process. Once FIs realized this, contact center processes were strengthened, new authentication measures were used, and losses plummeted to an acceptable level. Half the FIs participating in this research admitted to heavy initial losses with Apple Pay. Thirtythree percent state they had minor losses, and all say the losses are now manageable. The remaining FIs are in the process of implementing Apple Pay or are not offering it yet (Figure 15). Figure 15: Apple Pay Fraud Losses Q. Have you experienced Apple Pay fraud losses? (N=18) No 17% Yes 50% Minor losses 33% Source: Aite Group interviews with 25 executives at 18 of the 40 largest U.S. FIs, August 2015 to February

26 The following FI strategies help control Apple Pay losses: Additional authentication processes, often knowledge-based authentication questions or out-of-band to an aged phone A delay between registering a card for Apple Pay and being able to use it A limit on the number of cards a consumer can register A limit on the number of cards that can be registered per phone number or device Lower buy limits No large-dollar purchases within hours of registering a card While fraud losses are contained now, the industry can hopefully learn a lesson from Apple Pay. As payments continue to evolve and morph, and with additional mobile capabilities such as Android Pay and Samsung Pay entering the market, including fraud expertise on new product planning projects is essential. Not only can losses be averted, but it is more efficient and less costly to build in effective fraud controls during a project than to make major changes afterward. This will also lead to higher customer satisfaction and an improved customer experience. 26

27 RECOMMENDATIONS For FIs: For those who are installing technology solutions in contact centers, consider expanding to other internal contact centers. For example, if the solution is only used in brokerage or credit card, the organized rings will just focus on other contact centers. For those who are still watching what peer FIs are doing, consider scheduling a proof of concept. This is especially important for those FIs that don t track their losses back to the root cause and don t know whether they have a contact center issue. For those FI fraud executives who do not currently partner with their contact centers, consider introducing yourself and developing a relationship. Internal partnerships such as these will benefit both the company and its customers. For FIs that don t perform root cause analysis on fraud losses, consider training someone on staff to do this work. It truly can prevent investments in technologies that may be very good but do not address the correct issue. Ensure the vendor you select can meet future needs, such as moving fraud prevention to the IVR or supporting the mobile banking channel. For smaller FIs, watch this space carefully, knowing that as large and midsize FIs address contact center challenges, the fraud will shift downstream. For solution providers: Ensure that solutions can evolve as fraud shifts and morphs. Understand the cost structure in the contact center as well as the emphasis on the customer experience. While fraud may not be a huge problem for a particular bank, authentication is a challenge that must be addressed. If your solution focuses primarily on fraud detection, consider whether it can also be used for authentication and what changes are necessary to meet acceptable false positive and false negative levels in a production environment. Consider how your solution can be cost beneficial to smaller FIs or how you can partner with another provider to offer it to smaller FIs. Determine whether the solution can provide value in multiple delivery channels; FIs prefer to do business with as few providers as necessary due to time-consuming vendor management processes. 27

28 RELATED AITE GROUP RESEARCH Application Fraud Rising, As Breaches Fan the Flames, March Combating Fraud: Consumer Preferences, January Digital-Channel Fraud Mitigation: The Mobile Force Awakens, June Identity Theft: It Could Happen to You!, October EMV: Lessons Learned and the U.S. Outlook, June

29 ABOUT AITE GROUP Aite Group is an independent research and advisory firm focused on business, technology, and regulatory issues and their impact on the financial services industry. With expertise in banking, payments, securities & investments, and insurance, Aite Group s analysts deliver comprehensive, actionable advice to key market participants in financial services. Headquartered in Boston with a presence in Chicago, New York, San Francisco, London, and Milan, Aite Group works with its clients as a partner, advisor, and catalyst, challenging their basic assumptions and ensuring they remain at the forefront of industry trends. AUTHOR INFORMATION Shirley Inscoe sinscoe@aitegroup.com CONTACT For more information on research and consulting services, please contact: Aite Group Sales sales@aitegroup.com For all press and conference inquiries, please contact: Aite Group PR pr@aitegroup.com For all other inquiries, please contact: info@aitegroup.com 29