Increase in Identity Fraud

A recent report from Transunion, https://tinyurl.com/TransunionFraudReport suggests a disturbing increase in credit fraud using both synthetic and stolen identities.  Here are my thoughts.

There is no more important rule in banking than "know your customer."  Unfortunately, this works against the pressure for new accounts.  Every banker must learn to balance these.  

My credentials folder begins with my birth certificate and my Social Security Card, but also contains my high school diploma, my military discharge, my college degree, my passport, RealID drivers license, my Global Entry Card, my health insurance card and Medicare Card, my certificate of retirement from IBM, my Naval Postgraduate School Identity card, my professional certification, and two Club Identity cards.  There is a spread sheet listing all the credentials with their issue date, and the name and address of the issuing authority.

Any and all of these documents are available to support any application that I might make.  While any of them might be forged, the chances that the collection is forged is vanishingly small.  While few people have all these documents most have some of them.  

Most of the issuing authorities can be queried to test the accuracy and authenticity of the document.  While some of the documents were issued in the analog age, most of the issuers now use digital systems and records.  They could all offer an online verification capability at low cost or even at a profit like the credit bureaus.  While it is unlikely that all issuing authorities will ever offer such a service, the numbers will increase as costs go down and value increases.  

These documents speak only to my identity and existence, not to my character, capacity, and collateral.  For those one must look to the plethora of data about me held by the commercial, financial, and other institutions with which I do business and can use as references.  Many, not to say most, of these are customers of and contributors to the credit bureaus that record and sell my credit history.

In short, there is a plethora of evidence that lenders can rely upon to know their customers.  There will always be some bad lending decisions, some the result of fraud.  Tolerating a small amount will always be more efficient than eliminating it all, but striking the balance is what bankers are paid to do.

    

 

Insider Risk (not Threat)

Over the last decade the media has been full of "threat," almost to the exclusion of "risk."  It should not surprise anyone that insider risk has been written of as "insider threat."  It is true there is a small threat from insiders but it has a very low rate of occurrence.  The real concern for insiders arises from consequences, not threat.  The high rate threat comes from outside, not inside.  Outsiders damage the brand: insiders bring down the business.  The threat is from the outside, risk from the inside.

Most of our employees really do want to do their jobs.  In the rare cases where they fail it is more likely to be accidental rather than malicious.  "The dummies have it, hands down, now and forever."  No matter how damaging, mistakes tend be overlooked, accepted as normal and unavoidable, and forgiven.  Even malice is more likely because of a management failure to train,  supervise, and reward, rather than a failure of motive on the part of the employees.  

Conrad Hilton, the founder of Hilton Hotels, used to display in his guest rooms what he called the  Eleventh Commandment, "Thou shalt not tempt."  My favorite ethical test is, "Nice people do not do that."  I learned my second favorite ethical test at Nortel in Canada.  When i asked my client to describe Nortel's ethical culture he said, "Behave as though your mother were watching."  Good managers watch like "Mother."  

Malicious insiders may be needy, greedy, or disgruntled.  The needy or greedy resort to fraud and embezzlement, while the disgruntled lean toward destruction.  Even the fraud may be rooted in part by a failure ot management to properly address error.  The employee makes a mistake; no one notices.  He repeats it and again no one notices.  He begins to think that a deliberate act, one in the direction of his benefit, may similarly go unnoticed.  

Watch for good numbers.  If the numbers are too good to be true, they are not true.  

The disgruntled employee is most likely upset because he believes that his worth and his contribution to the enterprise have not been properly recognized and rewarded.  However, that feeling did not occur suddenly,  He did not go home happy on Tuesday night and come in and take the place apart on Wednesday morning,  The disaffection grew slowly over time.  It likely did not go unnoticed.  His managers likely knew that he was not happy but had delayed taking action until it was too late.   Perhaps please, thank you, and attaboys are the most efficient controls.  While not a substitute for proper compensation, they do not cost much.  

Speaking of proper compensation, the higher up the management chain, the more important it becomes.  It must take into account the economic contribution of the scope managed.  It must also take into account the economic discretion that the officer exercises.  One of the reasons that we see corruption in government is that officials are not compensated in proportion to the power and influence that they exercise.  While such compensation may be hard to justify politically, it does work to limit corruption.

While management tends to worry about IT, and IT failures get the media attention, most fraud takes place in business applications.  Workers steal where they work, e.g., accounts payable and receivable, payroll, goods, inventory, credit.  IT people are more likely to convert capacity than to manipulate business applications.  

While management tends to focus on those engaged in low level routine, think clerks and tellers, the real damage comes from officers and professionals.  Tellers steal small and are caught early.  Officers steal big and may not be caught for years.  However, one must take into account the power and fragility of IT, when managing employee satisfaction and morale.  

Few embezzlers started out to steal big.  They started small but it was not detected: temptation. It became habitual and grew in magnitude over time.  Early detection and correction is essential.  

One last thought before we go.  The most effective control over insider risk is management supervision.  Everyone deserves to be supervised by someone who knows enough to understand and appreciate what they do.  On the other hand, automated controls and procedures are often more efficient than expensive supervision.  While we use them because they are efficient, they are effective only in the presence of good management.  They are hardly ever effective in controlling managers and executives.  

In summary, think risk not threat, error before malice, business before  IT, managers and executives before tellers and clerks, supervision before automation.