KYC or Know Your Customer is a very familiar term within banking; all aspects, sectors and people involved in banking from local branch employees right to the top dogs. Banks, investment firms, mortgage and loan companies all apply KYC policies, procedures and technologies to ensure they know who they are dealing with to help protect the client’s assets and help in the global fight against organized crime with Anti Money Laundering (AML) business practices.
In light of the vast shift of business activity to the internet, the majority of banking is now conducted online for both retail and commercial clients and with that, an incredible pace of online fraud and theft has followed suit. Some highly publicized examples of online fraud include businesses such as Patco Construction and Experi-Metal – two firms who have had significant amount of money stolen from their bank accounts.
Now what I find so intriguing when you read into the details of some of the breaches is how blatant the fraud truly is. Here’s an excerpt from a Bank Information Security article that clearly demonstrates what should have been a dead easy pattern to detect:
“A total of 47 wire transfers were initiated from EMI’s account between 7:30 a.m. and 10:50 a.m. on January 22, 2009. “
What important to note is that Experi-Metal’s history of executing wire transfers is pretty telling…. ”while Experi-Metal claims that Comerica should have realized that a large number of wire transfer requests within a few hours was suspicious, especially considering it had only done two wire transfers in the two years prior to this incident.”
So, we have 2 issues in my opinion. #1 banks do a very poor job of performing KYC or transaction behavior profiling on the most used channel of all (online) today and, #2 when they do detect suspicious activity it takes them several hours (in the Experi-Metal case) or even several days ( in the Patco construction case).
And, from my view, there is no excuse. Solutions to detect variations to typical user behavior (KYC) or suspicious activity in general have been available from Entrust and several other vendors for many years. The technology exists, it’s proven, it’s robust, it’s scalable, and it’s available at a very reasonable cost ( a few dollars per user or less in larger deployments) and, it can be done in real time! Maybe it’s time the banks take advantage of this technology to keep pace with the criminals who seem to be winning time and time again when it comes to online fraud.