Companies that didn’t already have distributed teams or work-from-home policies have struggled to transition to fully remote work amidst the pandemic. Cybercriminals and fraudsters are taking advantage of this unexpected disruption, leading to a spike in scams and cybercrime. Google reported seeing more than 18 million daily phishing and malware emails in April.
The elderly are particularly vulnerable to these crimes, but the combination of weak cybersecurity and the treasure trove of personal information that’s available on the darknet makes anyone a potential victim.
I spoke with fraud prevention and compliance experts at various financial institutions about how businesses can combat fraud and cybercrime without harming their customer experience. Their insights are particularly helpful amidst this pandemic, but as cybercrime continues to grow, every organization should be thinking about these lessons.
Consider bucketing your customers into different levels of risk
Not all risks are equal. For most organizations, it’s impossible to manually scrutinize every single transaction their customers make. BitFlyer’s chief compliance officer, David Zacks, recommends separating customers into different “buckets” based on their risk profiles, and then creating appropriate compliance procedures for each level of risk.
Since BitFlyer is a cryptocurrency exchange, the biggest determinants for their buckets are whether the customer is a corporate entity or a normal retail customer, as well as the anticipated transaction volume.
“If it’s a corporate entity that doesn’t want limits, we’ll do a pretty extensive manual deep dive to really know our customer. We always make sure we know our customer, but you don’t need to require as much information from retail customers with a low transaction volume because that risk is lower,” explains Zacks.
Like other exchanges, BitFlyer has standard limits in place to minimize their risks. However, their customers can answer a detailed questionnaire if they want to exceed them. BitFlyer utilizes automated identity verification software to review their customers, but Zacks notes that it’s “important to always have a fallback in case one tool or process doesn’t work.”
“We prefer to prevent the problems from arising rather than utilizing legal resources later. That’s why we try to really know our customers and carefully monitor for unusual activity,” says Zacks.
Could “liveness checks” solve the compliance and usability tradeoff?
According to Deloitte, 37% of financial customers will abandon signup if they feel that an onboarding process takes too long. Another study from Digital Banking Report also said that financial customers will abandon an application if it takes 30 minutes of their time.
Greenlight’s fraud prevention manager, Derek Archambault, explains that one of the top challenges of a compliance professional is balancing the tradeoff between compliance and usability. He says this is an ongoing process that is “both an art and science,” and that it requires analytics and creative thinking.
For example, you could have “very tight compliance, but only a 50% pass rate. While this may be very secure, you’re also turning down tons of legitimate accounts. And then there’s the other attitude: let everyone through, and catch the fraudsters on the fraud side,” says Archambault.
Archambault is a fan of identity verification solutions that use automated “liveness checks.” These checks utilize facial recognition software to compare a quick selfie video to a customer’s photo ID during onboarding. According to Archambault and other fraud prevention experts I spoke with, this is a highly effective fraud deterrent that doesn’t tend to bottleneck customer onboarding.
Use data to create more delightful compliance for customers
Preventing fraud and money laundering is important, but clunky or confusing compliance policies can also accidentally chase away legitimate customers.
Having a PhD in anthropology helps chief risk and compliance officer Chris Lewis be a highly empathetic compliance leader at fintech startup LendUp. Lewis is a strong believer in proactively using data to improve customers’ lives. He and his team monitor LendUp’s Key Performance Indicators (“KPIs”), paying special attention to which topics drive customer support calls and emails. Lewis believes compliance should “meet regulatory operations, but also drive efficiency.”
“We like to anticipate customer needs; not sit and wait to react to them,” says Lewis. Because LendUp’s mission is “assisting subprime consumers, who literally live paycheck to paycheck, in meeting their financial needs,” Lewis wants to make sure they’re not preventing people from getting the financial assistance they need.
Similarly, Lewis recommends close collaboration with customer success to ensure compliance and fraud prevention policies don’t harm customer experience.
“To be successful at compliance, you want to keep the consumer experience, use case, and friction points at the forefront of how you design policies... Put yourself in the shoes of the customer and have deep empathy.”
Great compliance requires strong collaboration and communication
Fraudsters are preying on organizations’ communication challenges amidst the pandemic. BitGo’s chief compliance officer, Matt Parrella, told me, “[Compliance] is not a lone wolf. It needs to communicate with other teams, and have the attention of other teams.”
Parrella recommends strong external communication with both regulators and other companies in your space that may be experiencing the same issues. He advocates that cryptocurrency companies especially should “welcome scrutiny from regulators” in order to build deep trust, “so they can give you the benefit of the doubt when situations come up.” Parrella believes this type of external communication is especially critical for handling the new FATF (“Financial Action Task Force”) travel rule, which requires cryptocurrency companies to collect and disclose information on transactions of $3000 or more.
Similarly, Cara Gressen St. Martin, the vice president of compliance at Ladder Life Insurance, explained how compliance professionals can’t write effective policy “in a bubble.” “Some things work in theory, or in the book, but when you try to apply it to real life it doesn’t work. You have to take laws and regulations and make it workable for the people who have to implement them,” says St. Martin.
Early in her career, St. Martin wrote a policy that she initially thought was great, but after sharing it with the 10,000 people who worked at her company, she was told it was unusable in reality. Afterwards, her colleagues gave her feedback that helped her make her policy more useful and relevant, and she’s been continuing this collaborative practice for developing effective new policies and procedures ever since.