An Interview with David Mattei
Vantiv Fraud and Security Expert
From an interview with PYMNTS.com, 2012
Good morning, this is Alex Walsh at PYMNTS.com. I'm joined by David Mattei, the vice president and product manager for financial institutions at Vantiv. David, how are you?
I'm doing well, thank you.
We're so glad to have you. We've read your paper, "Fraud Management: Are You Really Protected?" about security for financial institutions in the United States. The statistics on attacks on financial information across the globe might be startling to US-based FIs. Tell us about the trends that have been taking shape over the past few years and where it's all headed.
One of the trends that we're seeing right now is a shifting of fraud to the US. England switched to chip cards and EMV technology in the mid-2000s – and just a few years ago, Canada made the switch as well. But we still have a magnetic stripe-based payment technology industry in the U.S., and the mag-stripe is much easier to compromise than the EMV chip cards.
What we know about fraudsters is one, they are very smart – and two, they go the path of least resistance. And if you look at the most recent statistics, almost 80% of fraud is now being conducted on cards from US-based institutions.
The other trend we're seeing is a change in the nature of those card compromises. In the late 2000s, there were card compromises that affected hundreds of millions of cards. The number of events was small, but the number of cards compromised was huge. But now we're seeing an increase in the number of breaches in which smaller numbers of cards are compromised. Small, independent merchants are being targeted because of the ease with which fraudsters can compromise those payment systems. Organized crime groups, particularly in Asia and Eastern Europe, have figured out that the combination of more and more debit transactions at smaller or local financial institutions equals big opportunity. Unfortunately, again, the United States is leading in this trend as well. And they're beginning to use these stolen card numbers immediately – not waiting like they have in the past, but rather hitting those card right away.
So beyond the data we do have, other information is hard to glean even after the fraud has taken place – how specific a picture do you think financial institutions have of the money they're losing to card fraud?
There's a lot of variability from one institution to the other, in terms of the levels at which they track fraud losses. Most institutions have a General Ledger accounting system for recording fraud write-offs. But this is only part of the overall fraud picture. There is fraud that the FI recovers through the chargeback process that is less well known. We see FIs focused on just the write-off component of fraud instead of total fraud, but there is money to be saved by reducing the number of chargebacks an FI processes. It is better to look at fraud in totality to manage all fraud downwards instead of focusing on one component.
The other aspect of the fraud landscape that needs clarity is Signature Debit fraud versus PIN debit fraud. The main card networks have requirements for financial institutions to report their Signature Debit fraud, but there isn't a corresponding requirement from the EFT networks for institutions to report PIN debit fraud, so PIN fraud is less understood.
The bottom line is that institutions everywhere are reporting high fraud losses, yet they're often at a loss to know why. As a result, they have no idea how to mitigate them. And while large institutions can maintain a dedicated, full-time security staff, smaller ones often have just a single person, and this lack of resources and manpower lies at the core of why such a distressing amount of fraud goes undetected and unreported.
So let's imagine an institution has invested in fraud detection and prevention but is still victimized and a breach occurs – give us a picture of the resolution costs associated with that scenario after the fact, because your research seems to suggest it's more complicated than it may seem on the surface.
The costs are spread out in many different areas, and so to get a complete picture of what the total cost is, you need to look at each of them.
When a breach occurs there are strategies an FI can deploy to minimize their losses. Authorizations on suspected compromised cards can be monitored more closely without rushing to reissue. At some point the amount of confirmed fraud on a list of compromised cards may become significant enough to warrant a reissue. At that point there are several cost items to resolve the situation. You have the time required to close the old cards and generate new ones. You have the cost of getting those reissued cards out into the hands of customers. You have the plastic cost and the postage and handling in order to get it there. So those are just some of the costs associated with what happens after the breach has already happened.
Perhaps the most costly event of fraud though is when a bank loses a consumer. You cite a study that says 18% of consumers leave their issuers after fraud. How can issuers avoid being part of that 18%?
Well the statistics are not completely clear on that, but there is some evidence that suggests that Debit cardholders are more sensitive to card fraud than Credit cardholders. And there's a good reason for this since the Debit card is tied to checking accounts, savings accounts, things along those lines that really hit home for a cardholder. So institutions need to make sure they have good fraud prevention tools and strategies. There are tools that look at incoming authorizations and analyze them for the probability of being fraudulent – and this is the first line of defense where you can stop fraud from even happening. You're able to conduct a fraud analysis before you even respond back to the merchant either approving or denying that particular authorization request. And by being able to put those fraud tools up front like that, you're able to actually mitigate those fraud losses, and minimize the impact to cardholders. Because while restitution costs can be measured in finite amounts, the more worrisome impact should be the loss of customers' confidence in the very safety and security of your institution. And the worst-case scenario? If your institution first learns of a fraud incident when your own customers report them. This tells your customers that you are unable to protect them.
So these up-front fraud-fighting tools are really the best things that an institution can do to make sure that you're not part of the 18% statistic.
So your paper also talks about outsourcing opportunities in terms of fraud and security for FIs – let's talk about that.
At Vantiv, we clearly see the trend that fraud is changing so rapidly and becoming so much more complex – it's simply becoming more complex than what many FIs have the resources, ability or skill set to handle internally. And the fraudsters are smart, they know that most FIs are not monitoring fraud from Friday at 5 p.m. to Monday at 8 a.m. So many FIs are seeing the wisdom of hiring professional services to manage fraud for them. These services have dedicated staff who deals with card fraud day in and day out, so they know it very well. And they can provide 24/7/365 protection, which is nearly impossible for an institution to do themselves. Some even offer the FI liability protection to provide a complete peace-of-mind solution.
So there's a benefit to having an expert on your side in this fight against fraud. Let's talk about Vantiv specifically – what do you offer in the way of outsourcing services and what's unique about what you're doing in the space?
Well, to start with we have more than 80 people who are completely dedicated to dealing with fraud. And based on the feedback and requirements of any FI, we can offer several outsourcing services to meet their needs.
One service is focused on fraud write off management whereby an FI can leverage our fraud expertise. We also offer a total solution in which we manage all fraud, process all chargebacks, and financially protect an institution. The interest in both of these services is growing rapidly as fraud gets faster and more complex – and as US institutions are more heavily targeted.
Vantiv is in a unique position because whereas institutions see fraud only from their internal perspective or that of their cardholders, Vantiv sees fraud across the entire US and thousands of institutions. As a result, we're able to identify fraud trends faster, protect portfolios quicker and minimize cardholder impact to the growing threats from fraudsters
Wow. So more than a few things it sounds like in terms of services offered. And that makes sense, because as we've talked about for the past little while, this is a complicated part of payments, and as the shift – as the focus shifts over to the United States, and things get more complicated, it seems to be making more and more sense to partner with someone who has so much capability. So I appreciate the clarification and all that, and thank you for taking time to speak with us today.
Not a problem at all. Very happy to do it. Thank you.