Account takeover fraud (ATO) involves criminals acquiring a user's details to take over their online accounts, and it continues to cause real impact to both customers (users) and the businesses they use. As criminals become bolder and their methods more sophisticated, financial institutions (FIs) are becoming more adept at identifying, monitoring, and managing ATO fraud both before and after it occurs. One of the key ways FIs protect themselves is through the three lines of defense model (3LoD).
For a sense of today’s leading practices and how the 3LoD fits in, KPMG consulted with several leading FIs to examine how top organisations are managing ATO fraud.
An organisation's first line of defense (1LoD) typically comprises its business units (BUs) and centres of excellence (COEs). These, in turn, are supported by an informed, enterprise-wide approach to ATO fraud governance. Many peer firms have established group-level governance structures to promote intelligence-sharing between BUs and to facilitate the escalation of fraud or cyber security issues as they surface.
Clearly defined roles are also central to effective ATO fraud governance. Governance structures are commonly overseen by accountable individuals from both the 1LoD and the second line of defense (2LoD) fraud policy and oversight teams. Larger FIs have also assigned specific fraud prevention roles (or individual fraud specialists) within their BUs to drive the risk assessment process, manage cases, monitor ATO fraud control effectiveness, and act as on-site ATO fraud liaisons. Several have combined anti-money laundering (AML), cyber security, and ATO fraud initiatives into multi-disciplinary 'fraud centres' to take advantage of overlaps and shared data and resources.
The 2LoD informs, defines, and monitors 1LoD ATO fraud strategies. What is more, it ensures alignment between BUs, enabling the intelligent deployment of resources and information where needed.
A central strategy. Successful ATO fraud prevention strategies are backed by well-structured policies and standards that give organisations a baseline from which to formalise minimum expectations and responsibilities. Importantly, these strategies are reviewed and updated on a regular basis, which leaves each BU sufficient flexibility to align with the overarching framework.
Effective ATO fraud strategies also detail the direction of the fraud function as it relates to fraud IT solutions, analytics, resources, future threats, and required capabilities. Additionally, they include fraud prevention and recovery initiatives that are tracked to ensure they are not only working but in step with the organisation's vision.
The sources of external intelligence vary and include industry consultants, law enforcement agencies, industry bodies, market peers, and fintech companies. Several FIs have also established an Intelligence COE at the group level to disseminate fraud intelligence throughout the organisation and support the broader financial crime function. That said, these COEs were most commonly embedded in peer firms that operate primarily in one country.
If there is a theme among the first and second lines of defense at leading FIs, it is that ATO fraud is not an issue that can be addressed alone. That is why a number of institutions have looked to third parties for leading ATO fraud program frameworks and leading practices.
Independent audits have proven equally important in ensuring the right controls are in place and performing as anticipated. Using data analytics, these audits can analyse complete populations of data to enhance random or systematic sampling traditionally carried out by internal audit functions.
Additionally, having an integrated assurance framework has helped numerous FIs achieve greater comfort over their coverage of risks and controls. These frameworks help align third line of defense (3LoD) activity with 2LoD and 1LoD business monitoring to help identify gaps, overlaps, and duplications in assurance. And while it is not necessarily common practice, some FIs prepare one integrated report to their Board or Audit Committee on the risk type, as opposed to providing independent 2LoD and 3LoD reports.
Overall, financial institutions tell us this integrated assurance provides a holistic and aggregated view of risk assurance (a 'single version of the truth') while promoting collaboration across the organisation.
As cyber criminals become increasingly confident in using the most sophisticated hacking techniques, including account takeover fraud (ATO), financial institutions are feeling the pressure to employ equally sophisticated and thorough defense systems. The three lines of defense model (3LoD) enables an organisation to leverage the expertise of its people, its big data capabilities, and third-party contractors to design a patchwork of solutions tailored to the organisation's specific needs. By assessing gaps in cyber defense and then building out a holistic framework based on identifying, monitoring, and managing ATO fraud both before and after it occurs, financial institutions can be assured that the right controls are in place for the continuous improvement of their cyber defense capabilities.