Tag Archives: financial crime

Fraud: the Cost You Will Never See

Do you know one of the large drivers of your insurance costs may be something you will never see listed as a line item by your agent or insurer? This is not a hidden fee the industry masks. It is not one you could ever find or have disclosed. It is the cost we all share for insurance fraud, which is the second largest financial crime in America (behind tax evasion).

In Iowa, the crime of insurance fraud happens when a person or business provides false information to an insurance company in a claim for benefits or in an application for insurance, with the intent to defraud the insurance company. Federal laws also contain provisions related to insurance fraud.

Before being appointed insurance commissioner, I do not recall thinking about insurance fraud much. Because of my experience in the insurance industry, I certainly knew that there was insurance fraud.  I recall stories I heard second- and third-hand of people who filed claims on boats that became ruined and then were insured after the fact, or of healthcare providers that billed health plans for procedures that never occurred. But I admittedly did not think about insurance fraud much.

People often think of these types of acts as victimless crimes, because no one is hurt except big insurance companies. However, we are all victims of these acts because fraud affects how much we pay for our insurance.

Insurance regulators see all types of fraud and know the cost is great. According to the Coalition Against Insurance Fraud, nearly $80 billion in fraudulent claims are made annually in the U.S. This figure encompasses all lines of insurance. The Federal Bureau of Investigation estimates that fraud costs each insurance consumer in the U.S. between $400 and $700 annually in increased premiums. These are calculable costs, which probably are far less than the total cost we all pay as insurance consumers, because a lot of fraud is not reported.

In Iowa, we would like to think that there is no insurance fraud. However, the statistics demonstrate a much different picture. On average, the Iowa Insurance Division receives 1.97 referrals each day of potential insurance fraud. From Jan. 1 to Sept. 17, 2015, my team processed 532 referrals with a reported financial impact of $3.7 million. However, only about one quarter of the 532 referrals reported what the financial impact was. Therefore, the $3.7 million is far less than the total financial impact.

Fraud prevention and elimination is a major effort for insurance regulators and insurance companies. It is an area where regulators and companies collaborate. In 42 states and the District of Columbia, fraud bureaus receive and review potentially fraudulent insurance claims. States have robust laws in place to protect consumers and the insurance marketplace from insurance fraud. Companies are required by state statutes to report insurance fraud.

Although these reporting requirements and laws help protect our markets and mitigate the cost of insurance fraud, it is far from eliminated. The need to mitigate or eliminate fraud presents huge opportunities for insurance companies and entrepreneurs to develop innovative tools to combat insurance fraud.

As we all now recognize, insurance companies are big data companies. They possess vast data on their policyholders. This puts insurance carriers in an evolving position to better help deter and eliminate fraud. With advancing data analytics, predictive modeling and simply more data, catching and possibly preventing fraud should become easier.

State insurance departments operate within tight budget constraints. In Iowa, we see innovation and technological developments as very helpful in aggregating data and identifying trends and issues. We are looking to these developments to help us increase efficiency in our investigations so we can combat insurance fraud and protect our consumers.

However, I have no false hope that all fraud will be eliminated. I have every belief that those who want to continue to do damage by committing insurance fraud will also be innovative and adapt to change. In other words, while technology and innovation will help find fraud, the scammers will soon figure out how to get around the new detection methods, too.

Fraud is a fact in every industry, and insurance is no different. However, I believe in the insurance industry there is more opportunity and incentive to commit fraud because of the value of the items insured and the amount of money in play. In addition, because insurance fraud is seen as a victimless crime, it may even be viewed as justifiable. Insurance regulators and companies are improving the capabilities to combat fraud using more technological tools. Credit card companies made tremendous strides in cutting down fraud, and insurance is working toward that goal, too. Innovators and companies that figure out how to succeed in this area will have lower prices and increased market share, and in the end that rewards consumers.

3 Steps to Improve Cyber Security

In the recent science fiction film Inception, protagonist Dominic Cobb infiltrated his victim’s dreams to gain access to business secrets and confidential data. He would then use this knowledge to influence things in his (or his client’s) favor. Cobb’s success depended on his ability to manipulate victims through greater understanding of their human vulnerabilities. Just like Cobb, cyber crime perpetrators begin by identifying their targets’ vulnerabilities and gathering intelligence required to breach their systems. Armed with this intelligence, they navigate their targets’ complex systems, establish covert presence and often remain undetected for a long time.

It is clear that the growth in cyber crime has continued, if not accelerated, in the financial services industry. U.S. financial services companies lost on average $23.6 million from cybersecurity breaches in 2013, which represents the highest average loss across all industries. This number is 44% higher than in 2012, when the industry was ranked third, after the defense and utilities and energy industries. While this trend is not to be ignored, these actual losses are sometimes not meaningful to firms’ income statements. The potentially greater impact from cyber crime is on customer and investor confidence, reputational risk and regulatory impact that together add up to substantial risks for financial services companies. A recent global survey of corporate C-level executives and board members revealed that cyber risk is now the world’s third corporate-risk priority overall in 2013. Interestingly, the same survey from 2011 ranked cybersecurity as only the 12th-highest priority.

In Inception, although Cobb succeeded in conning most of his victims, he faced stiff resistance from Mr. Fischer, whose strong automated self-defense mechanisms jeopardized the attackers’ plans several times. However, every time Cobb’s team faced an obstacle, they persevered, improvised and launched a new attack. Real-life cyber attacks are, of course, far more complex in many ways than the challenges and responses between Cobb and Fischer. That said, the film does provide an interesting analogy that in many ways illustrates the problems that financial services companies face when dealing with cyber crime.

The interplay between attacker and victim is, indeed, a cat-and-mouse game in which each side perpetually learns and adapts, leveraging creativity and knowledge of the other’s motives to develop new offensive tactics and defensive postures. The relatively static compliance or policy-centric approaches to security found in many financial services companies may be long outdated. The question is whether today’s industry can create a dynamic, intelligence-driven approach to cyber risk management not only to prevent, but also detect, respond to and recover from the potential damage that results from these attacks. As such, transformation into a secure, vigilant and resilient cyber model will have to be considered to effectively manage risks and drive innovation in the cyber world.

The evolving cyber threat landscape

Although cyber attackers are aggressive and likely to relentlessly pursue their objectives, financial services companies are not passive victims. The business and technology innovations that financial services companies are adopting in their quest for growth, innovation and cost optimization are, in turn, presenting heightened levels of cyber risks. These innovations have likely introduced new vulnerabilities and complexities into the financial services technology ecosystem. For example, the continued adoption of Web, mobile, cloud and social media technologies has likely increased opportunities for attackers. Similarly, the waves of outsourcing, offshoring and third-party contracting driven by a cost-reduction objective may have further diluted institutional control over IT systems and access points. These trends have resulted in the development of an increasingly boundary-less ecosystem within which financial services companies operate, and thus a much broader “attack surface” for the threat actors to exploit.

Cyber risk is no longer limited to financial crime

Complicating the issue further is that cyber threats are fundamentally asymmetrical risks, in the sense that oftentimes small groups of highly skilled individuals with a wide variety of motivations and goals have the potential to exact disproportionately large amounts of damage. Yesterday’s cyber risk management focus on financial crime was — and still is — essential. However, in discussions with our clients, we hear that they are now targets of not only financial criminals and skilled hackers but also increasingly of larger, well-organized threat actors, such as hacktivist groups driven by political or social agendas and nation-states, to create systemic havoc in the markets. An illustrative cyber threat landscape for the banking sector suggests the need for financial services firms to consider a wide range of actors and motives when designing a cyber risk strategy. This requires a fundamentally new approach to the cyber risk appetite and the corresponding risk-control environment.

The speed of attack is increasing while response times are lagging

Threat actors are increasingly deploying a wider array of attack methods to keep one step ahead of financial services firms. For example, criminal gangs and nation-states are combining infiltration techniques in their campaigns, increasingly leveraging malicious insiders. As reported in a Deloitte Touche Tohmatsu Limited (DTTL) survey of global financial services executives, many financial services companies are struggling to achieve a level of cyber risk maturity required to counter the evolving threats. Although 75% of global financial services firms believed that their information security program maturity is at level three or higher, only 40% of the respondents were very confident that their organization’s information assets were protected from an external attack. And that is for the larger, relatively more sophisticated financial services companies. For mid-tier and small firms, the situation may be much worse, both because resources are typically scarcer and because attackers may see them as easier targets. In a similar vein, the Snowden incident has perhaps increased attention on insider threats, as well.

Multipronged approach can supplement traditional technologies that may now be inadequate

Given that 88% of attacks are successful in less than a day, it might be tempting to think that the solution may be found in increased investment in tools and technologies to prevent these attacks from being successful. However, the lack of threat awareness and response suggests that more preventative technologies are, alone, likely to be inadequate. Rather, financial services companies can consider adopting a multipronged approach that incorporates a more comprehensive program of cyber defense and response measures to deal with the wider array of cyber threats.

Financial services firms have traditionally focused their investments on becoming secure. However, this approach is no longer adequate in the face of the rapidly changing threat landscape. Put simply, financial services companies should consider building cyber risk management programs to achieve three essential capabilities: the ability to be secure, vigilant and resilient.

— Enhancing security through a “defense-in-depth” strategy

A good understanding of known threats and controls, industry standards and regulations can guide financial services firms to secure their systems through the design and implementation of preventative, risk-intelligent controls. Based on leading practices, financial services firms can build a “defense-in-depth” approach to address known and emerging threats. This involves a number of mutually reinforcing security layers both to provide redundancy and potentially slow down the progression of attacks in progress, if not prevent them.

— Enhancing vigilance through effective early detection and signaling systems

Early detection, through the enhancement of programs to detect both the emerging threats and the attacker’s moves, can be an essential step toward containing and mitigating losses. Incident detection that incorporates sophisticated, adaptive, signaling and reporting systems can automate the correlation and analysis of large amounts of IT and business data, as well as various threat indicators, on an enterprise-wide basis. Financial services companies’ monitoring systems should work 24/7, with adequate support for efficient incident handling and remediation processes.

— Enhancing resilience through simulated testing and crisis management processes

Resilience may be more critical as destructive attack capabilities gain steam. Financial services firms have traditionally planned for resilience against physical attacks and natural disasters; cyber resilience can be treated in much the same way. Financial services companies should consider their overall cyber resilience capabilities across several dimensions. First, systems and processes can be designed and tested to withstand stresses for extended periods. This can include assessing critical online applications for their level of dependencies on the cyber ecosystem to determine vulnerabilities. Second, financial services firms can implement good playbooks to implement triage for attacks and rapidly restore operations with minimal service disruption. Finally, robust crisis management processes can be built with participation from various functions including business, IT, communications, public affairs and other areas within the organization.

For the full report on which this article is based, click here.

Kevin Bingham is sharing this excerpt on behalf of the report’s authors, his colleagues Vikram Bhat and Lincy Francis Therattil. They can be reached through him.

Why Traditional Crime Measurements Don’t Tell the Whole Story

All over the nation, the question is being asked, “Why is the overall crime rate in the US on the decline?”

We have the answer:  “It’s not.”

In 1930, the FBI was given the task of collecting and publishing crime-rate statistics from across the country, and the UCR (Uniform Crime Reporting) Program was born. This program collects data from across the country, and it is published in several reports, including the often quoted Crime in the United States report. The report separates offenses into two categories: violent crime and property crime. 

These two categories appear to provide an adequate sample of the types of crimes that should be captured to measure the overall crime rate, but the four “property crime” categories fall short. There is a simple reason: They have not changed since the 1920s.*

For instance, the category of larceny-theft does not include embezzlement, confidence games, forgery, check fraud, etc. Identity theft, which is growing astronomically, is also not included.

According to the two entities within the federal government that measure and report identity theft rates — the Federal Trade Commission’s (FTC) Consumer Sentinel Report and the Bureau of Justice Statistics — identity theft crime rates continue to increase. Identity theft has been ranked as the #1 complaint reported to the FTC for the past 13 years. Of the 2,061,495 complaints captured from a variety of organizations that share data with the FTC, 369,132 were regarding identity theft.

The Bureau of Justice Statistics uses the National Crime Victimization Survey (NCVS) to capture and report its statistics on identity theft.  The last report available captures information from 2005-2010. According to this latest report, approximately 8.6 million households experienced financial identity theft.

The latest statistics available (2012) are from Javelin Strategy & Research Inc., an independent organization not affiliated with the federal government.  Their study concluded that there have been 12.6 million incidents of identity fraud.

Identity theft is increasing faster than property theft crimes are declining, but the public isn’t paying enough attention. The reasons for apathy include the misconception that one can’t be a victim without a stellar credit rating (i.e., my identity isn’t worth stealing) and the conspiracy theorist notion that this is all just a scare tactic promoted by industry to entice consumers into buying services that are unnecessary. Both are misguided.

A change in public perception is required. It has been engrained into us that we must take personal responsibility for safeguarding our possessions and our physical wellbeing, so why not our identity?

Most people realize that they cannot guarantee they will never be burglarized.  So they employ tactics to make it harder to break into their home.  When leaving for vacation, they secure doors and windows and activate alarms.  Often, mail is held at the post office and friends are asked to check in on the place.

People must likewise actively guard their identity components (such as passwords and devices).  Taking regular steps to safeguard your identity must become engrained in all of us.  It’s absolutely true that you can do everything right and still become a victim of identity theft – but why not make the thieves work hard?

Ask anyone if they would think twice about wandering into a dark alley, alone, at night, in a dicey neighborhood, and they would say, “Absolutely!” But consumers think nothing of going to strange websites and entering credit card (or even more personal) information without checking the legitimacy of the site, especially when they can get a screaming deal on that flat-screen TV or tablet.

It is widely recognized that fraud and financial crimes don’t scare or shock people in the same way that violent crimes do.  Unless they rise to the level of Bernie Madoff or Enron, the crimes rarely make headlines.

Additionally, financial crimes are often cited as much harder to accurately measure because of underreporting and lack of consistent reporting methods.**  Some individuals do not believe that financial crime victims suffer true harm, especially if they are eventually made financially whole, as can happen with some identity-theft victims.  There is a misconception that once an individual has false charges removed from a credit account, or false accounts removed from a credit report, or a false tax return remedied by the IRS, that they are no longer the victim.  The victim label is assigned to the entity that takes the financial hit, such as the credit card issuer/financial institution and the IRS. Regardless, a crime has still been committed. Even if the crimes are difficult to measure and don’t shock, they certainly should be included in our evaluation of crime rates.

The infiltration of technology into our daily lives has not only changed the way we live, it has changed the way crimes are being committed. Much like water, criminal elements will take the path of least resistance.  When law enforcement and society become adept at suppressing scofflaws by making a particular crime more difficult to commit, such as through anti-theft devices on cars, criminals move on to other crimes.

Non-violent crime rates haven’t decreased; they have just changed. Whereas the criminal of twenty years ago was armed with a knife or a gun, today’s criminal is armed with a keyboard or skimming device. The weapon(s) of choice has changed from tools of violence to tools of technology. Criminals aren’t committing fewer criminal acts, just different ones. We don’t have fewer criminals, only smarter ones.

* Upon inquiry, the FBI responded with the historical information to explain how the eight offense classifications known as Part I crimes were chosen as indicators of the overall crime rate in the country. The first seven offenses were originally chosen in 1929. Arson, the 8th offense, was added in 1979. The 7 original offenses chosen to illustrate the overall crime rate and used in the annual publication Crime in the United States were not altered at that time. In fact, they have remained mostly unchanged since the 1920s.

** The FBI has a Financial Crimes Report that is listed under its “Other Reports and Publications” section. Other offense data for fraud and fraud type offenses is captured in the FBI’s NIBRS (National Incident-Based Reporting System); however, identity theft is not one of the incident types captured.

The Financial Crimes Report(s) differ in format from the violent crime/property crime format in the UCR and are more difficult to decipher. The data contained in these reports is for cases investigated by the FBI. It does not include financial crimes cases for local jurisdictions throughout the United States as the UCR does. The most recent report shows 5-year trends in various categories. The categories of corporate fraud, securities and commodities fraud, health care fraud and mortgage fraud (reported cases) all show increasing numbers. Financial institution fraud, insurance fraud and money laundering case statistics show a decrease in numbers, and mass marketing fraud has stayed relatively flat.

The NIBRS report for 2011 indicates there is data on the following fraud-type offenses: Bribery – 293; Counterfeiting/Forgery – 74,131; Embezzlement – 17,000; Extortion – 1,217; and Fraud Offenses – 245,301. This is a total of over 330,000 known incidents that could be counted in the overall crime rate in the UCR. Though small in comparison to the other property crime numbers, it is not a statistically irrelevant number. Identity theft statistics are not captured on this report. Identity theft statistics are published by another department within the USDOJ (of which the FBI is a part), the Bureau of Justice Statistics.