Tipos de KRI

Key risk indicators encompass different types of metrics. For the purposes of this article, KRIs
are divided into four different categories: coincident indicators, causal indicators, control
effectiveness indicators, and volume indicators.

 Coincident indicators can be thought of as a proxy measure of a loss event and can include
internal error metrics or near misses. An example of a coincident indicator in a payment
processing operation may be number of misapplied payments identified through internal
quality assurance sampling.

 Causal indicators are metrics that are aligned with root causes of the risk event, such as
system down time or number of late purchase orders.

 Control effectiveness indicators provide ongoing monitoring of the performance of

controls. Measures may include control effectiveness, such as percent of supplier base
using encrypted data transfer, or bypassed controls, such as dollars spent with
nonapproved suppliers.

 Volume indicators (sometimes called inherent risk indicators) frequently are tracked as
key performance indicators; however, they also can serve as a KRI. As volume indicators
(e.g., number of online account applications) change, they can increase the likelihood
and/or impact of an associated risk event, such as fraud losses. Volume indicators are
often associated with multiple risk types in a process or business unit.

Beneficios de los KRI

The Application of Key Risk Indicators holds a promising future in the corporate world and has
a great potential if implemented in a methodical way with a commonly understood
configuration and lingo and goes a long way in ensuring the smooth flow of business processes
and activities.

Organizations can reap rich dividends from adopting KRIs as the clear defining of these
expresses strong commitment to risk management involving stakeholders at all levels.

Building KRI also facilitates significant risk appetite and allows accurate reporting for timely
detection and action, besides meaningful comparisons across situations where risk is
applicable, and further permits effective monitoring of those risks and provides framework for
dealing with them.

The full description of the indicator available can easily provide an Early Warning Signal to the
management and prevent impending losses and other related issues that can be detrimental
to an organization’s growth and long term profitability.

The key risk indicators are immensely useful in supporting the top managements decisions and
actions as they effectively lay out the risky propositions and manage the groundwork vital to
achievement of business objectives and enhance future prospects with their benchmarking.

Limitaciones de los KRI

The system of organizing and managing the Key Risk Indicator is a vague concept in itself and
calls for in-depth understanding and structuring for collective comprehension. The accurate
measurement of the KRI is not a feasible option and not fully trusted by a business.

Any business develops various plans of actions to achieve their objectives and avert risks,
however blind faith in such strategies is not a viable option as their value cannot be fully
supported with concrete proofs, which makes their development not worth the effort.

Fraudes en Tarjetas de Crédito

Introduction

Credit Card Fraud is one of the biggest threats to business establishments today. However, to
combat the fraud effectively, it is important to first understand the mechanisms of executing a
fraud. Credit card fraudsters employ a large number of modus operandi to commit fraud. In
simple terms, Credit Card Fraud is defined as:

“When an individual uses another individuals’ credit card for personal reasons while the owner
of the card and the card issuer are not aware of the fact that the card is being used. Further,
the individual using the card has no connection with the cardholder or issuer, and has no
intention of either contacting the owner of the card or making repayments for the purchases
made.”

Credit card frauds are committed in the following ways:

 An act of criminal deception (mislead with intent) by use of unauthorized account and/or
personal information
 Illegal or unauthorized use of account for personal gain
 Misrepresentation of account information to obtain goods and/or services.

Contrary to popular belief, merchants are far more at risk from credit card fraud than the
cardholders. While consumers may face trouble trying to get a fraudulent charge reversed,
merchants lose the cost of the product sold, pay chargeback fees, and fear from the risk of
having their merchant account closed.

Increasingly, the card not present scenario, such as shopping on the internet poses a greater
threat as the merchant (the web site) is no longer protected with advantages of physical
verification such as signature check, photo identification, etc. In fact, it is almost impossible to
perform any of the ‘physical world’ checks necessary to detect who is at the other end of the
transaction. This makes the internet extremely attractive to fraud perpetrators. According to a
recent survey, the rate at which internet fraud occurs is 12 to 15 times higher than ‘physical
world’ fraud. However, recent technical developments are showing some promise to check
fraud in the card not present scenario.

Fake and Counterfeit Cards

The creation of counterfeit cards, together with lost / stolen cards pose highest threat in credit
card frauds. Fraudsters are constantly finding new and more innovative ways to create
counterfeit cards. Some of the techniques used for creating false and counterfeit cards are
listed below:
  Erasing the magnetic strip: A fraudster can tamper an existing card that has been
acquired illegally by erasing the metallic strip with a powerful electro-magnet. The
fraudster then tampers with the details on the card so that they match the details of a
valid card, which they may have attained, e.g., from a stolen till roll. When the
fraudster begins to use the card, the cashier will swipe the card through the terminal
several times, before realizing that the metallic strip does not work. The cashier will
then proceed to manually input the card details into the terminal.

This form of fraud has high risk because the cashier will be looking at the card closely
to read the numbers. Doctored cards are, as with many of the traditional methods of
credit card fraud, becoming an outdated method of illicit accumulation of either funds
or goods.

 Creating a fake card: A fraudster can create a fake card from scratch using
sophisticated machines. This is the most common type of fraud though fake cards
require a lot of effort and skill to produce. Modern cards have many security features
all designed to make it difficult for fraudsters to make good quality forgeries.
Holograms have been introduced in almost all credit cards and are very difficult to
forge effectively. Embossing holograms onto the card itself is another problem for card
forgers.

 Altering card details: A fraudster can alter cards by either re-embossing them — by
applying heat and pressure to the information originally embossed on the card by a
legitimate card manufacturer or by re-encoding them using computer software that
encodes the magnetic stripe data on the card.

 Skimming: Most cases of counterfeit fraud involve skimming, a process where genuine
data on a card’s magnetic stripe is electronically copied onto another. Skimming is fast
emerging as the most popular form of credit card fraud. Employees/cashiers of
business establishments have been found to carry pocket skimming devices, a battery-
operated electronic magnetic stripe reader, with which they swipe customer's cards to
get hold of customer’s card details. The fraudster does this whilst the customer is
waiting for the transaction to be validated through the card terminal.

Skimming takes place unknown to the cardholder and is thus very difficult, if not
impossible to trace. In other cases, the details obtained by skimming are used to carry
out fraudulent card-not-present transactions by fraudsters. Often, the cardholder is
unaware of the fraud until a statement arrives showing purchases they did not make.

 White plastic: A white plastic is a card-size piece of plastic of any color that a fraudster
creates and encodes with legitimate magnetic stripe data for illegal transactions. This
card looks like a hotel room key but contains legitimate magnetic stripe data that
fraudsters can use at POS terminals that do not require card validation or verification
(for example, petrol pumps and ATMs).

Impact of Credit Card Frauds

Unfortunately, occurrences of credit card frauds have only shown an upward trend so far. The
fraudulent activity on a card affects everybody, i.e., the cardholder, the merchant, the acquirer
as well as the issuer. This section analyses the impact that credit card frauds have on all the
players involved in transacting business through credit cards.
Impact of Fraud on Cardholders

It's interesting to note that cardholders are the least impacted party due to fraud in credit card
transactions as consumer liability is limited for credit card transactions by the legislation
prevailing in most countries. This is true for both card-present as well as card not present
scenarios. Many banks even have their own standards that limit the consumer's liability to a
greater extent. They also have a cardholder protection policy in place that covers for most
losses of the cardholder. The cardholder has to just report suspicious charges to the issuing
bank, which in turn investigates the issue with the acquirer and merchant, and processes
chargeback for the disputed amount.

Impact of Fraud on Banks (Issuer/Acquirer)

Based on the scheme rules defined by both MasterCard and Visa, it is sometimes possible that
the Issuer/Acquirer bears the costs of fraud. Even in cases when the Issuer/Acquirer is not
bearing the direct cost of the fraud, there are some indirect costs that will finally be borne by
them. Like in the case of chargebacks issued to the merchant, there are administrative and
manpower costs that the bank has to incur.

The issuers and acquirers also have to make huge investments in preventing frauds by
deploying sophisticated IT systems for detection of fraudulent transactions.

Fraud Prevention and Management

With all the negative impacts of fraudulent credit card activities – financial and product losses,
fines, loss of reputation, etc, and technological advancements in perpetrating fraud – it's easy
for merchants to feel victimized and helpless. However, technological advancements in
preventing fraud have started showing some promise to combat fraud.

Merchants and Acquirers & Issuers are creating innovative solutions to bring down on
fraudulent transactions and lower merchant chargeback rates.

One of the main challenges with fraud prevention is the long time lag between the time a
fraudulent transaction occurs and the time when it gets detected, i.e., the cardholder initiates
a chargeback. Analysis shows that the average lag between the transaction date and the
chargeback notification could be as high as 72 days. This means that, if no fraud prevention is
in place, one or more fraudsters could easily generate significant damage to a business before
the affected stakeholders even realize the problem.

Fraud Prevention Technologies

While fraudsters are using sophisticated methods to gain access to credit card information and
perpetrate fraud, new technologies are available to help merchants to detect and prevent
fraudulent transactions. Fraud detection technologies enable merchants and banks to perform
highly automated and sophisticated screenings of incoming transactions and flagging
suspicious transactions.

While none of the tools and technologies presented here can by itself eliminate fraud, each
technique provides incremental value in terms of detection ability. As it will be discussed later,
the best practice implementations often utilize several of these fraud prevention techniques, if
not all of the tools discussed here.
The various fraud prevention techniques are discussed below:

 Manual Review: This method consists of reviewing every transaction manually for signs
of fraudulent activity and involves a exceedingly high level of human intervention. This
can prove to be very expensive, as well as time consuming. Moreover, manual review is
unable to detect some of the more prevalent patterns of fraud, such as use of a single
credit card multiple times on multiple locations (physical or web sites) in a short span.

 Address Verification System: This technique is applicable in card-not-present scenarios.

Address Verification System (AVS) matches the first few digits of the street address and
the ZIP code information given for delivering/billing the purchase to the corresponding
information on record with the card issuers. A code representing the level of match
between these addresses is returned to the merchant. AVS is not much useful in case of
international transactions.

 Card Verification Methods: The Card Verification Method3 (CVM) consists of a 3 or 4

digit numeric code printed on the card but is not embossed on the card and is not
available in the magnetic stripe. The merchant can request the cardholder to provide
this numeric code in case of card-not present transaction and submit it with
authorization. The purpose of CVM is to ensure that the person submitting the
transaction is in possession of the actual card, since the code cannot be copied from
receipts or skimmed from magnetic stripe. Although CVM provides some protection for
the merchant, it doesn’t protect them from transactions placed on physically stolen
cards. Furthermore, fraudsters who have temporary possession of a card could, in
principle, read and copy the CVM code.

 Negative and Positive Lists: A negative list is a database used to identify high-risk
transactions based on specific data fields. An example of a negative list would be a file
containing all the card numbers that have produced chargebacks in the past, used to
avoid further fraud from repeat offenders. Similarly a merchant can build negative lists
based on billing names, street addresses, emails and internet protocols (IPs) that have
resulted in fraud or attempted fraud, effectively blocking any further attempts. A
merchant/acquirer could create and maintain a list of high-risk countries and decide to
review or restrict orders originating from those countries.

Another popular example of negative list is the SAFE file distributed by MasterCard to
merchants and member banks. This list contains card numbers, which could be
potentially used by fraudsters, e.g., cards that have been reported as lost or stolen in
the immediate recent past.

Positive files are typically used to recognize trusted customers, perhaps by their card
number or email address, and therefore bypass certain checks. Positive files represent
an important tool to prevent unnecessary delays in processing valid orders.

 Payer Authentication: Payer authentication is an emerging technology that promises to

bring in a new level of security to business-to-consumer internet commerce. The first
implementation of this type of service is the Verified by Visa (VbV) or Visa Payer
Authentication Service (VPAS) program, launched worldwide by Visa in 2002. The
program is based on a Personal Identification Number (PIN) associated with the card,
similar to those used with ATM cards, and a secure direct authentication channel
between the consumer and the issuing bank. The PIN is issued by the bank when the
 cardholder enrolls the card with the program and will be used exclusively to authorize
online transactions.
When registered cardholders check out at a participating merchant’s site, they will be
prompted by their issuing bank to provide their password. Once the password is
verified, the merchant may complete the transaction and send the verification
information on to their acquirer.

 Lockout Mechanisms: Automatic card number generators represent one of the new
technological tools frequently utilized by fraudsters. These programs, easily
downloadable from the Web, are able to generate thousands of ‘valid’ credit card
numbers. The traits of frauds initiated by a card number generator are the following:

 Multiple transactions with similar card numbers (e.g. same Bank Identification
Number (BIN)).
 A large number of declines.

Acquiring banks/merchant sites can put in place prevention mechanisms specifically

designed to detect number generator attacks.

 Fraudulent Merchants: Both MasterCard and Visa publish a list of merchants who
have been known for being involved in fraudulent transactions in the past. These lists
(NMAS - from Visa and MATCH - from MasterCard) could provide useful information
to acquirer’s right at the time of merchant recruitment preventing potential
fraudulent transactions.

Recent Developments in Fraud Management

The technology for detecting credit card frauds is advancing at a rapid pace – rules based
systems, neural networks, chip cards and biometrics are some of the popular techniques
employed by Issuing and Acquiring banks these days. Apart from technological advances,
another trend which has emerged during the recent years is that fraud prevention is moving
from back-office transaction processing systems to front-office authorization systems to
prevent committing of potentially fraudulent transactions. However, this is a challenging
trade-off between the response time for processing an authorization request and extent of
screening that should be carried out.

 Simple Rule Systems: Simple rule systems involve the creation of ‘if...then’ criteria to
filter incoming authorizations/transactions. Rule-based systems rely on a set of expert
rules designed to identify specific types of high-risk transactions. Rules are created
using the knowledge of what characterizes fraudulent transactions. For instance, a
rule could look like – If transaction amount is > $5000 and card acceptance location =
Casino and Country = ‘a high-risk country’.

Fraud rules enable to automate the screening processes leveraging the knowledge
gained over time regarding the characteristics of both fraudulent and legitimate
transactions.

Typically, the effectiveness of a rule-based system will increase over time, as more
rules are added to the system. It should be clear, however, that ultimately the
effectiveness of the system depends on the knowledge and expertise of the person
designing the rules.
 The disadvantage of this solution is that it can increase the probability of throwing
many valid transactions as exceptions, however, there are ways by which this
limitation can be overcome to some extent by prioritizing the rules and fixing limits on
number of filtered transactions.

 Risk Scoring Technologies: Risk scoring tools are based on statistical models designed
to recognize fraudulent transactions, based on a number of indicators derived from
the transaction characteristics. Typically, these tools generate a numeric score
indicating the likelihood of a transaction being fraudulent: the higher the score, the
more suspicious the order.

Risk scoring systems provide one of the most effective fraud prevention tools
available. The primary advantage of risk scoring is the comprehensive evaluation of a
transaction being captured by a single number. While individual fraud rules typically
evaluate a few simultaneous conditions, a risk-scoring system arrives at the final score
by weighting several dozens of fraud indicators, derived from the current transaction
attributes as well as cardholder historical activities. E.g., transaction amounts more
than three times the average transaction amount for the cardholder in the last one
year.

The second advantage of risk scoring is that, while a fraud rule would either flag or
not flag a transaction, the actual score indicates the degree of suspicion on each
transaction. Thus, transactions can be prioritized based on the risk score and given a
limited capacity for manual review, only those with the highest score would be
reviewed.

 Neural Network Technologies: Neural networks are an extension of risk scoring

techniques. They are based on the ‘statistical knowledge’ contained in extensive
databases of historical transactions, and fraudulent ones in particular. These neural
network models are basically ‘trained’ by using examples of both legitimate and
fraudulent transactions and are able to correlate and weigh various fraud indicators
(e.g., unusual transaction amount, card history, etc) to the occurrence of fraud.

A neural network is a computerized system that sorts data logically by performing the
following tasks:

 Identifies cardholder’s buying and fraudulent activity patterns.

 Processes data by trial and elimination (excluding data that is not relevant to
the pattern).
 Finds relationships in the patterns and current transaction data.

The principles of neural networking are motivated by the functions of the brain –
especially pattern recognition and associative memory. The neural network
recognizes similar patterns, predicting future values or events based upon the
associative memory of the patterns it has learned.

The advantages neural networks offer over other techniques are that these models
are able to learn from the past and thus, improve results as time passes. They can also
extract rules and predict future activity based on the current situation. By employing
neural networks effectively, banks can detect fraudulent use of a card, faster and
more efficiently.
 Smart Cards: To define in the simplest terms, a smart card is a credit card with some
intelligence in the form of an embedded CPU. This card-computer can be
programmed to perform tasks and store information, but the intelligence is limited –
meaning that the smart card's power falls far short of a desktop computer.

Smart credit cards operate in the same way as their magnetic counterparts, the only
difference being that an electronic chip is embedded in the card. These smart chips
add extra security to the card. Smart credit cards contain 32-kilobyte microprocessors,
which is capable of generating 72 quadrillion or more possible encryption keys and
thus making it practically impossible to fraudulently decode information in the chip.

The smart chip has made credit cards a lot more secure; however, the technology is
still being run alongside the magnetic strip technology due to a slow uptake of smart
card reading terminals in the world market.

Smart cards have evolved significantly over the past decade and offer several
advantages compared to a general-purpose magnetic stripe card. The advantages are
listed below:

 Stores many times more information than a magnetic stripe card.

 Reliable and harder to tamper with than a magnetic stripe card.
 Performs multiple functions in a wide range of industries.
 Compatible with portable electronic devices such as phones and personal
digital assistants (PDAs), and with PCs.
 Stores highly sensitive data such as signing or encryption keys in a highly
secure manner
 Performs certain sensitive operations using signing or encryption keys in a
secure fashion.

A consortium of Europay MasterCard and Visa (EMV) recently issued a set of

specifications for embedding chips in credit cards and processing transactions from
such cards. MasterCard and Visa have also issued deadlines for compliance with these
specifications indicating that banks will have to bear a large portion of fraud losses if
they do not comply with EMV specifications. However, the market response has been
slow so far due to large investments needed in implementing the EMV compliant
programs.

 Biometrics: Biometrics is the name given to a fraud prevention technique that records
a unique characteristic of the cardholder like, a fingerprint or how he/she sign his/her
name, so that it can be read by a computer. The computer can then compare the
stored characteristic with that of the person presenting the card to make sure that
the right person has the right card.

Biometrics, which provides a means to identify an individual through the verification

of unique physical or behavioral characteristics, seems to supercede PIN as a basis for
the next generation of personal identity verification systems.

There are many types of biometrics systems under development such as finger print
verification, hand based verification, retinal and iris scanning and dynamic signature
verification.