Build Business Rules into the System

Whenever possible, try to build your business’s “rules, policies & procedures” right into the system.

If there’s something that your people need to “check first” (before initiating a procedure), then always try to work with your Systems people to see if the application itself could handle that step.

Naturally, most systems functionality already covered this when the application/process was originally designed & built.

But, often times, “stuff happens” along the way that makes you re-think your original assumptions.

Instead of instructing your people to take an extra step to “make sure that XYZ”, investigate as to whether the system itself can be enhanced.

Two examples quickly come to mind…

Citi was suffering extensive business losses with customer claims of “unauthorized ATM withdrawals”, many of which were occurring outside of the country in places like Colombia, Venezuela, Costa Rica, etc.

Our Citi-Florida marketplace was being hit extremely hard with these fraud losses.

Regulation E (Federal law that governs electronic transactions, like ATM & on-line banking transactions, auto debits/deposits from outside sources, etc.) is written in such a way that any Consumer customer can, basically, dispute any electronic transaction that has occurred within the previous 45 days.

And unless the bank can “prove” that the customer himself authorized or performed these transactions, the bank MUST honor the customer’s claims.

Very liberal interpretation, almost always in the customer’s favor.

And there were many frauds being perpetrated regarding these “foreign accounts” domiciled outside the United States.

And they usually began with a fraudulent address change.

The “crook” (or even sometimes, someone working in concert with the customer) would call into Customer Service to have the account’s mailing address changed.

Then, days/weeks later, the “crook” would call back to replace the ATM banking card (and, at times, receive a Systems-generated PIN/Personal Identification Number mailer) which, naturally, would be delivered to the fraudulently-changed address.

A month or so later, the “real customer” would call about not receiving his statement & all these “unauthorized ATM withdrawals” for which he obtained information on-line or over-the-phone.

And with ATM withdrawal limits @ “$1,000/$2,000 per business day per account”, these “unauthorized withdrawals” would/could total many, many thousands of dollars!

All the customer really had to do was claim that he never performed these transactions himself nor did he authorize anyone else to do so.

He would sign an affidavit to that effect and the bank would be forced to credit all that money back to him.

(Note: Was it really a crook who fraudulently changed the address, obtained a replacement ATM card/code & then withdrew as much cash as he could, as quickly as he could?

Or was it really a “scheme” dreamt up by the actual customer to have a co-conspirator of his call Citi pretending to be the customer (as, naturally, he would have all the info necessary to successfully pass the caller verification process) & then change the address, replace the card/code & then withdraw the cash?

And, of course, the “real customer” would never, ever notice anything until a month later when all his money was withdrawn.

Either way, it seemed way too coincidental…and the losses that Citi-Florida was incurring were steadily mounting (into the millions)!

What to do?)

We took immediate steps to “teach our reps” to look for recent address changes before accepting a request to replace a lost ATM card.

This was a manual process.

But naturally, it wasn’t always followed & these crooks were persistent.

They only needed one chink in the armor to break through.

So we had a Systems enhancement put in that would “post a prominent warning” when an attempt to replace a card was made within X days of a recent address change.

Still more screw-ups.

Finally, we just decided to tighten the screws all the way.

It was the fraudulently-authorized address change request that kicked everything off.

The business took a very strong position and required that ALL address changes involving a foreign address MUST be completed at the customer’s home branch.

The customer would have to visit the branch (which wasn’t unusual as many of them traveled often between the U.S. & their country) or send a letter, signed by the customer & verified by the U.S. Embassy, to the branch so we could be sure it was legit & the branch had the opportunity to compare signatures. In addition, if there was any doubt, they could always contact the customer directly themselves.

We enhanced our system to automatically block the address change function on CWS/CitiPhone WorkStation for ALL CitiPhone employees whenever a foreign address was detected on the account.

And while this new procedure may have been a little more cumbersome for the “legitimate customers with legitimate address changes involving a foreign address”, it was done to help better protect both the customer’s as well as the bank’s assets.

And it worked extremely well! Annual losses from this type of fraudulent “foreign address change & card replacement” dropped from $3MM+ annually to next to nothing!

We had tried all different ways to manually prevent these frauds, but the crooks (or some devious customers themselves) would always find a penetrable hole in our defenses.

(BTW, I hadda pull some strings & call in a few favors to have this CWS systems enhancement designed & implemented in 2 business days! It was done as an EMER (an EMERgency systems request)…submitted on Thursday & went live Saturday morning!

I’m sure you guys are already familiar with the “It’s not just what you know, but it’s who you know!” saying.)

Another example of getting your systems application enhanced to accommodate a new business rule or practice was with our Immediate Credit program, whereby a customer’s account would be immediately credited on-line if the information entered regarding a submitted investigation request met certain eligibility criteria.

If it did, then the service rep would receive a message back, informing them that the account has just been credited for the amount in dispute & is immediately available to the customer.

The bank would still perform a behind-the-scenes investigation & reply back to the customer (“Keep the $ as your claim was honored”, “We need more information from you to complete our investigation” or “Your claim was not honored & we’ll be taking our money back in X business days”).

What happened over time (and it was determined to be an “inside job”) was that recently-opened accounts with very small balances would suddenly call & claim that a very sizable deposit that they “just made with a teller yesterday is not showing up in my account!”.

Apparently, they “knew the eligibility requirements for Immediate Credit” & called with these false claims (NO ONE made any deposits with any teller…it was merely a story, but the system is unable to verify the activities of a teller on-line so the claim can’t immediately be verified)!

After all, the whole Immediate Credit program was based on the “Trust Your Customer” philosophy.

Invariably, when we went to investigate these fraudulent “missing deposit claims”, there were no deposits made…but it was too late as the crooks already withdrew the Immediate Credit funds from the ATM & were long gone.

We started to incur significant losses once again.

We quickly noticed that all the accounts were recently opened, often within the past 30 days.

In addition, history has shown that the overwhelming majority of fraud losses are with accounts opened less than 90 days ago.

So, naturally, we put in a workaround process that required the service rep to manually check the account opening date before entering an Immediate Credit-eligible investigation on-line into CWS.

This manual workaround actually worked pretty well (as we continually communicated it to our reps).

Until…

I get a call at home one night around 11:30. (You never like receiving any calls at home after 9:00…it usually means something bad has happened!)

It’s Sherry Grabill, the Team Leader for the “graveyard shift”, the service reps who worked overnight in our 24 x 7 call center.

As I’m speaking with her, I can actually hear a rep crying in the background.

I’m thinking the worst, God forbid!

Apparently, the rep accepted & entered a missing deposit investigation on-line.

Without first checking the account opening date (so that a workaround process could be used instead, if appropriate).

The account was just opened a few weeks ago (along with a Savings & Money Market acct).

The missing deposit claim was for $3000.

Had the rep read the notes on the account (which are automatically generated as soon as the account is accessed on CWS), she would have seen that the customer had just called 4 prior times that evening!

The missing deposit investigation request was indeed accepted & entered directly into the system.

A $3000 credit was immediately issued as a result of the request meeting all Immediate Credit program eligibility criteria.

Minutes later, $1000 was transferred to the Savings acct & another $1000 to the Money Market account.

Two $500 ATM cash withdrawals out of the Checking.

Two $500 ATM cash withdrawals out of Savings.

And, yes, you guessed it…two $500 ATM cash withdrawals out of Money Market.

The rep discovered her mistake just minutes after the call, but by that time, the customer had withdrawn the entire $3000!

She let Sherry know & she called me. There’s nothing we could do to recover the money. We simply blocked the account & contacted the branch the following morning.

(Yes, of course, the customer never made a deposit nor had ever even been to a teller. The only transactions were a small opening deposit, the $3000 Immediate Credit, the two $1000 transfers from Checking & the six $500 cash withdrawals over the 3 accounts.)

We got Systems to finally put an enhancement into the business rules governing the Immediate Credit program.

As soon as an investigation request was initiated on CWS, the system would immediately check the account opening date.

If the date was within the prior 90 days, the system would effectively “turn off or disable” the Immediate Credit functionality, but still accept the investigation request.
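Here is a sketch of what "the system checks it, not the rep" looks like for both rules in this post: the 90-day Immediate Credit rule and the earlier block on phone-channel address changes for accounts with a foreign address. It is an added example, not code from CWS or Citi; every name in it (`Account`, `Decision`, `submit_investigation`, `request_address_change`, the `"phone"`/`"branch"` channel labels) is hypothetical, and treating day 90 itself as still inside the window is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

NEW_ACCOUNT_DAYS = 90  # window named in the post; day 90 counted as "within" (assumption)

@dataclass
class Account:  # hypothetical record, not a CWS structure
    opened_on: Optional[date]   # None models a missing or unreadable opening date
    has_foreign_address: bool

@dataclass
class Decision:
    accepted: bool          # is the request itself taken into the system?
    immediate_credit: bool  # is the account credited on the spot?
    reason: str

def submit_investigation(acct: Account, meets_criteria: bool, today: date) -> Decision:
    """The investigation is always accepted; only the instant credit is gated."""
    if not meets_criteria:
        return Decision(True, False, "does not meet Immediate Credit criteria")
    # Fail closed: if the opening date cannot be trusted, investigate without credit.
    if acct.opened_on is None or acct.opened_on > today:
        return Decision(True, False, "opening date unavailable or invalid")
    age_days = (today - acct.opened_on).days
    if age_days <= NEW_ACCOUNT_DAYS:
        return Decision(True, False, f"account opened {age_days} days ago")
    return Decision(True, True, "credited, investigation continues behind the scenes")

def request_address_change(acct: Account, channel: str) -> Decision:
    """Phone reps cannot change the address when a foreign address is on the account."""
    if channel == "phone" and acct.has_foreign_address:
        return Decision(False, False, "foreign address: home branch only")
    return Decision(True, False, "address change allowed")

if __name__ == "__main__":
    today = date(2024, 6, 1)                       # constructed sample data
    new_acct = Account(date(2024, 5, 11), False)   # opened 21 days earlier
    print(submit_investigation(new_acct, True, today))
    print(request_address_change(Account(date(2020, 1, 1), True), "phone"))
```

The rep never sees a warning to read or skip: the decision comes back from the system, and the request for an investigation still goes through either way.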

I’m sure that after we put this enhancement in, we had quite a few pissed-off crooks who were expecting that their accounts would be immediately credited after they called up with their fraudulent missing deposit claims.

Think about your own area to see if there are any “extra steps” that your people need to take “in certain situations”.

Special “workarounds” necessitated only in “some circumstances”.

Or anything that your people need to perform manually that would be done “better” (quicker, more effectively & without fail) by the system.

There are always changes necessitated in the functionality &/or business rules of a systems application over time.

Keep your eye out for such instances…you’ll be glad you did!

As always, thanks for listening!
