Ian Mitchell is founder and Board chairman of The Knoble, a nonprofit dedicated to bringing fraud prevention, cybersecurity and anti-money-laundering (AML) professionals around the world into the fight against modern slavery, human trafficking, scams, elder abuse, child exploitation and other aggressions aimed at vulnerable people. Previously a principal and head of Financial Services Fraud Management at PwC, Ian also has 20 years of experience with leading banks—in five countries and 13 states—as a fraud and financial crimes executive. He talked with Mike Sasaki, leader of the Mitek Systems global customer success team, about what brought him back into the financial crimes fight after an early attempt at retirement, what’s changing and challenging in today’s digital world, and what he hopes to accomplish with The Knoble.
Mike: So Ian, I understand that you “retired” to Chattanooga, Tennessee a few years ago to focus on your other career as a composer and musician. How did PwC coax you back out and into the fight against financial crimes?
Ian: Well, it was really more of a meeting of the minds. At a friend’s home in Florida, I had the opportunity to meet and talk with a former member of the United Nations initiative on human trafficking. I suddenly realized what had eluded me for most of my professional life: Financial crime is ultimately crime against people, and much of it is fueling abominable systems of human exploitation. Not long after that I was talking about the issue with some folks from PwC, who immediately shared my point of view. They convinced me to come over and lead their financial services fraud management group and agreed to help me build the connections and organization we thought were needed to bring other financial crimes professionals to the same realization about human impacts and support them in doing something about it.
Have pandemic-related changes made that fight tougher?
Yes, I would say so. The types of fraud we’re seeing are changing. You know, it’s interesting, traditional fraud losses are down—in fact, I know of one bank that is experiencing its lowest level of losses in a decade. But, at the same time, scams against consumers, and especially vulnerable populations such as the elderly and the young, are way up. With the acceleration in digital account openings and interactions, the attack surface is expanding for bad actors. One way they’re taking advantage of expanding opportunity is with money muling, which has been a hidden problem across financial services for a while, and now is definitely on the rise.
What exactly is money muling, and why is it a big problem?
Money muling is when you get someone to let you pass money through their account so that you can eventually move the funds to an endpoint where they’re used for criminal activities. Often the mules, who are promised a fee for the use of their account, are unaware, or maybe only partially aware, of what they’re helping to do. And it’s not just the elderly who fall for these scams. I know of the daughter of a prominent financial services executive who got roped in. Really, it’s not all that different from the way credit card companies back in the ‘90s used to entice students to open accounts by handing out free tee shirts and water bottles. I was a student back then, and there wasn’t much I wouldn’t do then for a free t-shirt!
The increase in money muling is a big problem because the way the financial services industry has traditionally been set up to fight financial crimes is not effective at stopping it. Often we think of money muling as a compliance or AML problem. But it’s much broader, and bad actors are innovating new schemes that don’t respect these organizational silos. I believe the only way we’re ever going to solve this problem is by getting AML, compliance, cybersecurity, and fraud management groups to work together and with law enforcement as well.
What are your thoughts about the role of identity verification in the ongoing lifecycle of financial services customers?
I like this question because this is exactly what we need to be thinking about. Given rising threats, and the patience of fraudsters in working these schemes over time, it’s not enough to have fraud controls at the front gate. This concept of Know Your Customer (KYC) is something fraud protection can learn from our compliance and AML counterparts. For financial services to be successful in combatting even the current wave of scams—which isn’t going away—much less what’s to come, we need to make sure our customers are who they say they are and that we know them also in the sense of their behavior patterns. Then we need to marry that continuous identity verification throughout the customer lifecycle with enhanced transaction monitoring, and context-based risk scoring.
Do you see biometrics as playing an important role in these defenses?
Yes, I think with Touch ID, Face ID, and the Android equivalents, the concept of having the end-user involved in their own identity verification—but in a very low friction way—is becoming widely accepted. But I think what’s important is how and when you apply biometrics. There has to be a proper marriage of the risk and context with the right kind of biometric. Face recognition, for instance, absolutely has a role in facilitating KYC, but it doesn’t make sense to use it against first-party fraud. My observation is that many organizations are so focused on the technology that they’re not spending enough time thinking about why they’re deploying it from a solution design perspective. I can tell you that a design that marries biometrics to risk rating and auto-assignment of appropriate treatments is very powerful stuff.
What direction do you see the future of identity going?
I can probably more easily tell you where I think it’s moving away from. We’re learning that identity is not an IP address, not your iris, not a number that can be validated or the right answers to challenge questions—every one of which can be breached. Identity is something far more complicated than that. It’s about a person. The person’s identity is all of those things and more. I believe that the verification solutions of the future are going to be based on this comprehensive concept of identity.
Now this prospect can get people a bit nervous. The first thing we get scared of is privacy, but anyone who has been fighting fraud for a long time knows there’s a lot of power in methods like tokenization and other things we can do to protect privacy.
So it shouldn’t be scary when we really start trying to understand “Who is Ian?” and “Why is he asking for this transaction?” We have the technology to manage these transactions far more intelligently than we do today—we just can’t forget as we implement it that our goal is to protect Ian—protect me from bad actors who want to pretend they’re me. And I think that if we can get to the root of this mission—the trust behind it—digital identity is going to become huge. It will be the essence of how we transact and are empowered in this world.
Can regulations help achieve this vision?
Yes, but they’re not always the driver. We talked about scams earlier—right now there are no regulations providing guidance on how to combat scams. But I can tell you there’s a groundswell of financial services and tech companies that are coming together and saying you know what, I’m not going to wait for regulation. I’m going to protect my customers now. That’s innovation. That’s us rethinking our traditional processes and finding better ways to address today’s challenges.
On the other hand, if you look at human trafficking, it’s currently hard for businesses to cost-justify investment in this space, so there’s a need for regulations to bolster the case for taking action. And financial services are also looking to regulators to create Safe Harbor provisions that would enable them to share information and get involved in the fight without taking on liability.
So ideally innovators should be innovating, and government should be supporting that. But in some cases, we also need a little more help from regulators. Progress sometimes requires the government to come in and open the door to innovation.
Are you optimistic we’ll get there?
Honestly, I’m an eternal optimist. I believe everything is ultimately changing for the good. And I think we now have the technology, the data, the platforms, the infrastructure, the solutions, and the people to fight the good fight, the real fight. When the financial crimes community actually starts working together we’re going to see something happen that the bad actors aren’t going to be able to contain. There is absolutely no reason why we shouldn’t win.
And I want to say something to financial crime fighters all over the world who might be reading this: Thank you! You show up every day and do your jobs, but maybe you don’t yet realize how important you are and what a difference what you do is making. The Knoble isn’t the nonprofit organization I started, it’s you. You are The Knoble who are helping to protect vulnerable people. If, like my former self, you hadn’t fully realized that’s what you’re ultimately doing, then give it some thought. Be proud of what you do and, if you can, get more involved in the fight and do a little bit more.