On 8th and 9th October, ICLP attended the annual Loyalty Fraud Prevention Association (LFPA) conference in Brighton. ICLP were founding members of the LFPA. Loyalty fraud is still an emerging area, both in terms of awareness and activity, and increasing year-on-year attendance at the conference and other LFPA events is testament to the response from airlines, hotels, retailers, and banks.
Head of Consulting at ICLP and LFPA President, Iain Webster, opened his closing address with one line that summed up probably the key trend from this year’s event:
“Points are cash, miles are money”
When someone defrauds a loyalty programme, or hacks into someone’s frequent flyer account and steals some points, this is the same as criminals stealing money. The overarching trend from those on the front line, and from loyalty fraud’s prosecution record, is that not enough people realise points have a cash value. One high-profile loyalty fraud example in Australia led to no jail time, partly because it was ‘embarrassing to the company’ and also ‘not currency’. His thoughts were echoed throughout the day, summed up by Visa-Cybersource’s Denise Burkett: ‘I can’t stress enough how important it is to treat loyalty points as cash.’
The LFPA’s current goal is to prove to all organisations that this is indeed a serious issue, raise the profile of this fraud in the eyes of security organisations, and share best practice across companies and industries, both to better prepare each other and to catch and deter fraudsters.
The impact of loyalty fraud can be immense and needs to be addressed. As Alan Lias, former VP Loyalty at Virgin Atlantic, discussed: ‘Even if you’ve only got a small fraud problem, the magnitude of impact can be in the hundreds of millions.’
"On the dark web, loyalty data is more expensive because it has a higher success rate."
Europol’s Jesus Ortega Orisch, a specialist in cybercrime, presented on the steps international collaborations between security services and governments are taking to combat and intercept fraudulent frequent flyers. Everything is available on the dark web, from guns to drugs to…loyalty account details? Fraudsters are increasingly chasing ways to access loyalty accounts, mainly because of member apathy and opinion towards them. They’re easier to access and generally aren’t protected as well by members. It resonates with the first of these quotes: because people are less inclined to treat points as ‘cash’, they take fewer steps to protect access to them.
As an example, Orisch mentioned a recent case of a fraudster from Ghana, flying from Istanbul to Prague on EgyptAir, with a ticket bought through Avianca, another Star Alliance member, using a stolen credit card from Brazil. Take it a step further, and there are cases of people being trafficked across the Atlantic on redemption seats bought with stolen frequent flyer miles, and smuggled over the border into the USA on fake passports. The LFPA defy you to say loyalty fraud is not a serious issue, both from a business point of view and for your own accounts! Is your programme secure, and have you got separate passwords for all of your personal accounts? In the room, very few people could answer yes to both.
"Of your top 100 customers, it’s likely maybe 1 or 2 of them will be fraudulent."
Nik Laming, Loyalty General Manager at Cebu Pacific, and Dicken Doe, former Head of Analytics at HSBC, both talked in detail about how to detect fraudsters within your system. Sometimes, it’s frankly just luck that you chance upon fraudulent activity, but you can increase your chances by examining all outliers. Implementing effective monitoring of your loyalty customers and transactions is a positive, because ‘you won’t know if you can’t see it’. Some of them are likely ‘gaming the system’ and taking advantage of loopholes.
Mark Lenahan, from CJ Ignition, also talked about the fraudsters’ customer journey and tracking inaccurate behaviour. Many examples of loyalty fraud are actually exploits of the customer journey. It’s hard to fake cumulative behaviour, meaning fraudsters will have erroneous customer journeys. Tracking activity efficiently and identifying those members who look exceptional is a simple step towards counteracting fraud.
"Correct liability, correct breakage, correct revenue recognition"
Discussing the effects of new IFRS 15 accounting treatments on loyalty programme finances, Iain Webster and ICLP Strategy Analyst, Tom Nichols, explained the risks of ‘accidental fraud’ that come as a result of disvaluing programme finances.
Making sure you understand the true cost per point is very important in any programme, in particular how your breakage rate affects the value and programme liability. The new impacts of the global accounting standards haven’t been fully explained for loyalty programmes, but making sure you set aside the right amount of liability in a loyalty programme removes the chance that programmes will be caught short in redemptions and suddenly have a significant and unexpected outlay of expenditure.
"Intruders are likely to be in your systems for around 6 months before they’re detected."
Dan Farr and Richard Jones, from data specialists Foregenix, with consultant Adrian Jolly, presented on the impact of the new GDPR regulations on businesses and loyalty fraud.
The General Data Protection Regulation (GDPR) comes into application in May 2018, meaning any company holding any personal data on EU citizens, no matter where the company is in the world, must abide by a series of conditions around data protection. With a number of serious data breaches for large-scale companies in recent years, including Yahoo, Deloitte, and TalkTalk, fines are becoming ever stricter for companies that do get breached.
With loyalty data proven to be valuable due to its higher success rate among hackers, it is critical to make sure you are storing and protecting your customer data effectively. Most of the regulations revolve around safe storage of data, gaining explicit consent, and having a legitimate reason for storing the data that you do. What is most terrifying is that hackers aren’t going to stop trying to get the data from inside your system: it’s just going to cost you far more when it does happen. Currently firms are fined £500,000 in the case of a breach. A serious breach under GDPR will soon cost a company €20m or 4% of global annual turnover, whichever is greater.
Educating peers and colleagues across the loyalty industry on the importance of data regulation and accounting practice is an important part of knowledge-sharing and improving programme management. However, it became abundantly clear throughout the event how much of the activity around loyalty fraud that goes on is criminal, and how the predominant attitude towards the value of loyalty points is fairly non-existent. The goal of the LFPA is to change this, and raise awareness globally. Iain Webster closed his address with a plea that next year the event keeps growing and should be 10 times as big: loyalty fraud is a huge issue, costs businesses millions each year, and there are very few people taking it seriously.