1. Rosetta Public Relations Communications BriefingMANAGING FRAUD COMMUNICATIONSTHE PRICE OF FEARIn risk management, communications often gets short shrift. Its soft. It deals with perceptions,which are kind of like emotions and, after all, what place do feelings have in robust risk models?The answer is a pivotal place. In addition to central issues like customer and stakeholder trust inyour organization (which has a ripple effect,affecting everything from supplier relationships toSome common types of fraudcustomer purchasing to stock price), there is theactual cost of fear and anxiety to yourWebsite hijackorganization. Scholars like Matthew Adler have CheckFree was a US e-billing and e-remittance company. Ineven developed models to quantify and monetize 2008 Ukrainian organized crime gained control over itsfear.Internet domains and redirected customers to a maliciouswebsite. Between 160,000 and 5 million customers may haveFraud connects very viscerally to our fears theft been affected.of our money, our identity and all the attendantconsequences. It makes sense that we look atHackcommunications about fraud through the lens ofRBS WorldPay, an electronic payment processing company,risk communications a discipline designed towas at the heart of an elaborate ATM scam that nettedhelp us understand and evaluate the things we thieves US$9 million. Hackers gained access to more than afear and dread. million financial records that enabled them to fabricatedebit cards and access accounts through ATMs. Hackersmay breach a system to steal data or they may installFRAUD AS A CONSTANT malicious software.The TJX case is to fraud what September 11th is toEmployee malfeasanceterrorism. In 2005 Eastern European gangs,Not every employee is a model one; some do very badworking with a Cuban crime ring in Florida, things. In 2007 an employee of Electronic Data Systemshacked the companys transaction databases andstole 500 customer identities and managed to sell 50 ofbegan quietly stealing data. As a major retailerthem to criminals before being arrested.(operating stores like Winners, HomeSense andTK Maxx in Canada, the US and Europe), it had a Data lossrich store of sensitive data like credit card records Although it may not cause financial loss, misplacingcustomer data or exposing it in some fashion is corrosive totrust. Bank of New York Mellon learned this when in 2008it lost a backup tape containing 12.5 million customer 1records.

2. that was tempting for thieves. The thieves made off with credit and debit card numbers andpersonal information like drivers licenses and social security numbers. All told, 100 millionrecords were stolen and used to run up credit card charges as well as launch a gift card scam. Bankswere forced to reissue cards by the thousands.But most instances of fraud lack this sort of grandeur. They are more likely to resemble Polo RalphLaurens data breach in 2005, where hackers stole credit card information and made counterfeitcards from bases in Eastern Europe. Or they make take the form of persistent phishing or cardskimming threats.Whatever form it takes, fraud undercuts the trust and confidence needed to fuel a transition todigital currency. We are now at the point where debit card use is ubiquitous. Newer services likemicro-payments and pre-loaded debit cards are becoming increasingly prevalent. All of these shiftsentail entry into a very complex world of payments and intermediaries and open up vistas ofopportunity for criminals. For example, in the United States alone in the past four years more than253 million personal records containing identification like social security numbers and militaryservice records as well as financial data such as credit card numbers were lost or stolen. Somewherein the world someone is doing something highly illegal with all those records.There is bound to be some leakage at some point in the digital world, whether online, at the pointof sale or at an ATM. For example, in 2004 the Gartner Group reported that two millionAmericans had lost an average of US$1,200 each due to online raiding of their bank accounts.Fraud is endemic to the system. Bank executives accept this and reflect it in their forecasts andplanning. However when it comes to managing communications surrounding fraud, it is not oftenseen in this light as a permanent fixture of the operating environment rather than a one-timeevent. We talk as though it was an aberration, a crisis, when in fact we should be communicating itto customers and partners as a risk. In this article I outline the principles of risk communication asthey apply to talking about fraud and dealing with instances of fraud. But first lets begin with areview of the environment in which you will be communicating.TRUSTRich Lowry of the National Review trenchantly termed the first decade of the 21st century the Ageof Cynicism. It is a time notable for a severe deficit of trust. We assume corruption andincompetence in all aspects of life government, politicians, media andcorporations, including our banks. The assumption seems to be that every public figure is a moralilliterate and guides his or her organization accordingly. This of course doesnt really fit the facts, asthis table shows:Corruption rankings by country1stDenmark, New Zealand, Sweden9thCanada, Australia16th United Kingdom18th USA, Japan180thSomaliaSource: Transparency International, 2008 Perception of CorruptionIndex2 3. But trust goes beyond faith in our corporate and government leaders; it goes right to basicconfidence in the financial system. In and of itself, a banknote is pretty worthless. You cant eat it.All those pretty printed designs make it hard to use as notepaper. And if you burn one it doesntgenerate much heat or light. But as a symbol it has significant value. This is because we all trust thatit will be accepted in exchange for something. If counterfeiting is an issue then confidence inbanknotes as representatives of value is eroded (think of the last time you tried to spend a $100bill). The same happens in the electronic banking world. If your personal file was one of the 3.9million on a backup tape lost by CitiFinancial in 2005 then your confidence in data security islikely low.If trust is low people will go offline, use money orders to settle online purchases, bank at branchesor curtail debit card usage. Trust is the bedrock of the financial system. Bankers know this.Without trust among counter-parties and depositor trust in banks the global financial system wouldgrind to a halt. Preserving trust is, therefore, the key element of any communications response tofraud. Without it you are nothing.RISKBefore we look at communications strategies to convey risk and build trust we first need to be clearabout what we mean by risk. There are many definitions, some technical for the actuarial types, butI prefer a simpler approach. Risk is the probability of something undesirable happening. Doingsomething always involves incurring some level of risk, even simple things. For example, odds areone in 3,500 that you will injure yourself next time you mow your lawn (in comparison you have aone in 5,000 chance of hitting a hole in one). But we need to factor in not just the probability ofthe event but its scale. We end up with an equation like this: Risk = probability of event X its expected impactWhen we assess risk we need to understand what is acceptable from the corporate perspective (e.g.how much fraud can you afford) and what is tolerable to the individual customer. For customers,although the only truly acceptable risk is zero, this in practice may come down to a risk/benefittrade-off, with potential financial losses and the effort required to set things right again balancedagainst the convenience of online banking and point of sale transactions. Anecdotally, mostmembers of the public see fraud as inevitable, irritating and endemic. The fact that many folks havesome personal familiarity with it calls from banks, card replacement and possibly accounthacking, is perversely a good thing as it undercuts the dread factor of this adverse event by reducingthe unknown.PERCEPTIONS OF RISKWe humans are terrible judges of risk. Our brains dont work that way. The myth of the rationalactor is, as our friends in behavioural finance tell us, just that a myth. Two of the most commonways we mess it up are:3 4. 1. The zero-infinity game here we catastrophize a totally improbable event, taking an almost nil chance of occurrence (such as an Oklahoman being bitten by a shark) and assigning it an almost infinite scale of awful consequences (severed limbs, death, disfigurement).2. The familiarity discount if we do something often enough without suffering an adverse event we mentally discount the risk. Familiarity breeds contempt. Think of driving a car. Many folks have never had a car accident and therefore consider the likelihood low even when the statistics tell us that we have a one in 81 lifetime chance of dying in a car accident.Other factors will affect perception of risk. Media mentions may skew our perceptions of risk. Forexample, on average there are six deaths from peanut-related allergies in the US each year. Yet thepublic perception of this as a significant risk is higher than that of lightning, which kills 90Americans a year. Our understanding of the frequency of an event is actually a measure of howprevalent that event is in the communications environment. Talking it up increases the perceivedthreat. Similarly, aggressive risk communication campaigns that stress the need to protect against athreat will increase fear and raise perception of risk.Fraud risk perception factorsTrust our sense of fear is in inverse proportion to the trust we have if customertrust in a bank is high then fear will be low.Control the threat we feel is lessened if we have some degree of control over it (thinkof flying vs. driving when you are at the wheel).Choice an unavoidable risk is more dreadful than one voluntarily accepted.Uncertainty if the nature of the threat is hard to explain or changes quickly then itwill be seen as more dangerous.Novelty new threats are scarier than old ones; compare AIDS, which killed about14,000 Americans in 2006, with influenza, which killed more than double that number(36,000).Awareness we may see a risk as a greater threat than it really is if it is a frequentmedia topic or the subject of a communications campaign.Personal how directly will the risk affect me? The more general the risk, the lower theperception of threat. Think of global warming.Risk-benefit if we perceive a strong benefit we will discount the risk.Catastrophic what is the worst-case scenario? Identity theft leading to financial ruinwill be seen as dreadful even if the incidence of such an eventuality is quite low.As you can see, one of the greatest challenges companies face is customer misperception of risk.Bank customers who have never had an account compromised may perceive debit card use astotally without risk due to the familiarity discount or conversely they may assume that doing onlinebanking will lead to their total financial ruin.FRAUD IS NOT A CRISISWhen an airliner suffers a total loss of its hydraulic systems it usually crashes. No one not thepilots, the mechanics, the airline management and least of all the passengers, expects this tohappen. Fraud is different. We actually expect that it will happen, that some aspect of the elaborate 4 5. security systems will fail. The sudden part is often the discovery of the fraud. This is what fools usinto thinking its a crisis.It is a mistake to apply crisis communications principles to an instance of fraud. This is becausecrisis communications focuses on preparing an approach to managing a crisis and initiating thatplan when needed. It has defined start and end points. Fraud, because it is a constant in theoperating environment, does not have a beginning or end.A different communications approach is needed risk communications before and after the fraudevent and issues management during the fraud. The issues management (and customer andstakeholder responses to it) will of course inform the risk communications approach, post-event. EventRisk communications(adjusted post-event)Issues managementRISK COMMUNICATIONSRisk communication is a way of talking about the probability of adverse events and their expectedimpact. Our goals are to put a given risk in perspective, encourage folks to use information toadjust their perceptions to form a better understanding of a risk and ultimately to empower peopleto change their behaviours to mitigate the risk.The knowledge gapMost good communications begin with research. In risk communication we take a two-prongedapproach. First we need to work out whats often called the expert model of the risk. In the case offraud we would map out where the potential points of fraud are in the system, which behavioursexacerbate them and which types of fraud are not affected by customer behaviour (e.g. a customer isnot likely to have any ability to influence a hacker attacking your central database). We then needto look at what the audience perception of the risk is. Weve already looked at some commonelements of that perception but this needs to be sharpened, likely by at least directional opinionresearch. At the end of this exercise we should have two models:1. What our experts believe is the model of how the risk operates2. What our audiences (e.g. customers) believe is the model of how the risk operatesOur next task is to see how the two models overlay. Assuming the expert model more closelyresembles reality, how close is the customer perception of the risk? From this we can narrow our 5 6. communications focus we know where the perceptions are out of line with the reality. Becausecomprehensive, in-depth risk communication is seldom successful we need to prioritize, based onthe potential for mitigating risk (e.g. if changing behaviour A will reduce the potential for fraudmore than behaviour B then we should work on adjusting A).The behaviour gapLets look at little more closely at behaviour. There are actually two elements to consider here:1. The information that informs or supports behaviour2. The reasons that knowledge is not applied to change behaviourOld style risk communication was often didactic, based on the Pollyannish belief that, if we givethem the right information, people will make the right decisions. In the 21st century, the era ofweb 3.0 and such, we should be taking a more participatory view. Our goal is to invite people toreconsider their perceptions in the light of new, or previously unknown evidence. To this end weneed to know what information they are using to build their risk assessment model and where itcomes from.Sometimes though we may have received the knowledge but failed to use it to mitigate a risk. Forexample, despite intensive public awareness campaigns against binge drinking, 360,000 teens 11-15get drunk every week in the UK. As a risk communicator your question should be: what makesthem discount or ignore the message? We may distrust the messenger (government, in this instance)or we may trust another source (e.g. peers) more. Again, opinion research will sharpen your sense ofthis.Putting it all togetherSo now we know what people think of a risk, how they arrived at that perception and whether ornot they act to mitigate a risk (and why or why not). How do we go from this information to a riskcommunication campaign?If we see our purpose as encouraging people to think differently about risk and make better riskmanagement decisions then we can see we cant win by simply contradicting strongly-held beliefs.We need to supplant the erroneous perceptions gradually. And we need them to some degree todrive the process themselves.You may consider using trusted sources, particularly if you lack credibility or are seen as biased. Aneutral expert voice, particularly one with credibility with youraudience, will help to carry your message.Mental noise theoryNobody likes to contemplate bad things. Theres a natural audienceWhen people are stressed they havereluctance to accept communications about things like fraud. Peopledifficulty:become stressed when considering the downside potential of things.And stressed people do not make receptive audiences. Messaging Hearing informationmust become simple, with key points repeated and supported by Understandinginformation. Our course creative communications can help byinformationensuring a degree of memorability. Just because we are dealing with Remembering informationrisk doesnt mean that the full toolbox of communications (such aswe see in conventional marketing) shouldnt be available.6 7. Sometimes less is more. Risk is relative. When we communicate risk we need to keep in mind thatsimply by doing so we can increase the perception of the severity or possibility of that risk.Perversely, high profile risk communication campaigns may actually undercut your desired goals byraising fears. Establishing context and maintaining perspective can help as can ensuring theappropriate amount of risk communications to engage in.Finally we shouldnt see risk communications as a standalone effort; it is part of your overallcommunications effort and needs to be connected both to issues management and day-to-daycustomer interactions. If you are effective in all three areas you will create a virtuous circle thatcontinuously reinforces trust in your organization.ISSUES MANAGEMENT THE BARCLAYS EXAMPLEFraud is, as I have stressed, a constant in a system that involves owners of money, custodians ofmoney, payment intermediaries, merchants and folks that want to steal money. There will come atime when you are facing an instance either of fraud or something like a data breach that stirs upfears of fraud. You will need to shift gears from risk communication to issues management. In thesesituations we can learn from past successes.It was supposed to have been the beginning of a new era in banking in Britain established bankstook their businesses online and at the same time oddly-named virtual banks like Cahoot, Smile, Ifand Egg were launched. But the year 2000 was not a good one for online banking security. Egg washit for hundreds of thousands of pounds and Barclays, in the midst of building the virtual side ofits retail banking business, ran into serious trouble.Barclays, the first British bank to launch a free Internet banking service, had 1.7 million customersbanking online by 2000. In May of that year the bank announced plans to double its spending one-commerce to 325 million. It spelled potential dominance in retail e-banking. But in July routinesoftware upgrade inadvertently enabled customers to view others banking information. The banktook aggressive measures and shut the website down while repairs were made. Compounding theissue, a human error the next day repeated the problem. The public perception was that theBarclays Internet banking venture was inherently insecure. Media coverage and critical consumeradvocates didnt help.So how did Barclays manage this issue? In my opinion it did well to tell a story comprised of fiveelements:1. Context the bank gave details of what happened and what caused it as well as what the financial implications for the victims were (no losses were incurred by customers)2. Scale the fact that only seven customers out of 1.7 million users were affected helped to demonstrate the relative risk3. Persistent risk the bank reminded customers that these sorts of problems happen from time to time; this is important because customers need to know that the risk of an event like this is not zero, that it is not a freak random event and there is always a possibility even if it is remote4. Corrective measures the bank outlined the steps that were being taken to fix the problem and minimize the chance of a recurrence7 8. 5. Confidence the bank reiterated its belief in the safety and utility of the serviceA WORD ON MEDIA REPRESENTATIONOne problem with fraud is that the majority of cases are really not that interesting. The firstinstance of a Nigerian advance payment scam was noteworthy but now that it accounts for 11 percent of all online fraud, its commonplace. So media tend to focus on the high profile instances offraud TJX case or the BCCIs and Bernie Madoffs of the world. The problem here is that this isunrepresentative fraud. TJX was a rarity not likely to be seen again for some time and most folkswill not suffer from a rogue trader but rather from a hack, possibly orchestrated by organized crime,or a phishing scam. Quick quiz: match the rogue trader to the bank a. Rusniake. Daiwa b. Iguchi f. Allied Irish c. Leeson g. Societ Generale d. Kervielh. Barings (Although you likely guessed them all, here are the matching pairs: a-f, b-e, c-h, d-g).The other problem is the prevailing narrative banks either deliberately or inadvertently putcustomers at risk. They fail them. Often consumer advocates will be quoted to support the view ofuncaring financial institutions. Fraud may be conflated with other issues such as excessive corporatepay, high service charges and branch closures to bolster the view of the unresponsive behemothbank. This is the storm Barclays ran into. Its not a fair portrayal but thats beside the point.Compounding this is the inevitable obsession with negative events that characterizes media, bothnews and entertainment. In an always-on media environment what is presented is a 24/7drumbeat of drama and danger, says Harvard professor David Ropeik. Crimes, including fraud,are over-represented communications theorist, George Gerbner, found that crime is 10 timesmore prevalent on television than in real life. The result is a climate of fear that fuels distrust.This is obviously more of a concern for issues management but it should still be borne in mind forany risk communications initiative, particularly one that either uses media to carry the message orhas the potential to attract media interest.A FINAL THOUGHTFraud is challenging topic to communicate, one that can spark customer fears and generate mediacontroversy. Conditioning your customers to the potential risks and equipping them with theinformation and tools to help them shape their behaviours is a more effective approach than a 8 9. reactionary crisis communication approach. Risk communication may, at the end of the day,prevent a need for crisis response.ABOUT THE AUTHORPaul McIvor is the founder of Rosetta Public Relations Inc., a Toronto-based communicationsshop. Prior to creating Rosetta, Paul managed communications at the Ontario Ministry of Healthand Long-Term Care and on Bay Street, providing financial communications services.416.516.7095 mcivor@RosettaPR.comwww.RosettaPR.com 9