Cease to resist, giving my goodbye
Drive my car into the ocean
You’ll think I’m dead, but I sail away
On a wave of mutilation
This is the final Commsrisk article. The website will continue to host the Commsrisk Global Fraud Dashboard under the stewardship of James Greenley, the software engineer who created it, for as long as he can find financial backers to support that work. Presenting reams of objective data compiled from varied international sources is the best way to build on the platform constructed during the first two decades of this website. Facts and figures need to rule; words are too messy and too easily twisted. My regular narratives about the communications sector end now, not with regret, but with pleasure. I am glad to be released to live a different life to the one that has consumed so much of me.
Life is short. There is much to explore during our brief existence as conscious entities. Last night was spent listening to Pixies perform at the Royal Albert Hall and I am increasingly focused on the preparations for an upcoming hike along Alta Via 1 in the Dolomites. Do not worry if some of the words in the last sentence seemed strange. They mean that I already decided to spend less time at a keyboard and more time doing things that bring me joy. Fighting arseholes who work in ‘public policy’ roles for telcos does not bring me joy although much of the tail end of my career has been wasted by these people. For decades, they took no interest in fraud or other criminal activities that occurred on networks. Now they seek to dominate global decisions about how to tackle fraud because consumer scams have reached the point where even the laziest government wants something done to reduce them. The intervention of a herd of people who know nothing about fraud is the worst possible double-whammy for both the public and the real experts who should be leading the fight against networked crime:
- Minimizing the number of people employed by telcos to tackle crime because shedding jobs is the top priority of current telco executives. Public Policy departments serve the same master as Human Resources departments: they find ways to enable mass redundancies because telco executives deem job cuts to be vital to maintaining profitability as revenues decline. They no more care about your job than they care about the reasons why phone scams got out of control. Their mantra is to resist, resist, resist government intervention even when it is vital to restoring trust. We actually need government intervention because only governments can force telcos to hire and promote the staff needed to reduce scams.
- Buying gimmicky ‘systems’ to tackle fraud because this has no impact on headcount but will appease governments who can claim a one-off ‘victory’ against scams. These purchases are followed by years of bullshit about the system being successful even though it failed due to a lack of human experts challenging the way it was designed and implemented. The US adoption of STIR/SHAKEN is the exemplar for this failure. Both the US government and public policy zombies continue to pretend STIR/SHAKEN has been a success, even though half a billion dollars of telco expenditure went into a system that did nothing to prevent scam losses skyrocketing in the 5 years since it was implemented. Stooges produce deliberately misleading statistics to disguise the collective failure in the USA because vendors make more money by selling one ineffective system after another than by actually reducing crime.
There is one area in particular that is doomed to fail because of this two-pronged madness: know-your-customer (KYC) checks. Only a human being can have the instincts, the freedom to deviate from a predefined course of action, and the imagination required to keep pace with the way criminal enterprises will cheat KYC checks. But instead of tackling the root cause of scam failure — most obviously in the case of STIR/SHAKEN, which was built upon shoddy KYC controls — we have committees comprised of people who are desperate to pretend that KYC can be improved without hiring and training people to continuously fine-tune KYC. They use the excuse that KYC must be flexible to argue for the least enforceable, lowest common standard for KYC behavior. We really need the kind of flexibility and harmony that comes from telcos working together to pursue a high standard for KYC that all must accomplish together, and for that high standard to be continually re-tuned to reflect how criminals change their methods.
The only people who could argue for truly robust KYC are senior anti-fraud professionals. And therein lies our problem. Fraud management has been so undervalued for so long that many telcos do not have a senior anti-fraud professional. Some of us got older; few rose in terms of power or influence. I reported to the board of Qatar Telecom but left because I was frustrated with my lack of influence. That was 13 years ago. Then I tried different ways to pursue needed change. Now I am retiring from Commsrisk after admitting my final defeat… or perhaps my final victory. You will need to keep reading to understand.
If I am frustrated with the lack of change in this industry then imagine how much change will ever be effected by the typical American junior manager. In Qatar, I had the opportunity to lobby members of the royal family directly. The typical American fraud manager will be lucky to speak to an actual decision-maker once a year. The difference between senior and junior management is not just measured in wages. It is shown in the freedom to make decisions in order to pursue goals. Consider the clown who still runs fraud management at AT&T. He once wrote an affidavit that said his team’s global fraud hotline had been put out of service because a fraudster made two phone calls to it. What is the seniority of a telecoms manager whose ‘hotline’ cannot handle three phone calls?
We need genuinely senior anti-fraud leaders to drive the fight for better KYC because junior managers are afraid to do anything but follow orders. They are forced to treat KYC as a box-ticking exercise, and as a cost to be minimized. We need people with the experience, imagination and freedom to deviate from a series of prescribed KYC checks if their instincts show it is necessary. They need to be free to talk about crime with counterparts and the authorities, even if it means admitting that mistakes were made in their own business. The confidence to do these things only comes with seniority. We will not get it from junior managers. And we will not get it from Americans, because there are no senior fraud managers in the USA. They only have corporate puppets who say little because the few that really know what they are doing are conscious of the punishment they will receive if they spoke freely.
So if you are tired of reading — and I can hardly blame you, because I am tired of writing — then stop after I make the following point. Somebody needs to demand the recruitment of senior antifraud managers who will push for much more robust KYC than has been the norm in telecoms. That somebody needs to be somebody like you, because I will not do it any more. Doing it involves maintaining a hawk-like eye on powderpuff industry associations like One Consortium who produce many fine words but have delivered nothing that changes the number of people that telcos hire to fight crime, and nothing that changes the seniority of the existing crimefighters within those telcos. They use the word ‘robust’ to describe KYC when a true antifraud professional would use the word ‘sellout’. I tried and I failed (perhaps). Others need to step up.
