For banks looking to make employees more vigilant around issues of fraud and cybersecurity, the carrot seems to work better than the stick.
Take Happy State Bank in Amarillo, Texas, for instance. About three years ago, the $3.3 billion-asset bank implemented a fraud squad rewards program after realizing that employees were being recognized for this through its outstanding customer service recognition initiative.
But the bank wanted to ensure that employees knew fraud prevention was part of their daily duties, not something extra provided to customers, said Renee McNeely, the bank’s director of human resources.
“It’s part of their daily job, but also commendable,” McNeely said. “This is why we started a separate program.”
When an employee at Happy State flags a concern, such as identifying irregularities with a check or catching possible identity theft, a branch manager can nominate that person to be recognized, said Jared Blake, bank officer and lead of the bank’s debit card team. If the operations side of the bank confirms that fraud was actually found, then that employee receives an extra $25 in their next paycheck and first-time fraud stoppers get a “fraud squad t-shirt.”
“Banks try to be vigilant, but this is a way to give even more recognition for saving the bank money and saving the customer money,” McNeely said.
McNeely estimates that the program has saved the bank and its customers almost $822,000 since it began.
Happy State and other banks on our Best Banks to Work For list turned to positive reinforcement to encourage employees to stop suspected fraud and cybersecurity threats. That approach still remains a novelty within the security industry, experts said.
Sean Sposito, an analyst in the fraud and security practice at Javelin Strategy & Research, has heard of a company cutting off internet access to employees who failed one of its regular phishing drills.
Happy State’s use of rewards, rather than punishments, to encourage vigilance hints at its broader culture, McNeely said. Employees don’t have to fear admitting to a mistake.
“No one wants to spend 40 hours a week in fear. Instead, we take opportunities to reward hardworking employees when they do something right,” McNeely said. “By choosing to emphasize reward over rebuke, our employees are not only happy to come to work each day, they also feel empowered to make suggestions and go above and beyond.”
These programs also help raise awareness of potential risks with all employees at the bank, experts said. Besides the t-shirts and bonuses, Happy State also highlights the employee’s success at preventing fraud in a companywide email.
“Fraudsters are continually evolving their tactics,” McNeely said. “Employee can read these reports and realize that they may need to be looking for those kind of scams. There’s always something new.”
Being cautious and risk adverse isn’t enough to prevent fraud and cybersecurity breaches, said Ron Shevlin, director of research at Cornerstone Advisors. Everyone in the bank must be given the tools to keep customer data safe, Shevlin said.
More Best Banks to Work For coverage:
“I would make sure that all of the policies and procedures you set up reaches all of the departments,” Shevlin said. “Too often there’s a management team that says cybersecurity is the IT department’s problem. There are specific roles for security processes that every department plays. Things that even the board of directors needs to do.”
Cybersecurity awareness needs to go beyond training and include regular practice, Sposito said. For instance, banks might send out regular phishing tests to see if employees click on emails they shouldn’t. Management teams could reward employees who successfully report the suspicious email to the correct department.
“Cybersecurity awareness shouldn’t just be those training modules,” Sposito said. “It should be more intelligent than that.”
At Cape Cod Five Cents Savings Bank in Harwich Port, Mass., employees who stop fraud are given a spot bonus and a letter of thanks from the bank president. The $3.3 billion-asset bank uses a variety of ways to report cybersecurity issues, such as including a fishing hook symbol in emails to report a potential phishing attempt.
Employees can also flag threats through the bank’s loop reports, which are reviewed by a team at the bank and then passed onto the appropriate department.
“Especially in egregious situations where fraudsters are attempting to defraud customers, it reinforces how important their role as an employee is in protecting customers,” said Chris Richards, senior vice president and chief banking services officer at Cape Cod Five Cents. “It’s a way to say thank you and it’s a way of helping other employees remain vigilant about spotting other fraudsters.”