In my experience as a fraud prevention consultant, I constantly have discussions with financial institutions and with fraud prevention managers of different profiles, each with its own way of visualizing fraud and thus its own strategy to reduce it. The fact is that, regardless of the institution and the fraud manager’s profile, there are three key considerations to be given before deciding how to deal with fraud, keeping in mind that it is virtually impossible to eliminate:
1. How much fraud currently exists in the institution? Or in other words, how much money is the institution losing because of fraud?
2. How much money could be lost? This depends on the fraud risk map.
3. What is the “acceptable” level of fraud?
The answers to these questions help in proposing an effective prevention strategy and in implementing a plan to achieve visible results quickly, allowing companies to see a real return on their investment.
A large percentage of financial institutions have adopted a rule-based system to stop transactions that match certain fraudulent behavior. Fraudsters do not act according to a fixed set of rules; in fact, they are very good at finding where a rule is vulnerable in order to avoid detection and execute their fraud operation successfully.
Here’s an example of this concept: The credit card of a financial institution’s customer was cloned. The card was used in a part of the country where the risk of fraud was relatively low. Between 5 and 10 minutes later, the card was used in another part of the country to buy an appliance. Because appliances and electronics are very easy to sell, this transaction is considered to be high risk. The financial institution contacted the client to confirm that he had not executed the purchase, and the bank proceeded to block the card. Here are the two main takeaways from this incident:
1. The time between one transaction and the other is very short in relation to the distance that the client had to travel.
2. Typically, the purchase of an appliance or electronics is a high-risk transaction.
The fraud was detected post-mortem. The rule-based system detected the issue with the distance and also the article being purchased. The transaction was classified as high risk and an alert was issued for a fraud prevention operator to manage. The operator called the customer by telephone, confirmed the fraud and blocked the card. However, note that the fraud was fully executed.
Now, what would have happened if the purchase of the appliance had been made 30 minutes, or several days, later? The rule about distance and time would not have been violated, and the transaction would not have been classified as high risk. Possibly a medium-priority alert would have been issued, it would not have been managed fast enough, and several more fraudulent transactions could have taken place.
In a rule-based system, a transaction can be evaluated by an extensive set of rules that add to or subtract from a score depending on the nature of the transaction. Additionally, the thresholds are based on the experience and/or perception of the fraud expert within the organization who configures them. If the score exceeds the threshold, an alert is issued. These thresholds require periodic tuning by the fraud manager/expert or fraud organization of the financial institution, or perhaps by a machine learning technology that replaces him/her. As a result, the following questions should be taken into account:
1. What percentage of the rules are really effective?
2. What percentage of rules have not forced an alert even once?
3. What percentage of rules are causing high false positives?
4. What thresholds are not working correctly?
5. How often should the expert tune these thresholds?
These questions are difficult to answer, because they depend mainly on the experience of the fraud expert and the thresholds configured to throw a manageable quantity of alerts.
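
The additive scoring described above and the first three audit questions can be made concrete with a short sketch. This is an added example, not code from any product the article refers to; the rule weights, the 15-minute window, the threshold of 70, the `night` rule and all transactions are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    when: datetime
    region: str
    category: str
    fraud: bool = False   # label confirmed afterwards (constructed data)

THRESHOLD = 70            # hypothetical value, hand-tuned by the fraud expert
HIGH_RISK = {"appliance", "electronics"}

def velocity(prev, cur):  # another region within 15 minutes of the last use
    near = prev and cur.when - prev.when <= timedelta(minutes=15)
    return 50 if near and cur.region != prev.region else 0

def category(prev, cur):  # goods that are easy to resell
    return 30 if cur.category in HIGH_RISK else 0

def night(prev, cur):     # hypothetical rule that never matches this data
    return 20 if cur.when.hour < 5 else 0

RULES = {"velocity": velocity, "category": category, "night": night}

def score(prev, cur):     # returns (total, {rule name: points}) for fired rules
    fired = {n: pts for n, fn in RULES.items() if (pts := fn(prev, cur))}
    return sum(fired.values()), fired

def audit(history):
    """Per rule: (times fired, share of firings on legitimate transactions)."""
    stats = {n: [0, 0] for n in RULES}
    for prev, cur in history:
        for n in score(prev, cur)[1]:
            stats[n][0] += 1
            stats[n][1] += not cur.fraud
    return {n: (f, fp / f if f else None) for n, (f, fp) in stats.items()}

# Constructed transactions modelled on the cloned-card incident above.
t0 = datetime(2024, 1, 10, 14, 0)
first = Txn(t0, "north", "grocery")
after_8 = Txn(t0 + timedelta(minutes=8), "south", "appliance", fraud=True)
after_30 = Txn(t0 + timedelta(minutes=30), "south", "appliance", fraud=True)
HISTORY = [(first, after_8), (first, after_30), (None, first),
           (None, Txn(t0, "north", "appliance")), (None, Txn(t0, "north", "electronics"))]

for cur in (after_8, after_30):
    total, fired = score(first, cur)
    print(cur.when.time(), total, fired, "ALERT" if total > THRESHOLD else "no alert")
print(audit(HISTORY))
```

The same fraudulent purchase scores 80 at 8 minutes and 30 at 30 minutes, so only the first exceeds the threshold. The audit shows one rule that never fired and one whose firings are half false positives.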
Predictive analytics is a result of the evolution of data analysis: it started with reporting and data analysis using Business Intelligence and Performance Management, moved on to finding patterns and unknown relationships with Data Mining, and then to trying to predict, in an intelligent manner, how likely an event is to occur in the future based on what happened in the past, with Predictive Analytics.
Without a doubt, the most important feature of a fraud prevention transaction monitoring system is the ability to predict with a high degree of confidence whether the transaction being analyzed is fraudulent or not. Using predictive analytics, it is possible to improve the decisions made about a transaction, or in other words, to improve an operational decision. This is made possible by existing mathematical algorithms that can determine the variability in a customer’s transactional behavior and how far a given transaction deviates from the population of that particular customer’s transactions. In this model there is no expert intervention. In fact, this kind of model is already in use: typically, the sales organization of a financial institution already has systems that classify a customer and offer products or services according to their profile, with the goal of increasing the customer’s lifetime value.
On a related note, it is common knowledge that there are fraud patterns that should be stopped. When fraudulent behavior is known and proven, developing policies and controls that prevent it from happening again is a must.
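
The idea of measuring how far a transaction deviates from that customer's own transaction population can be sketched as follows. This is an added example using a simple statistical stand-in (robust z-score plus rarity), not a trained predictive model and not code from the article; the amounts, regions and categories are constructed assumptions.

```python
import math
from statistics import median

def profile(history):
    """Summarise one customer's own transactions."""
    amounts = [t["amount"] for t in history]
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts) or 1.0   # guard: constant amounts
    counts = {"category": {}, "region": {}}
    for t in history:
        for key in counts:
            counts[key][t[key]] = counts[key].get(t[key], 0) + 1
    return {"n": len(history), "med": med, "mad": mad, **counts}

def rarity(p, key, value):
    """Surprise in bits of `value` for this customer, with add-one smoothing."""
    seen = p[key].get(value, 0)
    return -math.log2((seen + 1) / (p["n"] + len(p[key]) + 1))

def deviation(p, txn):
    """Robust z-score of the amount plus rarity of category and region."""
    z = abs(txn["amount"] - p["med"]) / (1.4826 * p["mad"])
    return z + rarity(p, "category", txn["category"]) + rarity(p, "region", txn["region"])

# Constructed history for one customer who shops locally for small amounts.
HISTORY = [{"amount": a, "category": c, "region": "north"} for a, c in [
    (25, "grocery"), (40, "fuel"), (32, "grocery"), (55, "grocery"),
    (28, "fuel"), (47, "grocery"), (36, "fuel"), (30, "grocery")]]
P = profile(HISTORY)
USUAL = {"amount": 35, "category": "grocery", "region": "north"}
APPLIANCE = {"amount": 900, "category": "appliance", "region": "south"}

print(round(deviation(P, USUAL), 2), round(deviation(P, APPLIANCE), 2))
```

Elapsed time is not an input here, so the appliance purchase stands out from this customer's profile whether it happens 8 minutes, 30 minutes or several days after the previous transaction.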
Risk Based Authentication
A very useful fraud detection strategy is risk-based authentication, which allows the client to be part of the fraud prevention cycle. If the client is involved in the decision to authorize or reject a high-risk transaction in real time, the prevention cycle is going to be more effective. Why? First, it will be definitive and accurate. And second, it will improve the customer experience and reduce operating costs, since the alert is managed by the customer. Using multi-factor authentication technology in conjunction with scoring the risk of a transaction empowers the client to be the final “approver” of a transaction, thus preventing fraud.
Without a doubt, it is the combination of these institutional policies, a heuristic engine based on predictive analytics to detect known patterns of fraud, and risk-based authentication that allows financial institutions to best detect, manage and reduce fraud without significantly increasing the operating cost.