Introduction to fraud management
Over the past decade, there has been a steady shift of daily activities online. This has been accelerated by the COVID-pandemic, which led to significant growth of electronic payments. Globally two-thirds of adults have sent and received money digitally . At the same time, criminals have been taking advantage of this growth combined with people’s digital immaturity. Losses from financial fraud and scams have more than tripled in the last decade (from $9.8Bn in 2011 to $32.4Bn in 2020 ). It is projected that there will be another $343Bn lost over the next five years . The financial industry can no longer ignore the threat to banks, payment services providers (PSPs) and their customers.
Nowadays, the integration of intelligent and scalable solutions into legacy systems, (eg transaction monitoring engines leveraging on machine learning or cloud-based platforms), is a core need for anti-fraud units in banking and PSPs at any level. The damages from fraud are not limited to financial loss. Reputational harm for financial institutions and legal and regulatory sanctions can cause equal or even greater damage.
Fraud comes in many forms:
- Credit/Debit card fraud. Attackers steal PIN codes by phishing, social engineering, or massive data leaks. On rare occasions cards are physically cloned or defrauded (Card-present frauds), while in most cases money is stolen through online payments or P2P services (Card-not-present frauds);
- Online transaction fraud. Attackers obtain home banking credentials or install malware directly on a victim’s device, defeating MFA authentication and transferring money directly to their own accounts;
- Scams: Attackers convince the victim to make a payment or a transfer through social engineering tactics. Some do not include ‘scams’ in the definition of fraud as it is the victim themselves that make the transactions;
- Bust-out frauds: Attackers don’t target individuals, they adopt a stolen identity or establish a fake company in order to get access to a bank line of credit (eg credit card) with no intention of repaying the balance or debts.
Banks and PSPs adopt defence in depth with multiple lines of defence. These are usually spread across processes and departments. Generally speaking, we can identify three key macro-processes in fraud management:
Challenges in traditional fraud management
Figure 1 Traditional fraud management process
Historically, fraud management has relied heavily on human domain expertise. Human involvement has been needed both in the governance of the anti-fraud system and in operations, such as alert investigation and fraud reporting. Only in recent years have advanced data-driven technologies been integrated to enhance the overall process. These not only automate repetitive manual tasks, but also support analysis and critical functions, like fraud response and recovery.
Increasing volumes of digital payments have required anti-fraud processes to adapt to larger workloads. Technology infrastructure has had to scale-up on huge amounts of transactional data, easily classifiable as big data.
In addition, fraud detection requires real-time processing. For any transaction, the fraud risk needs to be estimated and a decision made to alert or block in at most a few milliseconds to guarantee a frictionless customer experience. This has forced the banking and payment industries to make significant technological investments. Even so, barring a few innovative cases, the traditional anti-fraud model has not evolved. It has remained mainly rule-based, requiring high levels of manual intervention.
A rule-based transaction monitoring system makes use of simple conditions to approve, alert or deny a payment (eg “block if more than 3 transfers and total amount exceeding €1000 in the last 10 minutes”). Traditional business rules work easily in a real-time fashion and they can be configured quickly and simply in reaction to emerging fraud patterns or experienced losses. However they have limitations.
Thresholds are essentially static. Fraudsters can learn to guess their values simply by making multiple attempts. They always act the same for all customers in any situation.
This approach is not well-suited for the dynamic nature of both financial and cyber-crime activity, which evolve rapidly. Fraud schemes and counter-strategies adapt to each other continuously. Whereas purchasing habits of customers may vary markedly between social groups and over time but follow fairly predictable commercial trends and the economic climate.
Human expertise still predominates when defining business rules. Continuous maintenance and calibration is needed to keep rules up-to-date with new trends. These are generally expensive tasks in terms of time and effort, especially considering the hundreds of rules that make up a fraud detection policy.
Legacy solutions also suffer from high rates of (false positive) alarms caused by sub-optimal or outdated rules and the typically low risk appetite of fraud management units. False alarms not only cause friction for the customer, they also present a challenge for ex-post activities, such as fraud monitoring and investigation tasks and verification with the customers by contact units. These processes are typically manual, often leveraging fraud specialists’ domain experience and acumen, which, whilst very accurate on a single suspicious case, is not scalable to huge volumes of alarms.
Therefore a backlog of, often non-prioritized, alerted transactions continually accumulates. Fraud analysts lack the capacity to handle all cases, and so this inevitably leads to increased critical time-to-reaction to fraud events allowing malicious payments to slip through the cracks.
Furthermore, fraud reporting activities, which are also key for fraud management to keep control of attack trends and economic losses, have recently seen a growing adoption of business intelligence and analytics tools. These ease data aggregation and visualization activities, while the decision-making remains mostly an exclusive prerogative of experienced fraud managers.
AI-driven Fraud Detection
Most of the challenges we have described above involve optimization or automation of critical decision making, often done in real-time or near real-time. Artificial intelligence is well suited to these use-cases and guarantees scalability that human effort cannot. In particular, among fraud management macro-processes, fraud detection is the field where AI shines and where it provides the most significant advantages.
From a data science perspective, fraud detection is essentially a machine learning problem.
The aim is to identify fraudulent transactions from the genuine ones. This can be based on past examples of malicious patterns (supervised classification) or targeting suspicious behaviours as they differentiate from the normal habits of bank customers (anomaly detection).
AI and ML algorithms, running on a sufficiently high-performance architecture, can provide sufficiently short response times to process data-driven decisions on massive volumes of transactions in real time. This can limit the need for human intervention and responsibility to focusing only on really difficult or potentially high impact cases.
AI also handles the dynamic evolution of fraudulent patterns and the digital payment environment. It is able to recognize phenomena such as concept drift before they lead to performance decay. Then, ML models can be refreshed by several strategies (eg windowing or online learning) to incorporate new data and ‘forget’ outdated ones.
The need for a lot of sample data to train and test fraud detection models is however a challenge. This conflicts with the intrinsic scarcity of fraud (technically speaking, class imbalance), which are (luckily!) few in number in comparison with the great majority of legitimate operations. Outlier detection algorithms which exploit the anomaly of suspicious transactions (eg Isolation Forest, Local Outlier Factor), or rebalancing techniques (eg under/over-sampling) and robust classification models (eg XGBoost Tree or Random Forest endowed with cost-sensitive criteria) have proven suitable to address this challenge.
Another obstacle in adopting AI for fraud detection concerns understanding why a transaction is flagged as suspect by a black-box model; for this problem eXplainable Artificial Intelligence (XAI) can help. XAI techniques, such as meta-learning, can be used to train a second model that is able to discriminate within real-time model outcomes, helping further manual investigation with additional information.
Fraud detection is a non-trivial challenge. It needs both advanced technical experience and specific business knowledge to effectively leverage AI and improve a financial institution’s fraud detection process. The deep complexity of fraud detection requires that close attention is paid in all implementation stages, from model design and development to production deployment.
Additionally, MLOps practices should be adopted for ongoing maintenance and monitoring to ensure high-performance throughout the solution life-cycle. Whilst challenging, this is certainly less expensive than the risk of loss due to inefficient fraud management.
How can AI boost fraud management?
The adoption of AI in fraud management, and particularly in fraud detection, can be a game-changer for banks and PSPs in their battle against fraudsters.
AI benefits are not limited to countering frauds to reduce economic loss for financial institutions and their clients. They also enable several key capabilities for a modern anti-fraud system, improving the overall process performance and ultimately saving costs by efficiently focusing the manual effort of fraud specialists.
Figure 2 Where AI could bring a boost to the fraud management process
The table below details typical use-cases for AI enabled solutions, with a particular focus on the impact and benefits on key fraud management processes.