When Fighting Financial Crime, a Combination of Approaches is Best
Financial institutions spend significant time, energy and resources fighting fraud. The overall frequency of fraud may be low, but the cost – often a large credit loss or insurance claim – can be severe. In addition to the direct cost, financial institutions bear significant compliance and reputational risks if they are the victim of fraud, as in the case of US Bank’s recent $613M BSA/AML settlement.
To combat fraud, leading companies are implementing fraud prevention procedures that include automated detection processes. The goal of the automated process is typically to flag potential fraud cases for review without flagging legitimate transactions, since false flags create a bad experience for customers and lead to high operating costs.
There are a few ways to implement automated fraud detection, but the most common is to process every transaction through decision logic that either approves the transaction or flags it for manual review. These processes may include the following:
- Off-the-shelf fraud risk scores pulled from third-parties (e.g. from LexisNexis or MicroBilt)
- Predictive machine learning models that learn from prior data and estimate the probability the transaction is fraudulent
- Business rules that set conditions that the transaction must pass to be approved (e.g. no OFAC alert, SSN matches, below deposit/withdrawal limit, etc.)
Fraudsters are constantly adapting to get around whatever process you put in place. Therefore, the best fraud prevention programs typically combine all the above approaches on a fully automated basis. This article discusses the pros and cons of each approach in detail.
Off-The-Shelf Fraud Risk Scores
Fraud risk scores are provided by a range of data providers, each of which has its own niche and area of expertise. Similar to the FICO Score (which serves as a common proxy for credit risk), fraud risk scores serve as a proxy for fraud risk. To automatically pull a fraud score, you typically need to connect to the data provider’s systems (either through their web portal or via their API) and provide personally identifiable information related to the transaction (e.g. Name, Address, Date of Birth, SSN). The fraud score returned is a representation of the risk of the transaction and can usually be mapped to a “probability of fraud” for each score via a table provided by the data provider.
Pros:
- Leverages large, industry-wide datasets
- Typically provides reasonably accurate risk assessments
- Easy and requires no analytical work (similar to using a FICO Score to underwrite credit risk)
Cons:
- Doesn’t fully answer the question of whether the transaction should be approved or denied. For instance, is a 0.01% probability too high? How about 0.1%? 1%?
- Doesn’t consider all relevant information. For example, a U.S. loan application from an IP Address in Nigeria may receive a good score despite obviously being high risk, because IP Address is not necessarily an input to the third-party model.
We’re big proponents of third-party risk scores. For a relatively low cost, they provide access to models trained on large datasets and reasonably accurate risk measurements. However, fraud risk scores are an incomplete solution and usually need to be combined with business rules that set other requirements, thresholds and outputs.
Predictive Machine Learning Models
Similar to third-party fraud scores, predictive machine learning models serve as a proxy for fraud risk and typically output a “probability of fraud” for each transaction. However, whereas third-party fraud risk scores rely on models trained by other companies against industry-wide data, predictive machine learning models are trained by your own company against your own data and can therefore be significantly more accurate when forecasting fraud for your use case. There’s a catch, though – they require extensive historical data and the ability to train predictive models.
Pros:
- Often the most accurate method of identifying fraudulent transactions
- Improve over time with additional data
Cons:
- Training high-quality machine learning models requires significant internal historical data
- Models may be subject to bias based on the nature and quality of historical data
- Must be paired with business logic and rules that set basic requirements and thresholds
The short answer: it depends. Machine learning models are often the most effective tool, but they rely on deep datasets with thousands (or even millions) of historical records. For smaller institutions with limited data available, internal models may be less effective than other predictive tools such as third-party risk scores or basic business rules.
The good news is that the technical work of machine learning is becoming a lot easier with platforms like DigiFi’s Machine Learning Models that make it simple to train models.
Business Rules
Business rules set the conditions under which the transaction will pass and the outputs that will be generated (e.g. messages regarding why the transaction passed or was flagged for review). The rules are typically based on a company’s fraud prevention policies and the decision processes can range from simple (with just a few rules) to complex (with hundreds or thousands of rules).
Pros:
- Implements rule-based requirements with certainty (e.g. the applicant cannot be on a terrorist watchlist, the applicant cannot have previously committed fraud at your institution, etc.)
- Can set thresholds for other risk scores (e.g. flag applications with a greater than 0.1% probability of fraud for review)
- Determines outputs that clarify why the transaction passed or inform a reviewer why it was flagged
Cons:
- Significant effort is required to determine the required business rules, which is often a highly iterative process
- Unless paired with other tools, such as fraud risk scores and predictive models, business rules can result in too many transactions being flagged
Every fraud prevention process should include business rules. The primary challenge is automating this logic in a way that lets you easily adjust it over time. A common solution to this problem is a low-code Business Rules Engine that makes it easy to manage rule-based decision processes.
Putting It All Together
The approaches outlined above can each be effective individually, but achieving best-in-class fraud detection requires putting them together. When we work with clients to automate fraud prevention, we typically aim for a solution that:
- Gathers third-party scores from multiple providers
- Leverages a predictive machine learning model
- Sets basic pass/fail requirements based on rules
- Sets thresholds for the third-party scores and predictive model to flag exceptions
It’s also possible to start simpler and work towards this ideal end-state over time. If that’s your preferred approach, we suggest starting with third-party scores and conservative business rules – it’s certainly better to review a few extra transactions than to accidentally approve a fraudulent one!
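The combined decision logic described above can be illustrated with the following Python example, which is added here and is not DigiFi's code or part of the original article. The field names, provider names, score-to-probability table and amount limit are assumptions constructed for illustration; the 0.1% review threshold and the rule conditions are the ones the article mentions.

```python
from dataclasses import dataclass, replace

# Constructed score-to-probability table (real providers publish their own).
# Each entry is (minimum score, probability of fraud); higher score = lower risk.
SCORE_TABLE = [(800, 0.0001), (650, 0.001), (500, 0.01), (0, 0.05)]
REVIEW_THRESHOLD = 0.001  # flag anything above a 0.1% probability of fraud

@dataclass
class Transaction:  # hypothetical field names
    amount: float
    ofac_alert: bool
    ssn_matches: bool
    applicant_country: str
    ip_country: str
    vendor_scores: dict       # provider name -> raw third-party score
    model_probability: float  # output of an in-house model, assumed given

def score_to_probability(score):
    """Map a raw third-party score to a probability via the provider table."""
    for floor, probability in SCORE_TABLE:
        if score >= floor:
            return probability
    return SCORE_TABLE[-1][1]  # below every band: treat as the riskiest band

def decide(txn, amount_limit=10_000):
    """Return ("approve" | "review", reasons) for one transaction."""
    reasons = []
    # 1. Hard pass/fail business rules.
    if txn.ofac_alert:
        reasons.append("OFAC alert")
    if not txn.ssn_matches:
        reasons.append("SSN mismatch")
    if txn.amount > amount_limit:
        reasons.append("amount above limit")
    # Covers data the third-party score may not see (the IP address case).
    if txn.ip_country != txn.applicant_country:
        reasons.append("IP country differs from applicant country")
    # 2. Thresholds on each third-party score and on the in-house model.
    for provider, score in sorted(txn.vendor_scores.items()):
        probability = score_to_probability(score)
        if probability > REVIEW_THRESHOLD:
            reasons.append(f"{provider} probability {probability:.2%} above threshold")
    if txn.model_probability > REVIEW_THRESHOLD:
        reasons.append(f"model probability {txn.model_probability:.2%} above threshold")
    return ("review" if reasons else "approve", reasons)

# Constructed sample transactions.
CLEAN = Transaction(2500.0, False, True, "US", "US",
                    {"provider_a": 820, "provider_b": 700}, 0.0004)
FOREIGN_IP = replace(CLEAN, ip_country="NG")  # good scores, mismatched IP
RISKY = replace(CLEAN, vendor_scores={"provider_a": 510}, model_probability=0.02)
```

Every reason string is returned to the caller, so a reviewer sees why a transaction was flagged rather than only that it was.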
DigiFi is a technology company that helps businesses make better automated decisions.
Our platform lets businesses easily use automated machine learning and rules management to optimize critical decisions with no coding or technical expertise required. Repetitive work that used to take hours can now be completed in minutes, letting your team focus on what matters most.