Digitization in the banking sector is ushering a brave new world of business opportunities ranging from new business channels and business models to streamlined, more cost-effective operations. However, those benefits are ‘price matched’ with certain risks — non-compliance, data breaches and more importantly a new quality level of sophisticated fraud.
Between 2015 and 2018, 60% of global banks have experienced an increase in fraud volumes and frequency:
As the chart above illustrates, card-not-present (CNP) and online fraud, in particular, have gained the most traction globally. According to the European Central Bank, CNP fraud reached €1.32 billion and accounted for as much as 73% of the total value of card fraud losses in 2016.
Personal data theft and its subsequent usage for creating synthetic identities — an elaborate scheme that assumes using a combination of real and fake, or entirely fake information to build a credit score and apply for loans — has been identified as the fastest-growing financial crime in the US in 2019. The staggering fact is that between 85% and 95% of synthetic identity applications are never picked up by traditional fraud detection analysis.
What’s even more problematic is that most financial organizations manage to recover less than 25% of their fraud losses within a year. Clearly, that’s a strong call for incorporating better fraud detection techniques in banks.
Rule-Based vs Machine Learning Fraud Detection: Why It’s Time to Switch Gears
Rule-based fraud detection systems, commonly used by financial organizations today, are intended to detect on-surface fraud indicators, e.g.: a large volume of transactions, multiple failed PIN code attempts, etc. They operate using an “IF X happens, THEN Do Y” logic, based on the set of rules and fraud scenarios, created by a human analyst. On average, banks apply around 200–300 different rules to verify the legitimacy of a transaction. Still, while the rule number may seem high, it is by no means comprehensive.
The biggest downside of the rule-based systems is that they are too straightforward — new threats require new rules. You have to explicitly program such systems to account for new types of banking or e-commerce fraud, for instance. Considering that cyber threats are getting more sophisticated and are evolving at breakneck speed, a lot of organizations need to play ‘catch up’. In other words, they are not tackling transaction fraud detection proactively. Instead, they are waiting for the precedent to emerge and then formalize it as a new rule. The human factor also comes into play here: an analyst responsible for creating new rules can provide incorrect and incomplete instructions to the system, further sabotaging its effectiveness.
Finally, rule-based systems are losing their relevance in the wake of expanding customer digital identities and the scope of interactions an average person now has online.
According to the illustration above, consumers utilize a multitude of payment methods and services:
- They interact with businesses online through multiple touchpoints, as well as have offline interactions.
- At the same time, the average person often treats imposed data security rules carelessly and fails to follow the necessary precautions if those are too bulky or complex.
- They often sign up for subscriptions and share sensitive data with unverified third parties, creating additional security loopholes that could be exploited.
Protecting customer’s digital identities in omnichannel banking is the new key area of concern for banks in the coming decade. It’s a challenging one too because financial institutions are under three-way pressure:
- They need to meet new compliance requirements (GDPR, PSD2, FATCA, AMLD5, etc.)
- They also need to proactively combat new types of fraud such as usage of false digital identities.
- And yet, they have to solve both of these issues without resorting to heavy-weight security approaches that would alienate customers who camp for seamless UX/CX.
Leveraging machine learning to detect fraud is proving to be the only effective way of meeting all those demands at once. Taking the ‘rule creation’ task away from human analyst to unsupervised learning/supervised learning algorithms means that you no longer need to brainstorm every possible fraud scenario — the AI will do that for you with much higher accuracy.
Machine learning algorithms can be dispatched to comb through all your datasets (with only partial instructions being given), analyze the different variables and establish repeating patterns that may signal an anomaly (fraud) or, on the contrary, define a perfectly acceptable transaction/behavior.
An ML-powered fraud detection application will also be capable of creating personalized security rules for different types of users, by assessing their digital identity through five different dimensions:
- Personal identity information
- Devices used
- Usual payment and business behavior
For instance, to reduce volume of e-commerce scam, a retailer can remove additional security steps for customers, who have already verified their identity or always log in from the same location. Alternatively, retailers can dynamically impose additional steps whenever a fraudulent device login is detected, and some unusual payment behavior takes place.