Fraud is endemic to the global payments system, and the tools that financial institutions have historically used to fight it are marginal at best. Instead, a hybrid approach using multiple analytic methods, including link or network analysis, to identify suspicious behavior at the transaction, account, customer and network levels provides the greatest return on an institution’s investment.
This hybrid approach builds on traditional methods to create a more holistic way of viewing a customer or account to reduce false positives and generate higher quality alerts. It is also better suited to the way fraud occurs – sometimes it is an isolated “one off” event, while other times it is an organized and sophisticated attack by criminal organizations.
Looking beyond traditional fraud patterns
For almost every fraud type – counterfeit payment instruments, synthetic identities, bust-outs – there is some type of organization behind it, leaving telltale clues throughout its account and card applications, charges or payment behaviors. Clues exist in the provided addresses, phone numbers and places of business. With advanced analytics, fraud specialists can identify fraud earlier – even before the fraud occurs – thus eliminating or minimizing losses, and can better understand the fraud’s full nature, such as whether a fraudster is operating independently or as part of a larger organized fraud ring.
Rules and anomaly detection are certainly helpful, but both of these monitoring methods tend to generate a high level of false positives, which can range up to 90 percent of transaction alerts. Predictive models, in contrast, use past fraud patterns to identify current account activity that appears similar. They provide a predictive assessment, prior to fraud execution, of activity that may be the start of fraud.
Since these methods – rules, anomaly detection and predictive models – tend to focus on individual accounts and transactions, they can miss the broader connection between multiple accounts and customers using similar data points such as the same address, phone number and employer names.
That’s where network analysis plays a part – identifying indirect links between two or more entities. The linkages between multiple customers and accounts can potentially be a piece of a broader organized fraud ring bust-out scheme. The fraud ring may use the same address, email address, or phone number to “manage” all of the accounts involved in a bust-out.
For example, in one situation, nine people over a 12-month period opened credit card accounts with a single bank. All accountholders provided the same employer phone number at application. Several accounts busted out before others were opened. As the bank assessed the creditworthiness of individual customers, it never realized the link between the various individuals. After the bust-outs occurred, investigation revealed that the phone number belonged to a small construction materials supplier that had no website, an odd location and address for this type of business, and no corporate records on file – a sign of a possible front company. If this connection had been identified earlier, it may have allowed the bank to perform better due diligence on card applications after the initial bust-outs and monitor the remaining open accounts more closely.
A true hybrid approach identifies the linkages and associations between the various accounts and integrates that information with the more traditional rules and analytics to better score risk, prioritize alerts, reduce false positives, increase the efficiency of investigators and reduce fraud losses.
What it takes to use a hybrid approach
One of the best aspects of using a hybrid approach is that banks don’t have to search for fraud in a single way. Instead, institutions can choose the best method or combination of methods to identify the specific fraud. Banks can execute network analysis in two ways – “top down” or “bottom up”.
The “top down” approach analyzes all available data – addresses, phone numbers, credit reports, employee IDs, social security numbers, demographic info, types of credit held, lending data, “hot files” and criminal records – to generate network-level alerts. Investigators can then investigate the networks to determine the existence of organized fraud activity and manage the risk accordingly.
With the “bottom up” approach, fraud investigators start with the alerts generated by their existing tools (rules and anomaly detection) and run network analytics on these alerts to refine the risk score based on account and customer associations. When a link with a known fraudster is found, the risk score goes up and alerts go out. When a financial institution closes one account, it tips off fraudsters, who will frantically bust out the remaining accounts before they are closed. With network information, the investigator can identify related accounts and close them at the same time.
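The shared-identifier linking described earlier and the “bottom up” score refinement can be sketched together as follows. This is an added example, not code from the original article; the field names, sample applications, base scores and the boost value are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample applications (not real data): id, employer phone, address, rule score.
APPLICATIONS = [
    {"id": "A1", "employer_phone": "555-0100", "address": "12 Elm St", "score": 20},
    {"id": "A2", "employer_phone": "555-0100", "address": "9 Oak Ave", "score": 15},
    {"id": "A3", "employer_phone": "555-0199", "address": "9 Oak Ave", "score": 10},
    {"id": "A4", "employer_phone": "555-0142", "address": "3 Pine Rd", "score": 55},
    {"id": "A5", "employer_phone": "555-0177", "address": "7 Birch Ln", "score": 5},
]
LINK_FIELDS = ("employer_phone", "address")  # assumed linking attributes

def link_networks(apps, fields=LINK_FIELDS):
    """Group accounts that share any link-field value, directly or indirectly."""
    parent = {a["id"]: a["id"] for a in apps}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}  # (field, normalized value) -> first account carrying it
    for a in apps:
        for f in fields:
            key = (f, a[f].strip().lower())
            if key in first_seen:
                parent[find(a["id"])] = find(first_seen[key])
            else:
                first_seen[key] = a["id"]

    groups = defaultdict(set)
    for a in apps:
        groups[find(a["id"])].add(a["id"])
    return [g for g in groups.values() if len(g) > 1]

def refine_scores(apps, known_fraud, boost=50):
    """Bottom-up step: raise the score of accounts linked to a known fraud account."""
    scores = {a["id"]: a["score"] for a in apps}
    related = set()
    for net in link_networks(apps):
        if net & known_fraud:
            related |= net - known_fraud
    for acct in related:
        scores[acct] = min(100, scores[acct] + boost)
    return scores, related
```

A3 never shares a phone number with A1, yet it lands in the same network through A2’s address; that indirect link is what account-level rules miss.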
The hybrid approach is part of the FFIEC’s updated guidance and has been widely discussed at many of the recent financial services summits and conferences. What is your firm doing to implement this strategy? What are some of the challenges in technology and resources that you are struggling with?