Fraud Prevention Engine - Beyond Cyber Security

People make transactions with their credit/debit cards and bank accounts online, over the phone and in stores. Many entities are involved in these transactions, such as merchants and financial institutions. When fraudsters carry out these transactions, these companies lose a lot of money.

  • Companies have to refund the cost of goods
  • They bear the operational cost of fraud determination and investigation
  • Customer experience suffers and brand reputation is damaged
These financial institutions and merchants have fraud operations teams and solutions to detect fraud early and reduce the losses.

Fraud determination is not an easy process

  • Not all merchants are equipped with all security solutions
  • Not all e-commerce websites/apps validate customers in a totally secure way
  • Not all merchants' POS devices are chip enabled; some use manual entry mechanisms
  • Card details can be stolen and used by fraudsters, and it is hard to differentiate between a real user and a fraudster with valid details
  • People move and do not always shop at the same place. Their spend patterns also change regularly with their life needs
  • Merchants could be committing fraud
  • Customer might be committing fraud and disputing falsely
There are many scenarios, and if merchants or financial institutions put strict rules in place and start declining a lot of genuine transactions based on thresholds or abnormal patterns, customer experience will suffer and they will lose business.

Fraud Decision Solution

The InsightLake fraud decision solution combines ML/Deep Learning models with business rules to detect fraud in real time (milliseconds). The solution allows the fraud ops team to provision business rules on different segments, and to provision new ML models or customize existing ones using an intuitive UI.

Parallel Execution Unit/Workflow

For a new authorization, score determination happens in parallel using a tiered scoring/decisioning process. Each determination unit/workflow can contain many parallel rules/models. Multiple units/workflows can run in parallel, utilizing the power of Kafka and the Big Data environment. One unit could be the main unit and the others experimental. After monitoring the outcome, if an experimental unit performs better, it could be promoted to main unit.

Segments

During a transaction many entities are involved. InsightLake creates and maintains profiles for these entities, including their reputation, scores, risk and usage. Some of the entities are listed below.

Location - (IP Address, Gateway IP in calls, Country, State, City, Zip)
  • Reputation - InsightLake tracks the reputation of a location based on past incidents or through black lists. For online transactions, because IP addresses can be spoofed, scoring weights are assigned accordingly.
  • Anomaly - Location anomalies are detected using ML models and rules. The current user location and past locations in time-bound windows are checked along with the user's transaction patterns at known locations.

Device - (Computer, Mobile, POS, Caller IDs)
  • Reputation - As with location, device reputation is maintained along with black lists. MAC addresses, device IDs, caller IDs and serial numbers/IDs are used in the device profile, and reputation scores are created and maintained. Device reputation scoring uses a variety of attributes such as EMV Chip, Trusted Carrier, Known patterns etc.
  • Anomaly - Device anomalies are detected using ML models and the user's device usage patterns.

Channel - (Call, SMS, Website, Store)
  • Reputation - The channel profile/reputation is maintained and updated regularly to detect any hacking or fraudulent behavior. In case of website hacking, an agent committing crime or other known fraud scenarios, channels can be temporarily blacklisted to avoid further damage.
  • Anomaly - The user's past patterns in using channels are checked for any deviation.

Agent/Station
  • Reputation - As with location, device reputation is maintained along with black lists. MAC addresses, device IDs, caller IDs and serial numbers/IDs are used in the device profile, and reputation scores are created and maintained. Device reputation scoring uses a variety of attributes such as EMV Chip, Trusted Carrier, Known patterns etc.
  • Anomaly - ML models are used to track the agent/station's past patterns with a given customer.

Merchant
  • Reputation - The merchant profile is maintained with information such as number of seasonal transactions, transactions with a given customer, disputes, types of security provisioned etc.
  • Anomaly - ML models detect a given customer's shopping pattern at the merchant, taking seasonality into account.

Customer
  • Account Profile - The customer account profile captures how risky the customer is, their past behaviors, fraud incidents on the account etc.
  • Behavior Anomaly - Customer purchase patterns along with behavior models are utilized to determine whether the customer's transaction is genuine. Utilizing Customer 360 and life events, InsightLake allows finer determination of the appropriate transaction cycle connected to past purchases.

Transaction
  • Thresholds - Thresholds enable pre-defined business checks, such as similar items purchased many times in a given window, which are some of the known fraud patterns.
  • Anomaly - Seasonal anomaly detection is performed and mapped against the past 6 month transaction trend.

SLA Management

An SLA must be defined for each execution unit. If a rule/model takes too long, the final decision unit needs to skip that output and use a pre-provisioned outcome/action.
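The SLA behaviour described above, sketched as an added example (not InsightLake code): components of one execution unit run in parallel, and any that miss the deadline are replaced by their pre-provisioned score. The component names, scores, the 0.8 decline threshold and the max-score combination are all assumptions made for illustration.

```python
import time
from concurrent.futures import ThreadPoolExecutor, wait

# Hypothetical rules/models; each returns a fraud score between 0 and 1.
def velocity_rule(txn):
    return 0.9 if txn["count_last_hour"] > 5 else 0.1

def geo_rule(txn):
    return 0.7 if txn["country"] != txn["home_country"] else 0.0

def slow_model(txn):
    time.sleep(0.6)          # simulates a model that misses the SLA
    return 0.2

# (name, function, pre-provisioned score used when the component is skipped)
COMPONENTS = [
    ("velocity_rule", velocity_rule, 0.5),
    ("geo_rule", geo_rule, 0.5),
    ("slow_model", slow_model, 0.5),
]

def run_unit(txn, components, sla_seconds):
    """Run all components in parallel and decide within the SLA."""
    pool = ThreadPoolExecutor(max_workers=len(components))
    futures = {pool.submit(fn, txn): (name, fallback)
               for name, fn, fallback in components}
    done, _ = wait(futures, timeout=sla_seconds)
    # Do not block the decision on stragglers; they finish in the background.
    pool.shutdown(wait=False, cancel_futures=True)

    scores, fallback_used = {}, []
    for fut, (name, fallback) in futures.items():
        if fut in done and fut.exception() is None:
            scores[name] = fut.result()
        else:
            # Late or failed component: skip its output, use the provisioned one.
            scores[name] = fallback
            fallback_used.append(name)   # feeds execution monitoring
    # Assumed combination: decline if any component scores 0.8 or higher.
    decision = "decline" if max(scores.values()) >= 0.8 else "approve"
    return decision, scores, fallback_used

if __name__ == "__main__":
    txn = {"count_last_hour": 2, "country": "US", "home_country": "US"}  # constructed sample
    print(run_unit(txn, COMPONENTS, sla_seconds=0.2))
```

The `fallback_used` list is what an ops team would chart to see which rules/models are missing the SLA.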

Execution Monitoring

Rules and models are part of an execution unit. InsightLake enables monitoring of execution units and their components. The ops team can check rule/model performance, execution timing and when a rule/model is missing the SLA. This helps in optimizing models/rules or the complete execution unit.

Reduce False Positive Rate

  • Not every anomaly should result in a decline
  • If an anomaly is detected, we should check its severity, the past history of anomalies and how the user verified or disputed them.
  • A second tier of anomaly classification with machine learning will result in lowering the criticality. This will allow an SMS/email to be sent to the customer for verification.
  • In case of subsequent chained anomalies, a threshold can be put in place to block the card.
  • To improve customer experience, an immediate message/call should be sent to verify.
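A sketch of the tiered response in the list above, as an added example rather than the product's logic. The second tier here is a simple history-based adjustment standing in for an ML classifier, and the window, chain limit, score cut-offs and action names are assumptions.

```python
from collections import defaultdict, deque

CHAIN_WINDOW_S = 3600   # assumed: anomalies within one hour count as chained
CHAIN_LIMIT = 3         # assumed: the third chained anomaly blocks the card

class AnomalyTriage:
    def __init__(self):
        self.recent = defaultdict(deque)   # card -> timestamps of recent anomalies
        self.history = defaultdict(lambda: {"verified": 0, "disputed": 0})

    def record_outcome(self, card, kind, outcome):
        """Store the customer's answer to a verification: 'verified' or 'disputed'."""
        self.history[(card, kind)][outcome] += 1

    def criticality(self, card, kind, severity):
        """Second tier: adjust raw severity (0..1) using this customer's history."""
        h = self.history[(card, kind)]
        if h["disputed"]:
            # The customer disputed this kind of anomaly before: raise criticality.
            return min(1.0, severity + 0.2)
        # Each anomaly the customer confirmed as genuine lowers criticality.
        return max(0.0, severity - 0.15 * h["verified"])

    def decide(self, card, kind, severity, ts):
        """Return the action for one anomaly observed at time ts (seconds)."""
        window = self.recent[card]
        while window and ts - window[0] > CHAIN_WINDOW_S:
            window.popleft()               # drop anomalies outside the chain window
        window.append(ts)
        if len(window) >= CHAIN_LIMIT:
            return "block_card"            # chained-anomaly threshold reached
        crit = self.criticality(card, kind, severity)
        if crit < 0.3:
            return "approve"               # not every anomaly is a decline
        if crit < 0.8:
            return "verify_sms_email"      # approve, ask the customer to confirm
        return "decline_and_call"          # decline, contact the customer at once

if __name__ == "__main__":
    triage = AnomalyTriage()
    # Constructed events: (card, anomaly kind, severity, timestamp)
    for event in [("c1", "new_location", 0.5, 0), ("c1", "new_device", 0.4, 100),
                  ("c1", "new_location", 0.5, 200)]:
        print(event, "->", triage.decide(*event))
```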