We were privileged to host a roundtable event (albeit the table was V-shaped) for many of the leading challenger banks and fintechs that have appeared in the UK in the last few years. All of the companies in the room (Curve, goHenry, Loot, Monzo, Pockit, Soldo, Starling, WeSwap and World First) have made a mark and are gaining real traction with people and businesses. As we all know, with customers and success comes fraud and fraud attempts of many stripes - so there was a lot to talk about, which we did under the Chatham House Rule.
At Ravelin we posit that fraud risk can only be managed through a combination of technology, data and cooperation between businesses. Cooperation is probably the piece that lags furthest behind in many ways. Companies are still largely trying to resolve the fraud threat one by one, which makes the job of the fraudster a lot easier and the environment that much more target rich. Events like these are an attempt to start to understand what can be shared, where cooperation can happen and where it’s not possible,
A shared concern and frustration was the prevalence and ease with which people are falling to social engineering scams. This is a situation where people are divulging passwords and other personal information to fraudsters who, when armed with this data, can be very difficult to spot pre-fraud. The ease with which it was happening made a number of people at the table believe it was highly likely that people were selling their identities for small sums - little realising how much trouble this is going to cause them in future years. The value of an online identity needs to be taught in schools as a priority alongside the usual consumer education on not falling victim so these scams.
Probabilistic versus Deterministic Fraud Prevention
The conversation turned to the techniques and technologies that the roundtable members were using.
Rules based systems still dominated for a couple of reasons. Banks are driven by compliance and compliance is often best expressed through a rule. But of course this does nothing for predicting what might be a fraudulent transaction or a problematic customer. A shared frustration was that fraud detection products in the market often relied on data the bank did not have, i.e. a delivery address or a pickup address.
Another common technique was link analysis - looking at the connections of suspicious customers or transactions to try to spot emerging fraudsters, or to discover fraudsters who had not yet been caught. This approach, while valuable, was probably more manual than it should be especially as the searches often feel like raking over the same coals.
It was clear that there is an appetite and a need for a combination of technologies to be tailored to the fintech industry, to help them prevent fraud more effectively . We discussed the opportunity for neural nets to predict risk for unstructured data - offering a score based on historical behaviour without the need to programmatically determine the outcome. Graph networks also have a very obvious appeal for link analysis - instantly generating network diagrams that can show connections based on numerous variables.
To prosecute or not?
The conversation also turned to whether there is value in reporting fraud as crime. All the participants filled out Suspicious Activity Reports (SARs) as they are obliged to do but with little expectation that it would lead to police action. In a room full of fraud professionals only one had successfully prosecuted anyone for fraud. We and others have written about the futility of reporting fraud in the expectation of arrests being made. Everyone had significant sympathy with the complexity of building a case and the enormous workload of the police so the lack of follow up is understandable. The very simple fact is that businesses who trade online need to protect themselves and one another as best they can.
We’ve taken what is the first step to greater collaboration. Just to get people in the room who face similar challenges - many of whom had never met before - is a great step forwards. We will create some semi-formal groups to keep the discussion going and explore how and where we can share information on the technologies, data processing and sharing that will help everyone tip the balance of fraud on the side of legitimate business again.
If you’re interested in joining the discussion, please email firstname.lastname@example.org.