Chapter contents

In our first episode of 2017, we welcome back Michaela Verstraeten to give us even more insight into how online retailers can better protect themselves from fraud. CMO Gerry Carr and Michaela talk through how smarter retailers choose fraud technologies that are up-to-date.


Gerry: Okay, and welcome to the next in our series of podcasts. This week we’re looking at how smarter retailers choose fraud technologies. I’m joined this week by Michaela Verstraten, who is becoming a regular guest on these podcasts. Michaela was fraud lead and set up many of the fraud systems at companies like Levi’s and Nike and was a former member of the European Merchant Risk Council so is well placed to advise us on this having selected the technologies for all those vendors and advised many other companies. So, welcome Michaela.

Michaela: Thank you Gerry, good to be here again.

Gerry: Great. So, as I said, this week we are looking at how smarter retailers and probably any medium to large business selects new technologies to tackle fraud, but it’s probably best to look at where these companies are in terms of their fraud systems, they’ve been in business for a while, they’ve built up a bit of a legacy, I’m just wondering from your experience what those systems look like in a typical medium to large retailer?

Michaela: Okay, I think that it’s reasonable to say that most medium to large retailers have systems in place today. Often, they have evolved over time, so there may be a number of not necessarily well integrated solutions, which have been a response over time to moments where the business has come under attack from fraud. They will have tried to optimize the business or add services which would improve the detection rate and of course reduce the chargeback rates that the company is undergoing. I think that if they’ve been in business for a long time they probably have a legacy solution provider, could well be the system from their PSP - their payment service provider - then with some extra tools, either through the payment service provider or as separate integrations and contracts with, say, device fingerprint solution providers or adding on something like a tool to increase the verification of email addresses and it depends on the particular merchant how that’s been done, and how complex it is. Sometimes the complexity is driven by internally at a merchant, say, a merchant who has a history as a big retail or wholesale company who is now…has a web presence and is offering shopping online and through mobile and these things often lead to decisions having been made based on legacy in the past.

Gerry: I think I’m right in saying there’s some rules-based systems in there as well?

Michaela: Yes, in general those systems will be rules-based systems, based on a lot of knowledge within the business of the type of fraudulent attack that that particular company comes under and those rules-based systems can often run to hundreds of rules, some of which are indeed still current and very effective and others which could have just put in place for a particular instance, say three years ago, when they had an issue in a particular place. One of the things that good fraud teams within these companies need to do is persistently try to optimize their rules - rules optimization. It is true to say that the majority of fraud teams often are needing to balance keeping with the operation of manual review in most cases and don’t always have as much time or headcount as they might like to conduct really good research into why the fraud is happening and where it’s coming from.

Gerry: So, the picture you’re describing I think is I guess fairly typical in any mature business, they’ve been fighting various battles over various years, using various tools to do it, there’s a layer of rules on top of there and it’s become quite complicated over time, there’s a lot of point solutions doing specific tasks that are to a greater or lesser extent integrated, there’s probably a mixture of PSPs in there. It’s a complex picture, I think, and I guess what we’re asking is what advice would you give to a fraud manager, to a fraud lead in a situation like that about where do they go next, how do they clean this system up and get a system that’s ready for where fraud is going to happen next?

Michaela: I think what’s really important is any company, merchant of any size, that they do a review of current systems. I mean, ideally, on a biannual basis, to go into a thorough look into how is what they do have in place performing. I call it a fraud health check, and it’s something that I regularly do for some of my merchant clients. Taking a snapshot in time of how well the current setup is performing, measuring that, for example, against some of the benchmark industry norms that can be accessed, say, through the Merchant Risk Council payment survey and fraud surveys and especially important remembering to compare the company to very similar businesses, because some of these research papers are quite broad, or broken down into different verticals. Things will be happening for particular merchants in a particular vertical in a particular way. I think that the fraud health check is extremely important to also ensure that the team is aware, if they are using what they do have in place in the best way that they can be, and hopefully highlights any gaps, if you like, in the way that they are preventing the fraud today and if they can identity some of the fraud in a particular area is getting through, what can be done then. It raises questions, the reason for the fraud health check is to raise questions. Can we do this better? Are there any leakage points? If there are, how can we resolve them?

Gerry: And is this typically done internally or would you get someone external in to help you? Or is it a mix of both depending on the situation?

Michaela: I think it depends on the company. I mean the fraud manager himself, depending on how large the fraud team is, it can be done internally. As I say, I’m called in to do a fraud health check in various different companies, because sometimes it’s good to have a vision from someone who’s detached, if you like, from the daily operation. Sometimes it’s just a headcount issue in that within the daily work of the group, there isn’t the bandwidth to perform that health check. But I think it’s important to make a review, even if it’s a small review internally, and particularly it doesn’t matter if you’re planning to change any systems or integrations. I think it’s important to do it regularly. Then at least you will identify if you do need to begin to look at vendors and assess what’s available that you don’t yet have.

Gerry: You’ve predicted my next question, which I was going to say, does this show technology gaps and just from more recent experience, what technology gaps are you most commonly seeing these days? What is still missing in the topology of systems that fraud teams have in place?

Michaela: I think what’s very interesting in the marketplace, as opposed to the gaps that are in particular businesses, is that some of the more established fraud prevention vendors are adding…the buzzword of the recent 18 months or so has been machine learning, and you hear of some of the existing fraud solution providers also beginning to talk about machine learning, but not in the sense of a pure machine learning product but they feel they need to kind of add this to their existing quite more rigid rule-based systems that are in place. Most bigger companies will have a system that’s been in place for quite some time, often very rule-based, in a sense of having a number of rules, often a large number of rules, which are capable of detecting in each case one particular type of behavior and they all run together and move together but they are all reliant on those rules being written. In order to write a rule, you need to know something is happening before you can - and identify that - before you can adjust the rules and the rulesets. If the team is doing it well then they are adjusting those rulesets every month or two months or running some passive profiles, profiling to try to work out if this is the right thing to do. What you also have on the marketplace is a growing number of businesses which are using machine learning and I think that also, I come from having worked with big companies, if I go back to my time with Nike, everything was rule-based and as the fraud team, the fraud manager, your mission in life was to adjust those to keep up with the fight against the fraud that was being perpetrated on your site. I think that also the number of transactions going through these big retailers, that becomes really really more and more and difficult. And I think people, especially people with a history and great knowledge themselves, need to be courageous when looking at machine learning, you know? Not being afraid of it, I think that a lot of established fraud managers who know how things work in their own company, they know how the rule-based engines work, they have a tendency to be a little bit afraid that machine learning will negatively affect the team or it will leave the team with nothing to do, whereas I think it’s actually an opportunity to let the machine decide. One of the key things I see in a lot of teams is the team doesn’t have enough time to properly and deeply analyze the fraud that’s happening on the site because they are so busy with the operational side, making manual review decisions. If a machine is allowed to make those decisions, the team can then be redeployed, in fact, to conduct really good analysis, because the analysis of the information coming from the machine learning modules can give a much clearer picture in order to then change. Now, what I do like is where you have tools where machine learning works together with rules, so you put something in, it’s very customer-specific, you are working with the merchant to develop a set of specifics to that particular merchant, but then you let the machine learning and the algorithms add value to that.

Gerry: Thanks, Michaela. I think what I’m hearing is that they definitely need to do a health check, and commonly out of these health checks, this is the gap isn’t it? I guess it’s processing power, it’s the ability to get through the transactional flood that’s coming in in a sensible way but I think the education part - I’m interested in your opinion - the education part I think, on the part of the industry is that, look, this isn’t replacing necessarily, this is setting alongside and enhancing stuff that you’re doing already, just letting you do it in a more efficient manner. There still seems to be that resistance in the market. I had a conversation with somebody today where just the concept of taking away the rules was anathema, was sort of very emotional reaction to it. So, we still need to sort of explain that that level of control is still there, it’s just done in a different way? Is that fair summary of what you’ve been saying?

Michaela: Very much so. I mean, I’ve been convinced myself and when I’m speaking to people, it’s interesting they do ask me my opinion, and they say, ‘What do you think about machine learning and don’t you see it as a threat to a team?’ You know how I see it? I see machine learning as a potential new team member and integrated it as such and having...because you can learn from it, you can learn from the decisions that are being made by the machine and of course it needs to learn and in fact the people in your team are the people who can teach it. So, it can learn from us and I think that that’s where systems where you begin with, let’s call it a base set of rules, which might be very specific to your particular company and then you, as it were, let the machine learning do what it’s good at thereafter and have the possibility of potentially during the lifetime then as time goes on, months go by, to add in a specific rule if we feel the machine’s not picking up everything. But I think that especially at the volumes that a lot of the bigger online retailers are now transacting, you can’t be…it’s not effective and efficient to have a team that are needing to make decisions before 11 o’clock in the morning so that stuff can get shipped. I think it’s much more important that that team is looking at transactions which the system has said, ‘We didn’t want this one,’ your team can then be deciding, ‘Was that the correct decision? Is this a false positive? If it is, how do we make the machine accept it next time?’ for example. I even know merchants where they are identifying things like that, they actually call that customer who didn’t manage to get the order through and turn that into an order and it’s a change of mindset in how the fraud team works because the fraud team is then working with the machine but it also becomes a team that makes new orders happen that otherwise wouldn’t happen.

Gerry: Okay, Michaela, we’re coming up against time now but I do like the fact we’re ending with the analogy of machine learning as a new team member, and it’s a nice way of thinking at it. Probably not a lot of fun at the Christmas party, but very good at crunching numbers! Listen, thanks a million for your time again, and I’m sure we’ll talk again soon.

Michaela: No problem, good to be here.

Gerry: Cheers Michaela, thank you.

Michaela: Thank you, bye.

You can find more episodes on our Soundcloud page and iTunes