It’s a harsh truth that while data and technology in the fraud business abound, true domain expertise is a scarce resource. Meet Andy Procter, one of FICO’s fraud specialists. Having spent much of his career on the front lines fighting fraud at Citibank, Andy is now one of FICO’s Fair Isaac Fraud Advisors, where he specializes in fighting identity-based fraud including application fraud.
Today we are excited to pick Andy’s brain on the hot topic of how to fight identity fraud, specifically for application fraud.
What is the craziest, or most effective application fraud scheme you’ve seen?
Andy: I’ve seen many things that have shocked me, some for the sheer audacity of the perpetrator and others at the incredulity of the organization not having means in place to prevent them.
- Instant access to online banking and therefore easy access to committing fraud due to the safe status of being an ‘existing’ customer.
- Instant access deposit account complete with overdraft facility and next day (post-book) application fraud checks.
- Online retailers only passing the registered address, not the delivery address through fraud checks.
In your opinion, what should come first: an underwriting decision or a fraud decision - and why?
Andy: Credit risk is the bigger player in account originations. The overall question the organization is asking is ‘Should we extend credit to this (these) individual(s)?’
To answer that, there are more underlying questions: Does the application meet with credit policy - do we think they can afford to repay? Will they be profitable? What terms should we offer? Are they telling us the truth?
Only that last question is of concern to the fraud team. In fact, even if they are telling the truth, are they a fraudster? To answer those questions there are equally many checks to do. The order of those varies across organizations according to their business preferences and other factors such as regulations. However, where possible I recommend a cost- and time-efficient process. This often involves early credit policy knockouts, followed by early fraud knockouts. Only after that should you go out and pay for additional information.
Once all information is in and knock-outs have happened, apply the credit risk policy to determine those you want to accept. The applicants left at that point pose a potential risk of fraud loss, so carry out the fraud checks then. Some clients save their pricing and limit setting until after the fraud check. I like this process: Any flags for potential first-party fraud that aren’t sufficiently strong to deny the application can still have an impact on the potential loss by impacting credit lines, limit increase periods, cross-selling periods etc.
How have you seen financial institutions automate fraud processes related to application and identity fraud – both successfully and unsuccessfully?
Andy: Across the world, I’ve seen varying levels of automation with varying levels of success. If done right, automation is great – it gives a fast, consistent and smooth experience for applicants. After all, the fraud team as much as anyone wants genuine applications pushed straight through and low false positives. Some organizations think automated decisions are bad or even non-compliant. That need not be the case. Automated declines on limited information is a recipe for a headache, but data-rich applications with an automated decision to request additional information or trigger OTP, for example, can be positive even for false-positives.
To fight fraud, how do you recommend financial institutions organize their teams? What are the requisite skill sets required to successfully execute an application fraud program?
Andy: Connected decisions - we use it a lot but it is valid. We certainly do see siloed set-ups. Sometimes we see the credit card team linked with the unsecured personal loans, but the auto finance, mortgage and SME/corporate loans have completely separate policies, processes and systems.
As long as I’ve been in fraud the key strength is sharing data – that’s what the fraudsters do. I’ve seen clients share with competitor organizations but not with other parts of their own business.
As well as connected decisions, a successful application fraud program requires three main practices:
- Strategy – they drive the application fraud strategy in line with the business strategy. They look ahead to see what is coming and devise plans to prepare, they define the systems and processes to meet the current threat. Key skills: Big picture thinker. Business strategy in mind. Up to date with threats, trends and fraud defense systems/technology.
- Operations – they carry out the strategy. They are the front line. They operate efficiently and adhere to agreed SLAs. They also help strategy by being the eyes on the ground. Key skills: Think like a fraudster, know the systems and policies inside and out, quick thinker, diligent.
- Analytics – they inform the strategy decisions, they push for new data and strive to enable optimal performance of the whole team. Key skills: Apart from the obvious high numeracy and analytical ability, they need to be goal-focused, whether that goal is predicting the fraud risk on a new channel/brand/marketing campaign or optimizing rule and queue performance.
How should FIs appropriately balance false positives, and what other metrics are important to maximize revenue growth while protecting the bottom line?
Andy: Analytics. Feedback loops and defect analysis help drive false positives down. Also, I’ve seen some controversial fraud rules in my time, but some can be justified by their low false positives. Obviously, it is easy to lower false positives but not so easy to do it while maintaining or increasing the fraud detection rate (number of frauds found proactively by the detection tool as a proportion of all frauds detected).
The third metric in this trilogy is the referral rate. Most closely linked to the false-positive rate, this is the one that incurs the operational costs…and the one where human error comes into play. Some fraud teams have their strategies limited by the size of their operations team, some others have strict limits on referral rate placed on them by the business (without regard to the fraud rate of the organisation).
Regardless of the driver, the referral rate should be optimized in conjunction with the false-positive and detection rate.
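The trade-off between the three metrics in the last answer can be worked through on a small scored sample. The following is an added example, not part of the interview or any FICO product: the application scores are constructed, and measuring false positives as the genuine share of referrals is an assumption, since the interview does not define that metric.

```python
# Constructed sample data (not from the interview): (fraud_score, confirmed_fraud).
# confirmed_fraud marks every fraud eventually detected, proactively or later.
APPS = [(950, True), (910, True), (880, False), (860, True), (820, False),
        (790, True), (760, False), (700, False), (650, True), (600, False),
        (550, False), (500, False), (450, False), (400, False), (350, False),
        (300, False), (250, False), (200, False), (150, False), (100, False)]

def metrics(apps, threshold):
    """Metrics when applications scoring >= threshold are referred for review."""
    referred = [fraud for score, fraud in apps if score >= threshold]
    total_fraud = sum(fraud for _, fraud in apps)
    caught = sum(referred)
    return {
        "threshold": threshold,
        # Share of all applications sent to the operations team.
        "referral_rate": len(referred) / len(apps),
        # Frauds found proactively as a proportion of all frauds detected.
        "detection_rate": caught / total_fraud if total_fraud else 0.0,
        # Assumption: false positives measured as the genuine share of referrals.
        "false_positive_rate": (len(referred) - caught) / len(referred) if referred else 0.0,
    }

def best_threshold(apps, max_referral_rate):
    """Highest detection rate within the referral cap; ties go to fewer false positives."""
    candidates = [metrics(apps, t) for t in sorted({s for s, _ in apps})]
    allowed = [m for m in candidates if m["referral_rate"] <= max_referral_rate]
    if not allowed:
        return None  # the cap is too tight to refer anything
    return max(allowed, key=lambda m: (m["detection_rate"], -m["false_positive_rate"]))

if __name__ == "__main__":
    # Show how a tighter operations cap costs detection rate.
    for cap in (0.20, 0.30, 0.45):
        print(cap, best_threshold(APPS, cap))
```
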
For more on application fraud, check out the other posts in our series:
- Trends in Application Fraud – From Identity Theft to First-Party Fraud
- Best Practices in Establishing Your Fraud Risk Appetite
- ELI5: What does the Dark Web have to do with Application Fraud
- Data, data, data: Application Fraud and the elephant in the room
- Preventing Application Fraud with Machine Learning and AI
- 4 Success Factors for Machine Learning in Fraud Detection