As anyone involved in financial institutions or the payments world knows, fraud is an ever-present threat. Furthermore, it is commonly accepted that fighting fraud is reactive: the fraud needs to happen, and the financial institution then reacts by addressing the vulnerabilities in its system, product or process that allowed the fraud to happen in the first place. However, financial institutions are increasingly asking whether this way of thinking is still relevant and accurate today.
With advancements in technology, specifically in data management and artificial intelligence, should financial institutions be tied to a decades-old method of fighting fraud? Is a proactive risk management strategy worth the time, effort and inevitable losses a financial institution would need to incur?
What does proactive and reactive risk management even mean?
To fight fraud proactively means anticipating how a fraudster would take advantage of a financial institution, and closing the gap before any financial loss can be incurred. This means that when a fraudster attempts to take advantage of a financial institution, the fraudster is unable to do so, forcing them to give up. The aim of proactive risk management is to build a reputation of having such an impregnable system that fraudsters are deterred from attempting any fraud.
An example of a proactive risk management strategy is 3D-Secure, where a one-time passcode must be entered into a pop-up window. This serves as an additional identity verification check. The one-time passcode is either dynamic (a new code is sent to the user each time a transaction is attempted) or static (the user sets a PIN code once and uses that same code each time).
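As an added illustration of the two passcode styles just described (this is example code written for this post, not the page's own code nor any 3D-Secure vendor's implementation), the Python below issues a dynamic per-transaction code that expires, is accepted at most once and locks after a few wrong guesses, and stores a static cardholder PIN as a salted hash rather than in clear. The function names, the 120-second lifetime and the three-attempt limit are assumptions chosen for the illustration.

```python
"""Step-up verification for a card transaction: a dynamic one-time passcode
issued per transaction attempt, plus a static cardholder PIN.
Added example; names, time limit and attempt limit are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120   # assumed lifetime of a dynamic code
MAX_ATTEMPTS = 3         # assumed wrong-guess budget per challenge
CODE_DIGITS = 6

_challenges = {}         # transaction id -> challenge record (in-memory for the example)
_static_pins = {}        # card id -> (salt, PBKDF2 hash) of the cardholder's chosen PIN


def issue_challenge(txn_id, now=None):
    """Create a fresh dynamic code for one transaction attempt.
    In production the code is delivered out of band (SMS, app push); it is
    returned here only so the example can run offline."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _challenges[txn_id] = {"code": code, "issued_at": now, "attempts": 0, "used": False}
    return code


def verify_challenge(txn_id, submitted, now=None):
    """Check a submitted code. Returns one of: ok, unknown, used, expired, locked, mismatch.
    The failure modes are kept distinct so the risk engine can react to each differently."""
    now = time.time() if now is None else now
    rec = _challenges.get(txn_id)
    if rec is None:
        return "unknown"
    if rec["used"]:
        return "used"                       # a code is accepted at most once
    if now - rec["issued_at"] > CODE_TTL_SECONDS:
        return "expired"
    if rec["attempts"] >= MAX_ATTEMPTS:
        return "locked"
    rec["attempts"] += 1
    # Constant-time comparison so response timing does not leak which digits matched.
    if hmac.compare_digest(rec["code"].encode(), str(submitted).encode()):
        rec["used"] = True
        return "ok"
    return "locked" if rec["attempts"] >= MAX_ATTEMPTS else "mismatch"


def set_static_pin(card_id, pin):
    """Store the cardholder's chosen PIN as a salted PBKDF2 hash, never in clear."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    _static_pins[card_id] = (salt, digest)


def verify_static_pin(card_id, pin):
    """Re-derive the hash and compare in constant time; unknown cards fail closed."""
    rec = _static_pins.get(card_id)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    code = issue_challenge("txn-1")
    print(verify_challenge("txn-1", code))   # ok
    print(verify_challenge("txn-1", code))   # used
    set_static_pin("card-1", "4821")
    print(verify_static_pin("card-1", "4821"), verify_static_pin("card-1", "0000"))
```

Keeping the failure modes distinct matters: a lock-out (someone guessing codes) is a different signal to the risk engine than an expired code (a slow customer), and a single "invalid" response would hide that difference.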
Reactive risk management is what is commonly practised by financial institutions: fraud is identified by analysts, and rules are enacted in the financial institution's risk engine to block further transactions that match the same pattern.
An example of this is when a cardholder calls their bank to report a fraudulent transaction: the bank cancels the old card and issues a new card to the customer. Once the old card has been cancelled, the fraudster who had the card details is unable to use it, and thus the existing pattern of fraud has been stopped.
But which is better?
To a risk management professional, answering this question is akin to deciding which is your favorite leg. Both have their own strengths and weaknesses but the ideal situation is to have full unlimited and unfettered use of both. However, for the sake of discussion and to simulate real world circumstances, all angles of the discussion must be considered.
Reactive risk management is a proven, effective and reliable strategy. Furthermore, there are a number of risk engines, data visualisers and data management tools to support it. If set up and managed properly, these tools, coupled with trained risk management professionals, should enable a financial institution to identify an ongoing attack and take the necessary actions to prevent further financial losses. This entire process should not take more than a couple of hours, even if the financial institution is dealing with millions of transactions per day.
However, these actions can only be taken once fraudulent transactions have been identified, which means the financial institution must already have suffered a financial loss before any action can be taken. Furthermore, many other factors come into play. For example, one of the biggest weaknesses in any reactive risk management strategy is the human element. People make mistakes - this is an unavoidable fact. Regardless of the level of skill and training someone has, eventually a human will make a mistake. Sometimes an attack will be missed entirely, and sometimes it will be caught late in its life cycle. Either way, these mistakes cost money. Another weakness of the reactive approach is that in certain situations it relies on input from customers, i.e. calling in to report an unauthorized transaction.
On the other hand, proactive strategies enable financial institutions to prevent fraud entirely by creating an environment where weaknesses are eliminated and gaps in the process are plugged before any financial loss can be recognized. This approach is highly dependent on advanced technology to study customer patterns, identify transactions that do not fit the mould and challenge the user to prove that they are the cardholder. It has the added benefit of being able to learn, i.e. each time a customer uses their financial institution's product, the system can learn their spending patterns and thus predict, with increasing accuracy, whether a transaction is legitimate or not.
Yet for all its capabilities, this system has flaws and weaknesses as well. The first and most obvious is that it is experimental and not a proven success, meaning financial institutions will still face losses. The system will require development, testing, implementation, tweaking and being fed copious amounts of data before it can be considered a viable alternative to a reactive strategy. This will of course take time, money and the efforts of teams of data scientists, developers and coders before it is ready to use. However, the biggest problem with a proactive system is that it will lead to a drop-off in sales/revenue for merchants. As noted when 3DS was first introduced, a large number of merchants found their customers put off by having to jump through hoops to make a payment, despite such a system being implemented for the customer's own good. This was further exacerbated by the merchants still facing chargebacks, as the system was not perfect. Finally, proactive strategies are great for online transactions but, in general, are unable to cater for in-person transactions with the advent of contactless/wave payments.
What does all that mean?
In short, neither system is perfect, and the best bet for a financial institution is to utilize both strategies in tandem. This can be achieved by developing a proactive strategy that blocks or allows transactions based on how certain the system is that the transaction is legitimate, while transactions that fall below a threshold of certainty get channelled to a risk management professional to decide. Such systems are already in use in corporations such as PayPal. Whilst not perfect, it has helped the organization leverage the strengths of both risk management strategies.
This has the added benefit that the system can learn from the risk management professionals, as their determinations can be used to further train the artificial intelligence/algorithms.
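To make the hybrid arrangement concrete (the proactive score-and-threshold layer, the uncertain band handed to an analyst, and the reactive step in which the analyst's verdict becomes a blocking rule and a training label), here is an added Python example. It is not the page's code nor PayPal's; the scoring weights, thresholds, transaction fields and sample traffic are assumptions constructed for the illustration, and the additive scorer is a deliberately simple stand-in for a trained model.

```python
"""Hybrid fraud decisioning: a score-and-threshold proactive layer, a review
band for an analyst, and a reactive layer where verdicts become block rules
and training labels. Added example; thresholds, weights and fields are
assumptions, not the page's or any vendor's figures."""
from dataclasses import dataclass, field
from statistics import mean

ALLOW_BELOW = 0.20   # assumed: fraud score below this is allowed without friction
BLOCK_ABOVE = 0.80   # assumed: at or above this the engine blocks outright


@dataclass
class Transaction:
    txn_id: str
    card_id: str
    amount: float
    country: str
    merchant: str
    hour: int            # local hour of day, 0-23


@dataclass
class CardProfile:
    """What the engine has learned about one cardholder from past legitimate spend."""
    amounts: list = field(default_factory=list)
    countries: set = field(default_factory=set)
    hours: set = field(default_factory=set)

    def learn(self, txn):
        self.amounts.append(txn.amount)
        self.countries.add(txn.country)
        self.hours.add(txn.hour)


@dataclass
class Engine:
    profiles: dict = field(default_factory=dict)         # card_id -> CardProfile
    block_rules: set = field(default_factory=set)        # (merchant, country) patterns enacted after confirmed fraud
    review_queue: list = field(default_factory=list)     # uncertain transactions awaiting an analyst
    training_labels: list = field(default_factory=list)  # (txn_id, is_fraud) pairs for retraining the scorer

    def score(self, txn):
        """Additive, explainable fraud score in [0, 1] from deviations against the card's profile.
        The weights are illustrative assumptions; a deployed engine would use a trained model."""
        p = self.profiles.get(txn.card_id)
        if p is None or not p.amounts:
            return 0.5                       # no history yet: uncertain, so it lands in the review band
        s = 0.0
        if txn.amount > 3 * mean(p.amounts):
            s += 0.40                        # far above this cardholder's typical ticket size
        if txn.country not in p.countries:
            s += 0.35                        # country never seen for this card
        if txn.hour not in p.hours:
            s += 0.15                        # unusual time of day for this card
        return min(s, 1.0)

    def decide(self, txn):
        """Known-fraud patterns (reactive rules) are checked first, then the proactive score.
        Returns (decision, basis) where decision is allow, block or review."""
        if (txn.merchant, txn.country) in self.block_rules:
            return "block", "rule"
        s = self.score(txn)
        if s >= BLOCK_ABOVE:
            return "block", "score"
        if s < ALLOW_BELOW:
            # Confident allow: the system learns the cardholder's pattern from it.
            self.profiles.setdefault(txn.card_id, CardProfile()).learn(txn)
            return "allow", "score"
        self.review_queue.append(txn)        # the uncertain band goes to a human
        return "review", "score"

    def record_verdict(self, txn, is_fraud):
        """An analyst's verdict (or a cardholder's report) feeds both layers: confirmed fraud
        becomes a block rule, a cleared transaction updates the profile, and both become labels."""
        self.review_queue = [t for t in self.review_queue if t.txn_id != txn.txn_id]
        self.training_labels.append((txn.txn_id, is_fraud))
        if is_fraud:
            self.block_rules.add((txn.merchant, txn.country))
        else:
            self.profiles.setdefault(txn.card_id, CardProfile()).learn(txn)


def run_demo():
    """Constructed sample traffic for one card with a little history; returns txn_id -> decision."""
    engine = Engine()
    engine.profiles["card-1"] = CardProfile(amounts=[20.0, 35.0, 50.0], countries={"GB"}, hours={9, 12, 18})
    results = {}
    for txn in [
        Transaction("a", "card-1", 30.0, "GB", "grocer", 12),        # ordinary spend
        Transaction("b", "card-1", 400.0, "RO", "electronics", 3),  # large, abroad, 3 am
        Transaction("c", "card-1", 25.0, "FR", "shop-x", 12),        # one oddity only: new country
    ]:
        results[txn.txn_id] = engine.decide(txn)[0]
    engine.record_verdict(Transaction("c", "card-1", 25.0, "FR", "shop-x", 12), True)  # analyst confirms fraud
    results["d"] = engine.decide(Transaction("d", "card-1", 25.0, "FR", "shop-x", 12))[0]  # same pattern, now a rule
    return results


if __name__ == "__main__":
    print(run_demo())   # {'a': 'allow', 'b': 'block', 'c': 'review', 'd': 'block'}
```

Two design points are worth noting. Only transactions the engine confidently allowed or an analyst cleared update a card's profile, so a transaction parked in review cannot teach the system that the fraudster's behaviour is normal. And a confirmed-fraud verdict immediately becomes a blocking rule for the same merchant/country pattern, which is the reactive step described earlier, while the stored labels are what the proactive scorer would be retrained on.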
If this seems a bit overwhelming or confusing, Dicorm is here to help. Contact us now for a no obligation, free consultation or even if you just want to discuss the merits of either risk management strategy.