By Vinaya Parvate, Global Head Fraud Risk Oversight for Institutional Clients, Citi
Vinaya will also be speaking at the upcoming New Generation Operational Risk: Europe 2019 Summit in London (12-13 March).
Vinaya, can you please tell the Risk Insights readers a little bit about yourself and what your current professional focus is?
I have always been fascinated by complex and seemingly intractable problems. As per an FBI report, in 2018 Business Email Compromise (BEC) alone cost businesses and individuals globally over US$12.5Bn. This was made up of millions of attacks. On the other hand, one single accounting fraud event like Enron can cause losses of US$74Bn.
In my current role as Global Head of Fraud Risk Oversight for Citi’s Institutional and Commercial business, and for its EMEA and Asia regions, I grapple with both ends of the spectrum. Specifically, my role is to support businesses in finding solutions to minimize the risk of attacks against Citi and its customers through maintaining an effective fraud risk framework. Our aim is to optimize the costs of managing fraud risk controls, with the risk mitigation benefits and impact on client experience.
What, for you, are the benefits of attending a conference like the ‘New Generation Operational Risk: Europe’? What can attendees expect to learn from your session?
Operational Risk is a relatively new discipline and all in the industry are at different stages of trying to measure, monitor, and manage all the complex and interlinked risks that fall under Operational Risk. Such a conference is a great opportunity to meet with other practitioners and share thoughts and ideas so we can all learn from each other’s experiences and together reduce systemic Operational Risk.
Fraud can be the outcome of many upstream risk areas like third party or outsourcing, technology risk, HR risks. My session will help attendees understand the interlinkage between Fraud risk and several other aspects of Operational Risk, and the need to build frameworks that allow various specialist areas to inform the management of Fraud risk.
In your opinion, how can we look to effectively use machine learning to detect fraud patterns?
A few common challenges in fraud detection are ease and flexibility to keep pace with changes in customer behavior, ability to handle diverse customer and product segments, and detection error trade-off (DET). Machine learning can be an effective solution for the first two types of problems. It does away with the inefficiency of manually defining rules for every situation that could be indicative of fraud, and can enable faster-to-market updates to track changes in customer behavior and attack patterns.
Machine learning models are typically developed using data at rest, and scaling these for real time decisions remains a challenge until the entire data infrastructure is modified to handle querying of streaming data.
While it does not provide easy solutions to DET, and hence may not provide significant returns on the investment immediately, machine learning will increasingly be the critical infrastructure without which the industry will find it difficult to stay current and ahead of all the new fraud patterns and modus operandi.
What are the key considerations that need to be made when detecting inconsistencies using device and location detection?
Many customers today are not confined to one location or a single device, especially amongst higher net-worth individuals and executives who lead international lifestyles. Location detection, while useful, has to be calibrated carefully to minimize needless friction during transactions. An example is where card issuers allow their customers to tell them through phone / electronic channels when they intend to travel abroad, and this information is used to reduce false alerts based on the location.
Device detection has truly transformed authentication by permitting passive authentication that makes the entire client experience far more efficient. The key consideration in device detection is to think about how to protect the client if their device is stolen. Depending solely on the device id for authentication neither meets the PSD2 expectation of Strong Customer Authentication (SCA), nor does it make for very good fraud risk management.
Using device id and location in conjunction is far more powerful than using a single variable in isolation.
How can we as risk professionals increase efficiency and limit false positives?
False positives typically pertain to two kinds of situations: one where the alert is based on what may not be normal for a number of customers but is normal for the particular customer; or second where the customer behavior has genuinely changed such that this kind of a transaction would not have been normal in the past.
The best way to minimize such false positives and increase efficiency is by minimizing generic rules and allowing individual customer profiles to inform fraud detection to the maximum. Depending on the engine used for detection, the simplest way to handle this is through customer segmentation. That also has its limitations and this is where machine learning can come in where one is not constrained by rules or groups of rules but can consider each transaction using the full context of the latest situation of that specific customer.
A combination of variables like location, device id, IP address, digital fingerprints, transaction details, recent changes to customer static data, can be used to compare with recent patterns to provide a holistic transaction score that represents the likelihood of it being a fraudulent transaction.
Looking ahead, what operational / emerging risk do you think will keep people up at night?
In two words, cyber risk. This one risk has the ability to create a multitude of downstream risks. In the space of Fraud, fraudsters can use technology to carry out unprecedented large-scale co-ordinated attacks across several banks and customers at the same time. The faceless nature of the cybercriminal and the constant evolution in their ability to mimic genuine business interaction make it difficult to detect 100% of such intrusions.
The dynamic of this risk is such that all of us have to understand the various vectors and critical controls; we can no longer leave it to just the technology colleagues.