By David Christie, CEO, Bleckwen
Interview ahead of the 2nd Annual Fraud and Financial Crime Europe Summit, taking place 2-3 April in London
Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?
Prior to joining Bleckwen, and with c20 years in financial services, I spent the last 12 years working as COO in the cross-border payments space, in both C2C, B2C and B2B so gained a global and holistic view of the challenges of managing Fraud and AML from a multi-jurisdictional, technology and business process perspective in probably one of the highest risk sectors. Managing the ever increasing cost of run and change within financial services organisations against an ever changing threat landscape has meant technology, more than ever, is becoming more critical to not only ensure base compliance but also manage cost more effectively whilst delivering higher levels of consistency, reducing errors and improving customer experience.
The battle against fraudsters and money launderers is an ever increasing arms race so my focus has shifted from a consumer of fraud/AML tools to being a CEO of a company that can help banks and other financial institutions fight back by leveraging AI/machine learning powered behavioural analysis at an individual account level to reduce the total cost of managing fraud detection and prevention (manpower to process false positives, time to process alerts as well as reducing underlying fraud loss rates).
What, for you, are the benefits of attending a conference like the Fraud and Financial Crime Europe Summit and what can attendees expect to learn from your session?
Primarily education – both sharing the knowledge of what is possible with new technology, but also listening and understanding the escalating challenges of what professionals in this space are dealing with first hand so I can focus my company on addressing them. Collaboration between financial institutions is a key step in winning this arms race and events like this provide the forums to discuss and initiate such actions.
How can technology such as AI and machine learning be used to automate and increase fraud and AML detection?
Fraud is a complex phenomenon to detect because fraudsters try to mimic good customers (actively look to hide amongst the good customers). It is adversarial in nature as fraudsters adapt their behaviour to subvert rules, policies or controls put in place by actively finding flaws in the system across a myriad of use cases. Rare by definition, it's like finding a needle in a very large bag of needles, with a needle that is trying to hide itself. Also, unlike banks, fraudsters actively collaborate and share data to amplify their attack vectors to increase their chances of success.
Tracking fraudsters is therefore a difficult task and often causes friction in the customer experience, which generates significant direct and indirect costs. Most anti-fraud systems that are currently in place are based on rules logic determined by humans because the derived results are relatively simple to understand, which fraudsters ultimately leverage.
As a first step, these systems are easy to set up and prove to be effective. However, they become very difficult to maintain when the number of rules increases in line with the attack vectors they come under. With fraudsters adapting themselves to the rules in place, the system requires additional or updated rules, which makes the system more and more complicated to maintain and effectiveness degrades over time with the by-product of lots of false positives, and impacted customer experience, worn out teams, and fraud levels increasing.
These issues are amplified by the accelerating adoption of new payments types and evolving behaviours (eg P2P, instant payments, contactless, open banking etc) which increases the volume of payments and the attack vectors to be exploited. Case in point is that APP fraud wasn’t recorded historically but now accounts for 24% of fraud in the UK according to Financial Fraud Action which shows the rapid change of typology seen. Their half yearly report highlights this has grown 44% since.
As a result, an effective detection system that is unintrusive, operated at scale in real time and detects the latest fraud techniques must address considerable challenges. We have found machine learning is proving to be an effective solution to get around this problem as it can handle huge volumes of transactions and data points that are dynamically changing and allows ultra granular decisioning in real time through behavioural analysis – something a human just cannot do – even armies of them. When coupled with a great UI/UX to help fraud analysts reduce the time to decision for those alerts that do get through we are finding that it gives a much better overall risk posture, cost base and client experience.
In your opinion, what are the benefits and implications of operationalising technology?
40-50% of change the bank costs and 20-30% of run the bank costs are spent on GRC which can equate from 4% to 16% of revenues depending upon size of the bank. c75% of this cost is people so operationalising technology to support these efforts with technology like AI or RPA can have a major impact on the human capital cost as well as refocus the staff on more complex and rewarding parts of the job. We have seen reductions of false positive rates of up to 95% (20 fold improvement) using AI and further time to resolution improvements using interpretability techniques resulting in both high reductions in direct and indirect costs of fraud prevention so the benefit is obvious – improvement to the bottom line. However there is more in it than that in that it gives better and faster response to criminal attacks and better client experience through less intrusive intervention – or positive friction, which can only be a good thing.
The implications are that implementing these solutions, especially in legacy systems with silo’d datasets is tough for the IT teams especially with many competing GRC related change requirements in flight. Also getting GRC teams to move away from rules reliance is a slow process so having a solution that can do both and aid the transition can only help. Additionally alert overload from in some cases up to 50 fraud systems in a bank is unrealistic to manage so alert orchestration is also key.
What is an effective way of using technology to improve detection?
I see technology being effective across multiple levels. The obvious is the use of AI/ML in behavioural analytics to detect fraud and remove the need for rules that are exploited by criminals however like any defence system there needs to be multiple layers of detection and protection eg endpoint like Trusteer, ThreatMetrix (with device fingerprinting and device reputation networks), as well as biometric defences on the relevant devices (FaceID etc) but technology is needed to bring all these alerts together into one holistic view (eg Fcase) as currently decisioning is silo’d and again criminals exploit the gaps in the defences. We need to remember that people are also fallible so protection from social engineering, scams etc as well as internal fraud needs to be dealt with so systems that are multichannel aware will be needed.
How do you see the impact of Fraud and Financial Crime evolving over the next 6-12 months?
It's only going to get tougher. Many countries are adopting real time payments architectures soon (eg Europe with SEPA instant), or have recently done so (Australia and Singapore) something the UK have benefitted from for c10 years and take for granted so decisioning in real time will become a necessity as latency to make decisions will drop and volume of payments will increase – and sampling is just not an option. These new architectures when combined with open banking make available new payment capabilities like RTP or P2P via intermediary TPPs and when combined with cross border or via blockchain you can get instant international payments cross currency in real time – which will be a fraudsters' and money launderers' dreamland whilst banks and financial institutions play catch up with legacy rules or sample based/ manual intervention processes.
I hope to see progress on banks collaborating more like they have done with KYC utilities. I would like to see similar for fraudulent/money-laundering account information and Bleckwen want to be at the forefront of seeing this happen as it's in everyone’s interest.