Fraud Prevention: the Pep Guardiola effect

There are parallels between the evolution of football and financial cybercrime prevention (AML and fraud), and this article lays out the similarities. Pep Guardiola is famous for inventing Tiki-Taka football, a style that is world renowned and loved for the fluidity, movement, and overall dominance that his teams exert over their competition. They pass and move in such a way that they have complete control over the game and usually dominate possession with 65% and above. His teams defend from the front: they close down passes, they intercept, and they recover the ball quickly. They excel in transition, transforming defence into attack, and this unique style has been replicated the world over by other football coaches.
There is, however, another component to this football style that is often overlooked: the goalkeeper. Historically, the goalkeeper was held in high regard for their capability to stop shots, intercept crosses and clear the football as far as possible from their goal. They were the last point of defence against the attackers trying to put the ball over the goal line. Goalkeepers had a truly unfavourable job in footballing terms, as they were only ever remembered for their mistakes. There are blooper reels where goalkeepers fail to stop a simple shot, miskick a clearance and gift the opponents a goal, or are humiliatingly caught in the wrong place and lobbed by the attacker. Goalkeepers had to be tough physically and mentally, as they could often go for long periods of the game with next to no defensive duties, yet when called upon they had to be 100% ready and react in an instant to stop the threat. Additionally, that one mistake could play on them for the rest of the season and their career, as they didn’t have an opportunity to make up for it.
Those of you who work in fraud prevention may already see the similarities between the last line of defence, the goalkeeper, and your own role in an organisation. Under Pep Guardiola this changed: the goalkeeper became an offensive player. As an offensive player, they are expected to be an expert in fluidly transitioning defence into attack. Pep ultimately had an unfair advantage over other teams by gaining an additional 11th outfield player, by changing what a goalkeeper does. They are no longer expected to kick the ball as far as possible into the opponent’s half; instead they are expected to make short, possession-based passes. This required a mindset shift and an evolution in football. Ultimately, Pep created an additional player on the pitch for his style of possession-based football that defended in an offensive way.
Some of you may be completely lost as to where this article is going, some may understand it but not yet see the relevance to fraud and AML, and others may already know what I am about to say. The thing is, fraud prevention and AML teams are the goalkeepers of financial institutions. They are only ever remembered, or in the news, for a scandal or an attack they failed to prevent. They can have a brilliant year identifying fraud, keeping customers’ money safe, closing accounts suspected of money laundering and defending against wave after wave of attacks. In the shadows they may have protected your account from an attacker imitating you, the reader, without your knowledge. And yet one event can undo all of this in the public eye.
Fraud prevention is having its own Pep Guardiola evolution right now. Instead of being the last line of defence, waiting for an attack and then clearing the danger as far away as possible, the teams can go on the offensive and defend from the front.
This switch in mindset gives you the capability to identify and stop attacks before they do damage, as opposed to reacting to attacks that are already playing out and damaging the financial institution. Those of you in cyber security will likely have come across something similar in the form of a cyber fusion centre, whereby you unify offensive and defensive capabilities into one area. So, what components make up a cyber fusion centre?
  • Technical (offense)
  • Strategic (style of play)
  • Threat Response (defense)
  • Orchestration and Automation (recovery and transition)
Do the same components transfer to a next generation fraud prevention solution? Yes, and we will now cover each in turn.

Technical

Otherwise known as offensive capabilities. Rather than just waiting for a fraudulent transaction to occur, you can instead reach out and gather intelligence on those who are trying to attack you and on compromised devices / accounts. This typically comprises:
  • Open-Source Intelligence (OSINT)
  • Cyber Threat Intelligence (CTI)
  • Own intelligence
  • Sanctions / PEPs / HR Countries
This is all the intelligence that the organisation should have in order to identify an attack before it causes damage. For example, you might want to know about compromised devices interacting with your product, customer accounts that are compromised, or mule accounts and compromised identities available to be purchased on the dark web. These potential points of compromise can be identified during an attack to reduce fraud. These signals are important for recognising attackers automating a coordinated attack on the Financial Institution (FI) and are a way to defend from the front.

Strategic

It’s great to have lots of intelligence about devices, accounts, identities and customers; however, without knowing the impact that this is having in the market, on other financial institutions and on your FI, it is somewhat meaningless. Strategic intelligence enables those using a fraud prevention solution to understand what is happening and how likely it is that they will also be attacked with a similar method. Typically, this comprises the following:
  • Threat Intelligence Network
  • Dashboards / Reports state of play
  • Cross financial institution real time attacks
  • Product risk understanding
A key separator in CTI, OSINT and a threat intelligence network is the ability to link the signals with certainty to the FI’s customer set. In footballing terms, this is how you set up your football style to limit the number of attacks you will face, by knowing your weaknesses and covering for them with offensive attributes that generate a threat to the attacker.

Threat Response

You can have all the offensive prowess with an abundance of intelligence and strategy but without a threat response, defense, you’re going to leak goals and let attackers in. So, what does a next generation defensive solution look like?
  • Real time decisioning solution
  • Accurate Machine Learning Models
  • Continuous Machine Learning Features and Data
  • Daily Adaptive Machine Learning Models (drift proof)
  • Advanced Alerting and investigation
  • Simulated attack “war room”
This is the capability to set up the application to predict and defend against attacks. It is important for you to truly understand the opposition and the FI to determine where the attack will likely play out and, crucially, how you react when it does. The more you can remove from human decision making in a potentially stressful situation and instead automate under a predefined risk matrix, the better. Doing so will remove bias and outcomes that generate a greater attack surface. In footballing terms, mistakes happen when players react to situations they have not trained for or are caught out of position.

Security Orchestration, Automation and Response (SOAR)

A football coach will practice drill after drill with their players, to build muscle memory and to react quicker to the opponent. That same technique is effective in fraud prevention. Typical components here include:
  • Behavioural and Continuous transparent Authentication
  • Runtime application self-protection to protect devices under attack
When brought together in a seamless way, the fraud prevention solution can transform the business from one that blocks, inhibits growth and is blamed when there is a successful attack, to one that enables more business, enables more balanced risk taking, and has the capability to defend from the front by having an extra player to attack. What can this type of solution identify?
  • Synthetic identities
  • Known compromised accounts
  • Compromised devices
  • Compromised cards
  • Mule Accounts
  • Mule Networks
  • Fraudulent transactions
  • Fraudulent transfers
  • Fraudulent beneficiary creation
  • Authorised Push Payment Scam
  • Secret Shopper Scam
Deploying such a solution will therefore help you to dramatically reduce fraud and false positives, ultimately taking charge of the situation. The benefits are:
  • Reduced fraud
  • Reduced false positives (reduction in alerts)
  • Increased cyber threat intelligence
  • Greater surety to enable more business
  • Reduced time to onboarding
  • Reduced funding of organised crime
  • Compliance to regulation
  • Improved organisational efficiency
  • Happier fraud team
What’s stopping you from transforming your fraud prevention prowess from defensive only into a seamless attack and defense solution? If you’re interested in finding out more, why not reach out to Lynx on the contact details below. Lynx has helped numerous financial institutions make the transformation from a slow, unreactive, defensive-only fraud prevention solution. We enable companies to transform to a dynamic, self-learning fraud prevention solution that both attacks and defends, giving you the extra player. We have deep knowledge of device, user behaviour, locations, travel, spend, patterns of interaction, their associated beneficiaries, how much money they typically transfer / spend and when. We have market-leading bespoke algorithms with the most accurate models that learn every day so you can too.

Why don’t you give us a try?

We live and breathe data and are experts in data science. We have world class algorithms, insight and intelligence. We ensure that:
  • Our models are the best in the business
  • We reduce your costs by reducing false positives by up to a factor of 100 compared to rules
  • We reduce fraud significantly
  • We reduce the complexity of rule building
  • We improve job satisfaction and alert fatigue by giving you meaningful alerts
  • We continuously learn from changing attacks and new products / customer behaviour
We’re confident that we’re able to stop the attacks you face and have been doing so for over two decades. We’re the Pep Guardiola of Fraud Prevention, the Machine Learning solution you’ve been patiently waiting for since they came onto the scene. Allow us to help you transform your organisation to stop more fraud, reduce operational overheads, enable seamless customer experiences, and transform your fraud team’s capabilities to seamlessly predict, identify and react to attacks. So why don’t you reach out and ask for a P.o.C. today? You won’t be disappointed.

Stopping Sanctions Activity with AI

Introduction

Lynx has been building and applying artificial intelligence and machine learning technology to fraud prevention over the last 20 years and we are now applying this expertise to uncover and stop sanctions evasion. Though the methods for detecting and stopping fraud and sanction screening differ in some ways, there are similarities and best practices that can be leveraged between the two, such as: 
  • Utilizing digital data to identify digital attributes of criminals 
  • Uncovering organized crime networks and associated compromised or synthetic identities
  • Identifying and stopping mass account takeover / onboarding resulting in a network of mule accounts 
  • Uncovering malicious actors inside the organization who are both facilitating money laundering and fraud. 
We’re pairing this expertise in big data with practical industry experience to create detection tools that are more effective in identifying illicit activity (and therefore reduce false positives), as well as streamlining the way investigators work alerts and cases.
From our experience in the field, we know that investigators will not be replaced by AI anytime soon. AI can, however, generate more productive alerts, automate time consuming manual tasks, and give investigators more time to focus on the activity that really matters. This is exactly what Lynx AML aims to achieve through its advanced machine learning and configurable case management solution – the automation of manual activities so that investigators can spend more time on investigating truly risky activity.

Artificial Intelligence, Machine Learning, GenAI... What’s the difference?

First, let’s establish the difference between artificial intelligence, machine learning and generative AI. Lynx AML Sanction Screening uses a hybrid of artificial intelligence technologies, most of which are machine learning, but it’s worth establishing what the difference is between these technologies.
Artificial Intelligence: these computer models perform complex tasks that exhibit intelligent human-like behaviors. As explained by the AI pioneer Arthur Samuel, AI “gives computers the ability to learn without explicitly being programmed.” [1]
Machine Learning: machine learning is a subfield of AI and learns to program itself using historical data. This can be done in 3 different ways:
  1. Supervised Learning: involves training the machine learning model with labeled data sets, after which the model can classify data or make predictions.  
  2. Unsupervised Learning: trains the machine learning model using unlabeled data, from which the model looks for patterns and trends. Unsupervised learning is often used to understand trends and relationships within datasets, which makes it especially useful in AML Transaction Monitoring, where it’s difficult for the human eye or traditional algorithms to draw trends across such large transaction data sets.
  3. Reinforcement Machine Learning: trains the model through trial and error rewarding the system when it takes the best action.  This method is often used when training autonomous vehicles. 
Generative AI: according to IBM, refers to “deep-learning models that can take raw data… and “learn” to generate statistically probable outputs when prompted. At a high level, generative models encode a simplified representation of their training data and draw from it to create a new work that’s similar, but not identical, to the original data.” [2]

How Lynx uses expertise and experience to identify and stop sanctioned activity 

Lynx AML – Sanction Screening solution is AI-led, whilst also human-centered. The solution leverages human insight to target models effectively (via the data validation process detailed below) and continuously receives feedback from experienced investigators, incorporating SME knowledge to ensure continuous learning and iterative model updates and to avoid model drift (i.e. model degradation as the data, patterns or attacks change).

What information is screened?

First, we need to do some groundwork to ensure our models are utilizing high quality data. To do this, Lynx starts with data validation, to establish accurate data feeds (e.g. who and what information is being screened?) and to target transaction and customer details with the appropriate level of precision. For example, when searching for a sanctioned individual’s name in a transaction, the model should apply an “approximate match” to the name field, rather than an “exact match”, to cast a wide net that accounts for name variations. More on the model approaches is outlined below.
Before we get to the models though, we need to determine the sources that provide the sanctions information, such as sanctions watchlists or internal lists that outline the individuals, entities, countries, ships, etc., with whom transactions are prohibited. Once this is established, our configurable case management system allows users with the appropriate permissions to create complex rules for these watchlists to ensure specific lists are included or excluded (e.g. filtering for OFAC to ensure US sanctions lists are included).
After the data has been validated, the watchlist sources have been established, and the frequency of screening has been set (we can screen in real time, as in milliseconds, a capability we’ve brought over from our real-time fraud solution), our models get to work screening transaction and customer details.

Lynx’s approach

Lynx applies a layered approach to name screening. We first “widen the net” to consider multiple variations of the names involved in the transaction, as well as the names on the watchlists. This allows the models to account for nicknames, misspellings, phonetic similarities, adding/removing brackets and whitespaces, etc. This of course increases the number of possibilities.
We then apply methodologies to “narrow the net”, or focus on which name variations actually match the fields from the transaction. We apply multiple approaches here to derive a similarity score, including distance algorithms, phonetic algorithms, and AI models trained on large sets of data with known screening traps. Our models continually learn from new traps introduced by new data sets. The model ultimately assigns a score assessing how closely the transaction names align to the watchlist names. If that score exceeds the threshold set by our client, an alert is produced. Using this hybrid and layered approach, we have seen decreases in false positives, while also achieving a high level of accuracy (AKA no false negatives).
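
The widen-then-narrow flow described above can be sketched as follows. This is an added example, not Lynx's models or code: the watchlist names and nickname table are constructed, Soundex and difflib's similarity ratio stand in for the unspecified phonetic and distance algorithms, and the 0.7/0.3 weights and 0.85 threshold are assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from itertools import permutations

# Constructed sample data (assumptions): watchlist entries and nickname table.
WATCHLIST = ["Robert Examplov", "Maria (Masha) Testova"]
NICKNAMES = {"bob": "robert", "bobby": "robert", "masha": "maria"}

def normalize(name):
    """Lower-case, strip accents, drop bracketed aliases and punctuation."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[\(\[].*?[\)\]]", " ", s.lower())
    return re.sub(r"[^a-z ]", " ", s).split()

def variants(name):
    """'Widen the net': expand nicknames and try every token order."""
    tokens = tuple(NICKNAMES.get(t, t) for t in normalize(name))
    # Cap the permutation blow-up for long names.
    return set(permutations(tokens)) if len(tokens) <= 4 else {tokens}

def soundex(word):
    """Classic Soundex code, standing in for the phonetic algorithm."""
    groups = ["bfpv", "cgjkqsxz", "dt", "l", "mn", "r"]
    codes = {c: str(d) for d, grp in enumerate(groups, 1) for c in grp}
    out, prev = word[0].upper(), codes.get(word[0], "")
    for c in word[1:]:
        code = codes.get(c, "")
        if code and code != prev:
            out += code
        if c not in "hw":  # h and w do not separate equal codes
            prev = code
    return (out + "000")[:4]

def ratio(a, b):
    """Similarity in [0, 1]; stands in for a normalized edit distance."""
    return SequenceMatcher(None, a, b).ratio()

def score(txn_name, list_name):
    """'Narrow the net': blend edit similarity with phonetic agreement."""
    best = 0.0
    for ta in variants(txn_name):
        for tb in variants(list_name):
            # Compare with and without whitespace to absorb spacing changes.
            edit = max(ratio(" ".join(ta), " ".join(tb)),
                       ratio("".join(ta), "".join(tb)))
            phon = len(ta) == len(tb) and all(
                soundex(x) == soundex(y) for x, y in zip(ta, tb))
            best = max(best, 0.7 * edit + 0.3 * phon)  # weights are assumptions
    return round(best, 3)

def screen(txn_name, threshold=0.85):
    """Return (watchlist entry, score) pairs at or above the threshold."""
    scored = [(w, score(txn_name, w)) for w in WATCHLIST]
    return [(w, s) for w, s in scored if s >= threshold]
```

Lowering the threshold widens alert volume and raising it risks missed matches, which is the trade-off the threshold simulation in case management is meant to tune.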

Why was Lynx able to reduce false positives?

Legacy solutions have applied one or two methods to the matching process to ensure no missed matches but result in higher numbers of false positives. We drive down false positives without sacrificing accuracy by applying the right combination of data science and artificial intelligence to both expand and narrow the range of possibilities, without risking false negatives. 

Configurable Case Management

Finally, we pair our academic expertise with practical insight to deliver alerts into a smart case management system that reduces the burden on compliance managers. We give you the tools to: 
  • assign and prioritize alerts based on alert characteristics, 
  • configure a pre-generated narrative template, 
  • simulate different thresholds and watchlist filters to optimize alerts, 
  • provide out-of-the-box reporting dashboards based on industry best practice,  
  • provide dashboards configurable to your needs, 
  • enable real-time reporting capabilities (No waiting for data refreshes… real-time KPIs.) 
And we’re not stopping there. We are building the next generation of AI-enabled case and quality management to bring the age of AI to compliance operations professionals.  Ultimately, we aim to optimize the way organizations detect and manage financial crime, using AI-led, human-centered AI technologies to illuminate risk, eliminate the mundane and allow you to focus on what really matters.   
[1] https://mitsloan.mit.edu/ideas-made-to-matter/machine-learning-explained
[2] What is generative AI