Financial institutions such as banks, insurance companies, and investment firms have a lot to lose if they get fraud detection wrong. Making errors in identifying fraud can result in losing customers, while failing to detect real fraud can result in severe data breaches.
A few years ago, CNG Holdings, a financial services company offering loans, check cashing, and leasing, found itself in this predicament. For years, the company had been using a homegrown system that relied on internally developed rules. However, as fraud detection became more complex, the system became increasingly unreliable, capable of missing actual fraudulent activities and producing an unacceptably high rate of false positives. Over time, the company had simply lost confidence in the effectiveness of its system.
“It was old technology, and it used an old method of fraud management,” said Rick Cooney, vice president of fraud and identity management at CNG Holdings. “We were shutting down a large number of deals because we had no idea whether they were fraud or not, so we were turning away good business.”
It’s common for older financial systems to encounter false positives and struggle to keep up with evolving threats, noted Ouliana Smith, a senior research analyst for financial services at Omdia. The adoption of web-based transactions, particularly real-time payments, has significantly transformed the landscape of fraud, as well.
A New Direction for Fraud Detection
These various factors led CNG Holdings to hire Cooney in 2018 to devise a more effective strategy. After about 30 days of closely examining the existing system, Cooney concluded that a complete system overhaul was necessary. “We had no reporting, we were impacting customers, and we weren’t effective,” he explained.
Furthermore, Cooney took an unconventional approach to the project, asserting that, in reality, fraud cannot be entirely prevented. “If you continually try to fight fraud, you’ll lose because there is just too much of it,” he said. “I came from the credit card business when we were fighting counterfeiting. The better we got at fighting it, the more they attacked, and the more they attacked, the more data they got. It’s the same thing with identity fraud. If you build your mousetrap to stop fraud, you will still have gaps, and, once they find those gaps, they will exploit it by blowing it wide open very quickly.”
With that mindset, Cooney decided to stop worrying about fraud patterns. Instead, he opted to build a process that uses behavioral biometrics to identify every customer the company does business with. He framed these biometrics around the concept of identity management using a multilayered defense strategy.
The result would be a system that uses identity management and multifactor authentication to verify customers’ identities. The layered identity management approach would involve various technologies to flag high-risk transactions and incorporate different types of authentication.
Finding a Partner
To begin this initiative, Cooney needed the company’s permission to collaborate with a vendor partner to develop an orchestration layer and decision engine. It was a big ask since he couldn’t initially find vendors that had already built a system according to Cooney’s vision.
“We needed a partner we could send an API to that would be flexible enough to do what we told them to do with it,” Cooney explained. He added that the partner could be a management company, device fingerprinting company, AI company, fraud scoring company, or customer identification process (CIP) company. Additionally, the partner needed to have the capability to immediately link to any vendor necessary, allowing CNG Holding to capture and consolidate data. Then, CNG could make decisions about whether fraud exists based on rules developed in a rules engine using scores.
CNG seems to be onto something. Platforms that use APIs to connect to third-party data sources in real time can enhance decision-making across lines of business. However, many financial institutions struggle to implement such platforms because of legacy systems, Smith said. “Banks need to increasingly put the modern technology and solutions into practice while driving best practice and real-time fraud attack data sharing with key stakeholders to improve their chances of success.”
After issuing a request for proposal and narrowing down the field, Cooney chose to partner with SAS, an analytics software provider. SAS would develop an identity-focused system based on its SAS analytics platform.
The end product was the SAS Identity 360 platform, hosted on Microsoft Azure.
Developing the Process
The first step was to create the orchestration layer overseen by SAS. CNG informs SAS whenever a connection to a specific vendor or process is required, and SAS manages those requests. That also includes receiving and storing the data associated with the vendor call, which is used in formulating rules.
The process has turned out to be fairly seamless, noted Jorge Chavez Miranda, a software architect at CNG Holdings. For example, CNG can quickly decide when to connect – or when not to connect – to different data and service providers. Changes can be made to the processes as needed.
When the business adds new data and service provider partners, SAS develops the necessary adapters to communicate with those vendors and ingest the data, Miranda explained. The new data can then be incorporated into the overall decision-making strategy in conjunction with the existing data and services that CNG was already using.
Another important piece of the process involves verifying the authenticity of identities. To do that, CNG uses a combination of CIP, which confirms the legitimacy of identities as opposed to synthetic ones, and multiple forms of authentication. Cooney emphasized the importance of the system using more than just one type of multifactor authentication, as cybercriminals can eventually bypass a single method. Instead, CNG chose to use four or five different forms of authentication, although it only uses one form per customer based on the assessed risk associated with that identity.
Each day, CNG uploads its new files of known fraudulent activities to SAS. The files include lists of blocked social security numbers, email addresses, phone numbers, birthdates, addresses, and other personally identifiable information linked to fraud. This data is continuously collected through CNG’s device fingerprinting, a behavioral biometrics system that uses machine learning and AI, as well as its CIP tool.
The final piece of the solution was a customized case management system for handling alerts. The system was developed by a third party per CNG’s specific requirements and was built on the ServiceNow platform. Each application within the system includes reason codes that help assess the relative risk of fraud.
“For example, we have a specific reason code to tell us when a [loan] application with a phone number and bank account associated with it is associated with a prior fraud event on our block list,” Cooney said. “That reason code causes an alert, and a case is set up in the case management system.”
From that point, an agent reviews the data and links it back to the reason why the phone number and bank account were originally put on the block list. The agent then assesses whether the new application is fraudulent. If it is determined to be fraudulent, any additional information, such as a different email or physical address, is included in the block list. This enables the application to continually learn.
The New System in Action
Since 98% of fraud involves new customers, Cooney decided to begin by focusing on that applicant pool. When a prospective new customer submits an application, their data elements are processed through the orchestration, checking the block list, device fingerprinting, where they are applying from, if they are applying on a proxy, if a bot is involved or it’s a known bad device, and if there have been multiple applications from various individuals using the same device. The results are compared against known fraud attack patterns.
Each application is screened for specific characteristics known to fraud rings. The data is then cross-referenced with CNG’s own fraud rules and information gathered from prior attacks. If anything triggers an alert during this process, it's forwarded to the case management system.
Eventually, an application reaches the point where it has successfully passed all tests, including behavioral biometrics. At this point, it receives clearance for approval.
The system performed effectively, to the extent that six months after its rollout to new customers, it was expanded to include returning customers and other processes, such as originations and online services. As a bonus, the process has significantly reduced CNG’s rate of false positives.
Cooney said that the next step is to develop a similar system for CNG’s leasing business. While this presents more challenges because it’s not direct-to-consumer (it’s business-to-business-to-consumer), he said he hopes to complete the project before his retirement next year.
About the authorKaren D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek and Government Executive.