Money20/20 2018: Top Three Takeaways for Fraud and Risk Teams
Last week, a number of my colleagues and I attended Money20/20 Las Vegas, the premier financial and payment technology conference of the year. In between the talks and a number of discussions with fellow attendees, there was a lot of great information being exchanged regarding the future of fraud and financial crime. In case you missed the event or could not attend the sessions, here are my top three takeaways from the event for fraud and risk teams.
1. Criminals are migrating to digital channels, and online user accounts are at greater risk than ever before.
A major discussion point in the conference was the impact of EMV chip adoption on the overall fraud landscape. The rapid adoption of EMV chips in the US has in large part been driven by the liability shift implemented in 2015 by major payment networks placing the liability of counterfeit card fraud on the party – issuer or merchant – that has yet to support chip technology. This shift has provided a huge incentive for both issuers and merchants to adopt EMV, and has been successful in decreasing counterfeit fraud by more than 50%.
However, as with past cases where measures were put in place to block a certain type of fraud, criminals are not deterred – they simply migrate to more vulnerable channels to fund their illicit revenue stream. In particular, online channels have proven to be attractive for criminals in part due to their ability to better preserve their anonymity and conduct attacks at a larger scale using botnets and scripts.
In the panel session “Fraud Whack-a-Mole: Securing Payments in a Post-EMV Chip World”, panelists mentioned the following trends:
- Card-Not-Present (CNP) fraud is up 40% since the liability shift occurred
- Account takeover (ATO) is on the rise
In addition to the above trends, many expressed concern with the uptick in online application fraud such as synthetic identity and true name fraud. In combination with the rise of automated, sophisticated attacks and ever-increasing breaches of personal data, online accounts are more vulnerable than ever before. Being better able to leverage digital signals to detect fraud will be a key focus for risk teams in the coming years.
2. Early, accurate detection of fraudulent activity will become increasingly critical as faster payments become the standard.
Faster payments have been top of mind for many financial institutions for some time now, with countries around the world either having already rolled out faster payment initiatives or on track to do so. At the conference, faster payments continued to be on the radar of many participants.
In 2008, the UK was an early adopter with its Faster Payments Service (FPS), followed by the Eurozone’s SEPA Credit Transfer (SCT) in 2017. In the US as well, faster payments are on the near horizon, with the Federal Reserve’s Faster Payments Task Force aiming to roll out faster payments in the US by 2020. With these developments, financial institutions large and small are asking the same question: how will this impact fraud?
Looking at historical trends, fraud rates increased by 300% in the years following the rollout of Faster Payments in 2008 in the UK. With faster payments, criminals were able to get away with money faster than the accounts and transactions could be reviewed and frozen.
One way to counter this inevitable risk is to block the fraud upfront using various forms of authentication – biometrics was a popular topic at the conference. However, history has shown that no authentication method is foolproof – SMS-based authentication and one-time passwords (OTPs), once considered to be relatively secure, have since been shown to be vulnerable to various attacks such as authentication bypass, SMS interception, carrier breaches and more.
In addition to improving authentication, merchants and issuers alike need to invest in real-time machine learning based fraud detection solutions that provide faster and more accurate detection of emerging attacks, serving as an effective second layer of defense.
3. The community is starting to become aware of the limitations of supervised machine learning with respect to fraud.
AI and machine learning continued to be a hot topic at Money20/20 this year, but the tone of the conversation has shifted significantly. In “Real Stories from the AI Arms Race in Cybersecurity & Fraud” and other sessions, participants elaborated on their challenges in implementing machine learning systems for fraud detection.
Many discussions touched on the fact that fraud is a use case unlike most others. Other machine learning problems such as image recognition have a relatively static “end goal” – a dog always looks like a dog and a cat like a cat – but fraud presents a moving target and is limited only by the creativity of the adversary. Once a new detection model is rolled out, criminals will quickly find holes and learn to get around the system again. Participants commented that risk teams need to look over their shoulder constantly and re-validate and re-tune models continuously in order to tackle new and unknown fraud patterns.
Model overfitting was also mentioned as a common problem. When a machine learning model is trained based on historical cases, oftentimes it will be “overfit” – that is, correspond too closely to the specific data that the model was trained on. While this phenomenon exists for any modeling scenario, it poses an enormous challenge for fraud use cases as the shifting nature of fraud means that any supervised model is prone to overfit and cannot effectively detect new fraud patterns that have not been previously seen.
Here are my takeaways and recommendations from Money20/20 this year.
- Focus on solutions that can make full use of digital signals. Be aware of emerging fraud trends and make sure that your customers’ online accounts have sufficient protection.
- Invest in early, accurate detection to block fraudulent transactions before they do damage. Leverage AI to reduce reliance on manual reviews.
- Understand the limitations of supervised machine learning, and explore technologies such as unsupervised machine learning to future-proof your fraud detection stack.