Effective fraud prevention involves more than just "stopping fraud". Fraud can't be stopped effectively unless you also manage cost, preserve user experience, and avoid potential false positives. Resolving these details becomes harder at scale and as fraudsters' methods evolve.
When it comes to fraud risk — how much is too much?
Good user experience (UX) is key to competing in digital financial services, but it can also lead to increased fraud risk. If your products are easy for legitimate customers to apply for and use, they may also be easier for fraudsters to exploit.
If your fraud checks are too lenient, the risk of fraud (and fraud attacks) increases dramatically. Conversely, if you adopt a zero-fraud policy, you’re likely to lose a large pool of potential customers due to false positives or a poor UX which causes drop-off.
Instead, consider a perspective which splits applicants into three groups:
1. Applicants you definitely want to approve
2. Applicants you definitely want to deny
3. Applicants that aren’t in group 1 or 2
This guide will cover how to efficiently auto-deny and auto-approve customers. It will also cover how to use step-up authentication and graduated onboarding to approve and service more good customers while keeping fraud risk under control.
Fraud is an ascendant threat. 62% of financial institutions (FIs) reported a YoY increase in fraud volume in 2022, and every dollar in fraud losses costs financial firms $4 today — more than a 20% increase from 2019.
It's also a widespread threat. Fraudsters are continually testing FIs’ fraud prevention systems for gaps in coverage. This small-scale testing behavior is what we call “ambient fraud”, and it’s how fraudsters uncover vulnerabilities that they can exploit later in a coordinated fraud attack.
Your fraud prevention systems should be able to fend off a majority of ambient fraud and fraud attacks without manual intervention and without impacting customer experience. How? By structuring data sources according to these two rules:
Use multiple, complementary data sources to optimize coverage.
Structure your fraud checks in order of low to high customer friction, and in order of free data services to paid ones.
Complementary data will offer you as much coverage as possible with minimal redundant coverage. The objective is to structure your system so that specific fraud threats are being checked for by the data sources best suited to detecting them.
Meanwhile, ordering fraud checks from free to paid can reduce cost, and ordering them from low to high friction can reduce unnecessary interruptions to the customer experience. Your data sources should be ready when you need them, but shouldn’t interfere with the onboarding process when you don’t.
Finally, make sure to run fraud checks before anything else. Other components of your onboarding process like AML and credit checks can incur a cost every time you evaluate an applicant. Don’t run these AML and credit checks first, only to have applicants later fail fraud checks.
Data sources are the tools in your toolkit. Like any tools, some are built for specific purposes while others are more broadly useful. You don’t need to use every data source on every customer, and no single data source is sufficient to adequately address the spectrum of fraud risk.
Is this application created by a robot?
Preventing bots from entering your application process should be the first step, even before you collect any applicant PII.
Is the person on the application real?
To prevent synthetic fraud, you need to verify that the applicant is a real person. Data sources that offer fraud scoring can automatically flag potentially fraudulent PII or suspicious details like phone numbers or device data.
Is the named customer filling out the application themselves?
To prevent third-party fraud, use data sources that can detect identity theft. These tools can trigger step-up verification or manual review even if a fraudster is using legitimate PII belonging to someone else.
Try to obtain satisfactory answers to these questions using only the necessary tools in your toolkit.
The tools at your disposal will depend on the vendors you use. However, most data sources for fraud prevention fall under one of the following categories:
Generally, each data type is suited to a different purpose, whether that’s third-party fraud detection, bot detection, or catching synthetic identities. Data types can be mapped to the key questions as indicated below. You may have access to multiple fraud prevention tools within each data type, and each tool may vary in terms of specific fraud use cases and cost structure.
Keep in mind: multiple data types may attempt to answer the same question. For instance, behavioral data and device data both provide bot detection. This is not necessarily redundant, because behavioral and device data approach bot detection differently.
The optimal mix will also depend on your goals. Some data types like behavioral data or fraud scoring can be set up to run automatically and, in combination, can determine auto-approval or auto-denial given certain flags. Auto-decisioning in particular benefits from having access to multiple data types, as it’s much more difficult for fraudsters to pass multiple checks than to pass just one or two.
But there is a cost structure associated with every data source. Cost scales with volume for some (but not all) data types. That's why the sequence of your data sources can determine how much you spend, how much your UX is affected, and how many good customers you ultimately onboard.
We recommend using data sources in a specific sequence. This will help you prevent fraud and will ensure that you introduce cost and user friction only when necessary.
Ordering data sources from free to paid
Ordering data sources from low friction to high friction
With this sequence, you can eliminate clearly risky applicants earlier, before you leverage paid services. You can also ensure that clearly safe customers are approved without having to complete unnecessary steps like step-up or knowledge-based authentication.
What about applicants who fall somewhere in between clearly risky and clearly safe? They may be legitimate applicants with thin credit files or other unusual characteristics—or they could be fraudulent.
You can tell the difference using step-up verification. Requiring a scan or image of I.D. documents, along with a selfie for comparison, adds friction and likely isn’t something you want to put every applicant through. But step-up can give good applicants a way to prove their identity. It also uncovers a significant amount of fraud and is much more secure than knowledge-based authentication.
There are some applicants who fall in between clearly risky and clearly safe. Step-up authentication is designed for you to give these applicants a second look.
Step-up authentication effectively de-risks your applicant pool by identifying the safest and riskiest applicants who can't be auto-approved using standard data sources and approving or denying them, respectively.
What if an applicant passed step-up verification, but still triggered some potential fraud flags along the way? They're probably a legitimate applicant, but maybe you aren't confident enough to approve them outright.
It's possible to manually review these applicants, but your team may not be able to determine more information beyond what you collected through the application and step-up processes. For a more scalable alternative, consider graduated onboarding.
Graduated onboarding involves opening the account for these applicants but stops short of granting access to every feature. For 60 or 90 days, watch these customers closely for potential signs of fraud. If, by the end of this period, the customer has behaved normally and hasn’t raised fraud flags, then grant them full access (with ongoing fraud monitoring in place).
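The sequencing described above, sketched as an added example (not Alloy's code): checks run free to paid, a clear failure stops the pipeline before more money is spent, flagged applicants go to step-up, and applicants who pass step-up but carry several flags get graduated onboarding. The check names, prices, the two-flag threshold and the sample applicants are all assumptions constructed for illustration.

```python
# Hypothetical checks and per-call prices (USD); not real vendor pricing.
COST = {"bot": 0.00, "device": 0.00, "fraud_score": 0.25, "id_theft": 0.40}
FREE_FIRST = ["bot", "device", "fraud_score", "id_theft"]
STEP_UP_COST = 1.00  # document + selfie verification: paid and high friction


def decide(signals, step_up_passes, order=FREE_FIRST):
    """Return (decision, spend) for one applicant.

    signals maps check name -> "pass" | "flag" | "fail".
    """
    spend, flags = 0.0, 0
    for check in order:
        spend += COST[check]
        result = signals[check]
        if result == "fail":      # clearly risky: stop before paying for more
            return "deny", spend
        if result == "flag":
            flags += 1
    if flags == 0:                # clearly safe: approve with no step-up friction
        return "approve", spend
    spend += STEP_UP_COST         # in-between group gets a second look
    if not step_up_passes:
        return "deny", spend
    # Assumed threshold: several flags despite passing step-up -> limited account
    return ("graduated" if flags >= 2 else "approve"), spend


# Constructed applicants: (signals, outcome of step-up if it is reached)
APPLICANTS = [
    ({"bot": "fail", "device": "pass", "fraud_score": "pass", "id_theft": "pass"}, False),
    ({"bot": "pass", "device": "pass", "fraud_score": "pass", "id_theft": "pass"}, True),
    ({"bot": "pass", "device": "flag", "fraud_score": "pass", "id_theft": "pass"}, True),
    ({"bot": "pass", "device": "flag", "fraud_score": "flag", "id_theft": "pass"}, True),
    ({"bot": "pass", "device": "pass", "fraud_score": "flag", "id_theft": "pass"}, False),
]


def run(order):
    """Decide every sample applicant; return (decisions, total spend)."""
    results = [decide(s, ok, order) for s, ok in APPLICANTS]
    return [d for d, _ in results], round(sum(c for _, c in results), 2)


if __name__ == "__main__":
    print("free first:", run(FREE_FIRST))
    print("paid first:", run(list(reversed(FREE_FIRST))))
```

Both orderings reach the same decisions; the paid-first ordering only spends more, because the bot applicant is charged for both paid checks before the free check rejects it.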
Automatically denying or approving obvious cases
Using complementary data sources
Ordering data sources from free to paid, and from low friction to high friction
Using step-up verification
Using graduated onboarding where applicable
Even after you onboard a legitimate applicant, fraud continues to pose a risk (in the form of account takeover fraud, for example). Build fraud models based on ongoing customer data as a further complement to effective fraud controls at the point of origination.
Understanding fraud means also understanding the tools at your disposal and knowing how and when to use them. A successful strategy will empower you to know fraud when you see it without losing legitimate customers or spending more than you have to.