#15 - Is your fraud strategy making you more vulnerable?
One of the oldest tenets you hear in fraud prevention is that you want to focus on, well… prevention.
And indeed, when you look at where our industry has innovated in the last decade, it’s mostly in the predictive elements of the job.
But what about fraud mitigation? Is there a place in a modern fraud management organization for responsive processes and tools?
Is it possible that by chasing an idealistic state, we’re left exposed to more fraud than necessary?
Today, I’d like to explore these two contrasting approaches to fraud management.
Which one is better?
The results might surprise you…
Fraud mitigation is the most basic form of managing fraud.
Its premise is very straightforward and easy to implement:
Once you incur fraud, you investigate it and design policies and/or processes to make sure it doesn’t repeat itself.
This simplicity is its greatest asset.
In order to implement it, you need to have some rudimentary components:
Alerts for incoming fraud (such as receiving a chargeback)
A response team (either FraudOps or Fraud Analytics)
A mechanism to facilitate system changes: block-lists, rule engine, SAR filings, etc.
The fact that you recognize at least one of the above as being used today by your company just goes to show: it’s a very prevalent approach.
But at the same time, it’s also a very criticized approach.
It assumes by default that you’re going to incur losses.
It assumes you must be reactive.
It assumes you don’t even try and pretend to preempt fraud.
And even when you disregard all that, it raises another question - can it be employed at scale?
If you need to manually investigate each fraud case/ring, how will you grow your business without linearly growing your team as well?
Fraud prevention aims to stop fraud in its tracks.
No one claims to eliminate fraud completely, but the essence is still the same.
Fraud prevention is all about taking proactive measures to stop fraud before – or as – it happens.
I usually see two approaches to it:
The first can be categorized as “supervised learning”, even when Machine Learning is not at play.
In essence, you create some sort of an automated process to block fraud patterns you’ve seen in the past.
What’s then the difference between this and fraud mitigation? It’s all about specificity.
Mitigating fraud, your “blocked patterns” will be quite specific to the fraud attack at play. It’ll focus on specific entity data, addresses and devices.
Preventing fraud, your “blocked patterns” would be more generic, either by employing behavioral rules (e.g., geo mismatch) or by training Machine Learning models.
Basically, you’re trying to learn from past fraudsters how future fraudsters will attack you.
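To make the specificity difference concrete, here is an added example (not from the original newsletter) that scores an entity block-list built from past chargebacks against a generic geo-mismatch rule on the same incoming traffic. All transactions, field names and labels are constructed for illustration.

```python
# Constructed sample data; field names are assumptions, not from the article.
ENTITY_FIELDS = ("card", "device")

CHARGEBACKS = [  # confirmed fraud from the attack already investigated
    {"id": "t1", "card": "c-111", "device": "d-A", "ip_country": "RO", "bill_country": "US"},
    {"id": "t2", "card": "c-222", "device": "d-A", "ip_country": "RO", "bill_country": "US"},
]
INCOMING = [  # (transaction, is_fraud) pairs; labels are used only for scoring
    ({"id": "n1", "card": "c-333", "device": "d-A", "ip_country": "RO", "bill_country": "US"}, True),   # same ring, reused device
    ({"id": "n2", "card": "c-444", "device": "d-B", "ip_country": "VN", "bill_country": "GB"}, True),   # new ring, new entities
    ({"id": "n3", "card": "c-555", "device": "d-C", "ip_country": "FR", "bill_country": "US"}, False),  # legitimate traveller
    ({"id": "n4", "card": "c-666", "device": "d-D", "ip_country": "US", "bill_country": "US"}, False),  # ordinary customer
    ({"id": "n5", "card": "c-777", "device": "d-E", "ip_country": "US", "bill_country": "US"}, True),   # fraud with matching geo
]

def build_blocklist(chargebacks):
    """Mitigation: block the exact entities seen in confirmed fraud."""
    return {(f, cb[f]) for cb in chargebacks for f in ENTITY_FIELDS}

def blocklist_rule(txn, blocklist):
    return any((f, txn[f]) in blocklist for f in ENTITY_FIELDS)

def geo_mismatch_rule(txn):
    """Prevention: generic behavioral rule with no knowledge of past entities."""
    return txn["ip_country"] != txn["bill_country"]

def score(rule, labelled):
    out = {"caught": [], "missed": [], "false_positives": []}
    for txn, is_fraud in labelled:
        hit = rule(txn)
        if is_fraud:
            out["caught" if hit else "missed"].append(txn["id"])
        elif hit:
            out["false_positives"].append(txn["id"])
    return out

def compare():
    blocklist = build_blocklist(CHARGEBACKS)
    return {"mitigation": score(lambda t: blocklist_rule(t, blocklist), INCOMING),
            "prevention": score(geo_mismatch_rule, INCOMING)}

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The block-list is precise but only stops the ring it was built from; the generic rule reaches the new ring at the cost of flagging the traveller, and neither stops the fraud that looks geographically normal.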
The second approach is “unsupervised learning”, where past examples of fraud are not needed.
In simplified terms, we’re speaking about anomaly detection: Identifying a suspicious behavior just by it being different enough from what you’d normally expect to see.
How do you do that?
Teams that focus on fraud prevention rely mostly on an inter-layered set of behavioral rules and different machine learning models.
As such, their composition tends to skew more towards data analytics and data science teams.
Side note: even if you acquire your score from a vendor, using it effectively will require a data team to manage it.
What’s the best strategy? Prevention or mitigation?
I bet that your first instinct would be to think Fraud Prevention is the way to go.
Your second instinct would be to think the best approach would be a combination of the two.
Here’s my hot take:
Most Fintechs should focus on Fraud Mitigation only.
You see, folks tend to think that relying on predictive systems that stop fraud before it happens is bound to eliminate their losses.
But in reality, it’s the other way around.
They can easily inadvertently increase them.
Let me break it down:
Frederick the Great is quoted as having said “He who defends everywhere defends nowhere”.
We need to remember that in the fight against fraud, we’re always playing defense. Being proactive has a very limited meaning in such a scenario.
Fraudsters choose where to attack, when to attack, and how to attack.
Trying to be ready to repel every conceivable fraud threat without any losses is exactly the “defending everywhere” that the quote warns about.
Think about it:
Will your velocity checks block the first attempts of a new attack?
How good are your fraud models at dealing with new regions or flows?
What anomaly detection algorithms do you know that don’t require human “babysitters”?
Fraud teams that focus on prevention find out very quickly that tweaking their models is a Sisyphean task that is bound to fail.
Those chargebacks will arrive.
But even worse:
By focusing on preventative measures and neglecting “defeatist” mitigation processes, these teams end up losing even more than necessary.
Getting the basics right is 90% of the work.
Before investing endless resources into predictive measures, ask yourself how fast you can resolve incoming attacks that penetrate your defenses:
How long does it take your team to notice a new attack once it starts?
How long does it take your team to analyze its source and develop appropriate mitigation steps?
How long does it take your team to test and deploy said steps?
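One way to answer these three questions with data, as an added example rather than anything from the original newsletter: take an incident timeline and attribute the confirmed fraud losses to the stage of the response during which they landed. The incident record, its field names and all amounts are constructed for illustration.

```python
from datetime import datetime

# Constructed incident record; field names are assumptions.
INCIDENT = {
    "started":  "2024-03-01T02:00",   # first fraudulent activity
    "noticed":  "2024-03-02T09:00",   # team notices the attack
    "analyzed": "2024-03-02T17:00",   # source understood, mitigation designed
    "deployed": "2024-03-04T11:00",   # mitigation tested and live
    # (timestamp, amount) of transactions later confirmed as fraud
    "fraud_txns": [
        ("2024-03-01T02:10", 120.0), ("2024-03-01T20:30", 340.0),
        ("2024-03-02T10:15", 500.0), ("2024-03-02T16:40", 260.0),
        ("2024-03-03T08:00", 900.0), ("2024-03-04T10:59", 410.0),
        ("2024-03-04T12:30", 75.0),   # landed after deploy: mitigation leaked
    ],
}
STAGES = [("notice", "started", "noticed"),
          ("analyze", "noticed", "analyzed"),
          ("deploy", "analyzed", "deployed")]

def ts(value):
    return datetime.fromisoformat(value)

def response_report(incident):
    """Hours spent and fraud loss incurred in each stage of the response."""
    txns = [(ts(t), amount) for t, amount in incident["fraud_txns"]]
    report = {}
    for name, start_key, end_key in STAGES:
        start, end = ts(incident[start_key]), ts(incident[end_key])
        report[name] = {
            "hours": (end - start).total_seconds() / 3600,
            "loss": sum(a for t, a in txns if start <= t < end),
        }
    deployed = ts(incident["deployed"])
    report["after_deploy_loss"] = sum(a for t, a in txns if t >= deployed)
    # The stage that cost the most money is where process work pays off first.
    report["bottleneck"] = max((n for n, _, _ in STAGES),
                               key=lambda n: report[n]["loss"])
    return report

if __name__ == "__main__":
    for key, value in response_report(INCIDENT).items():
        print(key, value)
```

In this constructed incident the attack was noticed within 31 hours, yet most of the loss accrued during the 42 hours spent testing and deploying the fix, which is the kind of gap a dashboard and a deployment playbook close.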
Our working assumption should be that fraud will penetrate our systems.
Preventative systems are never fault-tolerant, and so we first and foremost need to learn how to react to fraud.
There, I’ve said it.
We need to learn how to get good at being reactive.
It’s not about AI, anomaly detection, and cutting edge technology.
It’s about dashboards, alert systems, process playbooks, and training days.
You want to get good?
Get boring.
Think differently? Hit that reply button, I read all messages.
That’s all for this week.
See you next Saturday.