![Native[risk]](http://images.squarespace-cdn.com/content/v1/65704856a75e450a6d17d647/f3aa0ca7-8a4d-4034-992f-9ae514f1127e/Native+risk_logo-invert.png?format=1500w){kind=logo}
#09 - Why Velocity Checks Kill Conversion (and how to fix it)
One of the most powerful tools for stopping fraud are velocity checks.
But like any other powerful tool, they pose a danger.
Using them without care can increase false positives, hamper user experience and even jeopardize sales campaigns.
No wonder that Tomas, A TSFS reader, asked if I could delve into this topic.
So today we’re going to cover what velocity checks are, what kinds of checks we can employ, and best practices on how to employ them.
Definitions
A velocity check is aimed to answer how many times we’ve seen a certain “asset” in a particular time window.
An asset can be any data point, but usually in the context of velocity we focus on unique or semi-unique assets.
A unique asset identifies one user and only that user. An example would be a card PAN, a device ID or an email.
Side note: There are exceptions and edge cases to all of these examples, but I’m keeping it simple for now.
A semi-unique asset identifies a user, but can be shared between users. An example can be name, address, IP, etc.
Usually, each asset will have several counters that will update every time it appears in a new event in the network. The counters will differ in the windows of time they keep - one hour, one day, etc.
Here are examples for a basic velocity checks:
# of logins from the same IP address in the past 5 minutes.
# of payments from the same credit card in the past 1 day.
Velocity is the 2nd most powerful tool for stopping fraud.
How so? It all comes down to greed.
Fraudsters always seek to maximize their gains. The simplest way of doing that would be to try and commit one very high-amount fraud attempt.
The problem is that dealing with high amounts almost always leads to higher scrutiny. Both traditional FIs and Fintechs will put extra care when executing such user actions.
Amount-based limitations, friction, and step-up investigations are the first thing you put in place when mitigating fraud.
So the next best thing - from a fraudster's perspective - would be to attempt many low(er)-amount actions instead.
Yes, it takes more time and effort. And yes, some attempts are bound to fail. But fraudsters know that with enough “brute force”, they’ll be able to get away with some of it.
This is where velocity checks come into play:
While a fraudster is making repeat attempts across multiple accounts/users, velocity checks will identify this behavior.
All of this sounds good, so what’s the catch?
Velocity checks can mistakenly block good users as well.
Here are some example:
Users from the same location (e.g. festival, concert, sports event, etc.) using their 5G connection to transact online. All of them will be routed to one (or a mere few) IP address.
Users signing up for the company’s service on a fair booth, using the company’s own tablet device. All of them will show up with the same signup device.
Overseas users sending goods via a reshipping service will all use the same shipping address.
Company-internal testing scripts will get blocked for using the same internal IP address.
As we can see, not only that velocity checks can result in false positives, but they pose an even higher risk in combination with the business’ own activities.
Smarter velocity checks can help reduce false positives.
In fact, basic velocity checks like I’ve listed above are the ones I also tend to avoid implementing. There are better and more fine-tuned checks that I’ll be aiming to use. I’ll list some of them:
Overlaying assets: this method is highly effective in reducing false positives. You basically create a counter for a pair of assets.
For example, instead of checking:
how many times I’ve seen this email in the past hour?
I can check:
With how many different cards have I seen this specific email in the past hour?
This will help me avoid blocking a user who’s trying again and again to repeat a failed transaction.
Velocity by status: tell me if you see a difference in the risk between these two cases:
A customer tries to buy a laptop 3 times and fails, now trying for the fourth time with a new card
A customer who bought 3 laptops successfully, now trying for the fourth time with a new card
Big difference right?
In the first case, we assume it’s a legitimate customer who’s just trying to complete a transaction. In the second case, we ask ourselves: Who other than a fraudster needs to buy four laptops in one go?
This nuance can be detected if we have a velocity check that captures only completed actions, versus counting also failed attempts.
Velocity by STD: One of the issues with velocity is that it keeps hitting the same “common assets” again and again: An IP address of an airport wifi, a virtual terminal operated by a merchant, a default email value caused by a faulty partner integration. There’s no lack of examples.
By using standard deviation to measure the current velocity value against the normal distribution of this asset will help to filter out such cases.
Side note: velocity by STD can be a powerful tool, but it requires the highest development effort compared to the other methods covered. Take that into account before exploring low hanging fruits.
Velocity by amount: noticed how velocity is focused on counting events instead of actual financial exposure? Counting amount instead (or in addition) can help create a more complete risk assessment.
This can be especially helpful when dealing with APMs, where there’s also credit risk (e.g., bank transfers, BNPL, etc.).
Strapped in resources and cannot invest in sophisticated features?
Follow these hacks to reduce velocity false positives:
Approval lists: Are you hitting the same common assets repeatedly? Include them in an approval list that bypasses velocity checks. But use it wisely! Are you sure fraudsters cannot infiltrate this flow? Be certain you have other fraud prevention mechanisms in place.
Campaign alignment process: I’ve seen too many times sales and marketing campaigns (and budgets) go up in flames because of velocity checks. Make sure your commercial teams are aligned with your fraud team before they launch a campaign. A minimum of two week’s notice is recommended.
Avoid basic, semi-unique velocity checks: I mostly see this with velocity IP usage. It might be ok for “soft” actions like login attempts, but I would avoid using it for signups or payments. The false positives might be high, and there are probably better ways to catch fraud there.
These are crude methods to avoid false positives, and they cannot scale very well.
But in the absence of more sophisticated means, it’s well worth trying them out.
TL;DR
Velocity checks can be a double-edged sword: They are very effective in stopping fraud, but they can drive false positives as well.
Do this to make sure you use them correctly:
Combine them with other heuristics to make sure you don’t rely on them only
Don’t limit yourself to basic velocity counters - implement more nuanced checks
In absence of the above, create dedicated approval lists (but manage them with care!)
Do this well and you might find you don’t even need to implement AI scores to fight fraud.
Have questions or feedback? Reply to this email, I read all messages.
That’s all for this week.
See you next Saturday.
P.S. If you feel like you're running out of time and need some expert advice with getting your fraud strategy on track, here's how I can help you:
Fraud Strategy "Power Call" - Book a consultation call with me to get clear, actionable recommendations that fit your budget. Guaranteed.
Book a Call Now >>
Fraud Strategy Workshop - are you an early-stage Fintech that needs to move fast and with confidence? Book this 1.5-hours workshop to get instant insight into your vulnerabilities, optimization opportunities, and get clear actionable recommendations that won't burn through your budget.
Book Your Workshop Now >>
Fraud Strategy Transformation Program - are you a growth-stage Fintech in need for performance optimization or expansion of your products offering? Sign up to this 6-8 weeks program, culminating in a tailored made, high-ROI roadmap that will unlock world-class performance.
Schedule a Call Now >>
Enjoyed this and want to read more? Sign up to my newsletter to get fresh, practical insights weekly!
