Business Process Services White Paper Five Critical Metrics that Enhance Credit Card Fraud Detection
About the Author Tuhin Lawrence Bhura Tuhin Lawrence Bhura is a consultant in the fraud and Anti Money Laundering (AML) domain, and has led several business consulting assignments and process reengineering efforts in this space. He has 10 years of consultancy and delivery management experience in fraud detection and AML across multiple products and channels in several geographies. His project on fraud loss reduction for a reputed global bank earned him the Indian Statistical Institute's coveted recognition for the best Six Sigma project of the year, and has been featured in Six Sigma Software Quality Improvement published by McGraw-Hill.
Abstract Financial institutions (FIs) are losing signi cant amounts of money to credit card fraud every year. Every time fraud loss goes up by even a few basis points, the reputation of the FI suffers. More importantly, the negative impact on the customer makes it imperative for banks and service providers to mitigate fraud risk. Cards are among the most susceptible of all product types, and require extensive intervention to prevent losses through fraud. This paper delves into the question of whether banks and nancial service providers have done enough to mitigate card fraud. It also discusses certain critical metrics that are often neglected, but can be effectively used to detect fraud, and save time and costs.
Contents Current Methods Used to Detect Card Fraud 5 Using Key Metrics to Improve Fraud Detection 5 Metric #1: Point of Detection (PoD) 6 Metric #2: Average Fraud Loss per Case 8 Metric #3: Loss Avoidance Value (LAV) 8 Metric #4: Agent Detection Rate (ADR) 10 Metric #5: Queue Penetration Rate (QPR) 11 Deploying a Cost-effective Methodology to Aid Fraud Detection 12
Current Methods Used to Detect Card Fraud In their effort to prevent and detect financial crime, organizations develop and invest in tools, techniques, and skilled resources on an ongoing basis. Preventive techniques and detection scenarios created with analytical models help construct the first layer of filters. Robust detection teams identify suspicious activity. Credit cards tend to be the most vulnerable of all product types, as the sheer volume and real-time nature of transactions make fraud detection and prevention a formidable task. Card product companies therefore employ some of the most sophisticated platforms, applications, scoring mechanisms, knowledge sharing models, as well as round-the-clock manual surveillance for fraud detection. A common method employed by organizations to enhance their prevention and detection mechanism is behavior-based transaction monitoring. This involves analyzing transactions, within the context of a customer's regular behavior, to isolate and alert the authorities in case of suspicious activity. Many antifraud solutions rely on 'if then' statements to generate a report of transactions that fall within a rigid set of guidelines. These systems lack flexibility as they do not adjust to activity that does not match the preprogrammed rules. This makes it easy for intelligent criminals to work around the system. While all market-leading solutions provide real-time risk scoring, it may be not be enough as financial criminals can just as easily attack from a low profile risk score as a high-risk one. As a result, there is a need for real-time risk scoring that uses behavior-based monitoring as a continuous feedback loop to validate profile risk scores. Real-time risk scoring incorporates the dual dimensions of Profile Risk Scores (PRS) and Behavior Risk Scores (BRS). Fraud detection techniques can be classified into different categories. These include neural networks, data conditioning and sampling for effective accuracy evaluation of parameters, outlier detection, selforganizing maps, Bayesian classifiers, artificial immune systems, and fuzzy systems. Generally, fraud detection is viewed as a data-mining classification problem, where the objective is to correctly classify the card transactions as legitimate or fraudulent. While this may be somewhat true, data analysis does not provide the perfect solution. This is primarily due to the scarcity of real datasets as only a few fraud detection models have been implemented in actual detection systems. Key Metrics for Fraud Detection The following sections highlight the importance of implementing and tracking effective metrics in card fraud detection. We will also delve into the top five metrics that every card fraud detection team should use, along with the relevant approach and likely benefits. This is by no means an exhaustive list of metrics, and FIs can create customized metrics that meet their requirements. 5
1. Point of Detection This recent phenomenon in the field of fraud detection is very quickly gaining popularity amongst fraud risk operations teams. The point of detection (PoD) measures the number of fraudulent transactions that were missed in a fraud case before the fraud system flagged the first alert. Therefore, a PoD of three would mean that the system was able to detect suspicious behavior and raise an alert only on the third fraudulent transaction. Alternatively, the PoD can be measured based on the alerts reviewed, i.e., for alerts generated in the system and reviewed by an agent or investigator. Additionally, this indicator can be used to: Measure the percentage of fraudulent transactions that are caught on the very first attempt. The higher the percentage, the better. Track the time taken to respond to an alert from the moment it is triggered in the fraud system. Track the loss that could have been prevented, if the alert had been attended to immediately. This metric helps evaluate the efficacy of the fraud system and the fraud detection team. The ability of a system to pick up the alerts quickly will result in the organization reducing fraud losses by a significant margin. If the average PoD of a system drops by even a fraction of a transaction per account, it can lead to a major difference in the overall numbers. Modifying the capacity according to the alert volume enables agents to address alerts faster. Enhancing capacity by adding resources during peak hours of operations can also help reduce the PoD for alerts reviewed by an agent. Alternatively, adjusting the detection scenario rules can help minimize false positives and optimize capacity by decreasing the ratio of alerts to agents. This can also help enhance the PoD. The following example illustrates how the PoD metric can be improved through another methodrole redesign. A leading card and payment processor in North America redesigned the role of its agents on the operations floor to lower its PoD. A dedicated team was formed to handle all outgoing verification calls and serve as 'verifiers'. The remaining functions were performed by 'investigators', who were responsible for detecting and reviewing suspicious alerts. The investigators were not responsible for verifying any of the outbound or inbound calls. This approach is illustrated in Figure 1 using sample data. It is assumed that it takes approximately five minutes to review an alert end-to-end, including these activities: (A) review, (B) block, (C) call customer, and (D) take final action. 6
1:00 2:00 4:30 Review Block Call Customer 1,000 alerts /day 1 out of 10 alert - 100 alerts/day Customers reached - 50%-50 alerts/day 5:00 Final Action 50 alerts / day Figure 1: Process flow for debit card fraud detection Before the role redesign, a six-member investigator team reviewed 60 alerts a day, which meant each agent reviewed 10 alerts. The review time for 10 alerts was 10 minutes or 600 seconds. As shown in Figure 1, the block ratio was 1:10, hence there were six cases to be blocked. The total block time taken was six minutes or 360 seconds. Therefore, the total review time for investigations (activities A and B) for all 60 alerts was about 960 seconds. 1000 800 960 seconds to complete 60 samples 600 400 200 0 Figure 2: Total review time for all alerts Now the organization has split the functions across two roles: investigators and verifiers. Sixty sample alerts are reviewed by five investigators (with the remaining investigators playing the role of a verifier). With all other ratios maintained as above, the total review time for investigations (activities A and B) for all 60 alerts appears to be about 810 seconds since the blocks can now happen in parallel to the review tasks, as illustrated in Figure 3. 1000 800 600 400 200 (repetitive) 0 Figure 3: Reduction in total review time 7
The time taken to detect fraud decreased by nearly 20% (reduction from 960 seconds to 810 seconds). This helps agents review and block cards sooner and increase their response time to alerts by 18%. In effect, by employing role redesign, the FI was able to reduce PoD by nearly 20%. 2. Average Fraud Loss per Case An allied metric to point of detection is the average fraud loss per case, which quantifies the value of loss per fraudulent transaction. This helps estimate the true impact of fraud. Figure 4 illustrates this metric at a large US bank. $300 $250 $200 $150 $100 $50 $- $260 $189 $210 $217 $221 $232 $198 $206 $207 $219 $215 $207 $51 $57 $61 $72 $62 $63 $56 $54 $57 $57 $59 $54 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Avg. gross fraud loss per case Avg. gross transaction per case Figure 4: Loss per case over a period of 12 months The average gross fraud loss per card for the year is about $215 and the average fraud transaction amount is about $58. This data reveals the amount of loss sustained by the bank for every transaction that occurs after the alert is triggered in the system. 3. Loss Avoidance Value (LAV) Fraud detection teams are always looking at ways to reduce the cost of operations, and justify their operating capacity. Despite their efforts to save millions of dollars in the form of fraud losses, and protect the reputation of the bank, fraud detection teams are still viewed as cost centers. Most of these units operate on budgets that are assigned on a yearly basis. Sometimes, the approved budgets are not sufficient to implement robust strategies. It is therefore imperative for a fraud detection team to adequately highlight the value it brings to the FI. A credit card fraud detection team can measure its performance and validate its expenditure more effectively than a debit card team. The credit card detection team often estimates actual losses as gross values that have not been recovered. The LAV is estimated at the cards Open to Buy (OTB) or Open to Purchase (OTP) value. For instance, if a card's credit limit is $10,000 and the used value is $2,300, the OTB or OTP is the value of the credit limit left on the card ($10,000 - $2,300 = $7,700). Credit card detection teams are able to justify their business needs by putting together a grand total of possible loss exposure or the LAV. 8
However, debit card detection teams do not enjoy the same luxury. While the gross loss is estimated by adding the loss value not recovered, the LAV cannot be scientifically measured. Some of the metrics that FIs currently use are ineffective. FIs can choose any of the following metrics to estimate loss avoidance in the case of debit cards: Metric 1: The average number of days that the customer takes to identify fraud multiplied by the average value of losses per day. This depends on factors such as the number of linked accounts, the withdrawal limit, and the day of the week. Metric 2: The average value of fraud claims over the last year is another indicator of LAV. Metric 3: The average value of fraud claims per account balance available in any customer segment category. Metric 4: For every fraud identified, responses to a specific questionnaire (as shown in Figure 5) should be tabulated to arrive at a potential loss value. While this method may appear complicated, the questionnaire and relevant responses can be automated easily at the back-end to arrive at the specific loss value for every identified fraud transaction. Of the options listed above, metric 4 is by far the most scientific and acceptable to auditors. This approach is explained further with an example in Figure 5. This approach requires the fraud analyst or an automated system to fetch responses to a series of questions. These responses help evaluate the fraud loss avoided on a particular card fraud. The questions provided are indicative and the actual questionnaire needs to be developed based on the FI's risk and account structure. No. Criteria Responses for Accounts Responses for Linked Accounts Remarks Number of days since the rst disputed transaction occurred Account balance on the day of identi cation Withdrawal limit per account Did the fraudster use a linked account? 3 3 $8,000 $2,000 $1,000 $1,000 Yes Day of the week Tuesday Tuesday 9
A Maximum withdrawal exposure (in ve days) $4,000 $2,000* (limited balance) Four days considered due to the weekend. Five days would have been considered if the day of the week was Monday. B Maximum Point of Sale (POS) transaction value exposure $8,000 No POS Average of (A) & (B) $6,000 $2,000 C Possible loss exposure (conservative estimate at 50% of value in the row above) $3,000 $1,000 Loss that occurred prior to identi cation of the fraud (this is not a speculative value, but an actual one) $3,000 $1,200 Loss of approximately $1,000 per day in the main account and $400 per day in the linked account D Average fraudulent transaction per day x exposure days $4,000 $1,600 Four days Loss avoidance value average of (C) & (D) $3,500 $1,300 $4,800 Figure 5: Recommended method for estimating LAV 4. Agent Detection Rate (ADR) The agent detection rate comes second only to the use of basis points as an ideal quality metric. The ADR represents the total number of fraudulent cases identified by an agent as a percentage of total fraudulent cases in the work queue. This appears to be an obvious way to estimate the ADR. However, in most detection processes, agents are tracked separately based on cases they missed, and their efficiency in blocking or detecting suspicious activity. When fraud losses are missed by an agent but identified by the claims team, the missed cases are flagged and communicated back to the agents. Nevertheless, mere communication and detection of missed cases is not a perfect measure of success, and begs the use of a better quality metric. 10
Suspicious activity within the 'alerts reviewed' category cannot be estimated in real time. Suspicious activities would include the sum of Confirmed Fraud (CF) activities identified by the agent and the number of Fraud Claims (FC) received by the claims team in a given period: ADR = CF/(CF+FC) The ADR may be measured as the number of card frauds or the value of accounts. The ADR may be measured and tracked at the team level as well. However, if SAFE and TC40 type reports are accessible, the overall fraud identified i.e., fraud claims including confirmed frauds for a given period can be taken from this report. This approach, however, is limited by time constraints, as the claims data is not received on the same day as the review data. In some cases, it may take more than two months to receive an FC for an agent. We believe that ADR assessment can be better measured in the following ways: 1. Real-time ADR: This requires computing the current identification rate on the basis of the FC received over a previous period. For example, if an agent has identified 30 CFs as of January 31 and 12 FCs over the prior three months excluding January, the agent's ADR is 71% (i.e., 30/[30+12]). 2. Recurring ADR or next-quarter ADR: This method makes it possible to delay the estimation of an agent's ADR by a quarter or any agreed period of time. Although this method does not generate real-time feedback, it provides a more logical approach to estimating the ADR. It ensures that the CF and FC belonging to the same period are used to evaluate the ADR. Another option would be to estimate the ADR in both formats and use it to assess agent performance and provide feedback. 5. Resolution Rate Resolution rate is a critical problem for the card fraud detection team. The Queue Penetration Rate (QPR) is the rate at which alerts on the queue are addressed on a given day or time. QPR can be explained through an example. If, for instance, 20,000 alerts enter the fraud detection queue in a day but agents work on only 5,000 of these, then the QPR is 5,000 divided by 20,000 (25%). Most banks operate under the assumption that it is only critical to work on top-of-the-queue or high-risk alerts, since the majority of fraud losses can be avoided through high-risk alerts. Additionally, if a low-risk alert or a bottom-of-thequeue alert shows incremental suspicious activity, the risk score of that account increases, and it ascends the queue. This change in hierarchy or risk score ensures that the particular account is reviewed on priority. However, this method allows a low-risk alert to engender fraud losses until such time as further losses push the case up the queue for review. This is an extremely reactive approach and may lead to large losses. All alerts generated must be reviewed by the detection team, however, banks often do not achieve this state as they do not always have the necessary capacity. Figure 6 illustrates the example of a regional bank from the US that had an average queue penetration of just 30% on weekdays and about 12% on weekends. 11
Category Volume Queue % Basis Points Real-time Decline Volume 18,684 24% 6.87 FICO score 900+ 6,775 9% 2.45 FICO score 800+ 17,993 23% 6.71 FICO score 700+ 34,657 44% 11.56 Figure 6: US regional bank's QPR for one month If the weekday average queue penetration is about 30%, then the team restricts its investigation to the top two categories (real-time decline volume and FICO scores of 900+). The category with the highest basis points tends to be ignored as it appears at the bottom of the queue. Understanding and managing the queue penetration percentage for every queue or category is essential, and is the only way to ensure that fraud losses are optimized across queues and categories. Deploying a Cost-effective Methodology to Aid Fraud Detection Card fraud is one of the biggest threats facing financial institutions today. With restricted budgets, and pressure to optimize costs and losses, operations managers need to seek out tactical measures to manage fraud effectively. Deploying and tracking simple yet critical metrics through automation can help financial institutions achieve this objective. These metrics are relatively easy to deploy and financial institutions can incorporate these into a fraud detection process. 12
About TCS Business Process Services Unit Enterprises seek to drive business growth and agility through innovation in an increasingly regulated, competitive, and global market. TCS helps clients achieve these goals by managing and executing their business operations effectively and efficiently. TCS' Business Process Services (BPS) include core industry-specific processes, analytics and insights, and enterprise services such as finance and accounting, HR, and supply chain management. TCS TM creates value through its FORE simplification and transformation methodology, backed by its deep TM domain expertise, extensive technology experience, and TRAPEZE suite of solution accelerators and governance enablers. TCS complements its experience and expertise with innovative delivery models such as using robotic automation and providing Business Processes as a Service (BPaaS). TCS BPS unit has been positioned in the leaders quadrant for various service lines by many leading analyst firms. With over four decades of global experience and a delivery footprint spanning six continents, TCS is one of the largest BPS providers today. Contact For more information about TCS Business Process Services Unit, visit: www.tcs.com/bps (http://www.tcs.com/bps) Email: bps.connect@tcs.com Subscribe to TCS White Papers TCS.com RSS: http://www.tcs.com/rss_feeds/pages/feed.aspx?f=w Feedburner: http://feeds2.feedburner.com/tcswhitepapers About Tata Consultancy Services (TCS) Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled infrastructure, engineering and TM assurance services. This is delivered through its unique Global Network Delivery Model, recognized as the benchmark of excellence in software development. A part of the Tata Group, India s largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India. For more information, visit us at www.tcs.com IT Services Business Solutions Consulting All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties. Copyright 2015 Tata Consultancy Services Limited TCS BPS Design Services I 11 I 15