Using Risk Analytics to Fight Fraud and Maintain Compliance

Mark Crichton

Fighting financial fraud is an ongoing battle. A recent report found that in 2019, the total value of card fraud losses in the UK amounted to €706 million, with remote purchases accounting for 76 per cent of these losses. Given the growth of eCommerce, this isn’t surprising, but since the pandemic, cybercriminals have become more active, as they take advantage of people using digital platforms to carry out financial interactions.

Since lockdown began in the UK, over £16.6 million has been lost to shopping fraud alone, and the number of phishing-related websites has rocketed 350 percent since the start of the year. These phishing attacks, combined with countless major data breaches, have exposed over 15 billion consumer credentials – including bank account logins – which are now circulating on the Dark Web, enabling criminals to conduct fraudulent activity in the name of banking customers.

Meanwhile, financial and data regulations have placed more emphasis on security than ever before. Ensuring compliance with regulations such as PSD2 is critical for banks and FIs in order to avoid severe repercussions from industry bodies.

The challenge for banks and FIs is how to balance compliance requirements with the need to protect customers against the growing and rapidly changing threat of fraud, without compromising the overall customer experience.

Increased digital fraud and account takeover attacks

When lockdowns were put in place around the world, consumers were compelled to use mobile and digital forms of banking to comply with social distancing mandates. Criminals have always looked to follow where the money is, and so as transactions shifted to these online realms, digital forms of fraud surged.

At the same time, we’ve also seen fraudsters play on fears and increased communications to lure consumers into falling for scams. Since the start of the pandemic we’ve seen an abundance of coronavirus-related phishing campaigns targeting consumers to steal sensitive information, as well as several other campaigns designed to trick individuals into downloading malicious files such as malware. For example, as mobile banking usage increased, the channel soon experienced a rise in mobile banking trojans, according to research by Kaspersky. Phishing and malware attacks help facilitate all types of fraud, including account takeover attacks.

With so much personal data and credentials already exposed, consumers are always at risk of having their data used without their consent for fraudulent purposes. However, combined with the increase in digital activity and cyberattacks, the onus falls on banks to adopt security infrastructure that is adept at spotting fraud in real-time, before any damage is done.

Banks vs. consumers

However, responsibility cannot be solely tied to the individual. Banks take an agile, multi-layered approach to security in order to protect their customers’ accounts from attacks using stolen credentials. Banks and FIs need to deploy risk-based fraud detection systems powered by machine learning in order to detect and block fraud attempts in real-time, without harming the user experience.

Risk analytics analyze enormous amounts of data from a range of channels, such as the device used, location, and transaction history. The machine learning algorithms can constantly monitor banking sessions and assess data points such as time of day, length of a session, and spending patterns. All of this information can be used to build up a comprehensive picture of an individual’s normal behavior. Any abnormal behavior that might be suspected to be fraudulent can be spotted in real-time, and additional security measures implemented accordingly. For example, if a user deviates from the norm and sends £1,000 from a new location, instead of blocking the transaction outright, which could cause frustration, the customer may be asked to provide a fingerprint to supplement a passcode.

Fraud detection systems that use risk analytics and machine learning are proficient at spotting the early signs of a phishing attack. The algorithms can determine the probability of the HTTP referrer being from a phishing page, which can be supplemented with expert rules put in place. These rules will determine how the system should respond to a phishing attack taking place.

These security mechanisms will improve banks’ precision when detecting fraud as more data is collected, all of which is done without impacting the user’s banking experience. For low-risk transactions there is little to no friction added to the customer journey, whereas additional security steps are only taken for transactions that are deemed to be risky or abnormal.

While banks and technology have a significant role to play in the fight against fraud, consumers must also stay on their guard. Banks, retailers, governments and other industry bodies should educate their customers on the threats they may be facing, and the steps they can take to actively provide a defense. For example, consumers should understand how to spot a suspicious email that may be a phishing attempt, what to do if they accidentally click on a malicious link, and why they shouldn’t provide any personally identifiable information via phone or email.

Risk analytics and maintaining compliance

Implementing risk analytics also helps banks and FIs comply with the PSD2 requirements for transaction monitoring. PSD2 mandates the use of transaction monitoring to deter fraudulent payments and prevent threats like account takeover, new account fraud, and mobile fraud. Financial institutions must also be able to demonstrate the effectiveness of their monitoring systems to auditors and regulators.

Through risk analytics, mobile, application and transaction data is analyzed in real-time to detect known and emerging fraud types in the online and mobile banking channels. This analysis produces a transaction risk score, which can then drive intelligent workflows that trigger immediate action based on pre-defined and/or customer-defined security policies and rules.
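The behavioral baseline, the step-up response to a £1,000 payment from a new location, and the score-driven policy described above can be sketched as follows. This is an added example, not code from the article or from any vendor product; the signal names, weights, thresholds, the `referrer_phish_prob` input (assumed to come from an upstream referrer classifier) and the sample customer data are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Profile:
    """Per-customer baseline learned from past sessions (constructed sample)."""
    devices: set
    locations: set
    hours: set        # hours of day the customer normally banks
    amounts: list     # past payment amounts in GBP

# Illustrative weights and thresholds: assumptions, not from any product.
WEIGHTS = {"new_device": 30, "new_location": 25, "unusual_hour": 10,
           "amount_outlier": 25, "phishing_referrer": 40}
STEP_UP_AT, BLOCK_AT = 40, 70

def risk_signals(p, txn):
    """Return the names of the signals on which txn deviates from the baseline."""
    sigma = pstdev(p.amounts) or 1.0          # avoid divide-by-zero on flat history
    z = (txn["amount"] - mean(p.amounts)) / sigma
    checks = {
        "new_device": txn["device"] not in p.devices,
        "new_location": txn["location"] not in p.locations,
        "unusual_hour": txn["hour"] not in p.hours,
        "amount_outlier": z > 3,
        # Probability from an upstream referrer classifier (assumed input).
        "phishing_referrer": txn.get("referrer_phish_prob", 0.0) >= 0.8,
    }
    return [name for name, hit in checks.items() if hit]

def decide(p, txn):
    """Map the capped 0-100 risk score to a policy action."""
    signals = risk_signals(p, txn)
    score = min(100, sum(WEIGHTS[s] for s in signals))
    if score >= BLOCK_AT:
        action = "block_and_review"
    elif score >= STEP_UP_AT:
        action = "step_up_biometric"
    else:
        action = "allow"
    return score, action, signals

# Constructed sample data: one customer and three transactions.
ALICE = Profile({"phone-1"}, {"London"}, set(range(8, 23)), [20, 45, 60, 35, 80])
ROUTINE = {"device": "phone-1", "location": "London", "hour": 12, "amount": 40}
NEW_PLACE = {**ROUTINE, "location": "Leeds", "amount": 1000}
TAKEOVER = {**NEW_PLACE, "device": "pc-9", "hour": 3, "referrer_phish_prob": 0.93}

if __name__ == "__main__":
    for txn in (ROUTINE, NEW_PLACE, TAKEOVER):
        print(decide(ALICE, txn))
```

Returning the triggered signals alongside the score gives each decision a recorded reason, which is the kind of evidence needed when demonstrating the effectiveness of monitoring to auditors.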

By taking into account a number of risk-based factors – including known fraud scenarios, malware infection detection and the transaction amount – transaction risk analysis enables banks to achieve compliance, better protect their customers, and reduce their operational costs.

As consumers grow more used to the already growing trend of digital banking, banks and FIs will be challenged with thwarting increasingly sophisticated forms of fraud and maintaining regulatory compliance, all without impacting users’ experience. The latest risk analytic technologies offer organizations in the financial industry the ability to meet these challenges and thrive in remote, digital environments.

This article, authored by Mark Crichton, Senior Director of Security Product Management, first appeared October 22, 2020 on

Mark Crichton is the Senior Director of Security Product Management at OneSpan, with over 20 years’ experience in architecting, deploying, developing and strategic consulting within the realm of global IT security and payment security solutions.