
Application Fraud — Establishing Your Fraud Risk Appetite

Blog: Enterprise Decision Management Blog


In my previous post on application fraud, we explored the drivers behind the rapid acceleration of identity-based fraud, which includes identity theft / third-party fraud, synthetic identity fraud, and first-party fraud. Fraud and security are a top priority for financial institutions — but just stopping fraud isn’t enough. Managing fraud is a balancing act that starts with knowing your fraud risk appetite.

Fraud managers have to look beyond losses and loss prevention and consider consumers’ need for a frictionless experience, regulators’ stipulations and the competitive pressures of fintech disruptors. Fraud managers need to ask:

Striking the right balance between top line growth, profitability, compliance, and protecting your bottom line against fraud loss means that establishing a fraud risk appetite is imperative to success. If we don’t want any fraud, then we probably shouldn’t be doing business.

Step 1 – Balancing Act

Step 1 in setting your fraud risk appetite requires balancing 3 key levers: Detection Rate, Review Rate, and False Positive Rate. For example, you might aim to find 95% of your frauds in the top 3% of risk-ranked referrals with a 20:1 false positive rate. The majority of fraud managers are intimately familiar with establishing this process for each of their controls, e.g., X is my threshold for application fraud, Y is my threshold for card fraud, Z is my threshold for wire fraud.
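To make the three levers concrete, the sketch below (an added example, not code from the original post or from FICO) computes them at each score threshold over a constructed set of 20 scored applications and picks the highest threshold that fits a stated appetite. It assumes the false positive rate is expressed as good applications referred per fraud referred, so "20:1" would be 20.0; the function and field names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample: (risk score, confirmed fraud?) for 20 applications.
APPS = [(980, True), (960, False), (940, True), (910, False), (880, False),
        (850, True), (800, False), (760, False), (700, False), (650, True),
        (600, False), (550, False), (500, False), (450, False), (400, False),
        (350, False), (300, False), (250, False), (200, False), (150, False)]

@dataclass
class Levers:
    threshold: int
    detection_rate: float   # frauds referred / all frauds
    review_rate: float      # applications referred / all applications
    fp_ratio: float         # good applications referred per fraud referred

def levers_at(apps, threshold):
    """Compute the three levers when every score >= threshold is referred."""
    referred = [fraud for score, fraud in apps if score >= threshold]
    caught = sum(referred)
    false_pos = len(referred) - caught
    total_fraud = sum(fraud for _, fraud in apps)
    if caught:
        fp_ratio = false_pos / caught
    else:
        # No fraud found: any referral is pure friction, none is neutral.
        fp_ratio = float("inf") if false_pos else 0.0
    return Levers(threshold,
                  caught / total_fraud if total_fraud else 0.0,
                  len(referred) / len(apps),
                  fp_ratio)

def pick_threshold(apps, min_detection, max_review, max_fp_ratio):
    """Return levers for the highest threshold that fits the appetite, else None."""
    for t in sorted({score for score, _ in apps}, reverse=True):
        lv = levers_at(apps, t)
        if (lv.detection_rate >= min_detection and lv.review_rate <= max_review
                and lv.fp_ratio <= max_fp_ratio):
            return lv
    return None

if __name__ == "__main__":
    print(pick_threshold(APPS, 0.75, 0.30, 2.0))
    print(pick_threshold(APPS, 1.00, 0.30, 2.0))  # appetite not achievable
```

A `None` result means the three targets cannot all be met with the current scores, so one lever has to be relaxed.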

Chart of fraud risk appetite components

Step 2 – Identity Proofing and Information Sharing

Step 2 begins with recognizing that the thresholds of “Yes-Fraud” and “No-Not Fraud” aren’t black and white, and shouldn’t be viewed in isolation. There is a “Maybe” answer that says “Maybe this person is an application fraud. I’m not ready to turn them down as a customer, but maybe I should be treating their transactions a bit differently than someone who is definitely not fraud.”

This concept speaks to the idea of protecting your organization across the customer lifecycle. At point of origination, you stop the obvious frauds. The maybe frauds and the not frauds, they become customers because you are trying to grow your business. But what if we take what we learned about these customers at point of origination and we carry it through to our downstream controls?

What if we constantly iterate across our customer base to understand how a customer’s identity risk changes over time given the introduction of new data – how they transact, what device they use to log in to an account, what new applicants or customers share information with them? In other words, identity proofing doesn’t stop just because an applicant became a customer. New information means new intelligence that we can act on.

Graphic of fraud risk appetite

And looking further down the customer lifecycle, what if we use this intelligence to improve how we detect transactional fraud, including non-monetary transactions that may indicate an account takeover (ATO) or financial transactions that indicate payments fraud?

If an applicant has a medium risk of synthetic identity fraud at point of origination, this risk assessment may increase over the course of several years as new data indicates the now-customer is part of a fraud ring. What if your organization can act on that identity now? Or, what if your organization can now better segment transactional fraud controls that detect bust-out transactions?

The concept of protecting across the customer lifecycle should not just be about sharing intelligence downstream, but also thinking about a bilateral sharing of intelligence – what you learn in your transactional fraud detection, what you learn in ATO root cause analysis, is intelligence that can be brought forward into your application fraud controls.

Step 3 – Collaboration with Risk

Lastly, step 3 requires thinking big across the risk and the fraud continuum. As discussed in a recent blog post, collections strategies are oftentimes wasted on fraud that is masquerading as bad debt. Recognizing that there can be a fuzzy line between credit risk and fraud also means recognizing that risk and fraud controls have room to interplay and benefit each other.

Taking the paradigm of protecting across the customer lifecycle, and merging it with a similar assessment of an organization’s risk controls, we experience significant gains. For example, while the capabilities to detect fraud and assess risk at point of origination may differ, the data ecosystem has huge overlaps.

In a similar vein, risk controls in customer management that manage credit line increases, payments clearances, etc., can improve fraud detection when they have intelligence about a customer’s evolving fraud risk and use this intelligence to segment treatments. Lastly, a collections practice is optimized operationally, financially and analytically when we are able to determine which accounts are fraudulent (no intent to pay) and which are legitimate bad debt (limited ability to pay).

Fraud conceptual graphic

The Fraud and Risk Continuum

Setting a fraud risk appetite is about creating a balance for your business and recognizing that there is more to assess than just losses. If we start thinking across the customer lifecycle, across the fraud and risk continuum, we can strengthen our defenses, find synergies in data, technology, and analytics, and take a big step forward in top line growth, profitability, compliance, and protecting the bottom line.

In my next post I will take a more technical nose-dive to understand the convergence of fraud and security. What does the dark web have to do with application fraud?

Feedback is welcome and I look forward to sharing with you more.

The post Application Fraud — Establishing Your Fraud Risk Appetite appeared first on FICO.
