Digital Onboarding in Banking: How to Reduce Risk

by Tamas Kadar
Fraud detection and prevention tools are everywhere these days. Here’s your free complete guide on what works, what doesn’t, and why choosing the right one is a key business decision. But first let’s start with the basics:
Fraud detection is a collection of processes and techniques designed to identify, monitor, and prevent fraud. In the online business world, fraud, scams, and bad agents are damaging in a number of ways. Companies have to put steps in place to ensure that fraud is detected and stopped before it affects business.
Detecting fraud is the first step in identifying where the risk lies. You can then prevent it automatically or manually using fraud detection software, RiskOps tools, and other risk management strategies.
Most modern businesses also employ dedicated fraud detection specialists, whose job titles can be as varied as: Trust and Safety officer, Risk Manager, Payment Specialist, Fraud Analyst, etc…
There’s simply no way around it: if your business is online, you’ll need real-time fraud detection and prevention software. Attacks take on many forms and affect businesses differently, but they are certainly pervasive. According to PwC’s 2020 Global Economic Crime and Fraud Survey:
More bad news: the intensity, scale, and sophistication of fraud attacks show no sign of slowing down. In this online guide, we’ll look at the latest attack vectors, what you can do to measure detection successfully, and of course, how to choose the right fraud prevention tool for your business.
For fraud prevention and detection, you’ll need to combine as many of the following features as possible:
Read our guide for the best fraud detection software available.
SEON offers a fully modular fraud solution and the support of a team that are experts in online fraud
Book a Demo
Fraud takes on many forms, and it adapts to every business model. However, there are a few recurrent attack vectors worth knowing about. These include:
And even with the best technology around, there are major obstacles that could impact how effective your business is in fraud detection – or even backfire against your business goals.
How do you ensure your transactions aren’t fraudulent? Block every single transaction. Of course, you’ll also be preventing legitimate customers from paying on your site. This is called a false positive, and the problem is that aggressively conservative tools may create a lot of them.
In fact, vendors who offer their prevention services with a chargeback guarantee model have a strong incentive to be more strict. They may tolerate more false positives without you noticing.
There’s a reason companies started calling it the customer insult rate: false positives hurt your sales numbers and your business reputation. If users can’t use your services, they’ll take their business to a competitor.
Read more about how false positives can impact a vertical here.
Detection works by setting up rules. You will block suspicious IPs. Flag strange-looking devices. Or block emails found on blacklists.
The problem? The rules that work one day may not the next. Your risk team needs to constantly think on their feet, and remain agile with the systems in place. Moreover, what works for one business might be damaging to another. You won’t use the same rules to catch a poker bot farm, as to detect anti browser fingerprinting by ID fraudsters.
There is no one-size-fits-all solution, even within the same vertical – every business needs prevention that meets its needs.
Another (bad) way to stop fraud: be overbearing with your data collection. Yes, in theory, you could ask each user to fill an incredibly long questionnaire about themselves. You could have the most in-depth KYC verification checks (Know Your Customer). You could ask for a selfie ID every time they log on.
The problem is of course that you are creating so much friction that users will turn to competitors. In today’s online landscape, websites and apps that are the easiest to use will have a competitive advantage. Aggressive risk management may actually backfire if it slows access to your goods or services.
Even if you’re convinced that you need a fraud prevention system, the question remains as to how you should deploy it. Here are 5 of the best options:
Most payment gateways and providers will offer their own fraud prevention tools. This is true of Stripe (who has their own Radar tool for payments), or even Shopify (who lets you enable Fraud Protect on their eCommerce platform).
This is how they work:
The key advantage of this method is due to the amount of historical card data analytics these companies have. Stripe, for instance, claim there’s an 89% chance that any card has already been used on their network before – even if it’s the first time they identify it on your site.
There are two key downsides here:
Time to look at more advanced solutions, but you’re now faced with a new dilemma: buy or build?
Building fraud prevention in-house is absolutely possible, provided:
There are numerous advantages to this route, especially in terms of data protection, product knowledge and integration. You also get more control over the technology, which can be useful for internal training and career development. A lot of seasoned fraud managers started in customer service or payment and moved to the internal RiskOps team later.
However, the main issue is with scaling. Salaries and costs aren’t easy to budget when you never know how regular attacks will be. If they only spike during one month of the year, can you suddenly hire more staff? Moreover, it can be hard to track down expenses, whereas third party solutions will have clear ROI figures and transparent results.
You can read more about in-house versus outsourced fraud detection solutions here.
An interesting development in the lexicon of risk management: many companies now favour the term Trust & Safety over Fraud or Risk. This is particularly common in B2C businesses, where the old terms (inherited from the banking world) tend to scare customers. In spite of this rebranding, the departments have virtually identical roles and goals.
Cloud-based solutions from third-party providers have a number of advantages. Scaling possibilities are an obvious one, as you can pay depending on usage. This, of course, has a positive impact on helping you manage costs and overheads.
Maintenance is also a plus. Updates and bug fixes are all taken care of by the provider. No need to monitor upgrades or to develop extra features in-house. And the roll-out for new features tends to be much faster than with built-in solutions.
Speaking of features, you will of course be at the mercy of the provider’s tech, which is why testing it with your real data is primordial.
The biggest challenge, however, may be the integration process. We’ll dive deeper into the options you have below, but always keep an eye on:
The latest trend in risk tech, a fraud prevention API meets the needs of modern, cloud and web-app powered businesses. Using API calls is fast, affordable, and becomes extremely useful if you already have a tech stack, or want to build multi-layered protection feature by feature.
Essentially, it’s like an anti-fraud feature buffet. You can pick and choose the services that make sense for your industry, such as real-time data enrichment for KYC and AML (great for financial services and banking), or geo IPs (to prevent chargebacks in eCommerce).
These solutions take single data points on your site (email address) and find linked external data from various open-source databases. This allows you to get a complete user profile for your security team, without adding extra friction to your customers’ journey.
There are two points to consider: firstly, you need one license per provider, which can quickly make the costs balloon. Secondly, a middleware platform might need to be built, which can add to development costs and integration complexity.
What if you need more than one solution to meet your needs? Multi-layered risk management is the way to go, giving you complete control and flexibility over your prevention arsenal. Here is when it makes sense:
Concrete examples would include partners we work with who have in-house systems for calculating risk. They do not want to rebuild everything from the ground up, or they are legally required to keep some data to themselves (for instance with credit scoring).
They can simply feed the results of our modular APIs into their system. This can be their own middleware, or even an external risk scoring system, and will improve the accuracy of their scoring through real-time data enrichment, including with social identity data.
Another use case would be clients who already use our Sense Platform as their core solution, and need to integrate external data via our user_label field. We’ll provide data to contribute to risk scoring or rule generation. It can also create a “network effect”, by sharing risky data with other merchants.
Finally, for the manual review stage, you can still enhance your processes by using a third-party tool such as our Intelligence Chrome plugin. While not technically an integration, the fraud analyst acts as a bridge between multiple systems to improve efficiency. There is no shared data between the multiple systems, and from the customer’s perspective this is one seamless process.
After evaluating how you can integrate the solution, there are key differences between the systems you should consider.
A lot of anti-fraud solutions and management software come with rules tailored to a certain vertical. If you want to reduce fraudulent app installs, you’ll find a provider for that. More interested in boosting AML (anti-money laundering) protection for alternative credit scoring than to detect fraud? Another provider has got you covered.
The benefit is of course that you are working with intelligence that targets your specific problem. The shortcomings are just as obvious: a lack of control could incur more risk.
A flexible system, for instance, may give you control over:
As with any customizable system, the added control may give better results, but also require more time and effort from your side.
Safety management is nothing new, and certain vendors have become household names over the years. They also tend to specialize over time to target specific verticals, which is why you’ll often find organizations in the same market using the same anti-fraud platform.
One benefit? These legacy platforms have been in operation for many years, and have accrued incredible amounts of data, mainly through shared blacklists.
One downside is that the data itself may become stale, or obsolete. Some flags may have been wrongly placed, which corrupts the entire database.
There are also concerns with data protection and compliance (which we’ll cover in more detail below).
Any company operating in iGaming will be familiar with a handful of legacy risk management platforms. They have been operating for years, and have accumulated vast amounts of data about blacklisted IP addresses, email addresses, and even player names.
Machine learning is often sold as a magical solution. Put simply, it’s about using your own business data to suggest precise risk rules. The accuracy of these rules improves over time, which can make them an effective tool against attacks.
The problem? Not all machine-learning solutions are created equal. This is largely due to how transparent the system is.
Blackbox solutions tend not to go the extra mile to explain their decision, which makes them harder to fine-tune. Whitebox solutions, on the other hand, will do their best to deliver clear explanations in the form of decision trees or human-readable explanations.
The key point here is that machine-learning tends to bring more value when it can assist human intelligence rather than replace it completely. This is particularly relevant in the context of the next point: supervised vs unsupervised fraud detection.
Whether your fraud prevention system is supervised or unsupervised varies largely on your risk appetite.
After your system runs the data through rules, you will generally get a score. This can be used to set thresholds for approving or denying an action. You can also create a threshold for manual review – but this is optional.
In fact, some businesses may want to automatically approve or reject all user actions with minimal interaction. In other words: whether the detection is supervised or unsupervised depends on you. But having the option to manually review cases will always give you more control and precision for those cases in grey areas.
In the world of fraud, prevention is based on data collection. And as we know, this is a practice that is increasingly under scrutiny from government agencies.
While these vary from one market to the next, certain regulations such as The General Data Protection Regulation (GDPR) and the EU’s PSD2 immediately spring to mind.
Ensuring your fraud management system is compliant is particularly important for financial institutions, banks and other companies with strict KYC and AML regulations. This is true whether you build in-house or purchase third-party services.
One often overlooked feature of fraud prevention solutions: the ease of use. The best engineers are not always the best designers of user experience, which is why some interfaces can be confusing, bloated, and frustrating.
While navigation is a matter of personal preference, users should consider whether the following features are available to make their lives easier in the long term:
There is always a fine balance between data aggregation and noise. How clean is the dashboard, and how easy is it to make important numbers jump at you without having to slice and dice through hundreds of data points?
Accuracy is one thing, speed is another hugely important metric. Once integrated into your platform, how quickly can you make a decision to allow processes? Ideally, your prevention tool should offer real-time blocking and a short response time, whether it’s for reverse email lookup or device fingerprinting.
The system should also process asynchronous requests, where one data point is immediately checked while other data points are queued up for analysis – without slowing down the customer experience.
This is particularly important with API calls. How fast is communication between endpoints? What is the provider’s uptime rate?
Finally, the fraud-prevention tool should give enough reports and analytics for your team to monitor its efficiency. Manual processes, detection accuracy (checked via confusion matrices), and ROI are all metrics you must regularly keep an eye on.
These are crucial numbers you should be able to access, both for your team’s KPIs, and also to create KRIs or Key Risk Indicators.
KRIs will allow you to unveil new growth opportunities, anticipate risk in advance, and generally take a more proactive approach to risk management.
You can read more here about our complete guide to KPIs Vs KRIs in fraud detection.
Your developers or CTO should check in advance the API documentation. Having a clear understanding of how the tool will integrate with your platform can save hours of costly technical difficulties down the line. Some points to consider:
Integrating a fraud management tool can be temporarily disruptive to your business. Here again, a clear knowledge of the processes prior to integration will reap more rewards in the long term.
It’s not common practice, but ideally, you should be able to test the solution for free, and with your own business data.
For most online businesses, margins are razor-thin, and the competition is strife. Which is why a reasonable pricing model is just as important as its features. Below are some of the points to consider before selecting your provider:
In addition to an adequate pricing model, you should also consider if the provider has:
While it’s challenging to calculate the true cost of fraud, some providers make it just as hard to evaluate the ROI of their solution. Always read the fine print and ask for clear, transparent pricing whenever possible.
With a growing number of fraud-prevention tools available on the market, it can be easy for merchants to be confused. It is bad enough that companies have to deal with relentless attacks, on top of that they must now face the challenge of vetting the right solution as an important business decision.
Hopefully, this guide will serve as a good primer. By now, you should have a clearer idea of which tools make sense for your company. And remember that remaining informed, whether it’s about the latest attack techniques or cybersecurity tools, is always the best way to stay one step ahead of the fraudsters – and your competitors.
SEON Fraud APIs are highly configurable for various business use-cases to match your unique business needs
Book a Demo
Legacy fraud detection software companies tend to lock clients into costly, multiyear contracts. However, newer solutions favour the more flexible way of paying per API call, where the price varies upon your usage.
Book a demo with us to see which price solutions work for you.
A good fraud tool should let you automate risk management by calculating risk and declining, accepting, or letting you review user actions. The risk is calculated with data, which is why data enrichment, social media lookup and device fingerprinting can help you complete the picture.
Fraud solutions can help you reduce chargeback rates, account takeover attempts (account hacking), and registration with fake IDs, amongst others. It can also help with compliance for KYC and AML checks.
Learn more about:
Showing all with `` tag
Click here
Join over 6000 companies in getting the latest fraud-fighting tips