
Protecting the Enterprise:

Enterprise Fraud Strategy – Vision and Reality

Fraud Management Institute


June 2010

Research Report
Sponsored by

Table of Contents

Introduction
Part I – Planning an Enterprise Fraud Strategy
Enterprise Fraud Management – The Vision
Driving for Increased Effectiveness
Increasing Operational Efficiency
Enterprise Fraud Management – Today’s Reality
Challenges to Achieving Enterprise Fraud Management
The Business Case for Enterprise Fraud Management
Level and Type of Investment
Savings from Loss Avoidance
Savings from Operational Streamlining
Validating the Business Case
Part II – Executing an Enterprise Fraud Strategy
Data Integration
Fraud Detection Methods and Models
Business Rules
Anomaly Detection
Predictive Models
Social Network Analysis
Alert Management
Evaluating Results
Budgeting and Control
Implementing an Enterprise Fraud Strategy
Enterprise Fraud Management – The Future


Introduction

Financial institutions of all sizes are discovering that they need to rethink their
approach to managing fraud. The rapid expansion of new products and new
channels for customer access has opened up new opportunities to satisfy customer
needs. However, this expansion has also opened up the opportunity for fraud that
cuts across an institution’s product lines, channels and even geographic regions, as
fraud rings attempt to exploit any vulnerabilities they can find.

One key vulnerability that fraud rings always try to exploit is the difficulty of trying
to match and correlate data from separate product or geographic silos within an
organization. The sophistication and size of fraud rings is rapidly increasing, and
so is their ability to “hide” elements of a coordinated attack in diverse products
or channels.

Domestic gangs and organized crime rings have become big players, able to
mount attacks whose scale and sophistication dwarfs those of just a few years ago.
Crime rings in foreign countries pose an even more serious threat, as they launch
widespread coordinated attacks, often with the tacit approval or even the active
cooperation of a sovereign state.

Different countermeasures are required to meet these challenges. It is often possible
to neutralize a small- to medium-scale attack by blocking certain transactions or
closing compromised accounts. Large-scale attacks require a more aggressive
response. From both an offensive and defensive standpoint, it is important to identify
those attacks as early as possible, focus the efforts of the whole organization on
countering the threat, and contact the appropriate government agencies as quickly
as possible.

Spotting fraud early and moving aggressively to deal with it requires a solid
organizational infrastructure that can support these efforts. For many institutions, this
means an “enterprise fraud strategy” that coordinates fraud detection and interdiction
efforts across the entire enterprise.

All institutions, regardless of size or budget, face conceptual challenges in moving
to an enterprise fraud strategy. One conceptual challenge relates to justifying an
enterprise fraud strategy in the first place. It is important to identify all the sources of
value that a strategy can provide to the organization, including tomorrow’s threats
as well as today’s. These justifications must take into account not only the classical
ROI-type criteria, but also the “life insurance” value of being prepared to meet future
threats that could seriously compromise an organization’s reputation, capital and
regulatory status.

Planning the steps to realizing an enterprise fraud strategy poses a second
conceptual challenge. No institution has the resources to implement this strategy
in one fell swoop. It must be phased in, with appropriate selection of organizational
units and implementation of organizational controls at each step of the way, so as to
maximize the benefits from this strategy as early as possible.


This white paper discusses both the vision of enterprise fraud strategy that
many institutions find so attractive, and the reality they face in implementing an
enterprisewide strategy effectively. It is based on interviews we conducted with
financial institutions ranging from $50 billion to more than $1 trillion in assets, as well
as government agencies. We will also discuss where organizations want to go, how
far they have gotten, and the major challenges they face in making further progress.
Finally, we’ll outline the steps that organizations can take in determining the value of
an enterprisewide move for their own organization.

This white paper consists of two parts. In Part I, we discuss the concept of an
enterprise fraud strategy and the challenges that organizations face in pursuing
a strategy. Part II discusses the implementation specifics related to making the
strategy a reality. We conclude with some remarks on the future of enterprise fraud
management.

Part I – Planning an Enterprise Fraud Strategy

Enterprise Fraud Management – The Vision

What is an enterprise fraud strategy? What are its components? What does it offer?
By and large, the institutions we interviewed shared a remarkably common vision
of the elements that make up an enterprise fraud strategy. In brief, the long-term
goal of an enterprise fraud strategy is to establish a framework for enterprisewide
deployment of fraud resources, including both material and human resources. This
framework should make it possible to:

• Gather and cross-match fraud-relevant data from all product lines, organizational
units and geographic regions of the enterprise.

• Analyze this data to “connect the dots” and spot large-scale fraud attacks early in
their life cycle.

• Prioritize alerts based on the level of risk that they pose to the entire enterprise.

• Plan and execute focused countermeasures to combat large-scale attacks.

• Develop and support highly skilled and motivated fraud teams who can carry out
these tasks quickly and efficiently.

Institutions differ, to some extent, in their view of the best organizational structure to
utilize. For some institutions, this means grouping all fraud functions into a single,
centralized organization that is responsible for all fraud-fighting activities. For other
institutions, it means leaving most of the fraud-fighting resources in individual units,
with centralization of certain functions (e.g., data integration/data warehouse) and
overall direction by a centralized authority.


There are two key business drivers that are causing organizations to give serious
attention to an enterprisewide strategy. These are:

• Increased effectiveness. The ability to look at fraud holistically across the
enterprise and identify large-scale fraud threats early in their development,
and mount effective countermeasures while there is still time for them to have
maximum impact.

• Increased efficiency. The ability to leverage investments in data, tools and
personnel is attractive in an economic environment where every organization and
function is being asked to “do more with less.”

Driving for Increased Effectiveness

Nearly all the institutions we interviewed expressed the need to prioritize their fraud
interdiction efforts in terms of the risks posed to the enterprise, rather than the risks
posed to individual products or individual accounts. Implicitly or explicitly, these
firms are making an important distinction between enterprise-level risks and lower-
level risks.

Lower-level risks typically stem from single individuals or small, localized fraud
rings. These fraud attacks can have a serious impact on individual accounts, and
can result in significant fraud losses, sometimes amounting to millions of dollars.
Although it is important for an institution to counter these attacks, their scale is
not sufficient to pose a serious threat to the institution as a whole, or even to a
specific product line. For financial institutions, limited countermeasures such as
blocking specific transactions, closing affected accounts and reissuing compromised
cards are typically sufficient to counter the threat. For government agencies, limited
countermeasures include terminating benefit eligibility, instituting recovery efforts and
levying civil fines.

Enterprise-level risks are distinguished from lower-level risks by a dramatically larger
scale and/or scope. Larger fraud rings are able to bring significant resources to
bear in their fraud efforts, including global botnets that can execute thousands of
transactions in a heartbeat.

Fraud attacks that represent enterprise-level risks typically start small and increase
slowly in their early stages, as the attackers test different strategies and points of
attack, searching for the avenues that will afford maximum payoff. This is the stage
at which interdiction efforts are likely to have their maximum impact, if applied
promptly. Effective data integration and tools that can match cross-channel and
cross-product events, such as social network analysis and point-of-compromise
analysis, are particularly important at this stage, where accounts may be tested using
a variety of methods. It is exactly this sort of integrated analysis that an effective
enterprisewide strategy is designed to support.


Many institutions are aware that the scale and scope of enterprise-level fraud
threats are likely to increase over time, as fraud rings continue to grow in resources
and sophistication.

In short, the potential savings of an enterprisewide strategy in terms of losses
avoided three to five years from now (a realistic implementation time frame) may be
larger than today’s loss avoidance numbers would indicate. At the extreme, a strong
and effective enterprise fraud strategy might foreseeably enable some institutions
to avoid risks to reputation or regulatory status that would seriously affect the firm’s
viability. Organizations contemplating an enterprisewide strategy need to be aware
that the potential value of this “life insurance” should be factored into any justification
or budget planning.

Institutions that are growing rapidly have a special interest in managing their
enterprise-level risks. As firms increase in size, they become a progressively more
attractive target for larger-scale, coordinated attacks as the fraudsters seek their own
“economies of scale.” Some growing firms have already experienced this escalation
in fraud attacks, and are eager to find ways to identify the new and larger threats.

Increasing Operational Efficiency

Operational efficiency is also a compelling business driver for many firms. Fraud
management efforts have always faced limited budgets, and in the current economic
environment, those budgets are coming under even more intense scrutiny. A truly
coordinated, enterprisewide strategy offers many potential savings as both technical
and human resources are pooled and applied for maximum impact.

Potential savings opportunities noted by institutions we talked to included:

• Pooling of data integration resources. Building a single data warehouse involves
a single, centralized effort to integrate and cross-match data from all available
sources. The value of integration efforts is maximized, and duplication of effort
is avoided.

• Sharing of software and platforms. Redundant and obsolete platforms can
be eliminated. Training can be made uniform across the organization. Financial
institutions in the $1 trillion asset range can have upward of 60 different fraud
systems and platforms. Rationalizing the software/platform infrastructure offers
the potential for significant savings in terms of both licensing fees and internal IT
management costs.

• Common methodologies. Use of best practices in analytics, countermeasures
and management can be applied across all product lines.

• Human resource efficiencies. Short-term efficiencies are gained through more
efficient use of analyst and investigator resources by prioritizing alerts and
eliminating duplicate efforts. Longer term, a solid central fraud team can lead to
better career paths, better motivation and ultimately better performance.


Firms that have experienced recent growth through acquisition of one or more other
institutions find these opportunities especially attractive as they seek to eliminate
duplication while they integrate existing operations.

Enterprise Fraud Management – Today’s Reality

Nearly all the firms we spoke with are taking some steps toward an enterprise fraud
strategy. In most cases, the initial step is the establishment of informal cooperation
among individual lines of business. The immediate goal of this informal cooperation is
to share information on current and emerging fraud threats, as well as best practices
for addressing these threats.

The longer term goal of these cooperative networks is to begin the all-important
process of breaking down the silos represented by differences among lines of
business or regions of the globe. As we shall see, these differences represent the
primary challenge that must be addressed in moving toward more formal cross-
enterprise cooperation.

For most firms, the ultimate goal of an enterprise fraud strategy is to manage
the detection and handling of all fraud alerts at the enterprise level, where anti-
fraud efforts can be prioritized and scheduled according to the needs of the
entire enterprise.

Some institutions have already begun moving in this direction. Among financial
institutions, fraud detection for online banking (especially international online
banking) is one of the most frequently mentioned candidates for enterprisewide
alert management. Other applications that have attracted interest for enterprisewide
integration include:

• ACH transfers.

• Check fraud.

• Employee fraud.

• Remote deposit capture.

In the government arena, areas that have attracted attention for agencywide and
cross-agency coordination include:

• Social services (e.g., public assistance, child care).

• Employment services (e.g., unemployment insurance, worker’s comp).


• Taxes and revenue (e.g., individual and business income tax, real estate tax).

Enterprisewide deployment of specific fraud applications requires selecting a
platform and infrastructure that can support deployment on an enterprisewide scale.
Several of the most advanced firms have already selected platforms, such as the
SAS® Fraud Framework, and are in the process of rolling out applications built upon
these frameworks.

Challenges to Achieving Enterprise Fraud Management

The institutions we interviewed identified a number of challenges to achieving full
enterprise-level fraud management. The first challenge they face relates to resource
limitations. The move to enterprise fraud management can be time-consuming and
expensive. To justify this move, it is necessary to develop a compelling business
case. The next section below discusses the nature of this business case, and what it
needs to look like.

A second set of challenges relates to operating differences across the organization.
Financial institutions seeking to integrate fraud practices face a host of differences:

• Differences across regions. Different regions of the globe, and even different
regions of the US, experience different fraud profiles, requiring different tools and
levels of investment.

• Differences across lines of business. Needless to say, different products are
subject to different fraud threats, which again motivate different tools and different
levels of investment.

• Differences due to acquisitions. When banks grow by acquiring other
institutions, each institution will have a different tool set and business culture.

Government agencies face similar differences across agencies, or departments within
an agency, including:

• Differences in legislative mandates. Governmental programs and agencies
derive their authority from legislative mandates. These mandates will often differ
with respect to the processes and procedures that each agency and/or program
may follow.

• Differences in regulatory culture. Agencies and programs can also differ with
respect to their overall approach to regulation, including the point at which to
intervene, the appropriate level of intervention, and the aggressiveness with which
investigations are pursued.

The challenge posed by these differences can be multiplied when one or more local
units exhibit a “silo” or “turf” mentality, which can result in inadequate sharing of
information or resources.


One organization we spoke with described an innovative method for helping to break
down the silos associated with these differences. One unit’s system was tested with
the other unit’s data, and vice versa, to yield apples-to-apples comparisons of the
capabilities of each.

In general, however, resolving this challenge requires a people-centered approach,
often involving the leadership of very senior management. Vendors such as SAS have
developed experience in resolving these differences and eliminating the silo mentality.
Best practices that SAS recommends in this sphere include:

• Establishing executive-level responsibility for managing fraud losses across the
organization.

• Adopting a common standard for measuring and valuing losses avoided that
extends beyond just losses recovered (see “Evaluating Results” below).

• Setting metrics and goals for each line of business that align with enterprise
objectives (see “Budgeting and Control” below).

• Using an incremental approach to gain buy-in. Start by sharing data on known
fraud losses. Then, push integration upstream in the detection process for
further gains.

The Business Case for Enterprise Fraud Management

As we mentioned earlier, developing the business case for enterprise fraud
management poses both conceptual and operational challenges. The complexity
of establishing such a business case means that many institutions will need to rely
on their vendors to help them build a business case that is based on industrywide
experience and projections of future levels of fraud activity. Institutions should take
this into account when selecting vendors for their enterprisewide infrastructure.

In this white paper, we will discuss four components of an effective business
case for enterprise fraud management infrastructure. These are the level and
type of investment, the savings from loss avoidance, the savings from operational
streamlining, and validating the business case.


Level and Type of Investment

When considering the level of investment in an enterprise fraud strategy, it is
tempting to consider a minimalist approach that keeps costs at rock bottom.
While cost control is always an important consideration, it is also worth keeping in
mind that the key benefits of an enterprise fraud strategy depend on providing a
single facility for the most important components of that strategy. The following key
capabilities, for instance, are what make an enterprise strategy work:

• Common access to enterprisewide data. Having one place to go for access to
all data helps to streamline both the costs and efforts of data integration as well
as simplify downstream application development.

• Common application infrastructure. A single framework for developing fraud
applications helps to reduce the time required to develop each application,
and allows fraud staff to focus on the application rather than learning new
environments.

• Common case management. The need for cross-organizational
communication doesn’t stop with an alert. Large-scale fraud threats may require
cooperation among several business units as the threats are investigated and
countermeasures taken.

The planned level of investment in any enterprisewide program should ensure that
these capabilities can be realized and supported in ongoing operations. It would be a
mistake to sacrifice any of these common capabilities in the name of cost efficiency.

Savings from Loss Avoidance

Every institution expects to include some estimate of the savings from loss
avoidance in their business case. However, they vary widely in the practical details of
making these estimates. Best practices that we have identified in estimating potential
fraud losses include the following:

• Use realistic estimates of potential losses. Limiting fraud loss estimates to
incidents that are actually interdicted is likely to produce numbers that are
unrealistically low. Some estimate of the total loss avoided should be included,
whether this is based on a notion of total exposure, or on historical loss figures.
See “Evaluating Results” for more details.

• Use most likely fraud savings scenarios. When basing estimated fraud loss
savings on current experience, it is important to select cases that most closely
resemble the results that will be achieved when the enterprise fraud strategy
becomes operational. Estimating savings based on approaches that will soon
become obsolete will tend to understate the true savings to be achieved. The
best approach is to base savings estimates on a “proof of concept” or “proof of
value” that uses the new technology in representative situations. See “Validating
the Business Case” below.


• Include projections of future fraud activity. Implementing an enterprise fraud
strategy is a multiyear project. Using today’s fraud loss numbers may understate
tomorrow’s fraud losses, due to the normal organic growth of the institution’s
business, as well as the increasing scale and sophistication of fraud attacks.
Accurately estimating the fraud losses that warrant an enterprisewide strategy
requires some projection of current losses into the future.

• Make some allowance for extreme threats. As discussed above, enterprise-
level fraud risks involve some potential for reputation and regulatory risk that can
seriously cripple an organization. These are, admittedly, low probability events
that are difficult to quantify. But they represent an important source of value for an
enterprise fraud strategy, and should be given some consideration.

In short, developing an accurate business case requires making sure that the
estimates of fraud loss savings are not excessively conservative. It is, of course,
important to avoid excessive optimism as well. Estimates should be based on solid
historical experience, projected for the changes that will take place in the time frame
allocated for implementation of the strategy.

Savings from Operational Streamlining

In addition to the savings from fraud loss avoidance, an effectively implemented
enterprise fraud infrastructure will create the potential for savings from increased
operational efficiency. These savings also need to be considered when developing
the business case. Areas of increased savings and efficiency include:

• Leveraged investment. Investment in platforms and individual tools is most
cost-effective when it is leveraged across the entire enterprise. This is already
happening with enterprise case management (see the SAS white paper Enterprise
Case Management, www.sas.com/reg/wp/corp/13056). The same holds true for
investments to improve and/or integrate in-house data sources.

• Platform replacement. Establishing a single platform and tool set across the
enterprise will inevitably make it possible to replace older legacy tools. When
third-party tools are replaced, the licensing and maintenance fees associated with
those tools represent potential savings. These savings magnify when a platform
can be eliminated in several lines of business. When in-house applications are
replaced, the expenses associated with maintaining those applications represent
a savings.

• Staffing efficiencies. A central fraud organization brings more fraud professionals
to a single place, resulting in more flexible deployment, enhanced career paths
and better esprit de corps. Many of these benefits are a challenge to quantify, but
they exist nonetheless.

The key to operational savings lies in removing areas of duplication and redundancy,
whether the redundancy occurs in data integration, systems and platforms, or
staffers performing the same function in different organizational units. Each of these
areas represents a potential savings, and each should be considered when building
the business case.


Validating the Business Case

As we’ve mentioned already, a business case should be based on hard data from
actual experience, but the experience chosen should be representative of the wider
results to be expected once an enterprise fraud infrastructure is in place. The best
way to ensure the accuracy of an estimate is to base it on a proof of concept effort
that puts real, up-to-date enterprise fraud technology to work in a small- to medium-
scale application that will reliably extrapolate into enterprise-level expectations. The
proof of concept can be in many forms, including actual implementation for a line of
business, a historical analytic look back, or an architectural feasibility analysis.

The reliability of a proof of concept effort is critical to the overall success of an
enterprise fraud strategy implementation. Institutions that follow this route will
want to select a vendor that has a reputation for conducting successful proof of
concept efforts. Success in this context includes both tangible benefits delivered
in the proof of concept phase, as well as accuracy of estimated long-term payoff.
Best practices that we’ve identified for a proof of concept effort include asking the
following questions:

• Data integration. Does the platform support effective data integration at
a reasonable level of effort? Are there built-in tools to streamline the data
integration?

• Detection method development. Does the framework support a variety of fraud
detection methods (see “Fraud Detection Methods and Models” below)? Does
it support uniform standards and methodologies that make these development
processes more efficient?

• Collaborative alert management. Does the framework support effective
collaboration in managing alerts related to fraud or improper payments?
Collaboration may involve multiple staffers performing alert evaluation, triage,
countermeasures and investigation. Each needs to see up-to-date information on
what others are doing.

Of course, an organization may not have the resources immediately available to
conduct a proof of concept. In this case, it is important for the organization to
make contact with its peer organizations, leveraging the experience of its peers in
assessing the current and future value offered by different strategic alternatives and
vendor technologies.

Developing a solid business case is an important first step in the move to true
enterprise fraud management. Whether the business case is based on a proof of
concept, or on peer experience and evaluation, it helps to set both short- and long-
term expectations for the emerging enterprise strategy, as well as frame the criteria
for more detailed implementation decisions downstream. The business case approval
process itself should also be an effective tool for aligning resources and preparing to
move forward with the strategy.


Part II – Executing an Enterprise Fraud Strategy

Data Integration

Data integration capabilities are viewed as critical to an enterprise fraud strategy by
all of the institutions we interviewed. Some institutions have even elected to begin
their move toward an enterprisewide strategy with construction of an enterprisewide
data warehouse.

An effective enterprise fraud data warehouse needs to capture and integrate data
from a wide variety of sources. These include:

• Transactional data. Data on product line transactions form the heart of any fraud
detection effort. Ultimately, all product lines need to be included.

• Account data. Identifying information on account holders can be critical to cross-
matching fraud incidents. If the data is householded, householding information
also needs to be included.

• Human resource data. Employee collusion is an important component of many
fraud schemes. Information on employees also needs to be captured, and cross-
matched with the accounts that each employee touches.

• Organizational data. Job-related data such as title, location and supervisor are
also important components of any attempt to detect employee collusion.

• Plant, branch and location data. Location data on branches and ATMs can be
important for point-of-compromise analysis, as well as mapping the geographic
extent of potential fraud threats.

This data needs to be integrated for very fast retrieval and cross-matching.
Aggregates related to accounts, account holders, employees and geographic regions
need to be pre-computed if they are to be useful for real-time risk scoring.

Clearly data integration is a massive effort. Institutions considering an enterprise
fraud infrastructure should give careful consideration to the data integration support
provided by any potential vendor.


Fraud Detection Methods and Models

In building their fraud detection methods and models, firms are using all of the
following approaches:

• Business rules. Individual rules that score or define alerts based on intuition and
general experience.

• Anomaly detection. Alerts are defined based on events that represent statistical
deviations from normal or expected behavior.

• Predictive models. Full-scale statistical models that establish alerts based on a
risk score derived from event characteristics that are indicators of prior incidents
of fraud.

• Social network analysis. Alerts are based on the level of association (through
shared or similar attributes) between the current event and individuals or accounts
that are known or suspected of fraudulent behavior.

The choice of which methods to use often depends on the particulars of the
application and the institution. In general, there is a trend away from the use of
business rules as the lone method for defining alerts.

Business Rules

Business rules are individual rules that are based on the experience or judgment of
skilled analysts. They can be used to specify an action, or compute a score based
on points for each rule that applies. Business rules have the advantage that they
are easily developed and deployed, especially in an emergency situation to counter
imminent attacks.

From a management perspective, however, business rules have several weaknesses.
They are typically static in nature and difficult to maintain, especially if the original
authors are no longer available. They are heuristic and threshold based, so they
become obsolete as fraud methods change, but it is difficult to tell when they have
become obsolete.

Smaller firms tend to show a greater reliance on business rules. Even in larger
firms, business rules are still the preferred method to use for simple applications,
or for new applications where sufficient data is not yet available to support more
rigorous methods.


Anomaly Detection

Anomaly detection rules tend to fall into two categories:

• Comparative anomalies. An account or individual stands out because its
activity differs significantly from members of its “peer group.” For example,
if a bank employee has executed transactions on many more accounts that
eventually show a loss, compared with that employee’s peers in the same job and
geographic region, this represents a comparative anomaly.

• Behavioral anomalies. An event stands out because it differs significantly from
the typical behavior of that individual or account. For example, if the first transfer
to a newly established bill-pay vendor is much larger than the amounts transferred
to other vendors, this represents a behavioral anomaly.

Anomaly detection rules are attractive to some firms because they are often easier
to maintain than arbitrary business rules, but they don’t require the development
expense associated with full-scale predictive models. The motivation for each
anomaly detection rule is often quite clear. Since anomaly rules are always defined
relative to statistics captured over a recent window of activity (e.g., the last three
months), they automatically keep up with changing conditions in a way that business
rules do not.
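The two anomaly types above can be sketched as follows. This is an added example, not code from the report or from any vendor it mentions; the modified z-score (median/MAD), the 3.5 cut-off, the minimum of three baseline values and all sample records are assumptions chosen for illustration.

```python
from datetime import date, timedelta
from statistics import median

WINDOW = timedelta(days=90)  # recent window of activity (three months, as in the text)
THRESHOLD = 3.5              # assumed cut-off for the modified z-score

def robust_z(value, baseline):
    """Modified z-score (median/MAD): how far value sits from the baseline."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def comparative_anomalies(employees):
    """Employees whose count of loss accounts touched stands out from
    peers in the same job and region."""
    flagged = []
    for emp_id, job, region, losses in employees:
        peers = [p[3] for p in employees
                 if p[0] != emp_id and p[1:3] == (job, region)]
        if len(peers) >= 3 and robust_z(losses, peers) > THRESHOLD:
            flagged.append(emp_id)
    return flagged

def behavioral_anomaly(history, payment):
    """True when the first transfer to a new payee is far larger than the
    account's transfers to other payees inside the window."""
    when, payee, amount = payment
    if any(h[1] == payee for h in history):
        return False  # payee already established, not a first transfer
    recent = [h[2] for h in history if when - h[0] <= WINDOW]
    return len(recent) >= 3 and robust_z(amount, recent) > THRESHOLD

# Constructed sample data: (id, job, region, loss accounts touched)
EMPLOYEES = [("T1", "teller", "east", 1), ("T2", "teller", "east", 2),
             ("T3", "teller", "east", 0), ("T4", "teller", "east", 2),
             ("T5", "teller", "east", 14), ("L1", "loan", "west", 9),
             ("L2", "loan", "west", 10), ("L3", "loan", "west", 11),
             ("L4", "loan", "west", 12)]
# Constructed bill-pay history for one account: (date, payee, amount)
HISTORY = [(date(2009, 3, 1), "contractor", 5000.0),
           (date(2010, 3, 5), "electric", 120.0),
           (date(2010, 4, 2), "water", 60.0),
           (date(2010, 4, 20), "phone", 85.0),
           (date(2010, 5, 4), "electric", 130.0)]

if __name__ == "__main__":
    print(comparative_anomalies(EMPLOYEES))
    print(behavioral_anomaly(HISTORY, (date(2010, 5, 20), "new-vendor", 4800.0)))
```

Because each baseline is recomputed from the peer group or the recent window, a loan officer with 12 loss accounts is not flagged while a teller with 14 is, and the year-old contractor payment no longer influences the account's baseline.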

Predictive Models

Predictive models typically compute a risk score for an account, individual or
transaction, based on attributes that are known to be statistically correlated with
high-risk transactions, such as large ticket size, international address, time and
distance from last transaction, etc.

Predictive models tend to fall into two general categories:

• Statistical models, such as regression models, are based on a rigorous statistical
analysis of the impact of the selected variables on the outcome. Scoring is
determined by statistical formulas.

• Training models, such as neural network models, are based on computer
algorithms that are “trained” by presenting a large number of example cases, and
indicating the correct answer for each case.

Predictive models typically require development projects to select variables, condition
the data, choose a modeling approach, and train the model. These projects can take
up to several months to develop a sophisticated model.

Predictive models are the preferred choice for sophisticated or high-volume
applications. Nearly all institutions, for example, use predictive models for risk scoring
of credit card transactions, where the time and expense of model development can
be leveraged across a large base of transactions.


Social Network Analysis

Social network analysis estimates the degree to which a single individual, account or
transaction is related to other individuals, accounts or transactions that may indicate
a large, coordinated fraud effort.

Social network analysis operates by matching individuals, accounts and transactions
with certain attributes (such as SSN, birth dates, addresses, phone numbers) that
are identical or closely related.

Alert Management

Nearly all firms are moving toward higher levels of integration in detecting and
responding to fraud alerts. However, firms vary widely in terms of where they
stand right now with respect to this integration. Many firms, especially the largest,
continue to handle alerts separately for each line of business and each region
of the globe. In some of these cases, the alerts are integrated into a single case
management tool (see the SAS white paper Enterprise Case Management,
www.sas.com/reg/wp/corp/13056), but other firms continue to use or allow
different case management solutions to be employed.

Two institutions, both large regional banks, reported that they integrate alerts into
a single queue. In this configuration, alerts are raised by a variety of fraud detection
tools, and then integrated into a single queue, which is worked by a single,
dedicated enterprise-level team.

Alert triage (determining which alerts to pursue further) is likewise accomplished in a
number of different ways. Some firms automate the triage process. In other words,
alerts are prioritized automatically, with no room for human discretion. In other firms,
a dedicated team is used to triage alerts prior to further efforts. Finally, some firms
allow each analyst to prioritize his or her own alerts.

When a dedicated team is used to triage alerts, the team may be given written
guidelines to govern the triage process. Typically, these guidelines describe “red flag”
situations that automatically receive high-priority treatment.

Some transaction streams require real-time processing, so the picture is slightly
different. When real-time transactions are taken into consideration, the transaction
must be either accepted or rejected immediately. Credit and debit card transactions
are examples. In other real-time applications, such as automated loan underwriting, it
is possible to refer some of the cases to a third “refer” category for human processing.
Other examples of real-time processing where a referral queue is used include:

• Account verification.

• ATM deposit screening.

• Check fraud screening.

• Remote deposit capture.

The fact that some transactions require real-time decisions, however, does not mean
that alerts are not generated. Typically, some fraction of the rejected transactions
are serious enough to warrant offline research and investigation. These alerts can
be generated as part of the real-time decision making process, or separately via an
offline batch process.

Some institutions are already deploying approaches that provide for some amount
of enterprise-level alert management. In one case, alert processing occurs at two
separate tiers. “Ordinary” alerts are processed as usual, with separate alert queues
for each line of business. During triage, however, some of these alerts are identified
as having enterprise-level significance, and are passed to an enterprise-level alert
management team for further processing.

A second institution is experimenting with the automated creation of enterprise-level
alerts. Alerts produced by different tools in different lines of business are integrated
into a single alert database. Social network analysis is then employed to identify
alerts that may have a common source, and tie them together to provide true
enterprise-level alerts.
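The attribute matching described under Social Network Analysis, applied to the single alert database described above, can be sketched as a union-find over shared attributes. This is an added example, not the institution's or any vendor's implementation; the field names, the normalization rules and the sample alerts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

def normalize(kind, value):
    """Canonical form so closely related values compare equal (assumed rules)."""
    if kind in ("ssn", "phone"):
        return re.sub(r"\D", "", value)                       # digits only
    return re.sub(r"[^a-z0-9]+", " ", value.lower()).strip()  # address

def enterprise_alerts(alerts):
    """Group alerts that share an SSN, phone or address, and return the
    groups that span more than one line of business."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # (kind, normalized value) -> first alert carrying it
    for a in alerts:
        for kind in ("ssn", "phone", "address"):
            if a.get(kind):
                key = (kind, normalize(kind, a[kind]))
                if key in first_seen:
                    parent[find(a["id"])] = find(first_seen[key])
                else:
                    first_seen[key] = a["id"]

    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    return [sorted(x["id"] for x in g) for g in groups.values()
            if len({x["lob"] for x in g}) > 1]

# Constructed sample alerts from three hypothetical lines of business
ALERTS = [
    {"id": "A1", "lob": "cards", "ssn": "000-00-0001", "phone": "(555) 010-0101"},
    {"id": "A2", "lob": "online", "phone": "555.010.0101",
     "address": "12 Elm St., Apt 4"},
    {"id": "A3", "lob": "ach", "address": "12 elm st apt 4"},
    {"id": "A4", "lob": "cards", "ssn": "000-00-0002"},
    {"id": "A5", "lob": "cards", "phone": "555-010-0199"},
    {"id": "A6", "lob": "cards", "phone": "5550100199"},
]

if __name__ == "__main__":
    print(enterprise_alerts(ALERTS))
```

A1 and A3 share no attribute directly; they are tied together only through A2, which is the transitive linking that separate line-of-business queues cannot see. A5 and A6 are linked but stay within one line of business, so they are not promoted.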

Evaluating Results

The key metric used by all of the organizations we talked to was some form of
“losses avoided.” Most typically, this was defined conservatively as the face amount
of interdicted fraud. If a transfer of $500 out of an account were interdicted, this
would count as losses avoided.

This conservative definition has a weakness, however. Taking the dollar amount of
the first interdiction does not account for the additional losses that would likely have
occurred if the first transaction had not been interdicted. To remedy this situation,
some organizations also use historical expected losses per account as a way of
estimating the loss potential of an account on which fraud has been attempted.

Some institutions also use total exposure as a metric. Total exposure is defined as
the total account balance at the time that fraud is interdicted, and measures the total
loss to the account if a fraudster were to drain it completely.

These basic metrics can be adjusted in a variety of ways:

• Losses occurred. Exposure metrics should be corrected for losses that
actually occurred.

• Losses recovered. Some institutions include losses recovered through
investigation and law enforcement referral in their fraud metrics.


Other metrics that are used by some firms include:

• Number of account closures, and the exposure prior to closing an account.

• Number of fraud attempts blocked.

• Average loss per account.

• Average fraud transactions per account permitted prior to detection.

Several firms identified the importance of considering the tradeoffs between losses
avoided and other business metrics, especially those related to customer loyalty
and attrition. It is a fairly simple matter to reduce losses by reacting to more
alerts. But this will typically have unwelcome side effects in terms of lost business
and unhappy customers.

Budgeting and Control

Any of the metrics we’ve just discussed can be used as the basis for budgeting
decisions. In order to accomplish this, the raw metrics are typically adjusted in
two ways:

• Frequency. Losses avoided are expressed as a percentage of assets, transaction
volume, account balances or some other measure of the total population.

• Productivity. Losses avoided are expressed in terms of the dollar cost of
achieving each loss avoided.

All institutions use some form of “hurdle rate” in assessing the potential value of
new fraud initiatives. One institution in particular uses a hurdle rate of 400 percent in
determining whether to undertake or continue a project. In other words, the actual
or potential fraud savings must be at least four times the project cost in order for the
project to be deemed viable.


Implementing an Enterprise Fraud Strategy

Some form of centralized oversight and control is essential to any enterprise fraud
strategy. Institutional approaches tend to vary over the degree to which all functions
need to be centralized. In general, there are three models:

• Centralized fraud function. In this model, all fraud functions are centralized
in a single team. This team performs all fraud functions from data analysis
through investigation. This model is particularly attractive to small- and medium-
scale institutions.

[Figure: Centralized Fraud Function. Central Fraud Office: Data Integration, Analysis, Alert Triage, Alert Processing. Below it: Region/LOB, Region/LOB, Region/LOB.]

• Regional centralization. Very large institutions find it more expedient to centralize
functions across specific geographic regions.

[Figure: Regional Centralization. Central Fraud Office above Region 1, Region 2 and Region 3, each with Data Integration, Analysis, Alert Triage, Alert Processing. Below them: Regions/Lines of Business.]


• Centralized oversight. Most of the tactical fraud functions remain within
lines of business, but a central organization provides oversight and a pool of
skilled experts.

[Figure: Centralized Oversight. Central Fraud Office: Data Integration, Alert Processing. Line of Business 1, Line of Business 2 and Line of Business 3, each with Analysis, Alert Triage, Alert Processing. Below them: Regions/Lines of Business.]

Each of these models can have other variants, depending on the specific
circumstances of the institution. All, however, rely on some form of centralized
oversight in order to maintain effectiveness across the enterprise.

Enterprise Fraud Management – The Future

Nearly all financial institutions will continue to move in the direction of greater
integration of their fraud efforts, with progressively more fraud work being done at
the enterprise level. This progress will occur incrementally, and organizations will
be very selective about the applications that warrant enterprise-level treatment.
Online banking and employee fraud are two prime candidates, followed by ACH
transactions and remote deposit capture.

The quality of the business case will continue to be critical to all decisions in this
arena. Firms who wish to prepare for the future will need to give significant thought
today to the form and content of the business case for moving in this direction.
A successful proof of concept is the best way to build a strong business case.
Institutions wishing to pursue this approach should carefully evaluate a vendor’s
track record of helping customers with proof of concept efforts that provide reliable
indicators of future project success.

SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA
and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies.
Copyright © 2010, SAS Institute Inc. All rights reserved. 104593_S58423.0710
