Photo bymcuseo

What is fraud detection and why is risk mitigation important?

The prevalence of fraudulent activities presents a major problem to firms across the financial sector. In fact, according to a report from the Association of Certified Fraud Examiners (ACFE), the typical organization loses 5% of revenue to fraud each year. In addition to the risk of identity theft, phishing scams, and other types of consumer fraud, firms should also be on the look-out for occupational fraud, which is a type of financial crime that occurs when an employee, manager, or third party misuses an organization's resources for personal gain.

The report from earlier found that more than $4.7 trillion is lost annually due to occupational fraud alone worldwide. While fraud attempts have risen sharply post COVID, there are strategies that can be leveraged by organizations to manage the risk of fraud both internally and externally. In this post, we are going to discuss a few frequently asked questions on the subject of how to manage the risk of fraud within your organization.

Managing the Risk from Fraud and Fraud Detection Tools

1. How can AI models contribute to enhancing fraud detection systems within banks, and what challenges do they bring in terms of compliance and oversight?

According to a survey from The Economist of bankers around the world, Fraud Detection is the single most common application of AI within banks. This makes a lot of sense since banks often have large amounts of data to train on and this data usually suffers from severe class imbalance (where many more transactions are non-fraudulent than fraudulent) and many subtle patterns that can be difficult for simpler models to easily capture. In addition, AI is a powerful tool not only for those preventing fraud, but also for malicious actors who are looking to engage in fraudulent activities and so having the most up to date and mature approach can be of utmost importance as attacks become more sophisticated over time. The risk from fraud and AI fraud detection solutions is further increased due to upcoming regulation like SS1/23 in the U.K. and current regulation like SR 11 7 in the United States, that cover models used for fraud detection, whether you develop them internally or leverage third party applications.

2. Can you tell me more about the risks associated with leveraging 3rd party tools for use cases such as Fraud Detection and how you would recommend mitigating these risks?

While 3rd party models built specifically for use cases such as fraud detection can be a great way to enhance your fraud detection capabilities without too much internal investment, these tools can come with greater risks. One of the greatest risks is the risk of Shadow AI, where a 3rd party tool that originally did not use AI begins to use AI without the bank knowing and its performance starts to change in unexpected ways. This is a risk we hear banks are often concerned about and its risk is likely only to grow as the use of AI proliferates across vendors. The best way to mitigate this risk is to be proactive and start by scheduling automated reviews of your fraud detection and other 3rd party tools. With a proficient enough approach you can monitor the 3rd party tool for any changes in behavior that may be indicative of AI. You can then set up automated testing for Validity, Reliability, and Interpretability to monitor if the performance of the 3rd party models are dramatically improving or decaying or whether there is a shift in what features are most important for prediction. These sorts of results can warrant taking a second look at your fraud detection or other 3rd party vendors and setting up a follow up audit with 3rd parties. Luckily there are approaches that are completely model agnostic and don’t need any information about the model to detect these changes.

3. Considering the recent regulatory changes like SS1/23, what steps should banks take to ensure their AI models comply with these new requirements?

Regulations like SS1/23 and the others stress the importance of having a complete firm wide model inventory and the greatest challenge we hear about from firms is simply understanding their Model Landscape and mitigating the risks from models currently hidden from the Model Inventory. Therefore having a truly model agnostic method to discover and risk assess the use of AI in EUCs, Models, and 3rd party applications and data sources is absolutely critical. One approach is to set up different Risk Profiles that are consistent, but custom to different use cases (AI, Classification Models, Regression Models, 3rd Party Tools, etc.), then creating different testing treatment groups for each Risk Profile. So each class of AI model is tested in an automated, but nuanced way according to its use case, with the documentation for this test being automatically generated. Consistently checking 3rd Party libraries for security vulnerabilities identified from trustworthy organizations such as NIST and data sources for Data Drift can also be important in meeting best practices and recommendations from regulations such as SS1/23.

4. Are there any other kinds of risks that arise from fraud that the audience should be aware of and what are some approaches to dealing with these risks?

While consumer fraud is a major area of risk that needs to be addressed, another lesser discussed area of risk is occupational fraud, where an employee within an organization misuses company resources for personal gain. That is why having controls and accountability within your organization can be really key, and this is another requirement stressed often by regulators. This can include tracking who is making what changes to models such as your Fraud Detection models, have clearly defined policies for the approval of model changes before they are deployed, and clearly defined roles and responsibilities for monitoring and independent review post deployment. Gaining visibility into these different activities can help you identify bottlenecks as well as problem solve when effective policies are not being followed or if high risk changes are being made, even if they are being made unintentionally.

Streamlined Risk Management

Overall, having a comprehensive approach to the dynamically evolving landscape of fraud and fraud detection and mitigation technology can be instrumental to the success of a financial institution. This includes the use of 3rd party AI fraud detection tools as well as internally developed fraud detection models, and even managing the risk of occupational fraud within an organization. With a flexible approach, risks from fraud detection methods that are decaying over time or using AI can be addressed and your organization can avoid errors that can be costly to the organization.

About CIMCON Software

CIMCON Software has been at the forefront of managing AI, EUC, and Model Risk for over 25 years, trusted by over 800 customers worldwide. We are ISO 27001 Certified for Information Security and have offices in the USA, London and Asia Pacific. Our risk management platform directly supports the automation of best practices and policy including an EUC & Model Inventory, Risk Assessment, identifying Cybersecurity & Privacy Vulnerabilities, as well as an EUC Map showing the relationships between EUCs and Models. We also offer an AIValidator tool that allows for the automation of testing and documentation generation of models and 3rd party applications that can be leveraged as a no code tool or a Python Package.