In this article, I intend to present the approach of my company, NetGuardians, to deploying Artificial Intelligence techniques for better fraud detection and prevention. This article is inspired by various presentations I gave on the topic (TODO link) that synthesize our experience at NetGuardians: how these technologies initially triggered a lot of skepticism and condescension, and how it turns out that they are now no longer optional for efficiently preventing fraud in financial institutions.
A few words on NG / 3.5 years / CTO / 18 years in the software engineering business, not tired yet / technology, digitalization concerns, Artificial Intelligence and Data Analytics
Before getting to the heart of the topic, I would like to say a few words about NetGuardians, as a way to justify my legitimacy on the topic I am presenting today.
NetGuardians is a Swiss software vendor based in Yverdon and founded by two former students of the Engineering School in Yverdon. NetGuardians develops a Big Data Analytics platform deployed in banking institutions, essentially for one key concern: fraud prevention and detection, where fraud is considered in its broad sense, meaning both internal fraud (employees diverting funds from their employing bank) and external fraud (credit card theft, ebanking session hijacking, etc.). The NetGuardians Analytics platform works by correlating massive amounts of data from various data sources and uses Machine Learning algorithms to learn in different ways about customer or employee habits and behaviour, in order to be able to detect anomalies in this behaviour.
The company was founded in 2008 but really started developing in 2012 after a pretty long incubation period. Today it counts 60 employees and around 50 customers all around the world. For 3 years, the company has doubled its income and signed a dozen new customers every year. We hope we'll keep doing this this year.
Today, I would like to present how Artificial Intelligence technologies appear to be indispensable when it comes to preventing fraud efficiently in banking institutions. Here financial fraud is considered at the broad scale: both internal fraud, when employees divert funds from their employer, and external fraud in all its forms, from sophisticated network penetration schemes to credit card theft. I do not pretend to present an absolute or global overview. Instead, I would like to present things from the perspective of NetGuardians, from our own experience of the problems encountered by our customers and of how Artificial Intelligence helped us solve them.
Before 2000, banking institutions are only poorly equipped when it comes to fighting financial fraud.
For the most part, detecting fraud cases relies on manual verifications and tests performed by Internal Control, Internal Audit or External Audit. Unfortunately, this implies a lot of issues. By working with samples only, Internal Control and Audit let a lot of fraud cases pass through the cracks, and these are found only very late or even never. Analyses are cumbersome, and most often finding fraud cases is not the first and foremost objective of the auditors. Now of course, the most essential security rules and checks are implemented within the Operational Information System or in the form of procedures to be respected and audited. Also, some banking institutions already have an Analytics System (or Business Intelligence) at the time, and some ad hoc reports targeting fraud detection are implemented on top of it.
In these early times, neither the subprime crisis nor the south European countries debt crisis has happened. Margins are important, people trust banks and all in all bankers are happy people. Fraud cases, mostly internal, exist of course, but financial institutions feel rather safe.
In the second half of the 2000’s, however, the costs linked to fraud, increasingly external, the complexity of attacks and the maturity of attackers rise. Banking institutions react by deploying quite massively and for the first time specific analytics systems aimed at detecting banking fraud, both external and internal.
At this time, these systems are rules engines that work by checking or searching for pre-defined and well-defined conditions within the data extracted from the information system. In a way these systems can be considered as simple extensions of the security checks and rules implemented directly within the operational information system. The solutions come most of the time from the AML (Anti-Money Laundering) world, their vendors having understood that banking fraud was a way to extend their sales.
A very simple rule example is shown at the bottom of this slide.
At this time, a first set of papers has already been published on the success, still somewhat relative in these early days, of some Machine Learning approaches applied to banking fraud detection. But Machine Learning and Artificial Intelligence are considered with a lot of condescension and skepticism. Bankers and their engineers are not willing to consider an approach whose interpretation of results is deemed fuzzy.
NetGuardians was built in these times, and the NetGuardians platform could be seen as a gigantic rule engine.
Unfortunately, the reality of fraud and financial cybercrime evolved fast and dramatically. Let me give you two examples.
In February 2016, a group that we estimate at around 20 people, composed of financial experts, software engineers and hackers, attacked the information system of the Bangladesh Central Bank. They managed to compromise the bank's internal gateway to the SWIFT network. The SWIFT network is the international banking messaging network used by banks to communicate and transfer money by electronic wire. The pirates used the SWIFT network to withdraw money from the Bangladesh Central Bank's VOSTRO account at the US Federal Reserve. They managed to transfer 81 million USD to the Philippines and used Philippine casinos to launder the stolen funds. As a side note, the fact that they stole “only” 81 million USD is amazing luck for the bank, or rather amazing bad luck for the cybercriminals. A rule-based Anti-Money Laundering system deployed at the US Federal Reserve blocked the 6th transaction because the beneficiary name contained the word “Jupiter”. Jupiter was on a sanctions screening list in the US because a cargo ship sailing under the Iranian flag is called “Jupiter” something. The 6th transaction being blocked, all the further ones, around thirty, were blocked as well. But 5 transactions passed through before the 6th was blocked by the Fed, and went further through the correspondent banking network. Another transaction was blocked by Deutsche Bank, a routing bank, because of a typo: “Shilka Fandation” instead of “Shilka Fundation”. So only 4 transactions out of 35 successfully arrived in the Philippines, and the total loss was thus reduced from the 951 million USD initially intended to “only” 81 million USD.
As a fun note, a few weeks after the heist, all the people in charge at the financial institutions involved, the US Federal Reserve, the Bangladesh Central Bank, even the finance minister of the Philippines, were convinced that the money, or at least a significant part of it, would be recovered and that the cybercriminals would be caught.
2 years after, today, we know that we will never recover these funds. The attackers are safe, untraceable and will never be found. We believe that this is a group of about 20 people who worked on the heist preparation for about 18 months. 81 million USD is a pretty number.
Now you think: but this is Bangladesh … right? Here we are in Europe, even better, here we are in Switzerland … right? And in Switzerland we don't really feel concerned by the numerous security holes in the Bangladesh Central Bank information system. So let me give you another example…
The Retefe worm is a worm developed by a team of cybercriminals specifically targeting the ebanking platforms of small and mid-size Austrian and Swiss banking institutions. The worm is used by the thieves to take control of the victim's ebanking sessions and to submit fraudulent transactions to the system.
This worm is 4 years old. For 4 years, fraudsters have kept on updating it, modifying it and extending it to counter the anti-virus software and the specific protections put in place by the banks. This worm is 4 years old and nevertheless, as pointed out by the computer security section of the federal finance department, it is still making today between 10 and 90 victims in Switzerland and Austria. Today, in the Swiss banks …
My conclusion from these examples is as follows: today, fraudsters and cybercriminals are professionals. The time when fraud was coming from a little hacker working in his garage, or a back-office employee disappointed by his bonus, is over. Today, attackers are professionals who have industrialized their methods.
Some facts and projections to understand what reality banking institutions are facing nowadays …
In February 2016, a group of cybercriminals managed to steal 81 million USD from the VOSTRO account of the Bangladesh Central Bank at the US Federal Reserve. This is one of the biggest bank heists in history and the most impressive cybercrime ever.
In a report called “Report to the nations”, the international association of Fraud Examiners estimated that in 2017, the total cost of fraud was 3000 billion USD. In banking fraud, a big part of this amount is related to internal fraud, when bank employees divert funds from their employer. In Switzerland, of course, thanks to the maturity of the banking business as well as the security checks and practices put in place in banking institutions, internal fraud is marginal compared to external fraud. But external fraud is a cruel reality; think of the Retefe worm.
Finally, Cybersecurity Ventures estimates that by 2021 the total cost of cybercrime will reach 6000 billion USD.
This is the reality that banks are facing today.
The principal implication of this reality, the problem with which banking institutions are confronted nowadays, is that the historical systems deployed to counter fraud, rules engines, are beaten.
[Page Down on problems] Let's assume that a banking institution wants to define a set of rules aimed at detecting when an attacker imitates a customer to steal money from his accounts. Imagine the situation of a first customer, someone such as myself, using his ebanking account to pay his loan at the end of the month, his mortgage, his taxes, telephone bills, etc. In my case, a big transaction withdrawing 20 k CHF from my account for a beneficiary located in Nigeria should raise an alert. It's clearly an anomaly, completely outside of my usual habits and behaviour. Imagine now the situation of another customer, someone in charge of acquisitions for a big corporation, a frequent traveller, spending most of his time abroad and using the corporate account to pay big amounts to providers all over the world. In the case of this second customer, a small payment to a counterparty in Switzerland would be the anomaly and should raise an alert, not a payment to a counterparty abroad. If one wants to detect anomalies for these two different situations, one ends up implementing a completely different set of rules for the two distinct customers. And this is impossible.
[After scroll down] Every bank customer, and even user up to a certain level, is different. Representing everyone's own private situation with rules would require implementing and managing hundreds of thousands of rules on the system, which, obviously, is impossible. Only the most common set of rules can be implemented, which means that a lot of frauds pass through the coarse-grained net. In addition, in order to catch the biggest frauds, the limits enforced by the rules have to be very low, which has the consequence of flagging a lot of cases to be analyzed (the so-called false positives), requiring an army of analysts to review and discard them. The direct consequences for our customers are as follows. Financial impacts: frauds must be reimbursed, and the analysts spending their days discarding false positives must be paid. Reputation impacts: a fraud case being reported in the newspapers is a nightmare for banking institutions. Even without large-scale communication, customers impacted by fraud lose faith in their institution. I do not need to explain to you the consequences that the thousands of papers published on the Bangladesh Bank heist had on the Bangladesh Central Bank.
Rule-based systems are beaten today. Something else is required to efficiently protect banking institutions from banking fraud.
Artificial Intelligence provides the solution to this problem.
In 2016, we started at NetGuardians to integrate the first advanced algorithms, so called Machine Learning algorithms, in our systems.
We let an Artificial Intelligence continuously analyze the history of billions of transactions in the system and learn about individuals' habits and behaviours. With big data technologies, AI can analyze a very extended depth of history and build dynamic profiles for each and every individual related to a financial transaction. Individuals are both customers and users (internal employees). Profiling customers is required for both internal and external fraud. Profiling users is required for internal fraud. Big Data technologies are key to keeping these profiles up to date in real time by tracking each and every interaction between the user and the bank systems. In addition to the direct characteristics of a financial transaction, such as the beneficiary, the target bank country, the amount of the transaction, its currency, etc., the machine can correlate a lot of indirect characteristics, such as where in the world the ATM from which the user withdrew money was located, where he connected to his ebanking session from, etc.
For each and every individual, a dynamic and up-to-date profile captures his behaviour and his habits. Then each and every financial transaction, regardless of its type, be it a security trade order, an ATM withdrawal or an ebanking payment, is compared against the user profile and a risk score is computed.
Based on this risk score, the machine eventually decides whether the transaction is genuine or not and whether it requires further investigation by a human analyst within the bank.
The gains of this new approach, based on customer profiling done by AI, are striking for our customers. It has been a game-changing paradigm shift.
[Page down on gains (blue)] In the banking institutions where we can deploy this new-generation approach, we almost eliminate the fraud cases passing through the cracks. And that while still reducing to 1/3 of what it was before the number of cases flagged by the system to be reviewed by an analyst or fraud investigator (most of them being the so-called false positives). Not only the number of cases but also the amount of time required to investigate a case could be reduced, by 80%, by having the machine present the profile of the customer and how the individual transaction deviates from it, with relevant and meaningful visualization techniques. Finally, the number of re-confirmations asked of customers could be reduced to ¼.
[Page down on benefits (green)] Reducing the time required to investigate a case, in addition to the number of cases to be investigated, has a direct financial impact: far fewer analysts are required to investigate these cases. Drastically reducing the fraud cases passing through also has obvious financial impacts. And all of this, especially reducing the number of times a re-confirmation is asked of customers, has positive impacts on reputation.
[Page down on remaining drawbacks (red)] Now, working on a per-customer basis is sometimes still sub-optimal. Sometimes a genuine transaction is very unusual on a per-customer basis, and it is necessary to broaden the view of the Artificial Intelligence. Let me give you an example. Let's imagine that tomorrow I buy a new Audi. That would be a transaction of 60 kCHF leaving my account for a beneficiary, Amag Audi Switzerland, that I have never used before. Such a transaction, with a new beneficiary and a huge amount, is completely outside of my profile. Based on this, the AI will decide to block the transaction, requiring a further validation from my end, which will annoy me. So how can we avoid that? If we look more carefully and globally, transactions of this kind, big amounts paid to Amag Audi Switzerland, are quite usual among the customers with the same profile as myself.
The machine needs a broader view to understand that this transaction is not unusual.
The machine can look at the big picture and analyze transactions at a broader scale. Recall the Audi example. When such a transaction is very unusual for a specific customer, looking at other customers with similar conditions, habits and behaviour is required.
And here again AI comes to help.
AI can analyze the behaviours and habits of customers and group together the people with the same patterns. People that are the same age, same wealth level, same origins or same … will have a strong tendency to behave the same: for instance drive the same kind of car, such as an Audi, live in flats of the same size, pay the same amount in telephone bills at the end of the month, etc. The machine can analyze customer activities and transactions on a large scale and cluster together customers with the same behaviour. Then these groups can be profiled just as individuals are. And finally, a transaction can be scored against the customer group profile in addition to the customer profile.
Recall the Audi example. When this specific payment is scored against the individual profile, the transaction will be flagged as suspicious. Scoring it against the group profile will clearly indicate that it's a genuine transaction. People buy new Audis every day, especially in Switzerland.
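The two-level scoring described above can be sketched as follows. This is an added example, not NetGuardians code: the features, the weights, the 0.5 threshold and the rule that combines both scores (taking the lower one) are assumptions, the peer group is taken as already clustered, and all transactions are constructed.

```python
from collections import defaultdict
from statistics import median


class Profile:
    """Habits learned from past transactions, for one customer or a peer group."""

    def __init__(self, history):
        self.all_amounts = []
        self.by_beneficiary = defaultdict(list)
        self.countries = set()
        for tx in history:
            self.all_amounts.append(tx["amount"])
            self.by_beneficiary[tx["beneficiary"]].append(tx["amount"])
            self.countries.add(tx["country"])

    def risk(self, tx):
        """Risk in [0, 1]: 0 = in line with the profile, 1 = fully outside it."""
        if not self.all_amounts:
            return 1.0  # nothing learned yet, so everything is unusual
        if tx["beneficiary"] in self.by_beneficiary:
            # Known beneficiary: compare with what is usually paid to it.
            ref, novelty = self.by_beneficiary[tx["beneficiary"]], 0.0
        else:
            # New beneficiary: compare with all past amounts, add a penalty.
            ref, novelty = self.all_amounts, 1.0
        med = median(ref)
        mad = median([abs(a - med) for a in ref])  # robust spread estimate
        scale = max(1.4826 * mad, 0.1 * med, 1.0)  # floor avoids a zero scale
        amount_risk = min(abs(tx["amount"] - med) / scale / 6.0, 1.0)
        country_risk = 0.0 if tx["country"] in self.countries else 1.0
        # Assumed weights, chosen for the illustration only.
        return 0.5 * amount_risk + 0.3 * novelty + 0.2 * country_risk


def score(tx, individual, group, threshold=0.5):
    """Score against both profiles; alert only if unusual for both (assumed rule)."""
    ind, grp = individual.risk(tx), group.risk(tx)
    combined = min(ind, grp)
    return {"individual": ind, "group": grp,
            "combined": combined, "alert": combined >= threshold}


def monthly_bills(months):
    """Constructed routine payments: mortgage, taxes and telephone bill."""
    bills = [("Mortgage Bank", 1800), ("Tax Office", 900), ("Telco", 80)]
    return [{"beneficiary": b, "amount": a, "country": "CH"}
            for _ in range(months) for b, a in bills]


# Constructed histories: one customer, and his peer group (10 similar customers,
# four of whom bought a car from the same dealer).
ME_HISTORY = monthly_bills(6)
PEER_HISTORY = monthly_bills(60) + [
    {"beneficiary": "Amag Audi Switzerland", "amount": a, "country": "CH"}
    for a in (48000, 55000, 62000, 70000)
]
AUDI_TX = {"beneficiary": "Amag Audi Switzerland", "amount": 60000, "country": "CH"}
NIGERIA_TX = {"beneficiary": "Unknown Trading Ltd", "amount": 20000, "country": "NG"}

if __name__ == "__main__":
    me, peers = Profile(ME_HISTORY), Profile(PEER_HISTORY)
    for name, tx in (("Audi", AUDI_TX), ("Nigeria", NIGERIA_TX)):
        print(name, score(tx, me, peers))
```

The car purchase is far outside the individual profile but ordinary for the group, so no alert is raised; the 20 k CHF payment to Nigeria is unusual for both and is flagged.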
With this new approach, looking at the broader scale and comparing customers with each other instead of only scoring transactions in the individual context of a customer, we could improve our fraud detection system further.
[Page down on gains (blue)] The number of cases to be analyzed (false positives) could be reduced further. In addition, the groups and their profiles happen to be an invaluable source of information for other concerns such as marketing, trend analysis, etc.
[Page down on benefits (green)] Of course, reducing the number of cases to be handled by the investigation team has a direct impact on operational efficiency and induces further financial gains.
[Page down on remaining drawbacks (red)] Now all of this, transaction scoring and customer clustering, works amazingly well, but it works after the fact. The transaction has been input in the system and, if we are not fast enough, depending on how we integrate with the bank information system, we can be too late, doing only fraud detection and not fraud prevention. What if we could analyze the user or customer activities even before the transaction is input on the system and detect fraud before it happens? What if we could interpret weak signals coming from the analysis of how the customer interacts with the banking information system to qualify him as legitimate or potentially fraudulent? All of this requires completely different analysis techniques.
[On blank page] Let me give you a simple example of what I mean by analyzing a customer’s interaction with the banking Information system. The interactions of a customer with the ebanking application is the simplest example I can come up with.
[Page down on Genuine User] Imagine the situation of a genuine user of the ebanking platform whose behaviour when inputting his payments is always the same. He logs in to the ebanking platform. He looks at his account balance. He performs all his payments, from input to validation, many of them. He checks his pending orders, making sure he missed none of them. He logs out of the platform.
[Page Down on Worm] Now if a worm hijacks the ebanking session, the worm will do none of that. The worm will likely go directly from login to payment input, validation and logout. Here I am only showing transitions, but one can also consider user think time, keyboard stroke speed, etc.
[Page Down on principle] AI can analyze all the behaviour and activity trails a user or customer leaves on the banking information systems and build a model capturing this behaviour. Then, when an individual action is performed, the machine can compute the likelihood of that action being performed by a legitimate user or an attacker, based on the past activity. And here as well, AI can build profiles of these activities and their likelihood both at individual level and at group level through clustering techniques.
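One simple way to turn the page transitions described above into a likelihood is a first-order Markov model of a user's past sessions. This is an added example, not NetGuardians code: the page names, the smoothing constant, the alert margin and the sessions are all constructed assumptions, and only transitions are modelled (no think time or keystroke speed).

```python
import math
from collections import Counter, defaultdict

# Assumed page names for an ebanking application.
STATES = ["login", "balance", "payment_input", "payment_validation",
          "pending_orders", "logout"]


class SessionModel:
    """First-order Markov model of one user's page transitions."""

    def __init__(self, sessions, alpha=0.1, margin=0.5):
        self.alpha = alpha  # Laplace smoothing: unseen moves stay possible
        self.counts = defaultdict(Counter)
        for session in sessions:
            for a, b in zip(session, session[1:]):
                self.counts[a][b] += 1
        # Alert below the least likely known-good session, minus a margin.
        self.threshold = min(self.score(s) for s in sessions) - margin

    def prob(self, a, b):
        """Smoothed probability that page b follows page a for this user."""
        total = sum(self.counts[a].values())
        return (self.counts[a][b] + self.alpha) / (total + self.alpha * len(STATES))

    def score(self, session):
        """Average log-likelihood per transition (closer to 0 = more usual)."""
        steps = list(zip(session, session[1:]))
        if not steps:
            return float("-inf")  # a session with no transition is not usual
        return sum(math.log(self.prob(a, b)) for a, b in steps) / len(steps)

    def is_suspicious(self, session):
        return self.score(session) < self.threshold


def genuine_session(payments):
    """Constructed session of the genuine user: balance, payments, pending orders."""
    return (["login", "balance"]
            + ["payment_input", "payment_validation"] * payments
            + ["pending_orders", "logout"])


# Constructed training data: three past sessions of the same user.
TRAINING = [genuine_session(2), genuine_session(1), genuine_session(3)]
# Constructed hijacked session: straight from login to payment to logout.
WORM_SESSION = ["login", "payment_input", "payment_validation", "logout"]

if __name__ == "__main__":
    model = SessionModel(TRAINING)
    for name, s in (("genuine", genuine_session(4)), ("worm", WORM_SESSION)):
        print(name, round(model.score(s), 3), model.is_suspicious(s))
```

A genuine session with a number of payments never seen in training still scores close to the training sessions, while the hijacked session falls well below the threshold because two of its three transitions were never observed for this user.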
With this kind of analysis, by looking at all the interactions of the users or customers with the banking information systems, AI can look at all individual events and qualify these interactions as legitimate or suspicious, regardless of whether a financial transaction is being input on the system or not.
[Page down on gains (blue)] AI can detect a fraud, or the intention to commit a fraud, even before a transaction is input on the system, by analyzing the user or customer activity before the transaction is input. In addition, by analyzing the behaviour of the customer as a whole, AI can qualify him as legitimate or suspicious and protect the information he sees if any doubt occurs, thus protecting his privacy in addition to his assets. Finally, all this understanding of the user or customer habits and behaviour can be used to design even more advanced transaction scoring models.
[Page down on benefits (green)] This ability to detect frauds before they happen leads to further improvement of the operational efficiency and operational security of the banking institution. Protecting the customers' privacy in addition to their assets is important to protect the reputation of financial institutions. This is especially important for private banking institutions.
[Page down on remaining drawbacks (red)] With «AI vs AI», I wanted to illustrate the current research topics we have today at NetGuardians to improve our algorithms further. In a few words, we see today that cybercriminals are increasingly using advanced algorithms on their end to study the banks' attack surface and discover means to attack the banks and their customers. We are in a cat-and-mouse game where attackers attempt to counter the security systems put in place by banking institutions, which in turn deploy new forms of algorithms and intelligence to protect themselves further. I can only look forward to telling you more on this matter in the near future…
This brings me to the conclusion of my presentation …
[On image] Our own experience and conclusion with AI technology and its concrete application in our use cases leave no room for doubt.
[Page Down on summary of gains and benefits] Introducing advanced algorithms, machine learning and advanced analytics techniques in our use cases has been key to helping us improve the way we secure financial institutions and their customers. We could: reduce the fraud cases passing through and almost eliminate them; reduce the number of cases to be analyzed and make the detection system a lot more relevant; drastically reduce the amount of time required to investigate a case.
[Page Down on principle] Today, at our customers, Artificial Intelligence monitors every single interaction between individuals, both customers and employees, and the information system, to qualify their actions as legitimate or fraudulent, in addition to analyzing with highly sophisticated models the financial transactions input in the system. Today our reality is as follows: Artificial Intelligence monitors human behaviour on a large scale to secure banks and their customers.
[Page Down on note] But science fiction advances much faster than reality. Regarding artificial intelligence, the collective imagination, fed by Musk and Hollywood, is way ahead of reality. In the collective imagination, artificial intelligence today generates quite a lot of fantasies. So let's agree on something, if you do not mind. If one calls weak artificial intelligence an intelligence able to solve a problem in a strict context, to optimize a solution or a mathematical function, or to look for an answer to a question in a strict context, one calls strong artificial intelligence an intelligence able to argue, to contextualize or to show sensitivity or initiative. While progress in weak artificial intelligence is today very fast and very impressive, we do not have the slightest trace of a proof that would allow us to believe in the emergence, one day, of a strong artificial intelligence. Strong artificial intelligence is science fiction.
The problem is that names of approaches such as neural network generate a lot of fantasy in the public imagination, which takes these names literally. With neural networks, the public imagines a digital brain, whereas the reality is that of "matrices of convolutions", intensive iterative calculations carried out on gigantic numerical matrices. On the other hand, powerful technologies with less evocative names (genetic programming, random forests or "boosted gradient") raise fewer fantasies.
Today, these artificial intelligence techniques give the most impressive results when they help the human and not when they supplant him. Chess is one of the first areas in which computers started beating humans. The examples of algorithms that manage to defeat the great masters of chess, not systematically but regularly, are legion. But it is the so-called "centaurs", sometimes amateur players helped by artificial intelligence, half human, half machine, who now win all the "freestyle" games. I would like to mention a second example, with a test performed last year. Melanoma specialists were asked to identify cancerous lesions based on photos of skin lesions. These experts had a precision, a success rate, of the order of 95%. An AI based on a neural network deployed towards the same objective reached an impressive 93% accuracy, failing to beat the experts. But a set of interns, students rather than actual doctors, accompanied and helped by an artificial intelligence, arrived at 97% accuracy, beating both the Artificial Intelligence alone and the experts.
Today, the most impressive results of these technologies come from what is called Augmented Intelligence, when Artificial Intelligence intervenes in support of the human decision process and not to replace it.
And enhanced intelligence is exactly what we do at NetGuardians by providing bankers with the means to prevent fraud cases much more effectively.
Straightforward … There are 2 aspects I'd like to illustrate. The first is the ability to run these analyses in real time: being able to analyze the activity of bank customers and users in real time is at the root of the difference between preventing fraud and detecting fraud. It must be possible to work with very low processing times to characterize a transaction before it is placed on the market. The second is the user experience: the deployed algorithms can be as intelligent as one can imagine, but if one is not able to provide investigators and analysts with clear, concise and precise information, allowing them to understand the context of the transaction and the reasons for the system to block it, all this does not work. Users reject the solution. Providing analysts with extremely intuitive and visual means to understand machine decisions is essential.
Artificial Intelligence for Banking Fraud Prevention