Banks are turning to machine learning and other advanced technological protocols to protect consumers in the escalating fraud arms race, as legacy systems creak under the digital burden - market participants and commentators say.
“As banking has entered the online and mobile channels, so has fraud and the complexity of today’s digital attacks increased. Financial institutions now have a whole host of additional access points and complex channels to defend,” according to Mark Crichton, senior director, security product management at OneSpan, the security company.
Between $25m and $40m is estimated to be lost to card not present fraud (CNP) globally, according to Accenture. CNP - or ecommerce fraud - is increasing hand in hand with the wider availability of sensitive customer data following a string of data breaches, according to UK Finance.
The advances in computing power, the proliferation of data and the patterned nature of fraud, make the application of machine learning “an obvious response”, according to Jonathan Warren, business architecture specialist at Altus Consulting.
“Machine learning can help efficiently determine which transactions are most likely to be fraudulent, thereby reducing cost and supporting higher levels of identification and prevention than us humans, serving to prevent the negative consequences for business and consumer,” writes Warren over email.
Different branches of machine learning have evolved: supervised machine learning involves a human correcting the machine until it achieves an acceptable level of performance, while unsupervised learning has no defined output, allowing the machine to draw observations based on commonalities in unclassified data.
“Machine learning is very good at understanding minute trends in lots and lots of data, exactly what humans are not good at,” says Eddie Bell, head of machine learning at Ravelin, the anti-fraud company.
“In terms of maturity the current fraud models are not actually that tricky a problem for machine learning so I’d say that the underlying technology of machine learning to support fraud detection is very mature,” he says.
Market participants and even artificial intelligence advocates admit trust has been an industry concern, confining the technology to pilot phase, other fraud prevention providers blame a lack of education amongst banks for “initial distrust”, according to Marina Jacobone, head of partnerships at TAS group.
“Banks are now converging towards the adoption of fraud prevention and detection solutions that make use of ML which is capable of quickly adapting to shifting patterns of fraud. ML is being seen as a technology that can finally deliver the banks a solution for something they’ve long been struggling with,” said Jacobone in an email.
Not a silver bullet but an edge over competitors
In December 2015 the European Banking Authority (EBA) published its anti-fraud vision in a discussion paper, in which it set out its aim to “enhance consumer protection, promote innovation and improve the security of payment services across the European Union.”
But it hasn’t been easy sailing since. The EBA used the word “unprecedented” to describe the level of interest they received in response. A total of 224 responses and more than 300 different concerns during the consultation phase between the discussion paper and the final draft of the Strong Customer Authentication (SCA), largely out of concern for the added friction merchants would see and the potential conversion hit they’d take, according to Bell.
SCA will require account servicing payment service providers (ASPSP), namely banks, to challenge all transactions with two factor authentication using two of three knowledge, inherence and/or possession elements.
Following the feedback, the EBA published guidelines outlining the conditions required for ASPSPs - banks, predominantly issuers - to become exempt from SCA, striking a balance between security and consumer convenience.
Those conditions outline the ASPSP’s requirements - to be above a certain fraud rate threshold while the application of a transaction risk analysis model must be monitored in real-time, with yearly external audits and the ability to switch off should the ASPSP fall below the threshold.
“SCA is the most disruptive change we’ve had in payments since chip and pin,” says O’Keefe, adding that consumers will not be ready for it.
“The new standard,” he says, “means that any transaction over €30 will have to be challenged. Only about 5% of transactions are challenged today in the UK. Banks will be asking, if I don’t want to interfere with 95% of my customers’ transactions, how am I going to achieve that?”
It is here that machine learning is touted as the underlying and real-time engine of the risk-based analysis which would make banks and their merchant customers eligible for SCA exemption.
If banks are able to keep below the mandatory fraud rate threshold and perform auditable and justifiable risk analysis on each transaction, then it gives them an edge on competitors who might fail the fraud threshold or opt to SCA all transactions, believes TAS Group’s Jacobone.
“SCA exemption,” said Jacobone, “is the basis on which banks will compete in the near future to attract customers, merchants and end users, offering a payment experience that maximizes security and ease / speed of use.
“Machine learning can perfectly support the bank in the decision on whether to apply or not apply the exemption. As the payments world moves to Transaction Risk Analysis, PSPs who are able to best leverage ML technology will prevail over their competitors, reducing fraud losses and increasing customer loyalty,” she said.
Despite the competitive advantage, O’Keefe suggests that SCA exemption - the incentive for investment in machine learning - is only one option for issuers and their merchant customers, namely whitelisting and greater app functionality.
Whitelisting will allow the ASPSP to ask customers’ consent to identify safe merchants, permitting customers to forego SCA on their most visited sites. A current market example is the SafeKey solution from American Express.
“If whitelisting achieves 70 or 80% for 20% effort and perhaps that’s more of a slow burner for what you do with machine learning.
“Is machine learning the answer or is giving the customers the control to authenticate easily the best way forward? A lot of it comes down to how good the bank’s mobile banking app is and using that app to authenticate transactions, give customers greater controls or manage whitelists,” he says.
However, O’Keefe admits this opens the door to blanket whitelisting which may not necessarily address the EBA’s overall objective of reducing fraud. It also makes issuer merchant relationships interesting. As SCA exemptions are optional if the issuer decides to authenticate all transactions it has the right to do so.
“It becomes interesting when considering Amazon and its one click functionality. It’s possible - it might be commercial suicide - but an issuer could interfere with every step in the transaction and that’s its right,” says O’Keefe.
The biggest problem facing machine learning, according to Ravelin’s Bell, is in the infrastructure surrounding the technology.
“The problem is getting that model out, making sure it runs efficiently, monitoring it, explaining what it’s doing, making sure it doesn’t break. This is what most startups and even enterprises will struggle with, not just making the models which is easier,” says Bell.
While Altus’ Warren agrees the infrastructure is costly, he also believes there is a comparative lack of industry understanding of the technology which could also negatively impact machine learning’s desired impact.
“Like all fledgling technology in its embryonic beginnings, it’s expensive and not fully understood. Firstly, there’s a talent gap with insufficient data scientists, qualified and skilled to implement advanced machine learning. This is serving to inflate salaries and create a lack of supply to progress implementation.
“Equally, most firms have acquired a lot of data but it’s normally unstructured, unlabelled and therefore presents a challenge for machine learning. To consider implementing machine learning for many firms could involve a mass data project,” says Warren.
Overall, the decision to invest in machine learning for the competitive advantage may be a luxury only a few can afford, according to O’Keefe.
“With the backdrop of Open Banking, RBA, whitelisting and account aggregation, any banks may look at ML and think it’s too hard. It could be that those that can afford to invest in machine learning will win out because of this.
“It may be that the payment networks with their huge amounts of data are best placed to make use of it and risk score. They’ll charge for that type of service but it may be better for an issuer to opt for that, rather than only use their data,” he says.
The future of machine learning: learn to play with other technologies
Meanwhile, the card schemes have been proactive in directing the industry towards biometrics, with MasterCard recently mandating issuers to implement biometrics capabilities by April of this year.
OneSpan’s Crichton acknowledges that machine learning requires an added technological dimension such as biometrics.
“Specific to the SCA exemptions – it is yet to be proven that machine learning (with simple score based allow and deny policies) will be strong enough to allow initial levels of authentication (the recognition of the device to a strong enough level or the behaviour-metric elements of the user journey).
“But I certainly believe that in combination with physical authentication factors such as biometrics, a customer would be in a much more strategic position as the regulation develops and as their online and mobile business adapts to the way that users want to interact with them,” he writes.
It is the wide availability of smartphones where O’Keefe places his bets on the future of authentication. According to the latest data from Statista, some 94% of UK adults own a smartphone.
“If we overlay payment trends,” he says, “where mobile payments are increasingly common, and biometrics becoming more common on mobiles, it may be logical that authentication happens on phones.”
Through banking apps, banks will be able to make informed decisions regarding the security versus usability challenge that stronger authentication has thrown up, believes Crichton.
“The key to reducing fraud is building layers that can not only help you detect threats, but also help you ease a user’s journey within an application, ultimately helping you make a smarter decision in response to the security vs usability challenge.
“For this reason, I don’t see machine learning being overtaken in any race, but it also cannot be relied on in silo. Machine learning combined with a strong field of other authentication technology will ensure the strongest defence against fraud,” writes Crichton.
The visible hand
Despite these convictions, there is still a very real possibility that the legislative landscape could again shift direction in the coming years, changing the course of machine learning’s potential within authentication, according to O’Keefe citing a letter to key stakeholders from the vice president of the European Commission, Valdis Dombrovskis in February.
“New forms of authentication,” reads the letter “would also make strong customer authentication much more convenient, and the convenience of SCA is a major determinant of competitiveness and consumer confidence in the area of payments.
“Convenient SCA also reduces the need to rely on exemptions, notably based on transaction risk analysis which would give a competitive edge to those market participants that have access to a large pool of personal and payments data,” writes Dombrovskis.
For O’Keefe, the vice president’s letters suggests a variety of technologies could come to the fore in the not so distant future – to compete with machine learning.
“Dombrovskis’ words demonstrate that a desire for convenient SCA is the preferred direction and not a reliance on exemptions, says O’Keefe. “This might make banks reluctant to pin their hopes on one technology but instead look how their mobile apps can deliver seamless SCA.”