Fraud Signals: What happens when the ‘warning flare’ fizzles out?

Fraud is on the rise. And not just in terms of organised scams. Incidents across the finance sector have increased significantly since the cost-of-living crisis started, with confirmed cases of opportunistic fraud - including ID fraud - already up by 15% compared to pre-pandemic levels. It’s a situation predicted to worsen as the crisis continues.

What can organisations do to protect themselves and customers? One answer very much in the spotlight is the use of fraud signals. 

Backed by many, including the Open Identity Exchange (OIX) and the DCMS, as a key mechanism for fighting fraud and improving online safety, the use of fraud signals is certainly important. But not necessarily in isolation. Read on to find out why.

Fraud signals: the fast-acting warning flares

In June this year, the DCMS released its beta version of the UK digital identity and attributes trust framework - a set of rules and standards designed to establish trust in digital identity products in the UK. You can find out more about the framework in our guide, here. 

The fraud management section stipulates that framework participants must “have a structured ‘shared signals’ framework” to “send and receive relevant identity data and intelligence” that indicates fraud. In other words, an agreed mechanism for sending up real-time warning flares that alert relevant framework participants to be on guard against a particular threat.

Fraud signal scenario

  1. Ms F calls her account provider to report that her account has been hacked.
  2. In response, the provider sends out a fraud signal to other ID providers in the framework who then match this data against their existing customer base.
  3. Two hours later a product application is submitted to another provider under the name of Ms F but from an unusual IP address. The provider in question also sees the fraud signal that was raised earlier, giving them strong reason to believe that the application is fraudulent.
  4. The decision is made not to progress it further and the provider issues another fraud signal to say that Ms F’s account has been taken over.

This example demonstrates one of the key benefits fraud signals deliver: real-time awareness. Like a warning flare, the signal is clear to see and illuminates the exact point at which risk is detected so that others can act accordingly.

There are caveats of course. For the warnings to be issued and understood successfully, fraud signals must be clear and unambiguous – following open standards wherever possible. They must also conform to a commonly agreed set of indicators and agreed responsive actions in order to avoid any kind of confusion and achieve the best outcomes. 

With these considerations accounted for, the system works. And not just in terms of fraud detection. Take cyber security for example, where service providers regularly share data on vulnerabilities and attacks at time of discovery. 

There is a ‘but’. In cyber security the fact that data is not persisted, i.e., not stored for any period of time, is not necessarily problematic. With fraud, it is, because at least some level of persistence is necessary for meaningful analysis to be undertaken to detect fraud. Even if fraud signals are saved for just a short time and then deleted, the bright warning flare soon fizzles out, increasing the risk that no long-term reference point remains.

Which can present a problem. For instance, synthetic identities can be fostered over long periods of time, meaning that previous signals are often deleted by the time the individual in question re-attempts a fraudulent application with minor modifications in their modus operandi. 

Longer persistence of fraud signals could, in a competitive environment, also enable anti-competitive behaviours by potential bad actors within the ecosystem. Strong governance by signal frameworks is mandatory to mitigate this threat.

Fraud databases: the value in volume

In contrast, fraud databases present a solution with greater longevity. Providing a detailed record of fraud/money laundering incidents identified and investigated by organisations, these databases work on a system of reciprocity – a contributor one day becomes a beneficiary of valuable intelligence the next. 

If we think of signals as flares that raise the alarm, fraud databases are the incident logs which help others learn to avoid risk in the future. 

In his report entitled ‘Lessons in private-private financial information sharing to detect and disrupt crime’, Nick Maxwell, Head of the Future of Financial Intelligence Sharing (FFIS) Research Programme, highlights the efficacy of such platforms in terms of improving detection rates but also from a process efficiency perspective. 

National SIRA is a good example. The largest syndicated database of cross-sector customer risk and fraud intelligence in the UK, it contains over 300 million rows of confirmed fraud. Populated by over 160 contributing members spanning financial services and insurance, it helps members save over £1 billion in prevented fraud losses each year.

Other examples of fraud databases in the UK include CIFAS, National Hunter and the Insurance Fraud Register at the IFB. A number of shared intelligence databases also operate with a singular focus in terms of data type, for instance looking at emails or IP addresses associated with fraud. Examples here include Emailage, Threatmetrix, Iovation and IP Quality Score. 

Fraud database scenario

  1. A banking institution believes an account has been set up using a synthetic identity under the name of Mr K. After investigating, suspicions are confirmed, and the account is frozen.
  2. The bank is a member of National SIRA and therefore submits details of the fraud for the benefit of other cross-sector members.
  3. Mr K is not deterred. Some time later, he logs onto a different bank’s website and applies for a standard current account using the synthetic identity.
  4. The bank in question is also a National SIRA member and, as part of its onboarding process, cross-references applications with the database. Mr K’s application is instantly flagged as fraudulent. This attempted application and its associated details are then also logged on National SIRA.

As well as demonstrating how such databases help contributing members detect and prevent fraud – avoiding potential financial loss and reputational damage – this scenario also indicates the ‘data enrichment’ process which takes place. Something the transient nature of signals can’t offer as effectively. 

Each time a new incident is logged the dataset available for analysis grows, making it easier to identify patterns and behaviours that indicate risk, especially with the help of predictive analytics and AI-based solutions. This, in turn, expands the range of risk-based decisioning possible – from whether or not to accept a new customer to deciding into which risk category (and therefore price) an insurance policy should fall – increasing opportunities for automation and efficiency whilst minimising the impact on “good” customer experiences.

As with fraud signals, however, databases are not without issue. For instance, great care needs to be taken in terms of maintaining data privacy and safeguarding the data held from any form of malicious breach. The work required on these points is perhaps one of the reasons only a relatively limited number of large-scale databases exist, which are in turn managed by Specified Anti-Fraud Organisations (SAFOs) in order to provide a clear legislative basis for data sharing over and above the Data Protection Act. 

Also, while the volume and quality (only verified outcomes logged) of data held supports more long-term analysis and generates highly accurate risk indicators that can subsequently be built into rapid screening processes, the real-time detection of new fraud modus operandi (MOs) is certainly a task more suited to a shared signal control system.

Which is better, database or signal?

Neither. Because both have pros and cons. Considering fraud signals and fraud databases as a straight ‘either/or’ option is always going to result in a base not being covered; a risky compromise.

Adopting both as part of a hybrid approach, however, ensures fraud detection and prevention is covered from multiple angles. The opportunity exists to use:

  • Signals to proactively identify new fraud MOs as they are uncovered, and to share risk data across a network in real time; and
  • Fraud databases to track and log existing fraud modus operandi and perpetrators, and to support aggregated analytics over historical and emerging trends.

It’s a powerful combination. One that ticks a hugely important box in terms of immediate awareness while also allowing organisations to leverage data insights in a meaningful and diverse way. To build screening, quoting, and onboarding processes that are better, faster and ultimately more cost-effective. And which offer an improved customer experience.
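The hybrid check described above, as an added sketch that is not code from this article or from any framework or database it names. The class and function names, the opaque identity keys and the seven-day signal retention window are all assumptions chosen for illustration; the two constructed scenarios mirror Ms F (application two hours after a signal) and Mr K (re-application long after the signal has expired).

```python
from dataclasses import dataclass, field

HOUR, DAY = 3600, 86400
SIGNAL_TTL = 7 * DAY  # assumed retention window, not a figure from the article

@dataclass
class SignalStore:
    """Short-lived shared signals: an entry is dropped once it outlives ttl."""
    ttl: int = SIGNAL_TTL
    _signals: dict = field(default_factory=dict)  # key -> (raised_at, reason)

    def raise_signal(self, key, reason, now):
        self._signals[key] = (now, reason)

    def lookup(self, key, now):
        entry = self._signals.get(key)
        if entry is None or now - entry[0] > self.ttl:
            self._signals.pop(key, None)  # expired: the flare has fizzled out
            return None
        return entry[1]

@dataclass
class FraudDatabase:
    """Persistent log of confirmed cases only; nothing expires."""
    _cases: dict = field(default_factory=dict)  # key -> [(logged_at, detail)]

    def log_confirmed(self, key, detail, now):
        self._cases.setdefault(key, []).append((now, detail))

    def lookup(self, key):
        return self._cases.get(key, [])

def screen(key, now, signals, database):
    """Hybrid check: consult both sources and report which ones matched."""
    sources = []
    if signals.lookup(key, now):
        sources.append("signal")
    if database.lookup(key):
        sources.append("database")
    return ("flag" if sources else "proceed"), sources

def run_scenarios():
    """Constructed data: keys stand in for matched identity attributes."""
    signals, database = SignalStore(), FraudDatabase()
    # Ms F: takeover reported at t=0, new application seen two hours later.
    signals.raise_signal("ms-f", "account takeover reported", now=0)
    ms_f = screen("ms-f", 2 * HOUR, signals, database)
    # Mr K: suspected and then confirmed at t=0, re-applies 90 days later.
    signals.raise_signal("mr-k", "suspected synthetic identity", now=0)
    database.log_confirmed("mr-k", "synthetic identity, account frozen", now=0)
    return ms_f, screen("mr-k", 90 * DAY, signals, database)
```

Ms F is caught only by the signal, because no confirmed case exists yet, while Mr K is caught only by the database, because his signal expired long before he re-applied.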

Without doubt, a hybrid approach to fraud control offers huge potential. And that demands closer consideration and action. As an industry we need to make ‘what’s possible’, practical. By drawing on the success and experience of the SAFOs and their users - to address emerging use cases in digital identity, authorised fraud and customer vulnerability - while also ironing out the business case for signals in terms of efficiency, identification of fraud and cost.

Recommendations made by the FATF (Financial Action Task Force) are recognised as the global anti-money laundering (AML) and counter-terrorist financing (CFT) standard. They repeatedly advise that “having rapid, meaningful and comprehensive sharing of information from a wide variety of sources” is essential. A hybrid approach which draws on the best that these two distinct forms of fraud control offer is very much in line with this guidance. It’s an approach that means warning flares will never fade.
