Good day and welcome to my last 2020 quarterly CEO synopsis, and what a year it has been. In this, I outline the dynamics I see developing in the global identity verification (IDV) market and highlight Ekata’s response to continuous market demands. I increasingly try to blend verified third-party research with our first-hand customer and market interactions in financial services, payments, and eCommerce from our Amsterdam, Singapore, Budapest, and Seattle offices.
This synopsis is longer than I would normally write, but I want to do justice to the discussion as we close out an unprecedented year. Today I’ll discuss the adoption of machine learning (ML) modeling, a powerful and relatively new arrow in the IDV and cyberfraud ecosystem, with a historical look specifically at the financial services segment.
ML modeling to fight fraud has been adopted everywhere, hasn’t it?
The adoption of artificial intelligence and ML modeling to fight fraud is spelled out well in the 2019 Anti-Fraud Technology Benchmark Report. The report states:
“The amount organizations are expected to spend on AI and machine learning to thwart online fraud is expected to triple by 2021. The ACFE study also found that only 13% of organizations currently use AI and machine learning to detect and deter fraud today. The report predicts another 25% plan to adopt these technologies in the next year or two – an increase of nearly 200%.”
We are seeing this trend clearly in the market with our customers and partners. Contrary to what many think, this study indicates that barely 1/3 of companies will employ ML modeling to combat fraud by the end of 2021. And the largest segment of the twenty-four markets represented in this study, with 21% of respondents, is financial services.
My personal story of identity theft
Along with an estimated 86,500 other Washingtonians, I had my identity stolen this past spring by a Nigerian fraud ring targeting unemployment payouts from the CARES Act. It was not a great experience personally and still continues to be a hassle. According to Bloomberg Law, eleven states experienced major fraud related to unemployment claims from the spring to the summer of 2020, including 1+ million dubious claims across Arizona, Colorado, Maryland, Ohio, the list goes on.
You might be wondering how this scam, perpetrated at such scale, captured my identity. After all, as the CEO of a company in the identity verification industry, I am diligent about passwords; informed on security and data attacks, calls scams, etc The short answer is that the Washington State Employment Security Department (along with other states, I suspect) takes a deterministic approach to identity verification, one built on static identity data and processes created some 50 years ago for credit risk, not fraud risk. How does that work?
I have never filed for unemployment in Washington State, and therefore had not previously “claimed” my Employment Security Department (ESD) account, effectively leaving the account “open” for anyone to claim. It looks like this.
- Step 1: Be sure it is “the Rob Eleveld” deterministically by asking for my full name, Social Security Number (SSN), and date of birth (DoB), along with an email address to receive registration. After all, the ESD wants to be sure to send my unemployment check to the right person!
- Step 2: Create a password for the account.
- Step 3: Enter a financial institution and account where unemployment benefits should be sent.
Talk about a rudimentary account opening fraud check. As we all know, the static identity data elements required in this process above, have all been compromised, many times over, and can be easily purchased on the Dark Web for every US citizen.
The deterministic approach was never designed for fraud risk globally
In the United States, the deterministic approach consists of verifying a direct link between a name and a unique identifier (SSN or more broadly National ID) and DoB; created for assessing credit risk with the passing of the Fair Credit Reporting Act (FCRA) in the 1970s. The objective was important, to ensure that the correct credit score was associated with “The” Rob Eleveld.
This deterministic approach is a process that today is still a regulatory requirement for assessing the credit risk of an applicant, but the approach was never intended to be used for fraud risk. A deterministic fraud assessment is not a system designed for the requirements of managing global fraud risk, not in 2020 (as the Nigerian fraud ring proved 86,500 times to the State of Washington ESD) and not in the years to come.
A very recent headline on CNBC from 05 January 2021 indicating unemployment benefit fraud is still going strong
Free compute power changed fraud patterns beginning in 2017-2018
At Ekata, we observed global fraud patterns in payments and eCommerce metastasizing in 2017-2018 (we were still Whitepages Pro then) when cloud computing became mainstream, and state-sponsored fraud rings began exponentially increasing attempted fraud. Why? Because compute power effectively became free. Shifting a fraudster handling
Back in 2015, a fraudster might buy 100 stolen credit card numbers on the Dark Web and peck around trying to complete transactions before the cards were canceled. By 2018, a fraud ring was buying 100,000 stolen cards and ramming those cards against websites and accounts in parallel. At that scale, they have enough attempts to figure out how to bypass rules-based fraud systems.
Global fraud behaves like financial markets – moving quickly to exploit arbitrage opportunities
To fight state-sponsored fraud rings, we needed to start with a proper mental model of the enemy, and my mental model of fraud shifted when observing the changes in 2017-2018. I have come to see global fraud operating similarly to global financial markets.
Global hedge funds deploy capital quickly, anywhere in the world, to take advantage of outsized returns, what an investor might broadly categorize as “arbitrage opportunities” with large potential returns relative to the risk incurred. As word gets out about an opportunity, more capital flows in, which has the effect of reducing the potential return until there is little, if any, at which point the arbitrage opportunity is gone. Then investors go looking for the next arbitrage opportunity. Of course, this process is legitimate and governed by laws and regulations.
Global and state sponsored fraud operates illegally, but the behavior pattern is very similar. The Nigerian fraud ring observed a number of states with very simplistic account signup verification during a time when new unemployment account signups and unemployment payouts were seeing explosive growth. It was a classic fraud arbitrage opportunity, which unfortunately will likely be exploited again at smaller scale with Congress recently passing the follow-on to the CARES Act.
As states slowly beef up their fraud checks for new unemployment account signup, the fraud payback will be reduced while the resources to beat enhanced account opening fraud checks will increase, driving down the overall arbitrage opportunity. At a certain point, the Nigerian fraud ring and others will then move on, looking for the next weak spot in global financial services, eCommerce, payments, or remittances to exploit.
Acquirers and large merchants shift rapidly to ML models to fight global fraud
As a result of the 2017-2018 changes in fraud patterns, payment service providers (PSPs) and large eCommerce merchants began aggressively shifting to ML models to increase their defenses. In my “global arbitrage” mental model, they were, in effect, greatly increasing the resources fraud rings would need to invest to conduct successful attacks at scale. This in turn drove down the arbitrage opportunity on their platforms relative to other weaker spots in the global ecosystem.
The benefits of moving to ML models include:
- Ability to train models across geographies or globally, providing a more consistent approach to combat the global arbitrage approach of sophisticated fraud rings.
- More precision in identity verification and fraud decisioning. This is especially important as the number of input elements increases (e.g., what used to be just name and address when someone opens an account is now some combination of name, address, phone, IP, email, etc), which in turn drives up the complexity of possible linkages and behaviors of those elements online over time.
- Increased flexibility to adjust what I call “the decisioning aperture” wider or narrower based on the business objective. For instance, some of our customers are just trying to keep bots out of an online marketplace (where a wider risk aperture will suffice) while others are providing loans in the thousands of dollars/euros in a few seconds (where a very narrow risk aperture is needed). This benefit enables much more business control and fidelity relative to legacy fraud systems.
Of course, with the adoption of new technology comes new requirements to support that technology. Some of the new supporting requirements in ML modeling include:
- More data scientists and modelers.
- Consistent, normalized data from a variety of sources. The more diverse types of data ingested in ML models, the more robust the decisioning will be in finding fraud.
- Data provided in “model feature” format: binary responses [1/0 or true/false]; categorical response [a finite response set like red/yellow/green]; or a numerical range [the model itself then determines where the decisioning cut point is along the range].
While seemingly simple, our experience is that many companies struggle to fulfill these requirements internally, especially both #2 and #3. Most internal databases or data warehouses were not designed with normalization in mind, and very seldom are they in model feature format, which then requires new internal services to be built with significant engineering commitment to create model feature-ready inputs with low latency responses at three or four nines of uptime.
Financial institutions are also moving to ML models, but are lagging by a few years
Financial institutions are moving to this ML paradigm as well, at least in account opening, although they are a few years behind. To better understand the delay in this shift to ML models among financial institutions, we must remember that banks historically lost money primarily due to loan defaults, where the evaluation paradigm was established decades ago under the FCRA and is focused purely on credit risk. This is the process financial institutions know, and it has created enormous inertia in their efforts to adapt in the fight against modern fraud. The static data provided by the credit bureaus (which was never designed for fraud analysis) began to be used for simple fraud checks during the account opening process mainly because it was there and available from well-established credit check processes.
We also need to keep in mind that loans or claims for many decades have been primarily consummated at bank branch offices or government facilities. A borrower or claimant would need to show up in person, provide one or more forms of identification, then review, as well as, sign a significant amount of paperwork. This high friction, time-consuming process made fraudulent loans or claims much more difficult to execute and very challenging for fraudsters to do at scale (i.e. not a large arbitrage opportunity). Based on the last time my wife and I refinanced our mortgage only a few years ago, many of these processes have continued to be in person at traditional financial institutions.
Point-of-Sale lenders and crypto companies are early adopters of ML decisioning in account opening
Today, in a world of online applications and transactions, that world has drastically changed. As a result, lenders, issuers, and payment services providers really require distinct, more sophisticated ML modeling of both fraud and credit risk.
We first noted this phenomenon a few years ago in point-of-sale (PoS) lending, where Ekata has many customers including Affirm, Klarna, and Afterpay. A PoS lender typically has a five second service level agreement (SLA) where they must evaluate both fraud and credit risk before presenting a PoS loan offer.
We have found PoS lenders to be very savvy with identity data. Early on, they made a very clear distinction between fraud and credit risk in their models, tracking independent evaluations of both. They had a global or at least multi-geo footprint, creating a necessity to guard against the global fraud arbitrage opportunity sooner than many traditional financial institutions operating in a single country. Our crypto-focused customers including Coinbase, Uphold, Kraken, and Simplex were also early adopters of sophisticated ML modeling to fight fraud for the same underlying reasons.
More sophisticated ML models used by issuers also create an opportunity for passive authentication
Along with the benefits stated above for moving to ML models in fighting fraud, traditional financial institutions and especially issuers have another huge incentive with the Second Payment Service Directive in Europe and adoption of 3DSecure 2.0, both of which increase the focus on authentication: ML modeling with more precision and the ability to accept more and varied data signals offers the potential for much broader passive authentication. This opportunity can provide an important competitive advantage to any issuer which reduces friction on transactions and provides a better frictionless customer experience through passive authentication when authentication is required.
Ekata’s entire identity verification product suite supports ML modeling
At Ekata, we engineered our identity verification products to support a global approach to fighting fraud. Instead of going country by country as is a regulatory requirement for credit risk, we launched our global API response in 2016 specifically to move a fraud model anywhere in the world. It has been global from day one.
As ML adoption accelerated in 2018 due to changing fraud patterns I describe above, we adapted. Specifically, we shifted our product roadmap to ensure we could provide our customers with an external API call that would meet or exceed any internal data service requirements in terms of availability, very low latency, and easy model testing and ingestion.
Today all of Ekata API products are designed to support our customers in their fight against global, well-funded, often state-sponsored, fraud rings. To be specific, all of our API products deliver:
- Global availability: four nines of uptime for our global product suite.
- Low latency: sub-100 millisecond round trip API responses (P99, or 99% of responses) anywhere in the world. We have data centers in North America, Singapore, and Germany so that none of our customers experience cross-ocean wire travel of 200-300 milliseconds.
- Easy model ingestion: Every row of our API response sets is a model feature, designed for easy model testing and ingestion without additional need for data normalization or manipulation.
- Easy model training support: Our products all support point-in-time testing up to a year in arrears for model retraining.
The Rule of Law that underpins our industry and our communities
In closing, I want to thank you for engaging with me and my thoughts. I know this one was long. But I also want to make a brief statement to all of you as business leaders who fight every day to do right by your customers, your employees, and your communities at large.
Many years ago, I took an oath to protect and defend the Constitution of the United States of America against all enemies, both foreign and domestic. I thought deeply about that oath when I took it at the tender age of 20, because I had to wrestle with my own mortality and what I was willing to die for in order to take it. It is therefore to me a sacred oath. I served in the United States Navy for five years on active duty as a submarine officer to fulfill that oath and duty to my country.
One of our most critical rights enshrined in the US Constitution is the democratic process of voting. That right and the peaceful transfer of power underpins the rule of law. Any public servant who perpetuates lies about the integrity of our voting system or who attempts to overturn elections after all legal means in the courts have been expended (and there is well-established case law around vote counts), has clearly violated that oath. I have no time for them, and I will never again trust them as public servants, as they are not fit to serve in their respective offices. Full stop.
I encourage all of you to join me in actively supporting the rule of law in your companies and communities, as well as demanding the same from your elected public officials.
Finally, let me say that I am hopeful that vaccine distribution will accelerate globally, and that I will see some of you in the market by summer! Rob