Credit Card Fraud Analytics: The “Obama Problem”

“Excuse me, sir….”

You know the situation.

It’s probably happened to you. You’re traveling. Or out to dinner with clients. Or buying a special gift.

And suddenly, you’re stuck with that shopkeeper or waitress staring at you saying the words you dread to hear:

“Your card has been declined.”

There’s nothing wrong with your card. You have available limit. Your payment wasn’t late. You’re the victim of poor credit card fraud analytics.

Your transaction was flagged by the bank as being “suspicious” and your card was shut off. Now, it’s your responsibility to turn it back on. If you’re lucky, your bank may contact you in advance of shutting it off. Or maybe they’ll reach out to you in the moment. But no matter how it goes, it’s now your problem.

Well, it was President Obama’s problem recently as well, as he admitted at a meeting of the Consumer Financial Protection Bureau (CFPB).

While dining out at a nice restaurant, his card was declined by his issuer (Chase Bank, as far as the news reports go). He was saved by his wife’s card, which did work.

Which goes to show you how random and problematic these analytics can be.

No One Wants Fraud

Just so it’s clear: no one wants fraudsters to get away with anything.

But the fraudsters seem to have moved from the random target to the “big prize” of hacking into an entire organization. That completely changes the dynamic of how we detect fraudulent activity on a card.

Instead of looking for an “out of the blue” odd transaction, we’re invalidating thousands (or in the case of JPMorgan Chase, millions) of customers’ cards in order to “start over.”

“I’m sorry, sir. It looks like you purchased several airline tickets. In Serbia.”

And we want our banks to stop fraud before it happens. There’s nothing worse than waking up to a checking account being emptied because the debit card was compromised. There is something so much more violating about debit card fraud than credit card fraud.

When the bank misses those, it’s a false negative. The “Obama problem” as I’ve named it here is a false positive.

What we need are fewer false negatives and fewer false positives. Obviously the bank is motivated to reduce the false negatives. Are they as motivated to reduce the false positives?

CEP as Credit Card Fraud Analytics

Best-in-class credit card fraud analytics are done via complex event processing (CEP). You take a series of events, along with their sequence and timing, and correlate them to a fraud event – or the lack thereof. It’s a sophisticated technique that the large banks do themselves and the smaller banks outsource.

But generally the event processing is limited to the internals of the transactions themselves. They don’t take context into consideration.

That means if your card is used in London and then 10 minutes later in Washington DC, the CEP algorithms will likely pick up the problem.

But, if you buy a ticket to London with your card, then use your card while you’re there, CEP won’t pick up that you’re supposed to be in London – although, it certainly could if it read the transaction details.

Large banks may have the wherewithal to integrate more transaction context into the analysis, but the smaller banks – who typically outsource this function to their core providers – do not.

Leveraging Mobile Context

For card present transactions, the mobile device could end up being the key.

Customers with the mobile application installed on their phone could give permission for the bank to use their location, cross-reference it with the merchant, and approve the transaction as not only card present, but cardholder present.

That might even result in lower discount rates… but let’s not get ahead of ourselves.

Let’s move from “card present” transactions to “cardholder present” transactions.

For card not present transactions, geolocation may not help, but multi-factor authentication can. If the card issuer has concerns about the transaction, they could in real-time send an authentication request to the cardholder’s mobile device. By validating the transaction, they could bypass the typical “decline and verify” process and simply move to a “delay but approve” process. This change would significantly improve the customer experience in a number of ways.

First of all, there’s no more embarrassing “your card has been declined” conversation. But instead, the waitress or shopkeeper can say, “I’m waiting on your authentication.” Much, much better.

Also, no more frustrating wait to speak to a customer service representative – especially for those smaller banks that do not have 24/7 service in this area. I speak about that problem in my book, Seven Billion Banks. I advocate a “you break it, you buy it” framework for banks. If you turn off the card in the middle of the night, you had darn well better be able to turn it back on in the middle of the night too.

But this multi-factor authentication is completely automated and saves the mundane “please verify the last five transactions” conversation. (Besides, who remembers the last five things they bought with their debit card along with their amounts anyways?)
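The CEP rules and the mobile checks described in the two sections above can be sketched together. This is an added example, not code from any bank or vendor; the thresholds, rule names, `Txn` fields and sample coordinates are assumptions made for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

MAX_KMH = 900.0  # assumption: ceiling on plausible travel speed
AWAY_KM = 500.0  # assumption: distance from home treated as out of pattern
NEAR_KM = 1.0    # assumption: radius for "phone is at the merchant"
DC, LONDON = (38.90, -77.04), (51.51, -0.13)  # constructed sample coordinates

@dataclass
class Txn:
    ts: float                                        # seconds since epoch
    loc: Tuple[float, float]                         # merchant (lat, lon)
    ticket_to: Optional[Tuple[float, float]] = None  # airline ticket destination

def km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flags(home, history, txn, use_context=True):
    """Correlate txn with earlier card events; return the names of rules that fired."""
    fired = set()
    if history:
        prev = history[-1]
        hours = max((txn.ts - prev.ts) / 3600.0, 1e-6)
        if km(prev.loc, txn.loc) / hours > MAX_KMH:
            fired.add("impossible_travel")  # London, then Washington 10 minutes later
    if km(home, txn.loc) > AWAY_KM:
        # Context: an earlier ticket purchase to this area makes the location expected.
        expected = use_context and any(
            t.ticket_to and km(t.ticket_to, txn.loc) < AWAY_KM for t in history)
        if not expected:
            fired.add("far_from_home")
    return fired

def decide(fired, phone_loc=None, merchant_loc=None, confirmed=None):
    """Return APPROVE, STEP_UP (hold the sale, ask the phone) or DECLINE."""
    if not fired:
        return "APPROVE"
    if phone_loc and merchant_loc and km(phone_loc, merchant_loc) <= NEAR_KM:
        return "APPROVE"  # opt-in location puts the cardholder at the merchant
    if confirmed is None:
        return "STEP_UP"  # "delay but approve": wait for the cardholder's answer
    return "APPROVE" if confirmed else "DECLINE"
```

Calling `flags` with `use_context=False` on a London purchase that follows a ticket bought in Washington reproduces the false positive; with context enabled the same sequence raises nothing.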

Will EMV Save Us All or Just Make Today’s Analytics Irrelevant?

Maybe this is all moot.

The EMV “chip-and-PIN” system will change the dynamic of credit card fraud analytics.

I mean, if you go to Europe and explain about the “card shutting off” problem, they will stare at you with blank looks and wonder why you put up with such treatment from your bank.

That’s because they all use chip-and-PIN cards, or EMV in the Fintech parlance. And EMV is coming to the United States in 2015.

EMV is the combination of an embedded chip in the card and your memorized PIN that jointly are required to facilitate the card present transaction. Even if someone steals your card, they don’t steal your PIN, and unless it’s something easy to guess, like 1234, you’re likely not going to have your funds stolen from you this way. It’s a form of multi-factor authentication – one physical and one knowledge-based.

So, does that mean that mobile context doesn’t matter anymore?

Not at all.

There is still the issue of card not present transactions, which don’t typically require a PIN. In addition, there could be future breaches of bank systems in which PINs are also compromised. There’s enough money in credit card fraud to be a significant motivator.

So I still believe credit card fraud analytics need to improve. Complex Event Processing needs to include more contextual information in the analysis, including – among other things – mobile context. That means leveraging geolocation and mobile authentication as part of the fraud analytics process. And more than context, the mobile device is a vehicle for communication during what can be a very upsetting time. Sometimes the situation needs to be resolved immediately, like when you’re buying dinner or checking into a hotel or standing in a long line at a checkout. Calling your bank after they open on Monday is no longer acceptable.

In addition, whatever you do today, upon EMV rollout the dynamics change overnight. Your experience up to that point will basically be thrown out the window. False negatives. False positives. You’ll be swimming in them. Is your analytic infrastructure ready to switch over?

What Should You Do?

If you’re a bank, this directly affects your customer experience and your bottom line equally. Spend the time to analyze what your fraud prediction “holes” are. Do you collect information about your false positives? Are the analytics updated, or do you just turn the card back on and forget it? What’s your plan to update the analytics upon EMV rollout? Do you have an analytic platform that can adapt quickly to the changing fraud environment? Or are you simply rebuilding models whenever you can get the resources?

If you’re a vendor in this area selling to banks, it matters too. So take note, mobile banking vendors! Sharing geolocation information – on an opt-in basis – should be a mandatory option of any mobile banking app.

In addition, analytics vendors should prepare for the change in event processing that will come with EMV. Be ready to change the credit card fraud analytics you use today. Rather than making event prediction less meaningful, EMV and future behavioral changes will actually change the dynamic of where fraudsters attack the system. Those that don’t prepare do so at their own peril.

I cover some of these analytic use cases in two places I can point you to.

First, I have a big data analytics introductory lecture here. It covers the basics of big data in retail banking and several use cases that include CEP.

Next, if you have a copy of the book Seven Billion Banks, you can register it using the instructions in the book to get access to the Seven Billion Banks video training series. We cover fraud in that series. If you don’t own the book, you can remedy that here.

Finally, if this is a burning question for you right now, then let’s talk about it. You can schedule a free consultation with me if you’re not a client here. If you are a client, email us and we’ll set something up.

Leave a comment below and tell us how you’re preparing to handle the coming EMV change – either about credit card fraud analytics or any other aspect of credit and debit cards.