Fighting financial fraud through fusion centers

Keeping up with financial fraud is incredibly difficult because accurate fraud detection requires a deep, real-time analysis of all the events surrounding a transaction.

Consider a typical payment transaction: A single transfer of funds to a new payee may not raise suspicion, but when authentication records show a discrepancy between the account owner’s usual geographic location and that of several device logins from multiple IP addresses in the same time frame, the transfer should be flagged.

Pulling all the required data elements together early enough to flag compromised accounts is challenging for fraud solution teams. Without all the information at hand, context isn’t sufficient: threat intelligence is incomplete, isn’t guaranteed to be accurate, and false positives (incorrectly identifying suspicious activity) are more likely. This is compounded by the evolution of new payment methods and communication channels, which create new attack surfaces that fraudsters are quick to target.

Cybersecurity and fraud teams are trying to fight back; quantitative analysts have tried to optimize the relationship between fraud detection and false positives for years. But it’s not easy. Identifying fraudulent transactions tends to rely on statistical models and rules for detection, and when these models lack real-time access to all the circumstantial evidence needed to build effective data forensics, their “decision-making” falls short.

This is true even of sophisticated machine learning (ML) or artificial intelligence (AI) tools. Algorithms are developed to understand fraud patterns and intelligently scan, predict, and stop fraudulent activity before it occurs, but they’re only ever as good as the data with which they are built.

Cybersecurity and fraud departments should work hand in hand

The boundaries between cybersecurity and fraud/financial crime have been blurred in recent years. Indeed, cyberattacks on financial services are often the first stage of fraud taking place.

Take common attacks like phishing or account takeovers for example. Are these cyber-attacks, fraud, or both? And fraud isn’t always an immediate process; some fraudulent schemes are going on for years. Who has responsibility for what, and when?

The truth is that cyber-attacks and fraud are now too closely linked to be considered separately. But many firms still have investigative fraud teams and cybersecurity teams operating independently, along with the systems and processes that support them.

As a result, these teams have different levels of access to various data repositories, and do not necessarily use the same toolsets to analyze them. That data is arriving at fluctuating speeds, in multiple formats, and in huge volumes. Some firms may have to navigate a complex legacy technology environment to access that data. In short, there is no consistent context within which a unified decision can be made.

This approach is untenable. Operations need to change if organizations are to get on top of the threat. Teams need to have a portfolio of techniques to call upon, a centralized structure for identifying and combatting threats, and an agile approach to fight cyber-attacks and financial fraud.

Fusion centers

If teams can’t achieve their goals independently, they need to work together, so firms are being advised by both regulators and their own auditors to consider building a fusion center.

A fusion center is an environment that merges cybersecurity and fraud operations. A new team, dedicated to fighting all aspects of cybersecurity and financial crime.

From a data perspective, it makes a lot of sense. Fraud teams typically have access to structured transactional data originating from the general ledger or databases – their data is good, but it often has limited contextual insight into those transactions.

Conversely, cybersecurity teams have invested heavily in analytics-orientated security information and event management (SIEM) tools that rely on ingesting log data and other unstructured sources for incident investigation and resolution. While these systems have a good deal of context from unstructured data sources, they don’t have an easy way to extract insights from transactional systems like the fraud teams do.

Context is king, so by combining these data sources, fusion centers offer the complete view needed to respond to malicious behavior with speed and accuracy.

Businesses need to think about the structure of individual teams in a different way, deconstructing the barriers between teams and the siloed pots of data that they are collating. Political fiefdoms must be broken down, too – bad relationships or possessiveness can’t be tolerated. Teams need to work together to understand data and processes that will often be new to them.

Data is also, self-evidently, crucial. In an ideal world, firms can use the fusion centers to centralize transactional data from ledgers, databases, and/or the mainframe – including watchlists and external data. They would then combine this with all the unstructured data sources found in security operations, which can run into the thousands.

The best way to do this is by using a platform approach. By bringing one data source on board at a time, into a centralized environment, it becomes possible for firms to achieve big wins early on using fusion centers.