Security Issues
Reference:

Organization of Work to Combat Fraud in a Financial Institution

Larionova Svetlana L'vovna

ORCID: 0000-0002-1815-2139

PhD in Technical Science

Associate Professor of the Information security Department, Financial University under the Government of the Russian Federation,

125167, Russia, Moscow, 49/2 Prospekt Leningradskiy str.

sv-larionova@yandex.ru

DOI: 10.25136/2409-7543.2022.4.38920

EDN: CLHLDR

Received: 10-10-2022

Published: 30-12-2022


Abstract: The object of the research is the technology of remote banking and remote provision of financial services; the subject of the research is methods and means of countering fraud. The author examines in detail the main reasons for successful fraudulent transactions, analyzes the main tools of counteraction, determines the indicators for analyzing the effectiveness of counteraction, and suggests ways to solve the problem. The article discusses in detail the algorithms of fraud analysis and determines the optimal model for analyzing fraudulent transactions. Particular attention is paid to the analysis of the reasons for the growth of fraudulent transactions in the field of remote provision of financial services. The author defines the directions for improving the anti-fraud system, including proposals for finalizing the legislation of the payment sphere. The article also describes the main fraud schemes and current threats that contribute to the commission of fraudulent transactions. The main conclusions of the study are: 1. The only direction of countering fraudulent transactions in the financial sector is a fraud analysis system based on risk assessment of the client and his operations using artificial intelligence models, indicators of fraudulent transactions and rules for their use, as well as risk-oriented authentication of the client and his operations. 2. Fraud analysis makes it possible to protect the client effectively not only from the actions of an attacker, but also from his own actions committed under the influence of social engineering methods. 3. Financial organizations do not use their rights to prevent fraudulent transactions that are committed by clients of a financial organization under the influence of social engineering methods. A special contribution of the author is proposals regarding the improvement of legislation in order to counter fraud.
The scientific novelty of this work lies in the development and justification of an optimal anti-fraud system, taking into account existing fraud schemes, indicators of the effectiveness of anti-fraud.


Keywords:

counteraction to cyber fraud, fraud monitoring, anti-fraud systems, fraudulent transactions, artificial intelligence models, risk-based authentication, fraud threats, fraud schemes, indicators of the effectiveness of fraud analysis, countering social engineering

This article is automatically translated.

Introduction           

The credit institution is engaged in combating fraudulent transactions against its customers for the following reasons:

- firstly, the fear of the threat of losing customers and reputation if fraudulent transactions with the mention of the organization are made public;

- secondly, the threat of non-compliance with the requirements of legislation and the imposition of sanctions by the regulator;

- thirdly, the threat of substantial damage in the event of lawsuits and penalties.

         Thus, the main goal of a credit institution in combating fraudulent transactions with the funds of its customers is to minimize the risk of its own losses. Ensuring the safety of customer funds has ceased to be the main goal and task of modern banks. In the early days of banking, when robbers attacked bank cash desks and took cash, banks refused their obligations to customers only in the most extreme cases; in the era of non-cash settlements and payments, banks directly inform the client that his funds may be stolen and that the bank is not responsible for it. Actually, this obligation is, as a rule, assigned to the bank by law (for example, Article 9 of Law No. 161–FZ [1]).

         This article is devoted to the consideration and analysis of the possible causes of the current situation in the field of bank fraud, as well as the consideration of the effectiveness of the measures taken and the development of proposals for the assessment and areas of improvement of anti-fraud measures in the banking sector.

Description of the problem of the issue and the objectives of the study

Back in the late 90s of the last century, no one could have imagined that funds deposited in a bank in non-cash form with the opening of an account could be stolen.

         At that time, however, the population "suffered" from unscrupulous bankers, who withdrew funds to accounts abroad and declared themselves bankrupt, i.e. unable to fulfill obligations to their creditors, including depositors and account holders. After the state introduced guarantees of mandatory reimbursement of a certain amount of a deposit in any credit institution, the problem of unreliable banking services was, in principle, solved.

         After 30 years, we are again faced with the problem of providing unreliable banking services, and not on the scale of individual commercial organizations, but on the scale of the entire banking system. At the moment, there is no credit institution that would have the right and opportunity to assure its customers that the funds placed by them will be securely stored and multiplied on demand by their owners.  The progress in the development of banking activity in fact turned into its great regression, which was the result of the introduction of new and newest banking technologies that allow customers of a credit institution to remotely conduct financial transactions using their computers, mobile phones or by using special technical devices (ATMs, payment terminals, etc.) and electronic means of payment (bank cards, electronic wallets, mobile banking applications, etc.).  

         According to the reports of the Bank of Russia [2, 3], losses from cyber fraud on transactions made without the consent of customers are growing annually in both number and volume. At the same time, it should be noted that the share of funds reimbursed in 2022, depending on the service channel, ranged from 0.9% to 18.5%. Fraud schemes change every year [4, 5]. Previously, infection of devices through installed malicious software and SMS-banking schemes prevailed. Skimming, i.e. fraud by means of overlay devices on ATMs, is almost gone. Phishing remains an actively used scheme. Social engineering is now the main scheme in cyber fraud, since it is easier to influence a person than to develop malware and applications. Fraudsters widely use social engineering methods to force a client to provide the data necessary for the theft of his funds. For this purpose, special contact centers and offices with IP telephony are organized. As a rule, the callers pose as "employees" of the bank's security service or representatives of government agencies; they warn about a loan, a change of phone number or an attempt to steal funds from the account, or report an investigation of a case against the bank's client manager. There are two main outcomes when a fraudster contacts a victim of social engineering:

• "self-transfer": the client independently transfers money under the pressure of a fraudster;

• identity theft: the fraudster obtains from the victim the data needed to make a transfer from the victim's account on his own device.

         Studies of mobile banking applications [6, 7], on the basis of which new payment technologies are being developed (QR-code payments, card payments on a mobile phone, etc.), show that the applications do not have an acceptable level of security: most applications contain critical vulnerabilities whose exploitation does not require access to the device or administrative rights.

To exploit a number of vulnerabilities in the client parts of mobile banks, it is enough for an attacker to install a malicious program on the victim's device, for example, during a phishing attack. The analysis of existing vulnerabilities [8] showed that the following list of threats is relevant for remote financial services systems:

· The threat of performing operations on behalf of the user by intercepting user data when paying online;

· Threat of interception of confidential and/or authentication data entered by the user;

· The threat of pharming when buying goods or receiving financial services;

· Threat of malware infection on the client's device;

· The threat of an attacker implementing a man-in-the-middle attack;

· The threat of changing the logic of the mobile application;

· The threat of using social engineering methods to obtain identification data for mobile applications, online accounts or electronic means of payment;

· Threat of leakage of confidential data from the client's device;

· The threat of password guessing against the client's personal banking account;

· The threat of theft of the client's funds by bank employees.

The purpose of this work is to determine the optimal anti-fraud system and directions for its improvement.

Methods and means of countering fraud        

At the moment, the following measures to combat fraud are provided by law [9]. The Bank of Russia collects information about all cases of fraud in the servicing of clients of financial organizations. Based on this information, databases are formed: so-called black lists of clients and lists of devices from which fraudulent transactions were carried out; the databases also contain other signs of fraudulent transactions. The legislation requires notifying the client about every remote electronic transaction with his accounts and funds that involves a transfer of funds. When remote banking facilities that make it possible to transfer funds are used, two-factor authentication of customers is required. The client must be notified of each transaction made remotely and be able to notify the financial institution of a fraudulent transaction. Most importantly, each remote electronic transaction of the client that involves a transfer of funds should be checked for signs of fraud. For these purposes, anti–fraud systems should be implemented in financial organizations.

The scheme of operation of the anti–fraud system – the online fraud monitoring circuit is as follows:

• build a timeline of the client's actions based on the operations he performs through various service channels;

• build a client profile;

• build a diagram of typical/atypical customer behavior;

• apply a set of AI rules, models and algorithms to the client's profile and behavior pattern;

• analyze each client's operation and make a verdict: approved, suspicious, rejected.

The procedure in which the customer contacts the contact center when a suspicious operation is detected helps to train the fraud monitoring system and its algorithms. Customer complaints allow the system to automatically double-check whether transactions were correctly marked as suspicious or rejected. Feedback from the client makes it possible to mark the relevant operations in the system and respond to them correctly in the future.

• If the operation is rejected, the client immediately receives a call to make sure that it is rejected correctly. In the opposite case, the operation is relabeled so that such operations are not rejected in the future.

In addition to checking electronic transactions made by the client, it is also possible to connect all operations of the bank's offices to the anti-cyber fraud system. Previously, it took two employees to enter the client's operation into the computer and confirm it. Now confirmation of the operation from the second employee is rarely required, since the anti-cyber fraud system knows the profile, the pattern of the client's behavior and deviations from it. This allows you to optimize the customer service process. In addition, the client sees what the employee is doing in the office and confirms it with his own hand. This allows the client to control the operations performed by a bank employee. In parallel, the anti-fraud system checks the actions of both the employee and the client.

Financial organizations have the opportunity to use anti–fraud systems in different ways:

1. Cloud solutions of foreign and domestic manufacturers: the customer company connects to the cloud platform, transmits data on operations, the platform marks operations as allowed, rejected and requiring additional consideration according to pre-determined schemes by the customer.  The advantages of this option: there are no costs for the maintenance of servers, support, the manufacturer is responsible for the performance of the system, the quality of algorithms. In addition, it is possible under the contract to allocate fraud risks to the manufacturer. Disadvantages of this option: it is necessary to outsource the entire anti–fraud process, up to the provision of confidential client data.

2. Local manufacturer's solution. It is purchased and deployed within the customer company. The responsibility for efficiency lies with the financial organization. Any improvements to the system are an additional paid service, since the program code of the platform is the intellectual property of the manufacturer.

3. Combined solutions: a combination of cloud and on-premises solutions.

In general, this solution is suitable for large companies: a sufficient level of service and additional functions of the cloud component of the solution.

         It should also be noted that the Bank of Russia provides financial organizations with the opportunity to use the Feed–Antifraud system, which provides information to identify signs of fraud.

                There are several approaches to risk assessment in anti-fraud systems:

1. Using rules (Rule Based). Risk assessment is based on static rules and lists. Examples of such systems are SmartVista FP, Compass. Such systems are considered ineffective because scammers quickly hack and bypass algorithms. Detecting a deviation that allows you to bypass the algorithm is an opportunity to launch an attack. For example, when transactions are blocked by amount: if a fraudulent transfer of 50,000 rubles did not go through, but one of 12,000 rubles succeeded, the scheme will then be applied with the smaller amount.

2. Using an Artificial intelligence (AI Based) model. The financial organization must accumulate the necessary number of cases so that the labeling of transactions is adjusted correctly and the model does not show incorrect deviations. This approach adapts to different types of attacks and assesses the risk of fraud more effectively. But it should be noted that these systems will not allow the use of fraud detection rules established by law.

3. Combined systems (AI + Rule Based). This is the most effective modern standard for a fraud monitoring system. Such systems are built on lists, rules, algorithms, AI models, several levels of verification and combinations of these tools, and they make it possible to identify complex signs of fraud. For example, the system can identify that an operation was performed in Moscow now and another in Rostov half an hour later, and this is a significant deviation that indicates fraud.

AI models of fraud monitoring are based on the types of fraud and take into account the features of customer service channels (mobile application, office). Combined anti-fraud systems allow performing the following functions:

• real-time transaction verification;

• graph models reveal connections in the behavior of customers and scammers;

• geo-models analyze geolocation of transactions, movement between them;

• to improve the quality of analysis, classify complaints from customers to filter cases of domestic fraud and erroneous deviations of transactions;

• scoring according to the rules – evaluation of individuals and legal entities, phones, devices based on negative signs, based on available data.

         There are many ways to improve fraud analysis algorithms. One of the problems of artificial intelligence models is related to the uneven distribution of source data into classes: operations performed by clients are significantly more than operations without the consent of clients, which leads to incorrect classification of minority class objects and incorrect training of artificial intelligence models. It is customary to solve this problem by generating synthetic operations without the consent of clients and then mixing them with real operations, for which SMOTE and ADASYN algorithms are used [10, 11, 12].  As part of solving the problem of unbalanced data distribution into classes, CycleGAN networks can also be used to generate synthetic fraudulent operations to train an anti–fraud system [13].
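The SMOTE step mentioned above, as an added example (not the author's code; ADASYN and CycleGAN are not covered): synthetic fraud records are generated by interpolating between a real fraud record and one of its nearest fraud neighbours until both classes are the same size. The two features, scaled to [0, 1], and every sample value are constructed for illustration.

```python
import random
from math import dist

# Constructed, pre-scaled features: (transfer amount, hour of day), both in [0, 1].
LEGIT = [
    (0.05, 0.40), (0.10, 0.45), (0.08, 0.50), (0.12, 0.55), (0.20, 0.60), (0.15, 0.65),
    (0.07, 0.70), (0.30, 0.50), (0.25, 0.42), (0.18, 0.58), (0.09, 0.75), (0.22, 0.48),
]
FRAUD = [(0.80, 0.05), (0.90, 0.10), (0.75, 0.95)]  # rare class: large, night-time transfers


def smote(minority, n_new, k=3, seed=0):
    """Return n_new synthetic points, each lying on the segment between a
    minority sample and one of its k nearest minority neighbours."""
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two minority samples")
    rng = random.Random(seed)          # seeded so the training set is reproducible
    k = min(k, len(minority) - 1)      # cannot have more neighbours than other samples
    neighbours = []
    for i, x in enumerate(minority):
        others = [j for j in range(len(minority)) if j != i]
        others.sort(key=lambda j: dist(x, minority[j]))
        neighbours.append(others[:k])
    synthetic = []
    for _ in range(n_new):
        i = rng.randrange(len(minority))
        j = rng.choice(neighbours[i])
        gap = rng.random()             # position along the segment, in [0, 1)
        synthetic.append(tuple(a + gap * (b - a)
                               for a, b in zip(minority[i], minority[j])))
    return synthetic


def balance(legit, fraud, k=3, seed=0):
    """Oversample the fraud class until it is as large as the legitimate class."""
    missing = len(legit) - len(fraud)
    if missing <= 0:
        return list(fraud)
    return list(fraud) + smote(fraud, missing, k, seed)


if __name__ == "__main__":
    balanced = balance(LEGIT, FRAUD)
    print(len(LEGIT), "legitimate vs", len(balanced), "fraud records after oversampling")
    for point in balanced[len(FRAUD):]:
        print("synthetic:", tuple(round(v, 3) for v in point))
```

Oversampling belongs on the training split only; validation and test data must keep the real class ratio, otherwise the measured detection quality is inflated.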

Provided that attackers use drop accounts in their schemes, anti–fraud systems detect transactions with a high degree of probability. If the operation is identified as a transfer to a drop account, it is suspended in accordance with Article 9 of Law No. 161-FZ. A specialized contact center works with such operations.  There are two types of transfers to drop accounts: when a transfer is made by a fraudster or a client makes a transfer under the influence of a fraudster. In the first case, the operation is immediately blocked, and the fraudster client receives a notification about the blocking of the operation, after which he can contact the bank. In the second case, the contact center faces the task of getting through to the client as soon as possible and convincing him not to transfer his money to the drop account through other channels. In principle, Law No. 161–FZ clearly also requires suspending the transfer to the drop account. It should be noted that, being able to identify a fraudulent transaction with a high degree of probability, a financial institution does not have the right not to execute it if the client is legitimate, conscientious and insists on carrying out the operation.

Key properties of the modern anti–fraud system:

• cross–channel monitoring of customer transactions;

• a single model for different categories of customers;

• self-learning fraud risk assessment module;

• fast adaptation to new types of attacks;

• minimization of "manual" interference in algorithms;

• deterministic processing time of each transaction;

• ability to quickly connect new products/data sources;

• connection of new analysis models.

         The fraud monitoring scheme is presented in general form in Figure 1 below.

Figure 1. Fraud monitoring scheme

Each operation goes through an evaluation stage – scoring.  For example, legitimate operations are assigned a value from 0 to 500, suspicious ones – 501-999, rejected ones – 1000 and higher. A profile is formed for each client: login, ID, mobile phone, which is linked to the bank, a web application on the computer and a mobile application from which the client enters the online bank, the set and types of operations that he uses, the client's location, familiar locations. Risk assessment is a model to which client profile data is transmitted, as well as data on the operation currently being performed. Depending on the risk assessment, the financial institution either transfers the transaction for further processing, or requires the client to additionally confirm the identity, or refuses to perform the operation. The operation can also be transferred to manual processing and analysis by a specialist.

Based on fraud analysis and fraud risk assessment for the operation and the client, risk-based authentication (RBA) is used to counter fraud: the client's authentication method is chosen depending on the level of risk of the operation. For each type of client operation, a confirmation method with a sufficient level of reliability is selected: facial biometrics, a call from a bank employee, passport data.

The fraud monitoring system receives data about the operation, the channel of its execution and the client's profile, processes the data, assigns an intermediate status to the operation and, depending on this status, requires the client to confirm the operation. The confirmation received from the client is also checked in the fraud monitoring system.

During the operation, the fraud monitoring system checks for more than 150 parameters, including login + password, device type, location, time of day, remote control, familiarity or novelty of the operation. If a deviation is detected, then the weight of this deviation is compared with the number of points of deviations. Based on this, the risk level is assigned and the confirmation factor of the operation is determined.

The factors for confirming the operation can be: an IVR call from an automated system asking to say "Yes" or "No", an incoming call from a bank employee, an SMS message with a code, a passport check for authenticity, a second employee (if the operation is carried out in the office), an outgoing call to the bank, a QR code, a card + PIN code, biometrics, a push notification in the app, an NFC token, etc.

Different RBA factors are applicable in different situations. For example, if the client transfers money himself under the influence of a fraudster, then it is impossible to confirm the operation with biometrics, a call from a bank employee is required.
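The scoring and risk-based authentication flow described above, as an added example (not code from the article or from any anti-fraud product): each deviation from the client profile adds a weight, the total is mapped to the article's 0-500 / 501-999 / 1000+ bands, and the confirmation factor is chosen from the deviations found. The weights, the 900 km/h speed limit, the factor names and all sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Score bands quoted in the article: 0-500 approved, 501-999 suspicious, 1000+ rejected.
APPROVE_MAX, SUSPICIOUS_MAX = 500, 999
# Assumed deviation weights (the article gives no values).
WEIGHTS = {
    "new_device": 300, "unfamiliar_city": 200, "impossible_travel": 700, "new_recipient": 150,
    "atypical_amount": 250, "remote_control": 400, "drop_list_recipient": 600,
}
MAX_SPEED_KMH = 900.0  # assumption: anything faster than an airliner is impossible travel
# Signs that the genuine client may be acting under a fraudster's pressure.
COERCION_SIGNS = {"remote_control", "drop_list_recipient"}

@dataclass
class Operation:
    device: str
    city: str
    lat: float
    lon: float
    when: datetime
    recipient: str
    amount: float
    remote_control: bool = False

@dataclass
class Profile:
    devices: set
    cities: set
    recipients: set
    typical_max_amount: float
    last_op: Optional[Operation] = None

def distance_km(a, b):
    """Great-circle (haversine) distance between the locations of two operations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def deviations(op, profile, drop_list):
    found = []
    if op.device not in profile.devices:
        found.append("new_device")
    if op.city not in profile.cities:
        found.append("unfamiliar_city")
    if profile.last_op is not None:
        # Geo-model: speed needed to get from the previous operation to this one.
        hours = max((op.when - profile.last_op.when).total_seconds(), 1.0) / 3600
        if distance_km(profile.last_op, op) / hours > MAX_SPEED_KMH:
            found.append("impossible_travel")
    if op.recipient not in profile.recipients:
        found.append("new_recipient")
    if op.amount > profile.typical_max_amount:
        found.append("atypical_amount")
    if op.remote_control:
        found.append("remote_control")
    if op.recipient in drop_list:
        found.append("drop_list_recipient")
    return found

def choose_factor(verdict, found):
    """Risk-based authentication: pick a confirmation factor that fits the risk."""
    if verdict == "approved":
        return None
    # Biometrics only proves the client is present; under coercion he is present,
    # so a bank employee has to call. Rejected operations also get a call.
    if verdict == "rejected" or COERCION_SIGNS & set(found):
        return "employee_call"
    if "new_device" in found or "impossible_travel" in found:
        return "biometrics"
    return "sms_code"

def assess(op, profile, drop_list=frozenset()):
    found = deviations(op, profile, drop_list)
    score = sum(WEIGHTS[name] for name in found)
    verdict = ("approved" if score <= APPROVE_MAX
               else "suspicious" if score <= SUSPICIOUS_MAX else "rejected")
    return {"score": score, "verdict": verdict, "deviations": found,
            "factor": choose_factor(verdict, found)}

def demo():
    """Run four constructed operations against one constructed client profile."""
    t0 = datetime(2022, 9, 1, 12, 0)
    moscow, rostov = ("Moscow", 55.7558, 37.6173), ("Rostov-on-Don", 47.2357, 39.7015)
    last = Operation("phone-1", *moscow, t0, "acct-landlord", 30_000)
    profile = Profile({"phone-1"}, {"Moscow"}, {"acct-landlord"}, 50_000, last)
    later, soon = t0 + timedelta(hours=2), t0 + timedelta(minutes=30)
    return {
        "routine": assess(Operation("phone-1", *moscow, later, "acct-landlord", 30_000), profile),
        "travel": assess(Operation("phone-1", *rostov, soon, "acct-landlord", 30_000), profile),
        "coerced": assess(Operation("phone-1", *moscow, later, "acct-new", 40_000),
                          profile, drop_list={"acct-new"}),
        "takeover": assess(Operation("tablet-9", *rostov, soon, "acct-landlord", 30_000), profile),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the "coerced" case the device, city and amount all match the profile, so only the drop-list hit raises the score, and the factor chosen is a call from an employee rather than biometrics.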

The fraud monitoring system is applicable not only to protect the client from external fraudsters, but also to prevent internal fraud, since employees can act as a fraudster in the branch channel.

The fraud monitoring system can also help in the fight against DDoS attacks. If fraudsters managed to collect data on bank customers and their cards and as an attack they began to perform uniform transfer operations, this may lead to an overload of the processing system. In this case, the fraud monitoring system will detect anomalies in the attackers' operations, block the cards, the operations will not fall into the processing, and it will not be overloaded.

 

Assessment of the quality of anti-fraud

The quality of fraud monitoring consists of two parts – firstly, customer satisfaction: it depends on how many false positives are allowed during fraud monitoring and how much the system complicates the processing of transactions, for example, by adding additional factors within the framework of risk–based authentication.

        

          Secondly, the main characteristic of the evaluation of anti–fraud systems is the ratio of the number of successfully identified and suspended transactions confirmed by customers to the total number of fraudulent transactions recorded based on customer complaints. This indicator is estimated either in the quantitative version of transactions, or in terms of cash turnover.

K1= Tpr/Tm (Formula 1),

where K1 is a characteristic of the evaluation of the anti-fraud system,

Tpr – the number of confirmed suspended customer transactions,

Tm – the total number of fraudulent transactions recorded in a financial institution based on customer complaints.

K2 = Opr/Om (Formula 2),

where K2 is the evaluation characteristic of the anti-fraud system,

Opr – amount of funds (turnover) for confirmed suspended customer transactions,

Om is the amount of funds (turnover) of fraudulent transactions recorded in a financial institution based on customer complaints.

         Individual financial organizations evaluate the anti–fraud quality indicator - the ratio of the turnover of financial transactions to the volume of stolen funds by fraudsters.

K3 = OB/OBm (Formula 3),

where K3 is the evaluation characteristic of the anti–fraud system,

OB – the amount of funds (turnover) on financial transactions of clients related to money transfers for the period,

OBm – the amount of funds (turnover) of fraudulent transactions recorded in a financial institution based on customer complaints for the period.

         The first described indicator related to customer satisfaction can be measured based on the average customer rating. In case of suspension of the operation, the client confirms or refutes it in one way or another, after which he puts an assessment of satisfaction with this service:

$K_4 = \frac{1}{N}\sum_{i=1}^{N} Oc_i$ (Formula 4),

where K4 is the evaluation characteristic of the anti–fraud system,

Oci – evaluation of the I–th client;

N is the number of customers who rated the service during the time period.

 

Conclusions

Thus, the main tool for combating fraudulent transactions are fraud analysis systems based on the use of artificial intelligence models and static rules, lists and algorithms.

         Due to the high efficiency of social engineering methods, these systems are the key tools in the fight against fraud in the event of threats of remote banking services. To effectively detect fraudulent transactions, anti–fraud systems based on artificial intelligence models and indicators of fraudulent transactions, risk-based authentication should be used. The quality of fraud analysis should be assessed by accurate numerical indicators that characterize the percentage of stopped fraud operations, as well as the degree of satisfaction of the financial institution's customers with the process of fraud analysis of operations. The latter indicator is a subjective assessment of customers, based on this indicator, it is possible to estimate the probability of customers refusing the services of a financial institution.

Statistics show that the number of fraudulent transactions in financial organizations is steadily growing. What is the reason? The financial institution sees it as a lack of authority in terms of customer transactions. Clients make transactions on their own, which are later assessed as fraudulent, and the financial institution has no way to resist the client.  

         In my opinion, the latter statement contradicts Law No. 161–FZ, which determines that a financial institution has the right to refuse to use electronic means of payment to the client, and, therefore, remote banking services, if the client violates the procedure determined by the bank. The use of financial services to commit fraud is certainly a violation of the procedure for using innovative electronic financial services. If the client is involved in a fraudulent transaction, the financial institution must suspend the electronic remote provision of services, regardless of whether the client is a fraudster or a victim. In addition, the problem also lies in the fact that by law, when detecting a fraudulent transaction, a financial institution has the right, but is not obliged, to suspend the remote provision of services to the client, i.e. block the provision of services to the client through mobile and web applications, electronic means of payment.

References
1. Federal Law "On the National Payment System" dated 27.06.2011 N 161-FZ (latest edition). Adopted by the State Duma on June 14, 2011. Approved by the Federation Council on June 22, 2011.
2. Overview of transactions made without the consent of clients of financial institutions for 2021. 11.04.2022. URL: https://cbr.ru/analytics/ib/operations_survey_2021/ (accessed: 04.09.2022).
3. Review of reporting on information security incidents when transferring funds in the II quarter of 2022. 25.08.2022. URL: https://cbr.ru/analytics/ib/review_2q_2022/ (accessed: 14.09.2022).
4. Cybersecurity 2020-2021. 2021. URL: https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/Cybersecurity_20-21.pdf (accessed: 31.08.2022).
5. Wrong transfer: Group–IB records a surge in fraud with P2P payments. 2020. URL: https://www.group-ib.ru/media-center/press-releases/p2p-fraud/ (accessed: 31.08.2022).
6. Vulnerabilities and threats of mobile banks. 2020. URL: https://www.ptsecurity.com/ru-ru/research/analytics/vulnerabilities-mobile-banks-2020/ (accessed: 17.09.2022).
7. Vulnerabilities of online banks: summarizing the analysis. 2019. URL: https://www.ptsecurity.com/ru-ru/research/analytics/vulnerabilities-rbo-2019/?sphrase_id=81472 (accessed: 17.09.2022).
8. Larionova S.L., Ryakhovsky E.E. Organization of counteraction to financial transactions without the consent of the client / Financial markets and banks – 2021, No. 6 – pp.60-67.
9. Instruction of the Bank of Russia dated October 8, 2018 No. 4926–U "On the Form and Procedure for Sending Money Transfer Operators, Payment System Operators, Payment Infrastructure Service Operators to the Bank of Russia Information on All Cases and (or) Attempts to Make Money Transfers without the Consent of the Client and Receiving information from the Bank of Russia contained in the database on Cases and Attempts to Make money transfers without the consent of the client, as well as the procedure for the implementation of money transfer operators, payment system operators, operators of payment infrastructure services of measures to counteract the implementation of money transfers without the consent of the client" (ed. from 30.03.2021) (Registered with the Ministry of Justice of the Russian Federation on 12.12.2018 N 52988) // Bulletin of the Bank of Russia No. 98 (2052) – 2018 – 29.12.
10. Editorial: Special Issue on Learning from Unbalanced Data Sets. 2007. URL: https://sci2s.ugr.es/keel/pdf/specific/articulo/edit_intro.pdf (accessed 06.05.2021).
11. Effective detection of sophisticated online banking fraud on extremely imbalanced data. 2012. URL: https://link.springer.com/article/10.1007/s11280-012-0178-0 (accessed 06.05.2021).
12. ADASYN: Adaptive synthetic sampling approach for balanced learning. 2014. URL: https://ieeexplore.ieee.org/abstract/document/4633969 (accessed 06.05.2021).
13. Larionova S.L., Ryakhovsky E.E. Improvement of algorithms of the anti-fraud system based on the use of Graph Representation Learning methods and CycleGAN networks/ Investments and Innovations. 2021, No. 6 – pp.137 – 142.

Peer Review

Peer reviewers' evaluations remain confidential and are not disclosed to the public. Only external reviews, authorized for publication by the article's author(s), are made public. Typically, these final reviews are conducted after the manuscript's revision. Adhering to our double-blind review policy, the reviewer's identity is kept confidential.

The article submitted for review is devoted to the issues of organizing work to combat fraud in a credit institution. The research methodology is based on the study and generalization of literary sources on the topic of the work, the application of modeling methods and elements of artificial intelligence to the recognition of fraudulent transactions in the banking sector and the activities of non-bank credit organizations. The author of the article rightly associates the relevance of the work with the fact that a credit institution is engaged in combating fraudulent transactions to prevent the threat of losing customers, deterioration of reputation and image in case of fraudulent actions, in order to avoid sanctions from the central bank and penalties as a result of lawsuits. The scientific novelty of the reviewed study, according to the reviewer, consists in proposals to improve the anti-fraud system based on the use of anti-fraud systems based on artificial intelligence models and indicators of fraudulent transactions, risk-based authentication to overcome fraudulent activities in banking and credit organizations. The following sections are structurally highlighted in the article: Introduction, Description of the issue and research objectives, Methods and means of countering fraud, Assessment of the quality of countering fraud, Conclusions and Bibliography. The author examines the measures provided for by the legislation to combat fraud, provides a general scheme of the online fraud monitoring circuit, as well as its various options (cloud, local and solutions), outlines several approaches to risk assessment in anti-fraud systems, as well as key properties of modern anti-fraud systems, approaches to assessing the quality of fraud monitoring. 
Due to the high efficiency of social engineering methods, the author comes to the conclusion that it is anti-fraud systems that are the key tools in the fight against fraud in the event of threats to remote banking services, and suggests using anti–fraud systems based on artificial intelligence models to effectively identify fraudulent transactions. The bibliographic list includes 13 sources – publications of domestic and foreign scientists on the topic of the article, normative materials and Internet resources. The text contains targeted references to literary sources confirming the existence of an appeal to opponents. As a remark, it can be noted that the numbering of formulas is performed with a deviation from generally accepted rules, and abbreviations in a foreign language are used in the text without their literal transcriptions. The reviewed material corresponds to the direction of the journal "Security Issues", has been prepared on an urgent topic, contains theoretical justifications, elements of scientific novelty and practical significance. The presented material contains generalizations of modern ideas about the problems of combating fraud in credit institutions, may arouse the interest of readers, and therefore it is recommended for publication after some revision in accordance with the comments made.