Machine Learning and financial crime

When we founded ClearBank, one of the key questions we set ourselves was, “how do we leverage technology to be better”. When I say “better”, we meant better at particular services or functions that a clearing bank have to undertake or offer. This one question really me on the journey of delivering a true Banking as a Service (BaaS) offering to other regulated institutions and FinTechs. It’s also why we wanted to explore Machine Learning to help in the fight regarding financial crime.

I will be honest, I don’t find “RISK” management fun, however, as part of managing risk and trying to mitigate financial crime, things can get quite innovative, and that is where the fun can begin. These areas have some real obvious, yet rather powerful application uses for deep machine learning. I know some will call this AI, but it’s far too narrow to be called AI (I have a real bug bear with people calling things AI when it is Machine Learning – let’s save that for another day though). So, these use cases, what are they:

1. Fraud detection
2. Anti-Money Laundering

Most of us when we read fraud detection think of our experiences with our payment cards, either someone else is seemingly able to purchase “stuff!” with our cards, or we get stopped and cannot use our payment card because the bank thinks something fraudulently is going on. However, fraud is wider than that, think ID theft, actually having your bank account taken over by other individuals, these are two other areas of fraud that impact many of us today. So, how can machine learning help with actual transactional based fraud, and fraud such as account takeover? The answer is to use it to learn about you, you as an individual, and what I like is also learning about you in context of your peers activities. I will come back to that one in a moment.

The second obvious use case is that of AML (Anti-Money Laundering). This is where we can use machine learning to help identify money movements that could indicate a form of money laundering, especially within closed groups. One of the benefits here of being an actual direct clearer (as in connecting to all the payment schemes) is that you can track the money movements across all the channels, helping to gather sufficient data that a machine learning platform can start to identify money laundering techniques.

For the purpose of today’s post though, let’s just focus on fraud detection…

 

What’s normal?

Let’s use machine learning to learn what your transactions look like. Believe it or not, most of us are creatures of habit, we buy coffee typically from the same shops, we purchase our lunch or shopping at similar times in the day from similar locations. We visit restaurants on date night (which for me is always a Friday night with the wife), we drink at the same bars etc etc etc. You get my point. Machine learning can take all that data and start to build a profile of your normal activity. Sure you will have the odd splurge on some big ticket items, a holiday, a sofa, a car etc but across all your activity Machine Learning can build a pretty accurate picture of what looks like “normal” activity for you, as opposed to what looks “strange” for you.

We can apply similar learning to how you access your account, locations when you access it, the devices you use, the time of your access etc. These data points help form a profile again of what “normal” looks like, and therefore “strange” can be identified.

This all sounds great right, however, how many of us have incidents when we find we cannot make a payment, or we get alerts saying, “due to fraudulent activity your card has been suspended”? This can be the result of a “rules” based matrix approach, trying to spot fraud, or a machine learning implementation that could be better. Essentially your provider is identifying “strange” and creating what we call a “false positive”, in other words, thinks it’s fraud when it isn’t.

 

I love context

With Machine Learning, you can add layers of learning, so why not add an additional layer that looks at the context of “normal” or “strange” in relation to your peers. Let me give you an example, because without it I don’t poses the capabilities to articulate what I mean…

You never gamble on horse racing, however, it’s the Grand National here in the UK, and you fancy a flutter. When placing your bet, this looks like “strange” activity for you and your account. It can easily be flagged as attempted fraud and you are stopped from placing that bet. However, if your banking providers machine learning platform understands “context” it can make a better assessment. See, the Machine Learning platform could learn that it is the Grand National, it could also learn that your peers are also all placing bets on that race, this too could look like “strange” for individuals, but as a group of you, all of a sudden this doesn’t look like strange activity. Essentially, your Machine Learning platform has learnt the “context” of that activity, therefore it looks “normal”. The result, well instead of getting stopped from having that flutter, your horse comes in, you make a fair few “quid” and everyone is happy…. The power of Machine Learning with “context”.

 

Compute compute and a little more compute

Machine Learning is highly powerful, and I hope you see just how capable and helpful it can be at protecting your account from fraudulent activities. However, you need data, lots of it, and lots of compute power to crunch those numbers and algorithms to actually provide a decent Machine Learning based platform. The challenge therefore is having enough compute power to learn at an individual level, but also at a group contextual level. Until the Cloud really came along, this made Machine Learning a tool that only the real big players could leverage, simply because of the cost of purchasing enough physical compute power. That’s all changed, the cloud allows us to elastically scale resources associated with Machine Learning up and down, which drastically reduces the cost involved. It also brings far greater flexibility in terms of how these platforms are built and connected into the banking systems.

At ClearBank I always wanted to ensure we had sufficient compute capabilities, that’s why our Machine Learning solutions reside within our Azure cloud, giving us access to all the compute power we need, when we need it. We have partnered with some pretty cool technology companies too, such as FeatureSpace, enabling us to build out deep powerful machine learning solutions to fight financial crime, which do understand “context”.

 

Quick recap…

Essentially a good Machine Learning based solution can protect your account from fraudsters. It can learn what normal looks like for you, and when understanding “context”, it can even spot when activities are yours that typically don’t fall into your normal activity. The keys to unlocking this level of capability is harvesting enough data, and having the compute power to process it all. The cloud here is an enabler, helping financial service providers take advantage of the endless scale of the Cloud in the fight against financial crime.

It would be great to hear your comments and thoughts on this, but also any ideas or applications where you can see the use of Machine Learning really having an impact in financial services.

 

 

The cost of plastic

We live in a digital age, and yet all our online and over the phone payments are carried out based on a very non-digital technology – payment cards. Essentially cards are protected by you needing to know a few numbers off the face of the card, and 3 additional security numbers on the back. If you aren’t the only one who knows those numbers, then you aren’t the only one limited to spending on that card.  Yes, there are many new security measures online, such as 3d secure and verified by blah, and yes, there are endless reams of PCI compliancy rules that businesses should follow. But at the end of the day, a bunch of numbers is hardly the easiest thing to secure.

 

The end of cards?

Cards have served us well for a long time now. But the cost of issuing a piece of plastic with some numbers on, isn’t cheap (on such a large scale). The costs of trying to protect those numbers for banks and mainly businesses are always on the increase, and this always results on businesses being charged more to accept a card based payment. What’s worse is, that when that card isn’t physically present, such as online or over the phone (especially when online sales are increasing) the poor old merchant is charged even more for the pleasure of accepting their customer’s payment.

What we must remember is that fraud doesn’t cost your issuing bank much at all. Rather it is the merchant who sold the goods that loses out financially, and they will lose out on the value of whatever they sold. For small businesses that’s quite a risk, especially when they branch out onto the web. I have known many small businesses to be stung like this, loosing thousands in revenue and of course lost product (a double hit for them).

Now we have a number of alternative payment systems and services starting to become available, some in the form of virtual currencies, mobile payments, different payment schemes and processes online (ala PayPal) and these are starting to become quite disruptive to the traditional card schemes and banking business. With alternative payment options growing in popularity, could this possible be the beginning of the end of the card? I say the beginning, as cards are heavily entrenched in our daily lives, and to date, only Starbucks IMHO has shown that consumers and businesses are starting to really make a choice when making a payment – and opting for something other than their card.

 

Digital payments for a digital age

I am a strong believer that when the technology landscape changes drastically, you need to embrace it fully. When cards were first becoming popular, there was no internet, no over the phone payments nor over the phone banking. But the internet is here, and cards haven’t changed at all. The infrastructure hasn’t changed, all that has changed is that software developers let us type in our card details so that the card can be identified. Not much evolution or embracing of the new digital age there.

Payment schemes need to be designed with their current landscape in mind, payments need to be designed for the digital world, which with mobile devices now blends seamlessly at times into the real world. This is what we have done at CloudZync. We have designed a payment scheme for the digital world that can be used online and out there in the real world, day to day via your personal mobile device.

For me, this is just the beginning of looking at how we transact, how commerce takes place, how customer relationships are forged in the real and digital worlds, and it’s an exciting time to be in this space. CloudZync is pushing the boundaries of what we expect from financial products, commerce, customer relationships and in terms of technology making our lives easier. Technology making my life easier and safer as a consumer, and the same applies to businesses. Technology making sales, transactions, experiences and relationships easier to manage and more profitable. To achieve these goals, we must always challenge what has gone before and that includes cards and banks…

Payment Security. Has it been forgotten?

People may think I’m not being serious with this post title, but I really am. These past few weeks yet more examples of security not being taken seriously in the payments market have emerged. It started with an article I read on Finextra regarding Google bypassing the secure element on an Android phone for NFC based transactions. It’s the launch of HCE (Host Card Emulation).

 

HCE and NFC

I’m not going to go into too many details and technicalities about it, but my own take on the whole situation with HCE, NFC and Google is that Google and the card schemes are changing the rules in which payments are supposed to be made. They are doing this to better fit with their own solutions, and to potentially lock out ventures like ISIS in the US and WEAVE here in the UK and at the risk of security.

There are strict reasons behind PCI compliance and the use of EMV (secured chip and pin to most of us) and it seems that these are now causing issues for Google and others, so instead of looking for real solutions they change the rules. A great take on this can be found on finextra here

 

QR/Barcodes in transactions

These are the choice of many payment solutions out there, including my own companies CloudZync with Zwallet. However, QR and Barcodes are easy to create, especially static ones, so using these for passing payment information has to be taken into consideration, and I would never allow an authorisation of a payment to be made just because a valid code has been scanned. Yet I have witnessed many solutions out there now that do this…

With Zwallet we always make sure the consumer is involved in the authorisation process fully, so we keep intelligence in the process at the cost of 1 second in the transaction process. For me, 1 extra second making a payment is well worth it to aid in security. (I would like to point out that Zwallet transactions are still dramatically quicker than typical card based transactions, even with the added 1 second for security).

 

Security underlying cause for concern?

So what is the underlying cause of security concerns with payments? What really causes so much effort to go into technology a trying to patch security issues or catch fraud post a transaction? The answer is the actual card scheme itself and the infrastructure behind it.

Let’s be real. Cards are amazing. For the last 40 years they have steadily dominated the way in which most of us pay for goods and services. But, has security increased much in that time? A little is the answer. There is a lot more technology backed behind it, but fraud is back on the rise again, so we must ask ourselves why. And the answer is simple, cards were never designed for the digital economy. Everything that we do to utilise the card infrastructure is a cludge, a patch/hack in tech terms. All this technology and security to try and secure something that is very insecure, 16 digits on a card, mixed with two dates and 3 digits on the back.  If we lose control of those details then a fraudster can do whatever they want with our cards, and that’s why so much is invested in fraud detection post a transaction and so much is invested in risk management.

My fear is, while card based transactions using Chip and Pin remain ok, the way we use cards digitally isn’t so secure. Throw into the mix mobile payments and companies actively trying to utilise card details in their solutions to make payments, and holes start to appear. In essence, trying to use technology to secure something that by its nature is not secure causes all sorts of issues. And though great lengths to make things much more secure are possible, the costs behind these rack up.

No matter how you try to secure card details, or to what lengths you go, the fact remains that the infrastructure for cards requires those simple card details, and fraudsters are becoming increasingly intelligent, innovative and capable of getting their hands on those details and using them.

 

The security solution

The only real secure option is to start with a blank sheet of paper for payments and wake up and realise that the digital economy requires payments to be carried out on an infrastructure that is designed for digital transactions from the ground up. It also MUST include more human elements in the process and not just require everything to be automated.

Real intelligence still remains with the consumer and the business. By removing them from the process more and more, we may make the payment process a little quicker, but we increasingly make it less secure. After all, the process of me having to know my PIN to make a payment is far more secure if I have lost my card, compared to just waving my card in front of a reader and making a payment.

These are the reasons behind the security approaches we have at CloudZync, the reasons why we make sure the consumer has to actively be involved in the purchase process and actively have to authorise each and every payment. If we remove them too much, then there are more gaps for fraudsters to exploit.

I’m not saying everything can be 100% secure, it simply can’t, and intelligent innovative fraudsters will always find a way to exploit processes and technology, but we must actively make it as hard as possible, and currently, in the race to stamp authority on possibly the payments method of the future, security seems to be being overlooked…That is a great concern of mine, and should be a great concern for each and every consumer out there and business owner…

The cost of taking our money

As consumers we don’t really think about the costs involved with doing business, all we care about are the products or services we are looking for, and getting them at the lowest possible price. Oh, and to be fair, there is nothing wrong with that. All consumers know there are costs involved in running a business, but some costs, like a business paying to take our money, we often forget about…

This is something that even the EU is now trying to look into, proposing a cap on the “interchange fee” charged by your bank back to the merchant for taking your money from your debit / credit card. The problem here though, is that those fees will probably move elsewhere, meaning it will be pushed onto the consumer – more than likely in the form of us having to pay annually for the privilege of having a debit / credit card (something many EU banks already do).

So in this post I want to quickly look at costs businesses have to pay in order to take our money…

Someone has to pay, every time we use these

 

The average costs

When a business accepts debit / credit cards, they pay for being able to provide that option to us, the consumer. Now you may think that it’s a cost based purely on the transaction process itself, but you would be wrong. Typically, in order to take card payments, a business has to register for merchant services (SMEs and independents usually go through high street banks – though the actual merchant service is usually sub-contracted out). The business pays a monthly fee for this, and the cost of that will depend on the business, amount of transactions they process and their value. But many small businesses, start-ups etc pay around £30 per month per terminal. On top of that, there is a standard flat fee per transaction that goes through the machine, again this will vary in price. For debit cards though, a start-up maybe looking at loosing 20p per transaction, while credit cards may also have a fixed fee associated with them, but will include a fee based on a percentage value of the transaction value. To give you an idea here, this fee could be anything from 1% right up to 4% of the value of the transaction, again depends on your business, your provider etc etc.

Now these fees may seem small, but remember these fees per terminal are per month, and that every single transaction is subject to these fees. When you look at tight operating costs and small profit margins, you all of a sudden see why providing card facilities isn’t always an option for a business.

Here are some facts and figures. The average cost of a credit card transaction (remember average) to a business is 36.2p. This cost drops to 9.6p for debit cards, while handling cash is 1.5p. If you were to calculate your shop sold 100 items in a day – that would mean you have spent £36.20 in handling those transactions (if credit card). Now multiple that by 300 working days (just for simple maths) and you see you have £10,860 lost in credit card charges (not including the monthly fees). Now, for many SMEs, independents, start-ups, actually any business, this is a large chunk of money lost.  Obviously these are just some figures to illustrate my point, and that point is that actually, processing cards is not cheap.

So with these sorts of costs, is it any wonder that businesses want a cheaper alternative, and are actively looking for alternatives.

 

Will Mobile drive down costs?

Mobile payments are the most obvious alternative to typical card transactions. But there are 3 different form factors of mobile payments at the moment:

1. Typical card processing, but using a mobile phone as a card terminal
2. Using NFC technology for contactless payments
3. Use real mobile payments, originating from mobile devices and no need for cards at all

 

So, option 1: Companies like Square, iZettle, Sumup etc provide a dongle that allows any business to turn their smart phone device into a device that allows them to process card transactions. This proposition brings down the monthly cost to the independent and SME business – they no longer need to pay for their merchant accounts with high street banks etc. But these solutions are still expensive for the merchant. Typical fees are at least 3.75% per transaction! That’s very high and ultimately expensive for the merchant. You must remember that these are still card transactions, so in our example earlier, the £30 per month fee may have been removed (saving the company £360 over the year), but their fees have gone up, so still looking at £10,000+ in card charges.

Option 2: Use contactless technology…Well you still need merchant accounts here, so you are still paying your £30 per month (if not more if your bank charges etc for NFC enabled technology). However, your card processing fees will drop a little – and this is because at the moment the interchange fees on an NFC transaction are lower than those associated with Chip and Pin transactions, signatures, and card not present. But this is making only a small dent in the overall fees paid, and again the merchant in our example is shelling out £10,000+

 

Option 3: Real mobile transactions offer real options to merchants. Since they aren’t dependent on card schemes such as VISA, MasterCard, there are less companies involved in the transaction handling process. This means savings can be made in every step of the process, and these savings are passed onto the merchant. Companies like CloudZync and their Zync Wallet product provide drastic savings to businesses. Take our merchant example, with CloudZync the merchant pays no monthly fees, and since they are processing 100 transactions per day, are simply charged 1p per transaction. That means their daily processing fee has dropped from £36.20, down to £1. So the business annual handling fee drops from in excess of £10,000, down to just £300 for the year.

 

Cost of business, and cost of not adding value

What we must remember with mobile though, is the potential here to add value to the merchant – consumer experience and relationship. While cards, cheque and cash provide payment methods, mobile has a lot more to give (just as it does with our emails, social connections, organisers etc). Mobile transactions can be the gateway to greater consumer merchant engagement, better shopping experiences and ultimately, provide a potential tool to ensure business growth.

So while this post really is focussed on the cost of doing business, and potentially doing business with mobile devices, we should also remember the cost of potentially not doing business with mobile devices….Can a business afford to not make processing savings and not increase customer engagement and retention? I don’t know any that can afford to miss out on both…