Technological Thoughts by Jerome Kehrli

Artificial Intelligence for Banking Fraud Prevention

by Jerome Kehrli

Posted on Monday Apr 30, 2018 at 02:57PM in Banking

In this article, I intend to present the approach of my company - NetGuardians - to deploying Artificial Intelligence techniques for better fraud detection and prevention.
This article is inspired by various presentations I gave on the topic on various occasions. They synthesize our experience of how these technologies initially triggered a lot of skepticism and condescension, and how it turns out that they are now really mandatory to efficiently prevent fraud in financial institutions, due to the rise of fraud costs, the maturity of cybercriminals and the complexity of attacks.

Here financial fraud is considered in the broad sense: both internal fraud, when employees divert funds from their employer, and external fraud in all its forms, from sophisticated network penetration schemes to credit card theft.
I don't pretend to present an absolute or global overview. Instead, I want to present things from the perspective of NetGuardians, from our own experience of the problems encountered by our customers and how Artificial Intelligence helped us solve these problems.

This article is available as a slideshare presentation here

A video of the speech is available on youtube:

1. Early times, the 2000s

Before 2000, banking institutions are only poorly equipped when it comes to fighting financial fraud.

For most of it, detecting fraud cases relies on manual verification and tests performed by

  • Internal Control
  • Internal Audit or
  • External Audits

And unfortunately, this implies a lot of issues:

  • By working with samples only, Internal Control and Audit let a lot of fraud cases pass through the cracks; these are found only very late, or even never.
  • Analyses are cumbersome and most often finding fraud cases is not the first and foremost objective of the auditors.

Now of course, the most essential security rules and checks are implemented within the Operational Information System or in the form of procedures to be respected and audited.
Also, some banking institutions already have an Analytics System - or Business Intelligence - at the time, and some ad hoc reports targeting fraud detection are implemented on top of it.

In these early times, neither the subprime crisis nor the south European countries debt crisis has happened yet. Margins are important, people trust banks and all in all bankers are happy people.
Fraud cases, mostly internal, exist of course, but financial institutions feel rather safe.

2. The late 2000s - fraud costs rise

In the second half of the 2000's, however, the costs linked to fraud, increasingly external, the complexity of attacks and the maturity of attackers rise.
Banking institutions react by deploying quite massively and for the first time specific analytics systems aimed at detecting banking fraud, both external and internal.

At this time, these systems are rules-engines that work by checking or searching pre-defined and well defined conditions within the data extracted from the information system.

In a way these systems can be considered as simple extensions of the security checks and rules implemented directly within the operational information system. These solutions come most of the time from the AML - Anti Money Laundering - world, their vendors having understood that banking fraud was an interesting opportunity to extend their sales.

A very simple rule example would be as follows:

At this time, a first set of papers has already been published on the success, still somewhat relative in these early days, of some Machine Learning approaches applied to banking fraud detection.
But Machine Learning and Artificial Intelligence are considered with a lot of condescension and skepticism.
Bankers and their engineers are not willing to consider an approach whose interpretation of results is deemed fuzzy.

NetGuardians was founded at that time, and the NetGuardians platform could be seen then as a gigantic rule engine.

3. The reality of fraud changes dramatically

Unfortunately, the reality of fraud and financial cybercrime evolved fast and dramatically.

Let me give you two examples

3.1 The Bangladesh Bank heist

In February 2016, a group that we estimate at around 20 persons, composed of financial experts, software engineers and hackers, attacked the information system of the Bangladesh Central Bank.
They managed to compromise the bank's internal gateway to the SWIFT Network. The SWIFT network is the international banking messaging network used by banks to communicate and transfer money through electronic wire. The pirates used the SWIFT network to withdraw money from the Bangladesh Central Bank VOSTRO account at the US Federal Reserve.
They managed to transfer 81 million USD to the Philippines and used Philippine casinos to launder the stolen funds.

As a side note, the fact that they stole "only" 81 million USD is amazing luck for the bank, or rather amazing bad luck for the cybercriminals.
A rule-based Anti-Money Laundering system deployed at the US Federal Reserve blocked the 6th transaction because the beneficiary name contained the word "Jupiter". Jupiter was on a sanction screening list in the US because a cargo ship sailing under the Iranian flag was named "Jupiter" something. The 6th transaction being blocked, all the further ones, a little less than thirty, were blocked as well.
But 5 transactions passed through before the 6th was blocked by the Fed, and went further through the correspondent banking network.
Another transaction was blocked by Deutsche Bank, a routing bank, because of a typo: "Shilka Fandation" instead of "Shilka Fundation".
So only 4 transactions out of 35 successfully arrived in the Philippines, and as such the total loss was reduced from the 951 million USD initially intended to "only" 81 million USD.

As a fun note, a few weeks after the heist, all the officials of the financial institutions involved, the US Federal Reserve, the Bangladesh Central Bank, even the finance minister of the Philippines, were convinced that the money - or at least a significant part of it - would be recovered and that the cybercriminals would be caught.

Two years after, today, we know that we will never recover these funds.
The attackers are safe, untraceable and will never be found. We believe that this is a group of about 20 persons who worked on the heist preparation for about 18 months. 81 million USD is a pretty number.

Now you think ... But this is Bangladesh ... right?
Here we are in Europe ... Even better, here we are in Switzerland ... right? And in Switzerland we don't really feel concerned by the numerous security holes in the Bangladesh Central Bank Information System. So let me give you another example...

3.2 The Retefe Worm


"This threat actor has already been around for more than four years...
Their goal remains the same: committing e-banking fraud in Switzerland and Austria.

In August 2017, Retefe still redirects between 10 and 90 e-banking sessions every day."

The Retefe worm is a worm developed by a team of cybercriminals specifically targeting the ebanking platforms of small and mid-size Austrian and Swiss banking institutions.
The worm is used by the thieves to take control of the victim's ebanking sessions and to submit fraudulent transactions to the system.

This worm is 4 years old.
For 4 years, fraudsters have kept updating it, modifying it and extending it to counter antivirus software and the specific protections put in place by the banks.
This worm is 4 years old and nevertheless, as pointed out by the Computer Security Section of the Federal Finance Department, it still makes between 10 and 90 victims today in Switzerland and Austria.

Today, in the swiss banks ...

My conclusion from these examples is as follows:
Today, fraudsters and cybercriminals are professionals. The time when fraud was mostly coming from little hackers working in their garage or back-office employees disappointed by their bonus, is over. Today, attackers are professionals who have industrialized their methods.

4. Facts and Projections

Some facts and projections to understand what reality banking institutions are facing nowadays...

In February 2016, a group of cybercriminals managed to steal 81 million USD from the VOSTRO account of the Bangladesh Central Bank at the US Federal Reserve.
This is one of the biggest bank heists in history and the most impressive cybercrime ever.

In a report called "Report to the nations", the international association of Fraud Examiners estimated that in 2017, the total cost of fraud was 3000 billion USD.
In banking fraud, a big part of this amount is related to internal fraud, when bank employees divert funds from their employer.
In Switzerland, of course, thanks to the maturity of the banking business as well as the security checks and practices put in place in banking institutions, internal fraud is marginal, compared to external fraud. But external fraud is a cruel reality, think of the Retefe Worm.

Finally, Cybersecurity Ventures estimates that by 2021 the total cost of cybercrime will reach 6000 billion USD.

This is the reality with which banks are confronted nowadays.

5. Historical systems are beaten

The principal implication of this reality, the problem with which banking institutions are confronted nowadays, is that the historical systems deployed to counter fraud - rules engines - are beaten.

Let's assume that a banking institution wants to define a set of rules aimed at detecting when an attacker diverts a customer account to issue fraudulent transactions.

  • Imagine the situation of a first customer, someone such as myself, using his ebanking account to pay his loan at the end of the month, his mortgage, his taxes, telephone bills, etc.
    In my case, a big transaction withdrawing 20 k CHF from my account for a beneficiary located in Nigeria should raise an alert. It's clearly an anomaly, being completely outside of my usual habits and behaviour.
  • Imagine now the situation of another customer, someone responsible for acquisitions at a big corporation, a frequent traveler, spending most of his time abroad and using the corporate account to pay big amounts to providers all over the world.
    In the case of this second customer, it is on the contrary a small payment benefiting to a counterparty in Switzerland that would be the anomaly and should raise an alert.

If one wants to detect anomalies for these two different situations, one would end up implementing a completely different set of rules for the two distinct customers.
And this is impossible.

Every bank customer, and even user up to a certain level, is different.
Representing everyone's own and private situation with rules would require implementing and managing hundreds of thousands of rules on the system, which, obviously, is impossible.
Only the most common set of rules can be implemented, which means that:

  1. A lot of frauds pass through the cracks.
  2. In addition, in order to catch the biggest frauds, the limits enforced by the rules have to be very low, which has the consequence of flagging a lot of cases to be analyzed - the so-called false positives - requiring an army of analysts to review and discard them.

The direct consequences for our customers are as follows:

  • Financial impacts: frauds must be reimbursed. And in addition these analysts spending their days discarding false positives must be paid.
  • Reputation impacts: a fraud case being reported in the newspapers is a nightmare for banking institutions. Even without large-scale publicity, customers impacted by fraud will lose faith in their bank.
    Then I do not need to explain the consequences that the thousands of papers published on the Bangladesh Bank heist had on the Bangladesh central bank.

Rule-based systems are beaten today.
Something else is required to efficiently protect banking institutions from banking fraud.

6. Artificial Intelligence comes to help

Artificial Intelligence provides the solution to this problem.

In 2016, we started at NetGuardians to integrate the first advanced algorithms, so called Machine Learning algorithms, in our systems.

We let an Artificial Intelligence continuously analyze the history of billions of transactions in the system and learn about individuals' habits and behaviours.
With big data technologies, AI can analyze a very extended depth of history and build dynamic profiles for each and every individual, capturing his transactional behaviour.
Individuals can be both Customers and Users (Internal Employees):

  • Profiling customers is required for both Internal and External Fraud.
  • Profiling users is required for Internal Fraud.

Big Data technologies are key to maintain these profiles up-to-date in real time by tracking each and every interaction between the user and the bank systems.
In addition to the direct characteristics of a financial transaction such as the beneficiary, the target bank country, the amount of the transaction, its currency, etc., the machine can correlate a lot of indirect characteristics, such as where in the world the ATM from which the user withdrew money was located, where he was connected from for his ebanking session, etc.

For each and every individual a dynamic and up to date profile captures his behaviour and his habits.
Then, each and every financial transaction, regardless of its type, be it a security trade order, an ATM withdrawal or an ebanking payment, is compared against the user profile and a risk score is computed.
Based on this risk score, the machine eventually decides whether the transaction is genuine or not and whether it requires further investigation by a human analyst within the bank.

The gains for our customers of this new approach, based on customer profiling done by AI, are striking.
It has been a game changing shift of paradigm.

In the banking institutions where we can deploy this new generation approach, we almost eliminate the amount of fraud cases passing through the cracks.
And this while still reducing the number of cases flagged by the system to be reviewed by an analyst or fraud investigator (most of them being the so-called false positives) to 1/3 of what it was before.
Not only the number of cases, but also the amount of time required to investigate a case could be reduced by 80% by having the machine present the profile of the customer and how the individual transaction deviates from it, with relevant and meaningful visualization techniques.
Finally, the number of re-confirmations asked of customers could be reduced to 1/4.

Reducing the time required to investigate a case in addition to the number of cases to be investigated has a direct financial impact: analysts spend less time investigating such cases and can focus on tasks with more added value. Drastically reducing fraud cases passing through also has obvious financial impacts.
Now all of this, especially reducing the number of times a re-confirmation is asked of customers, has positive impacts on reputation.

Now working on a per-customer basis is sometimes still sub-optimal. Some genuine transactions are always very unusual on a per-customer basis, and it is required to broaden the view of the Artificial Intelligence.
Let me give you an example.
Let's imagine that tomorrow I buy a new Audi. That would be a transaction of 60 kCHF leaving my account for a beneficiary - Amag Audi Switzerland - that I never used before. Such a transaction, new beneficiary and huge amount is completely outside of my profile.
Based on this, the AI will decide to block the transaction, requiring a further validation from my end which will annoy me.
So how can we avoid that ?
If we look more carefully and globally at transactions of this kind, big amounts going to Amag Audi Switzerland are quite usual among the customers with the same profile as myself.

The machine needs a broader view to understand that this transaction is not unusual.

7. The Machine can do better

The machine can look at the big picture and analyze transactions at a broader scale.
Recall the Audi example. When such a transaction is very unusual for a specific customer, looking at other customers with similar conditions, habits and behaviour is required.

And here again AI comes to help.

AI can analyze behaviours and habits of customers and group together the people with the same patterns. People that are the same age, same wealth level, same origins, live in the same region, etc. will have a strong tendency to behave the same: for instance drive the same kind of car, such as an Audi, live in apartments of the same size, pay the same amount of telephone bills at the end of the month, etc.
The machine can analyze customer activities and transactions on a very large scale and cluster together customers with the same behaviour.
Then, these groups can be profiled just as individuals.
And finally, a transaction can be scored against the customer group profile in addition to the customer profile.

Recalling the Audi example. When scoring this specific payment against the individual profile, the transaction will be flagged as suspicious.
Scoring it against the group profile will clearly indicate that it's a genuine transaction. People buy new cars every day, especially in Switzerland.
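The individual and group scoring described in sections 6 and 7, as an added example (not NetGuardians' code). The `Profile` class, the weights, the 0.6 threshold, the rule of taking the lower of the two scores and all sample transactions are assumptions constructed for illustration.

```python
import math
from collections import Counter

class Profile:
    """Behavioural profile of one customer or one peer group (hypothetical design)."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0   # running mean of log10(amount)
        self.m2 = 0.0     # running sum of squared deviations (Welford update)
        self.beneficiaries = Counter()
        self.countries = Counter()

    def learn(self, tx):
        x = math.log10(tx["amount"])
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)
        self.beneficiaries[tx["beneficiary"]] += 1
        self.countries[tx["country"]] += 1

    def score(self, tx):
        """Risk in [0, 1]: how far tx deviates from what this profile has seen."""
        if self.n < 2:
            return 1.0  # no usable history: treat as fully unusual
        std = max(math.sqrt(self.m2 / (self.n - 1)), 0.1)
        # Two-sided: an unusually small amount is as abnormal as a large one.
        z = abs(math.log10(tx["amount"]) - self.mean) / std
        amount = min(z / 4.0, 1.0)
        new_benef = 1.0 / (1 + self.beneficiaries[tx["beneficiary"]])
        new_country = 1.0 / (1 + self.countries[tx["country"]])
        return 0.5 * amount + 0.3 * new_benef + 0.2 * new_country

# Constructed sample data: the monthly payments of a retail customer.
REGULAR = [("Mortgage Bank", 1800), ("Telco", 120),
           ("Health Insurance", 450), ("Tax Office", 900)]

def six_months():
    return [{"beneficiary": b, "country": "CH", "amount": a}
            for _ in range(6) for b, a in REGULAR]

def build_profiles():
    """Individual profile, plus a group profile of three similar peers
    who each bought a car once (constructed prices)."""
    me, group = Profile(), Profile()
    for tx in six_months():
        me.learn(tx)
    for car_price in (45000, 58000, 70000):
        for tx in six_months():
            group.learn(tx)
        group.learn({"beneficiary": "Amag Audi Switzerland",
                     "country": "CH", "amount": car_price})
    return me, group

THRESHOLD = 0.6  # assumed cut-off above which an analyst reviews the case

def assess(tx, individual, group):
    s_ind, s_grp = individual.score(tx), group.score(tx)
    # Assumption of this sketch: a transaction that is usual for the peer
    # group is accepted even when it is unusual for the individual.
    return {"individual": round(s_ind, 3), "group": round(s_grp, 3),
            "review": min(s_ind, s_grp) >= THRESHOLD}

# Constructed test transactions: the Audi purchase and the 20 kCHF wire.
AUDI = {"beneficiary": "Amag Audi Switzerland", "country": "CH", "amount": 60000}
WIRE = {"beneficiary": "Unknown Trading Ltd", "country": "NG", "amount": 20000}

if __name__ == "__main__":
    me, group = build_profiles()
    print("Audi:", assess(AUDI, me, group))
    print("Wire:", assess(WIRE, me, group))
```

The Audi payment scores high against the individual profile but below the threshold against the group, while the wire to Nigeria stays above the threshold against both.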

With this new approach, looking at the broader scale and comparing customers with each other instead of only scoring transactions in the individual context of a customer, we could improve our fraud detection system further.

The number of cases to be analyzed (false positives) could be reduced further.
In addition, the groups and their profiles happen to be an invaluable source of information for other use cases and concerns within the bank such as marketing, trend analysis, etc.
Of course reducing the number of cases to be handled by the investigation team has a direct impact on operational efficiency and induces further financial gains.

Now all of this, transaction scoring and customer clustering works amazingly, but it works after the facts. The transaction has been input in the system and if we are not fast enough, depending on how we integrate within the bank information system, we can be too late, doing only fraud detection and not fraud prevention.
Our idea from here was:

  • What if we could analyze the User or customer activities even before the transaction is input on the system and detect fraud before it happens ?
  • What if we could interpret weak signals coming from the analysis of how the Customer interacts with the banking information system to qualify him as legitimate or potentially fraudulent ?

All of this requires completely different analysis techniques.

8. Even further

Let me give you a simple example of what I mean by analyzing a customer's interaction with the banking Information system.
The interactions of a customer with the ebanking application is the simplest example I can come up with.

Imagine the situation of a genuine user of the ebanking platform whose behaviour when inputting his payments is always the same:

  • He logs in to the ebanking platform.
  • He looks at his account balance.
  • He performs all his payments, from input to validation, many of them.
  • He checks his pending orders, making sure he missed none of them.
  • He logs out of the platform.

Now if a worm hijacks the ebanking session, the worm will do none of that:

  • The worm will likely go directly from login to payment input, validation, then logout.

Here I am only showing transitions but one can also consider User think time, keyboard stroke speed, etc.

AI can analyze all the behaviour and activity trails a user or customer leaves on the banking information system and build a probabilistic model capturing this behaviour as a succession of interactions.
Then, when an individual action is performed, the machine can compute the likelihood of that action being performed by a legitimate user or an attacker based on the path-to-action.
And here as well, AI can build profiles of these activities and their likelihood both at individual level and group level through clustering techniques.
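One way to build such a model of the session transitions listed above, as an added example (not NetGuardians' code): a first-order Markov chain with additive smoothing. The state names, the training sessions, the smoothing constant and the -1.5 threshold are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

STATES = ["LOGIN", "BALANCE", "PAY_INPUT", "PAY_VALIDATE", "PENDING", "LOGOUT"]

class SessionModel:
    """First-order Markov chain over ebanking actions (hypothetical design)."""

    def __init__(self, alpha=0.5):
        self.alpha = alpha  # additive smoothing so unseen transitions keep p > 0
        self.counts = defaultdict(lambda: defaultdict(int))

    def fit(self, sessions):
        for session in sessions:
            for prev, nxt in zip(session, session[1:]):
                self.counts[prev][nxt] += 1
        return self

    def prob(self, prev, nxt):
        row = self.counts.get(prev, {})
        total = sum(row.values())
        return (row.get(nxt, 0) + self.alpha) / (total + self.alpha * len(STATES))

    def path_score(self, path):
        """Mean log-likelihood per transition of the path leading to the
        latest action; normalised so long sessions are not penalised."""
        steps = list(zip(path, path[1:]))
        if not steps:
            return 0.0
        return sum(math.log(self.prob(a, b)) for a, b in steps) / len(steps)

def genuine_session(n_payments):
    """The genuine user's routine from the list above, with n payments."""
    return (["LOGIN", "BALANCE"]
            + ["PAY_INPUT", "PAY_VALIDATE"] * n_payments
            + ["PENDING", "LOGOUT"])

def build_model():
    # Constructed history: 20 past sessions with 1 to 4 payments each.
    history = [genuine_session(k) for _ in range(5) for k in (1, 2, 3, 4)]
    return SessionModel().fit(history)

THRESHOLD = -1.5  # assumed cut-off on the mean log-likelihood

def is_suspicious(model, path):
    return model.path_score(path) < THRESHOLD

# The hijacked session described above: login, payment, logout.
WORM_SESSION = ["LOGIN", "PAY_INPUT", "PAY_VALIDATE", "LOGOUT"]

if __name__ == "__main__":
    model = build_model()
    print("genuine:", round(model.path_score(genuine_session(2)), 3))
    print("worm   :", round(model.path_score(WORM_SESSION), 3))
    # Scoring the path up to PAY_VALIDATE flags the session before the
    # payment is accepted, which is prevention rather than detection.
    print("worm at validation:", is_suspicious(model, WORM_SESSION[:3]))
```

Think time or keystroke speed, mentioned above, would enter such a model as additional features per transition; they are left out here.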

With this kind of analysis, by looking at all the interactions of the users or customers with the banking information systems, AI can look at all individual events and qualify these interactions as legitimate or suspicious regardless of the financial transactions being input or not on the system.

AI can detect a fraud, or the intention to commit a fraud, even before a transaction is input on the system, by analyzing the user or customer activity, in the form of its interactions with the Banking Information System, before the transaction is input.
In addition, by analyzing the behaviour of the customer as a whole, AI can qualify his interaction session (ebanking, mobile banking, PSD2, etc.) as legitimate or suspicious and kill the session in case of a doubt, thus protecting the information he sees and protecting his privacy in addition to his assets.
Finally, all this understanding of the user or customer habits and behaviour can be used to design even more advanced transaction scoring models.

This ability to detect fraud cases before they happen leads to further improvement of the operational efficiency and operational security of the banking institution.
Protecting the customers' privacy in addition to their assets is important to protect the reputation of a financial institution. This is especially important for private banking institutions.

With «AI vs AI», I wanted to illustrate the current research topics we are working on today at NetGuardians to improve our algorithms further.
In a few words, we see today that cybercriminals are increasingly using advanced algorithms on their end to study the banks' attack surface and discover means to attack the banks and their customers.
We are in a "cat and mouse" game where attackers attempt to counter the security systems put in place by banking institutions, which in their turn deploy new forms of algorithms and intelligence to protect them further.
I can only be looking forward to telling you more on this matter in a near future...

9. Conclusion

Our own experience and conclusion with AI technologies and their concrete application to our use cases is striking.

Introducing advanced algorithms, machine learning and advanced analytics techniques in our use cases has been key to help us improve the way we secure financial institutions and their customers.
We could:

  • Reduce the fraud cases passing through and almost eliminate them.
  • Reduce the number of cases to be analyzed and make the detection system a lot more relevant.
  • Drastically reduce the amount of time required to investigate a case.

Today, at our customers, Artificial Intelligence monitors every single interaction between individuals, both customers or employees, and the information system, to qualify their actions as legitimate or fraudulent, in addition to analyzing with highly sophisticated models financial transactions input in the system.
Today our reality is as follows: Artificial intelligence monitors human behavior on a large scale to secure banks and their customers.

But Science Fiction advances much faster than reality. Regarding artificial intelligence, the collective imagination, fed by Musk and Hollywood, is way ahead of reality.
In the public collective imagination, artificial intelligence today generates quite a lot of fantasies.

So let's agree on something if you do not mind.
If one calls weak artificial intelligence, a computer solution able to solve a problem in a strict context, to optimize a solution or a mathematical function, or to look for an answer to a question in a strict context, one calls a strong artificial intelligence an intelligence able to argue, contextualize or to show sensitivity or initiative.
If progress in weak artificial intelligence is today very fast and very impressive, we do not have the slightest little trace of a proof that would allow us to believe one day in the emergence of a strong artificial intelligence. Strong artificial intelligence is science fiction.

The problem is that names of approaches like Neural Network generate a lot of fantasy in the public imagination, which takes this name literally.
With neural networks, the public imagines a digital brain, whereas the reality is that of "matrices of convolutions", intensive iterative calculations carried out on gigantic numerical matrices. On the other hand, powerful technologies with less evocative names, genetic algorithms, random forests or gradient boosting, raise fewer fantasies.

10. Artificial Intelligence vs. Augmented Intelligence

Today, these Artificial Intelligence techniques give the most impressive results when they support the human and not when they supplant it.

Chess is one of the first areas in which computers started to beat humans.
The examples of algorithms that manage to defeat the great masters of chess on a regular, if not systematic, basis are legion.
But it is the so-called "centaurs", most of the time amateur players helped by Artificial Intelligence, half-human, half-machine, who now win all the "freestyle" games.

I would like to mention a second example, an experiment that was performed last year.
Melanoma specialists were asked to identify cancerous lesions based on photos of skin lesions.
These experts had a precision, a success rate, of the order of 95%.
An AI based on a Neural Network deployed towards the same objective reached a pretty impressive 93% accuracy, yet failed to beat the experts.
But a set of interns, really students rather than actual doctors, accompanied and helped by an artificial intelligence reached 97% accuracy, beating both Artificial Intelligence alone and the experts.

Today, the most impressive results of these technologies come from what is called Augmented Intelligence, when Artificial Intelligence intervenes in support of the human decision process and not to replace it.
And Augmented intelligence is exactly what we do at NetGuardians by providing bankers with the means to prevent fraud cases much more effectively.

11. AI Pillars at NetGuardians

The key pillars which enable us to deploy Artificial Intelligence technologies are as follows:

All of this is pretty straightforward to understand.
I would just insist on two key notions:

  • The ability to run these analyses in real time. Being able to analyze the activity of bank customers and users in real time is at the root of the difference between preventing fraud and detecting fraud. It must be possible to work with very low processing times to characterize a transaction before it is placed on the market.
  • The user experience. The deployed algorithms can be as intelligent as one can imagine; if one is not able to provide investigators and analysts with clear, concise and precise information, allowing them to understand the context of the transaction and the reasons for the system to block it, all this does not work. Users reject the solution. Providing analysts with extremely intuitive and visual means to understand machine decisions is essential.
