Unbundling The Enterprise Risk Stack

Throughout their lifecycle, companies will face varying fraud-related risks when servicing customers. Some of these risks are commonplace for any online business, while others are more obscure; encountered depending on company industry, maturity stage, or product features offered to customers.

What is certain is that as a business becomes more successful in capturing users and market share, compounding rates of fraud volume are unfortunately inevitable. As a byproduct of growing risks related to fraud, many companies move through natural successive phases of maturing their fraud data strategy and tooling to combat the worries of losses.

However, the common progression of these phases, despite seeming like a natural evolution of a risk strategy, leaves many maturing risk functions in reactionary positions as they face fraud typologies that come sooner and higher in volume than expected.

In this post, we’ll chart these common phases companies go through in developing their enterprise risk stack. We’ll also outline an alternative, adapted strategy for companies looking to stay ahead of their fraud loss curve as they expand their products and customer bases.

Phase 1 – Realizing there’s a fraud problem

When an initial product is taken to market by an early stage company, nearly all the energy in that company is directed at acquiring and servicing customers.

At a certain point, general awareness in the market of the value in a product invites attackers looking to abuse it. Common fraud typologies like fraudulent transactions, identity spoofing or service abuse tend to come through in initial bursts.

If the company is uncomfortable with writing the experienced fraud loss amounts off as “the cost of doing business”, they can choose to hire fraud specialists to help identify, then mitigate, fraud loss. At this stage, internal teams will stay focused on growth initiatives and outsource fraud detection to a service provider selling an integrated solution which covers broader fraud types, including identity verification, KYC and more. 

Such a platform, if able to detect a majority of fraud and not detract from the company focus on growth, is deemed as “good enough for now” until the next phase.

Phase 2 – Fraud typologies diversify and grow in volume

In this phase, a company continues to reach more customers and expand its products while fraud typologies and instances have grown in proportion to company expansion.

The limitations of the vertically integrated solution are known with growing concern, and an initial fraud or risk executive is hired to manage the expansion of the risk stack from a tooling and data perspective against the growing losses.

Here, the executive response is to move past a single solution and into a bundle of different risk APIs from multiple providers and global data networks which cover efficacy gaps in detection and keep loss volume under control. 

Given headcount limitations, there is also an emphasis on orchestrating automated decision workflows through tools like Alloy in response to the fraud, answering the question of what APIs and data in the bundle should be used or not used depending on the specific risks of a customer interaction.

Phase 3 – Unbundling the risk stack for maximum efficacy

The final phase of a risk strategy is when the limitations of the first two phases are most painfully felt. In this phase, a company has attempted to close its widening efficacy gaps in fraud detection brought on by its success in expanding customer reach.

Bundles of risk APIs and orchestrated decisioning are no longer good enough to stem fraud losses at scale, as the company has become a large and attractive target to attackers. Internal data scientists and fraud specialists have been hired to use first party customer data and to develop customized risk scoring models. 

This effort is akin to developing a full product, involving first-party data gathering, feature definition, stakeholder involvement, and development timelines. 

But because the entire risk stack foundation is built on third party APIs and the data those vendors own, there are severe limitations to breaking the in-use fraud models down to their essential data types and re-engineering fraud scoring models from the ground up for greater performance.

All of this is compounded by an organization’s typical inability to, within their product, capture fine grained behavioral customer data at scale to use in its in-house modeling tailored for unique and costly cases.

Planning ahead for access to the right data

The main problems with this common cycle are twofold. First, countermeasures to an inevitable risk of fraud are taken reactively instead of preemptively at every phase. Second, the utility ceiling of the risk data foundation (third party data and off the shelf models) is hit when fraud losses are at their highest, without any optionality for immediate solutions.

Both of these problems can be avoided if companies decide early on to diversify their risk stack with a mix of third party risk data and modeling with first-party behavioral data collection.

Fine-grained customer behavioral data (those data types which provide rich insight into a unique user’s product interactions on a given device) shed light on legitimate and illegitimate behaviors third party tools are not designed to collect or model off of.

Parallelizing the collection of first-party and third-party data puts companies in a flexible position to design their own risk scoring model for unique cases before the costs of not having tuned modeling arise.

Planting the seeds of a “high trust” environment

Taken a step further, first-party data collection allows the customer themselves to build their “good” behavioral profile from the ground up, allowing companies to tailor account or product privileges depending on the appropriate level of risk. 

This is only possible when the ground truth about the customer is attained directly from their behaviors and interaction in-app. A newly registered desktop user can be gated from making a wire transfer from a mobile financial services app if they have not established a repeated pattern of trustworthy interactions. 

And on a long enough timeline, once a pattern is established these security experiences can be reduced as mutual trust develops between customer and company, shrinking the need for certain protocols like mandatory MFA checks at every login or for every transaction.

Nuance in security escalation is only possible with nuance in behavioral understanding, and these kinds of flows not only insulate companies from sustained risk loss, but serve to establish personalized security experiences which customers appreciate and expect in today’s online environment. With this adapted approach, all except attackers win; companies, risk teams, customers. 

When behavioral data gathering is a key layer in the early development of a company’s risk data ecosystem, unbundling a traditional risk stack down the line is far less painful, and yields new benefits for those companies who had rapid customer expansion in their sights from day one.