Improving Fraud Detection: Rules versus Models

Andy Tikofsky

VP of Data Science, Feedzai

It is standard practice in managing payments to block potentially fraudulent transactions via a set of rules. These rules can be very effective in mitigating fraud risk, and practitioners in the industry are comfortable with this approach. Quite often these rules are able to mitigate the losses from fraudulent transactions without producing a correspondingly high alarm rate.

For example, a fraud team might create rules based on location and block transactions from risky zip codes. They might also block cards that are used too frequently, for example by blocking any transaction for a card with more than 4 previous transactions in the past 30 minutes.

Despite the appeal of the rules-based approach, it has natural limitations. Machine learning is able to address many of these limitations, and a machine learning model in combination with rules can much more effectively identify risky transactions.

Limitations of rules

  1. Rules are limited by fixed thresholds. Each rule has a threshold, e.g. “block when greater than 4 transactions in a 30 minute period.” The problem is that the ideal value for this threshold can change over time. A machine learning model can learn this from the data and adapt. A static rule system cannot.
  2. Rules are limited by being absolute. Each rule is a “yes” or “no” decision based on a threshold. It might be better to have different threshold ranges: very risky, risky, and good. Unlike rules, models naturally produce a score from 0-1000, just like a credit score, that allows for a range of actions based on different risk tolerances.
  3. Rules fail to capture interactive effects. It is possible to create rules based on more than one feature. For example, consider the rule we brought up earlier, which blocks any transactions for cards with more than 4 previous transactions in the past 30 minutes. However, probing and finding these interactive effects is difficult. Machine learning models are ideally suited to finding these relationships, whereas rules can only impose them but not learn them from the data.
  4. Rules provide low coverage. In many cases, only a few highly accurate rules can be found. In order to identify and block more than a small number of risky transactions, it becomes necessary to add more and more rules of decreasing accuracy. The end result can be an unacceptable rate of incorrect transaction blocking.
  5. Rules have low relative performance. The simple fact is that a hybrid approach combining rules and models will have better performance metrics than rules alone. This is possible because models understand the interactive effects highlighted in #3 above, and they are able to identify risky transactions that simple rules alone can’t find. We regularly see lifts in fraud detection in the range of 30 to 40 percentage points, with no additional false alarms, after we introduce models.

This doesn’t mean that you will get rid of rules. Some rules are just so valuable (e.g. those with >90% accuracy) that you would be foolish not to use them to flag the corresponding transactions. Models should be used to find the extra signals that a rules-based approach just can’t identify.

Along with its ability to find interactive relationships in the data, the magic of a model-based approach is that it learns from the data and changes over time. Unlike rules, models can account for changing criminal tactics as fraud behavior evolves over time.

In addition, model thresholds can be easily adjusted to meet changing performance metrics. The best approach is the hybrid one: combining models and rules. In the end, fraud losses will be lower as this approach is able to identify many more fraudulent transactions for a given alarm rate.
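
The hybrid approach described above, sketched as an added example (not Feedzai's code): the two rules from the article run first, then a model score on the 0-1000 scale is mapped to the very risky / risky / good bands. The band cutoffs (800 and 500), the zip blocklist, the transaction field names and the scores themselves are assumptions; the score is taken as already produced by an upstream model.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # velocity window from the article's example rule
MAX_PRIOR = 4                   # block when more than 4 previous transactions
RISKY_ZIPS = {"00000"}          # constructed placeholder blocklist
VERY_RISKY, RISKY = 800, 500    # assumed cutoffs on the 0-1000 score scale

class HybridScreen:
    """Hard rules first, then model score bands (very risky / risky / good)."""

    def __init__(self):
        self._seen = defaultdict(deque)  # card -> timestamps still inside WINDOW

    def _prior_count(self, card, ts):
        # Assumes transactions arrive in time order; blocked attempts still count.
        q = self._seen[card]
        while q and ts - q[0] > WINDOW:
            q.popleft()  # expire attempts older than 30 minutes
        prior = len(q)
        q.append(ts)
        return prior

    def decide(self, txn):
        prior = self._prior_count(txn["card"], txn["ts"])
        if txn["zip"] in RISKY_ZIPS:
            return "block", "rule:risky_zip"
        if prior > MAX_PRIOR:
            return "block", "rule:velocity"
        # No rule fired: grade the transaction by the model's score instead of yes/no.
        if txn["score"] >= VERY_RISKY:
            return "block", "model:very_risky"
        if txn["score"] >= RISKY:
            return "review", "model:risky"
        return "approve", "model:good"

def run_sample():
    t0 = datetime(2024, 1, 1, 12, 0)  # all rows below are constructed sample data
    rows = [("A", m, "12345", 100) for m in (0, 5, 10, 15, 20, 25, 70)]
    rows += [("B", 30, "12345", 850), ("C", 31, "12345", 600), ("D", 32, "00000", 50)]
    screen = HybridScreen()
    out = []
    for card, minute, zip_code, score in sorted(rows, key=lambda r: r[1]):
        txn = {"card": card, "ts": t0 + timedelta(minutes=minute), "zip": zip_code, "score": score}
        out.append((card, minute) + screen.decide(txn))
    return out

if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

Changing `VERY_RISKY` and `RISKY` moves the alarm rate without touching the rules, which is the threshold adjustment the last paragraph refers to.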