SUNZ 2011 - Suren De Silva - SAS Fraud

Copyright © 2010 SAS Institute Inc. All rights reserved.

Fraud, Waste & AbuseThe value of a “hybrid approach” Suren De Silva – Solutions Manager Financial Crimes

2

Copyright © 2010, SAS Institute Inc. All rights reserved.

Fraud – A Constantly Evolving Threat 'Greatest threat to human health' SMH - February 16, 2011

Bacterial strains have mutated and are now resistant to the most powerful antibiotics

The increasing ineffectiveness of antibiotics is putting complex medical treatments at risk

Fraud like “resistant” bacteria a complex, evolving threat Traditional approaches are increasingly ineffective A more holistic, hybrid approach is required !!!

3


Three best practice approaches

1. Reframing the “Fraud” business problem2. Adopting a “hybrid” approach to detection3. Utilising analytics across the business

process

4


So what ? More fraud identified

50% plus lift in accurate detection over traditional methods

Reduction in false positive rates A leading bank in Australia reduced false positive rates in its cheque

fraud rates by 95% while increasing detection by 400%

Improved investigation efficiency Each referral taking 1/2 – 1/3 the time to investigate

Significant increase in ROI per investigator Combining effects of lower false positives with prioritization of higher

value referrals and faster more accurate investigation of referrals

5


Agenda

Fraud – “An evolving threat” Ineffectiveness of traditional approachesBest practice approachesQuestions


Fraud - “An evolving threat”

7


The evolving nature of fraud Fraudsters

Far more sophisticated – organized crime, patient, sharing High velocity of attacks – Fraudsters disappear after 2-3 claims Hitting multiple channels and products at the same time Leveraging knowledge of detection systems and recruiting insiders Continuously evolving fraud strategies More organised – local and global – Web 2.0 and beyond allow virtual

syndicates – collaboration on the shadow net Mediums’ Expanding

Exploding with Computers and the Digital Age Faster systems – payment, loan, etc. – more real time

Phishing, skimming, synthetic identities, social engineering, etc. Landscape Changes

Global Economy – External and unknown – hard to prosecute Economic changes – white collar, financial distress

8


inetOrgPerson

inetOrgPerson

inetOrgPerson

inetOrgPerson

inetOrgPerson

Person 1

Person 1

Person 1

Work Visa

Migrant

Tourist 1

Tourist 2

Risks assessed along narrow lines

Organisation staff and siloed systemsOffenders

Bus. Migrant

Risk Management – Traditional Approach

9


inetOrgPerson

inetOrgPerson

inetOrgPerson

inetOrgPerson

inetOrgPerson

Organizational Person

Organizational Person

Reality Today !

Organised crime is taking advantage and freely moves across the silos using counter intelligence, mules, technology and resources

Bank / Insurance Co / Government Agency

Offenders


Ineffectiveness of traditional approaches

11


1. Provide a skewed picture of risk

Consider this… A process identifies non-state individuals conspiring

against the government based on: The contents of their communications Their communication methods of choice The frequency of their interactions

If the individuals are conspiring, 99% of the time the test will be positive

If the individuals are not conspiring, 99% of the time the test will be negative

12


So we execute!

The test is put into production A collection of individuals are identified as conspiring

against the government The test is known to be 99% accurate, so enforcement is

mobilised and set into action

Pretty conclusive, right?

It may be wrong as high as 99.99% of the time, despite being 99% accurate (Huh?!?)

13


Here’s why …

Few people actually conspire against the government: Assume 1 / 500,000 people actually conspire Assume Australia’s population is 22 million

General formula: Population * (Incidence rate / Sample Population) * Test Efficiency

A positive result will be wrong in 99.99% of cases, despite the test being 99% accurate

Conspiring Not ConspiringPredicted Conspiring 44 220,000 Not Predicted Conspiring 0 21,779,956

14


The Lessons

All approaches have strengths and weakness

If you rely too heavily on a single detection method, you will be wrong, catastrophically so at times.

15


2. Static approaches in a dynamic environment

Consider this…

• To detect counterfeit credit card activity a bank through data mining creates a set of rules and red flags that indicate that the a card may have been “swiped” and counterfeited.

• These rules are to:• Address all customers• Across all states / provinces

16


Result: 300% faster, 1000% difference

# Transactions

0 1 2 3 4 5 6

Analytic RulesStatic Rules

1000 % Difference in Loss

17


The Lessons

Rules don’t work well with ‘context’, but they do provide a false sense of security.

Rule-based detection works great when your subjects maintain their behaviour and are happy to be observed. How often does that happen?

18


3. Reactive – Focused on the past

“Past events predict future events”

2000

2011

19


…Not Always !!

A completely reactive focus leaves you open to nasty surprises !

20


Summary

Traditional detection approaches: Rely too heavily on a single or a few detection approaches Highly reliant on static rules or models Too often focused on the past

Potential outcomes include: High false positives Detection blindness = Increased risk of a catastrophic surprise Increasing costs to maintain and respond to dynamic fraud

threats


Best practices in fraud management

22


Three best practice approaches

1. Reframing the “Fraud” business problem2. Adopting a “hybrid” approach to detection3. Utilising analytics across the business

process

23


Video (1 Minute)

http://www.youtube.com/watch?v=GiPe1OiKQuk&feature=related

…. We have known knowns, known unknowns, and unknown unknowns…. The same can be said about Fraud



24


1. Framing the fraud problem

Best practice approach: “Detecting known risks as well as unknown risks”

25


Look more broadly as well as deeply

Customer / Claimant / Passenger

Conduit

Collusion

Transactional

(Risk at a point in time)

Historical Profile

(Risk over time)

(Past behaviour)

Peer Group Profile

(In relation to others)

26


Result: 32 times increase in fraud detected

SAS Approach

SAS subjected 6 years of historical data from 5 different source systems (including claims, payments, application, 3rd party, and fraud case data) to the predictive capabilities of the SAS Fraud Framework. Client investigators evaluated the solution results during a 3 week validation period against 3 main categories of cost avoidance: investigative efficiency, earlier detection of fraudulent providers & participants, and incremental detection of fraudulent providers & participants.

Business ProblemThe Department of Social Services of a large US County was being hit by fraud, waste, and abuse across their public assistance programs. The County engaged SAS to pilot the SAS Fraud Framework to determine if the data analytics and visualization solution could assist in proactively detecting both opportunistic and organized fraud in the Childcare program.

Results• 32 times increase in # of fraud rings detected

annually• Incremental estimated saving of $31.1M annually

27


“Understanding and Framing the Fraud Problem”Entity or Network

Is the transaction or relationship focused at an entity level (1-1 relationship) or are multiple parties involved (network level)?

If it is entity focused, is there a collusive element to the fraud risk you are trying to manage?

Time scale Is the fraud likely to happen in a point in time (e.g. one off

bounced cheque) or likely to occur over time? (internal fraud) If over time do we expect changes gradual or sudden

changes over time?

Understanding the “Unknowns” What can I do to monitor the development of distinct

behaviour or network clusters? What can I do to monitor changes in the frequency and

nature of my “known” risks?

28


2. Hybrid Detection – Use multiple methods

29


Result: 57% lift over models used in isolation

SAS ApproachSAS subjected 4 years of historical data to the predictive capabilities of the SAS Fraud Framework. Client investigators evaluated the solution results during a 3 week validation period to identify incremental fraud detection at the claim and network levels, reduction in false positives, and enhancements to investigative efficiency.

Highlights• Advanced analytics drove 35%

better results than competition

• 57% lift over current process• Incremental estimated save of

$10.3M annually (for same # of annual investigations)

• 45% correct hit rate on claims

• 67% correct hit rate on provider networks

• 100% of WC and GL claims processed (~$16B claims)

Business ProblemA large US commercial insurer was incurring significant fraud losses across their lines of business. The insurer engaged 3 vendors in a competitive pilot to determine the solution that would provide the most lift over their current rules and models and enhance effectiveness of the triage and fraud investigation teams.

ResultsThe key client decisioning factors for vendor selection include:

• Incremental Detection: $10.3M annually (for same number of investigations)• ADVANCED ANALYTICS, allowing the appropriate prioritization of

investigator time and extraction of maximum value. Using SAS advanced analytics, SAS performed 35% better than all other vendors.

• OPEN ARCHITECTURE, allowing client to become self sufficient vs. other black box + services based approaches (self sufficiency can result in significant annual savings on services costs.).

30


Utilising a hybrid approach

Selection of detection approach What are the strengths and weaknesses of the methods

chosen? What techniques / tools can I use to build in validation /

confirmation steps to improve detection accuracy?

Understanding “Unknown knowns” How can I use data mining and outcome data to uncover

currently “unknown knowns”? How can I use any insights to strengthen current detection

approaches?

Improving the value of monitoring “Unknowns” What methods / techniques can I use to enhance “anomaly”

detection analytics?

31


Utilising analytics across fraud management process

Data

Data

Data

Data

Alert Manageme

nt

Case Manageme

ntData Access & Integration

Data Analysis

& Detection

3. Utilise Analytics Holistically

32


Result: 75% reduction in false positives

SAS ApproachSAS applied a hybrid approach to analyze BB&T’s past investigations during the prior 6 months. Business rules were applied to normalize the database between relevant work items and irrelevant work items. A number of models were deployed with varying business objectives ranging from workload reduction to SAR retention.

Highlights• $1M savings in 1st year• Reduced work items by

75% with 97% SAR Capture

• Ability to auto-triage work items in objective and repeatable manner

Business ProblemBB&T wanted to apply advanced analytic techniques to learn from past investigations and SAR filings in order to improve the quality of SARs, improve the relevancy of work items to analysts, reduce false positives, and reduce staffing costs.

Results• Estimate savings of $1 million in first year based upon 25 investigators.• Deployed an operational process that is transparent, auditable, and explainable to

regulators.• Adopted a methodology that will scale as the institution acquires other banks.• Significant reduction of workload.• Improvement in SAR quality.• Reallocation of resources to high risk events.

33


Identifying other points of value addFraud Management Stage

Specific Analytic Approaches

Primary Benefit(s)

1. Data ingestion 1. Name / entity resolution2. Text mining analytics3. Data quality4. Social Network

Analytics

1. Identifies anomalies earlier which drives incremental detection of fraud

2. Detection 1. Hybrid Analytics 1. More accurate detection

2. Earlier detection of unknown events

3. Alert management 1. Scoring models 1. Improved prioritisation

4. Case management 1. Scoring 2. SNA

1. Improved ability to detect complex fraud

5. Refinement 1. Data mining / model management

1. Lower false positives

34


Key Points

Build a program around detecting both known risks but also monitoring environment for unknown risks

Build a process that uses a wide range of validating / confirming techniques

Consider using analytics more holistically in your operational process

Measure success by business outcomes, not models developed

SUNZ 2011 - Suren De Silva - SAS Fraud

Documents

Transcript of SUNZ 2011 - Suren De Silva - SAS Fraud