Building in-house risk controls vs outsourcing fraud monitoring to a vendor

If you work in a risk or fraud function, it's likely your team at some point has engaged in a debate over which controls, if any, can be outsourced to a third party vendor, and what needs to be built in house. Today we'll go over some of the pros and cons of each option and talk about how to marry both worlds to create a robust program most suitable to your company.

Building in-house

Building a risk program in house will give your team the most control over their workflows but is often the most expensive option.

Pros

  • Building your program in-house is the most flexible option. You can have your engineers build the exact monitors and workflows your team needs. If your in-house team is nimble, you can also use this to your advantage to build in quicker iteration loops and improve your program in response to real-world events.
  • In-house solutions will have full access to internal data and there's no need to send data offsite to a third-party vendor. This could be lower-risk from a security and privacy standpoint.
  • You can build a very tailored system specific to the type of abuse your company sees. For example, if your company enacts an account transfer limit of $8,000 and you see fraudsters on your platform cash out $7,999 in quick succession, you can enforce specific rules around that behavior.

Cons

  • Resources needed to build and maintain an internal system are non-trivial. Hiring, training, and managing engineers and risk analysts is an intensive endeavor, and putting those resources towards building internal risk monitoring tooling is at least a multi-month investment for even an MVP. If you take into account ongoing maintenance and improvement costs, you're looking at a multi-year journey.
  • Since you're operating off of your own internal data only, you don't have access to data enrichment information across other companies and other networks.
  • Similarly, you don't get to benefit from aggregated fraud intelligence patterns and analysis.
  • Finally, you're on your own with support and don't have the benefit of accessing solutions engineers and customer support personnel vendors may provide to guide and augment the skills and knowledge of your own internal team.

Outsourcing to a vendor

Outsourcing your risk program to a vendor is typically a faster and cheaper process but you end up having less control over your systems.

Pros

  • Vendors can aggregate data from across the industry so you can benefit from data and fraud intelligence lessons learned from other clients. For example, some vendors can aggregate bad IP addresses, and an IP address identified as fraudulent by one client can be shared as signal for other clients.
  • Your company may have to conduct common processes like KYC, ID verification, and Sanctions list screening that other companies have had to stand up in the past. Going with a vendor that specializes in these processes can prevent you from re-inventing the wheel here.
  • Some vendors, like LogicLoop, offer additional benefits like the Trust Operators Risk & Fraud Community where you can connect with and share knowledge and resources with other professionals in the space.
  • Some vendors can provide access to advanced technologies like Machine Learning that you may not be able to staff for in-house.
  • Spending internal resources on fraud monitoring tooling can take time and be expensive, so having access to a tool right out of the box can help you get up to speed quickly.

Cons

  • Vendor software can act like a black box. You may not have full transparency into what types of controls are enacted and why certain activities were flagged as fraud and why others weren't. This can make it difficult to improve and iterate on processes over time.
  • Vendor software can be inflexible, making it hard to customize for the exact controls you need for your company. If your vendor does not have a responsive support team, you may be stuck waiting on them to enable something you need badly.
  • Vendors may not be able to integrate their systems with your own internal workflows, leaving someone on your team to have to manually export data back and forth.
  • Data is sent to an external party, which creates another vector of risk from a privacy and security standpoint.

Marrying the best of both worlds

To take advantage of the strengths of both worlds, you can look into two popular options:

Using a vendor that gives you the power to enact your own rules

The first option is to use third party tooling that acts like your own internal tool. A good example of this is LogicLoop - we enable users to set up fraud alerts and automations on top of their own database. Our customers do not need to spend intensive engineering resources building an internal rules engine or case management system themselves. However, they do still need to staff their own risk analysts in order to write their own custom rules.

Pros

  • No need for your engineers to spend time building internal tools.
  • Retain the flexibility of being able to enact custom controls specific to your company.
  • Certain vendors like LogicLoop give you full access and transparency into the effectiveness of your alerts, allowing you to iterate and improve your program over time. Understand what is working and what is not and have full control over what you want to change. LogicLoop also integrates quickly with your own internal data and internal systems via API.
  • Many vendors are SOC2 certified and are required to treat your data with the same level of privacy and security as you do.

Cons

  • You still need to spend some internal resources on staffing risk analysts to enact rules. The process cannot be completely outsourced for you.
  • Machine learning and fraud intelligence data sharing may be limited on platforms that are meant to be more industry agnostic.

Layering an external vendor on top of your own internal monitoring

Another popular strategy is to use a combination of your own internal systems, vendor tooling, and aggregated vendor intelligence and data. You can mix and match different strategies in the areas where you think your company would benefit the most. For example, you can rely on certain vendors to give you a Machine Learning score to estimate a user's risk profile, and you can feed that risk score into your own custom rules to ultimately decide whether to shut down that user's account. You can outsource KYC processes to an ID verification service but use your own automations to reach out to users if you need them to re-upload their ID docs. You can rely on third-party vendors to flag suspicious IPs but also enact your own rules to flag accounts with activity from multiple IP addresses in quick succession as suspicious. Over time, most sophisticated institutions will end up using a mixture of all these options.
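The layered decision described above, together with the near-limit cash-out rule from the in-house section, as an added example (not LogicLoop's or any vendor's code): in-house velocity rules are combined with a vendor risk score, and the reasons are returned so the decision can be audited. The event fields, thresholds, one-hour window and 0-to-1 score scale are assumptions.

```python
from datetime import datetime, timedelta

TRANSFER_LIMIT = 8000        # account transfer limit from the article's example
NEAR_LIMIT = 0.95            # assumption: "just under" means within 5% of the limit
WINDOW = timedelta(hours=1)  # assumption: "quick succession" means one hour
MAX_IPS = 3                  # assumption: distinct IPs per window before flagging
SCORE_HIGH = 0.9             # assumption: vendor risk score is in [0, 1]

def near_limit_cashouts(events):
    """True if two or more cash-outs just under the limit fall within WINDOW."""
    times = sorted(e["ts"] for e in events if e["type"] == "cashout"
                   and TRANSFER_LIMIT * NEAR_LIMIT <= e["amount"] < TRANSFER_LIMIT)
    return any(b - a <= WINDOW for a, b in zip(times, times[1:]))

def ip_churn(events):
    """True if MAX_IPS or more distinct IPs appear within any WINDOW."""
    evs = sorted(events, key=lambda e: e["ts"])
    for i, first in enumerate(evs):
        ips = {e["ip"] for e in evs[i:] if e["ts"] - first["ts"] <= WINDOW}
        if len(ips) >= MAX_IPS:
            return True
    return False

def decide(events, vendor_score):
    """Combine in-house rules with the vendor score; return (action, reasons)."""
    reasons = []
    if near_limit_cashouts(events):
        reasons.append("near_limit_cashouts")
    if ip_churn(events):
        reasons.append("ip_churn")
    # A missing score (vendor outage) is skipped so the in-house rules still decide.
    if vendor_score is not None and vendor_score >= SCORE_HIGH:
        reasons.append("vendor_score_high")
    action = "suspend" if len(reasons) >= 2 else "review" if reasons else "allow"
    return action, reasons

# Constructed sample activity for one account (documentation-range IPs).
T0 = datetime(2024, 1, 1, 12, 0)
def ev(minutes, kind, amount, ip):
    return {"ts": T0 + timedelta(minutes=minutes), "type": kind, "amount": amount, "ip": ip}
SAMPLE = [
    ev(0, "login", 0, "198.51.100.7"),
    ev(10, "cashout", 7999, "198.51.100.7"),
    ev(25, "cashout", 7999, "203.0.113.9"),
    ev(40, "cashout", 7999, "192.0.2.44"),
]
print(decide(SAMPLE, 0.35))
```

In the sample the vendor score alone would not flag the account, but the two in-house rules do, which is the case the layered approach is meant to catch.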
