Starting a Risk & Fraud Program

Building a risk & fraud team from the ground up.

You've been tasked with building your product's risk/fraud program. What now?

If you're one of the first hires on a marketplace, financial services, or software product responsible for managing fraud, risk or compliance, the challenge in front of you can feel daunting. You're simultaneously juggling expectations for the top-line growth and rapid success of your product with platform quality control, fraud losses, potential reputational risk and many other difficult-to-predict downsides, all with limited operational and engineering resources. Luckily, this is a path that others have trod, and today we'll go over some pointers to help you prepare.

Where does your company's risk tolerance lie?

The first thing to get a sense for is your company's leadership team's growth priorities and risk appetite. Risk is never something you can solve 100%, and solving for the long tail of risk events can be time consuming and expensive. However, being too lenient can result in large losses and reputational damage. It's your job to educate your executive team on the risks they should be concerned about and get a sense for where the company's risk appetite is. Many executives will want to prioritize growth, so it's your job to speak up for the risk side of the equation and come to a shared understanding so there aren't miscommunications between your work and your leadership's perceptions.

What part of the product lifecycle are you in?

Each company has a different point in their lifecycle when they decide to invest in risk & fraud:

New startup pre-launch - Heavily-regulated industries like financial services will require controls to be in place from day one in order to handle consumer transactions and bank accounts, while other industries will be more lenient. Regardless, preparing early is a wise decision. Given the proliferation of bad actors on the internet today, if your product launch attracts a large audience it will attract bad actors. Putting controls in place early will help your product onboard more good users faster and shut out the destructive ones. Underinvesting can invite bad actors to take over your platform, inviting chaos even for good users, followed by a shutdown or delayed product launch.

Mature company but on a new product line - If you're working on a new product at a mature company, many of the same principles apply, but you're likely to have more established practices and resources to guide you.

Mature product needing to catch up on fraud debt - Finally, you may be in a situation where you're brought in to "clean up the mess" for a product that has grown quickly and is now fairly mature, but has historically underinvested in risk controls and is now playing catch-up. This is a difficult position to be in, as implementing the right controls will require integrating with existing processes.

Having the right tools in place

The key is having the right tools and processes in place for when malicious activity occurs. You can start out with something simple but flexible that lets you adapt as patterns change and as the product scales. There are a number of risk & fraud vendors that help you power up while saving your own team's resources. A survey of the different types of tooling to have in place:

Rules engine - A rules engine helps you enforce certain rules and raise alerts based on patterns you are seeing in your data (more about rules engines here). For example, you can enact a rule such as "raise an alert for an analyst to review all transactions larger than $10,000." A flexible rules engine like LogicLoop, which lets you enforce these rules directly on top of your database using SQL, allows you to quickly spin up very custom and complex rules based on any data your company has, giving you the flexibility to react to the fraud patterns most relevant to your company. Commonly monitored patterns include account and transaction velocity, payment and order failures, and missing or non-matching data (view templates here).


Identity verification - If you're in an industry where you have to conduct KYC (know your customer) / KYB (know your business) checks, identity verification providers such as Persona, Alloy, Socure, and Sentilink can verify customer data to ensure your customers are sharing their real identities rather than using stolen information.

Fraud intelligence and aggregation - More sophisticated and mature products may consider implementing machine learning models in addition to heuristic rules. If your company does not have the resources to support its own machine learning platform, you can outsource it to a third-party vendor that can pick up signals from across its entire user base to detect fraud. This is useful because if an IP address is flagged as fraudulent elsewhere, you can use that information to inform your own decision making. Some vendors can even enrich the data you give them to give you more information; for example, if you send over an address, they can tell you how long the user has lived at that address. Some fraud intelligence vendors include Sift Science, Signifyd, and Kount.

Other compliance tooling - Depending on your industry, you'll want to make sure you're following practices for AML (anti-money laundering) / transaction monitoring, BSA regulations, requirements for filing SARs (suspicious activity reports), AAN (adverse action notices), and more. Companies will typically hire a dedicated compliance officer for this function.
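To make the rules-engine idea concrete, here is an added example (not LogicLoop's code or any vendor's) of the three commonly monitored patterns named above expressed as plain SQL rules over a transactions table: a large-transaction threshold, a payment-failure velocity check, and a missing/non-matching billing-vs-IP-country check. The table, the sample rows, the rule names, and the thresholds (the $10,000 figure aside) are all constructed for illustration; an in-memory SQLite database stands in for the production database the rules would normally run against.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data (not real transactions): one row per payment attempt.
# Columns: id, account_id, amount_usd, status, billing_country, ip_country, created_at
SAMPLE_TRANSACTIONS = [
    (1, "acct_a", 250.00, "succeeded", "US", "US", "2024-05-01T10:00:00"),
    (2, "acct_b", 12500.00, "succeeded", "US", "US", "2024-05-01T10:05:00"),
    (3, "acct_c", 40.00, "failed", "GB", "NG", "2024-05-01T10:06:00"),
    (4, "acct_c", 40.00, "failed", "GB", "NG", "2024-05-01T10:07:00"),
    (5, "acct_c", 40.00, "failed", "GB", "NG", "2024-05-01T10:08:00"),
    (6, "acct_c", 40.00, "succeeded", "GB", "NG", "2024-05-01T10:09:00"),
    (7, "acct_d", 80.00, "succeeded", None, "US", "2024-05-01T10:10:00"),
    (8, "acct_c", 40.00, "failed", "GB", "NG", "2024-05-01T09:00:00"),  # outside the 1h window
    (9, "acct_f", 60.00, "failed", "US", "US", "2024-05-01T10:20:00"),
    (10, "acct_f", 60.00, "failed", "US", "US", "2024-05-01T10:21:00"),
]

# Each rule is plain SQL over the transactions table; every row returned is one alert.
# Rule names and the velocity/mismatch thresholds are illustrative, not a vendor's defaults.
RULES = {
    # "raise an alert ... for all transactions larger than $10,000"
    "large_transaction": """
        SELECT id, account_id, amount_usd
        FROM transactions
        WHERE status = 'succeeded' AND amount_usd > 10000
    """,
    # payment-failure velocity: 3+ failed attempts by one account inside the window
    "payment_failure_velocity": """
        SELECT account_id, COUNT(*) AS failures
        FROM transactions
        WHERE status = 'failed' AND created_at >= :window_start
        GROUP BY account_id
        HAVING COUNT(*) >= 3
    """,
    # missing or non-matching data: billing country absent, or differing from the IP country
    "country_mismatch": """
        SELECT id, account_id, billing_country, ip_country
        FROM transactions
        WHERE billing_country IS NULL OR billing_country <> ip_country
    """,
}


def load_transactions(rows):
    """Build an in-memory SQLite table standing in for the production database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE transactions (
               id INTEGER PRIMARY KEY,
               account_id TEXT NOT NULL,
               amount_usd REAL NOT NULL,
               status TEXT NOT NULL,
               billing_country TEXT,
               ip_country TEXT,
               created_at TEXT NOT NULL)"""
    )
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def run_rules(conn, now_iso, window_minutes=60):
    """Evaluate every rule as of `now_iso` (ISO 8601); return one dict per alert row."""
    window_start = (datetime.fromisoformat(now_iso) - timedelta(minutes=window_minutes)).isoformat()
    alerts = []
    for name, sql in RULES.items():
        # Only the velocity rule is parameterised; ISO timestamps compare correctly as text.
        params = {"window_start": window_start} if ":window_start" in sql else ()
        cur = conn.execute(sql, params)
        columns = [d[0] for d in cur.description]
        for row in cur.fetchall():
            alerts.append({"rule": name, **dict(zip(columns, row))})
    return alerts


def count_by_rule(alerts):
    """Summarise alert volume per rule, the first thing an analyst wants to see."""
    counts = {}
    for alert in alerts:
        counts[alert["rule"]] = counts.get(alert["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    conn = load_transactions(SAMPLE_TRANSACTIONS)
    for alert in run_rules(conn, "2024-05-01T11:00:00"):
        print(alert)
```

Run as of 11:00, the velocity rule fires for acct_c only: its three failures between 10:06 and 10:08 fall inside the hour, the 09:00 failure does not, and acct_f stops at two. Keeping the rules as SQL means thresholds and windows are edited in one place and can be re-run against historical rows when a pattern changes.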

Having the right processes in place

Once you have the right tooling in place, you also need to have the right processes in place. If anomalous or suspicious activity is captured by your monitoring tools, the next step is to review or action them.

Phase 1 - getting alerts quickly: If your product is pre-launch, you can start out easily by just having your alerts report to Slack, Google Sheets, or email and have analysts manually review them ad-hoc.

Phase 2 - managing alerts at scale: Once you have enough volume, you will want to manage alerts in a case management system where you can track, assign, and action alerts.

Phase 3 - automation: At a certain scale, you will want to automate your workflows, allowing certain flags to result in automatically banning a user or taking an action without needing human approval.

Tools like LogicLoop can help you graduate throughout each of the phases by allowing you to flexibly plug into a variety of downstream actions.

Improving your program over time

Once you have monitoring in place, improving it will be a constant process. The first step is to measure rule effectiveness: track which rules are triggering false positives and false negatives, and tweak your thresholds accordingly in tight iteration loops. You can A/B test different rules or backtest your rules against previous data to estimate performance. You can also track metrics like time to acknowledgement and time to close to measure analyst productivity.
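As an added example (not code from the original post or from LogicLoop), the backtesting loop described above can be run on a labeled sample of past transactions: each rule is evaluated against history where the true outcome is known, the true/false positives and negatives are counted, and the amount threshold is swept to see the precision/recall trade-off. It also computes the median time to acknowledge and time to close from alert timestamps. The transaction history, its fraud labels, the alert timestamps, and the combined amount-or-velocity rule are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LabeledTransaction:
    amount_usd: float
    failures_last_hour: int   # failed attempts by the same account in the prior hour
    is_fraud: bool            # outcome learned later (chargeback, confirmed abuse)


# Constructed historical sample with known outcomes (not real data).
HISTORY = [
    LabeledTransaction(50, 0, False),
    LabeledTransaction(12000, 0, False),   # legitimate large purchase
    LabeledTransaction(15000, 1, True),
    LabeledTransaction(300, 4, True),      # small amount, but many failed attempts
    LabeledTransaction(80, 3, False),
    LabeledTransaction(9000, 5, True),
    LabeledTransaction(20, 0, False),
    LabeledTransaction(700, 2, False),
    LabeledTransaction(11000, 2, True),
    LabeledTransaction(5000, 0, False),
]


def amount_rule(threshold):
    """Rule: alert when the amount exceeds `threshold` dollars."""
    return lambda t: t.amount_usd > threshold


def amount_or_velocity_rule(threshold, max_failures):
    """Rule combining the amount check with a failure-velocity check (constructed example)."""
    return lambda t: t.amount_usd > threshold or t.failures_last_hour >= max_failures


def evaluate(rule, history):
    """Backtest one rule against labeled history; return confusion counts plus precision/recall."""
    tp = fp = fn = tn = 0
    for t in history:
        flagged = rule(t)
        if flagged and t.is_fraud:
            tp += 1
        elif flagged:
            fp += 1          # false positive: an analyst reviews a good transaction
        elif t.is_fraud:
            fn += 1          # false negative: fraud the rule missed
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "alerts": tp + fp,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
    }


def sweep_thresholds(history, thresholds):
    """Backtest the amount rule at several thresholds to expose the precision/recall trade-off."""
    return {th: evaluate(amount_rule(th), history) for th in thresholds}


@dataclass(frozen=True)
class Alert:
    created_at: str
    acknowledged_at: str
    closed_at: str


# Constructed alert timestamps (ISO 8601) for the analyst-productivity metrics.
ALERTS = [
    Alert("2024-05-01T10:00:00", "2024-05-01T10:10:00", "2024-05-01T11:00:00"),
    Alert("2024-05-01T12:00:00", "2024-05-01T12:30:00", "2024-05-01T14:00:00"),
    Alert("2024-05-01T15:00:00", "2024-05-01T15:05:00", "2024-05-01T15:45:00"),
]


def median_minutes(alerts, start_field, end_field):
    """Median minutes between two alert timestamps, e.g. created_at -> acknowledged_at."""
    minutes = sorted(
        (datetime.fromisoformat(getattr(a, end_field))
         - datetime.fromisoformat(getattr(a, start_field))).total_seconds() / 60
        for a in alerts
    )
    mid = len(minutes) // 2
    return minutes[mid] if len(minutes) % 2 else (minutes[mid - 1] + minutes[mid]) / 2


if __name__ == "__main__":
    for th, result in sweep_thresholds(HISTORY, [1000, 5000, 10000]).items():
        print(f"amount > {th}: {result}")
    print("amount > 10000 or 3+ failures:", evaluate(amount_or_velocity_rule(10000, 3), HISTORY))
    print("median minutes to acknowledge:", median_minutes(ALERTS, "created_at", "acknowledged_at"))
    print("median minutes to close:", median_minutes(ALERTS, "created_at", "closed_at"))
```

On this sample the $10,000 threshold alone catches half the fraud with one false positive, lowering it to $5,000 raises recall without adding false positives, and lowering it further to $1,000 only adds review load. Adding the velocity signal catches every labeled fraud at the cost of one more false positive, which is exactly the kind of trade-off the sweep makes visible before a threshold change goes live.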

You're not alone

Finally, fraud patterns are constantly changing and shifts in the macro environment can cause behavior to change rapidly. Staying connected with other professionals in the industry can help you stay up to date with the latest news and technologies. Two helpful communities include:

LogicLoop is a flexible risk & fraud monitoring rules engine, case management system, and workflow automator. We've worked with many clients building up their risk & fraud program. We are happy to help out if you have any questions. Feel free to book a demo today.
