Tackling Fraud at Scale: Challenges and Solutions
At Unit21's Fraud Fighters San Francisco event, we met with Sridhar Kotamraju, Head of Fraud at Goldman Sachs, to discuss the challenges he's faced scaling fraud prevention programs and what strategies he's seen be the most effective. Watch the video or read the transcript below for details.
Goldman Sachs: Tackling Fraud at Scale
"Well, thank you, Sridhar, for taking your time to discuss the challenges, experiences that you've had at scaling fraud strategies at companies at Goldman Sachs, PNC, and many more.
So maybe, why don't you just start off with a quick introduction of yourself and what you're working on right now?"
"Great, hello, everybody. I'm Sridhar Kotamraju. I'm currently at Goldman Sachs, managing the transactional fraud product and strategy.
And I've been in similar roles in other companies like Wells Fargo, PNC, both in product and technology areas, and eBay, PayPal, trust and safety.
So, pretty similar roles in fraud for most part of my career, although I've transitioned from technology into product areas."
"Awesome, well, Sridhar, you've had experiences at some really mature companies, and some companies that are mature but you're starting things from scratch, as well as really young companies, what are some of the challenges that you see in scaling for fraud?"
"Yeah, I think that's a good question in sense, most of the banks, when they look at the different fraud patterns or vectors, I think the traditional methods of looking fraud at a particular channel don't work anymore.
And one of the biggest challenges is fraudsters, threat actors look for the weak spots.
What I mean by that is they look at control gaps. A channel might have a set of controls and so digital channels could have a set of capabilities. Fraudsters will just walk into a branch and show a fictitious ID, and these do happen, or call into a care center, and then second, two-factor authentication. So I think one of the biggest challenges for FIs is to look at the cross-channel activity, number one.
And then there are also too many, what I call is data silos, there are too many data sets, there are too many decision points, and the challenge to integrate different risk inputs is something that I think a lot of FIs still deal with. Those are the two things. And the last thing I would say is, fraudsters don't have to deal with regulations, banks do, and the time to respond is really, really critical.
And by the time you detect a fraud pattern, you try to put a rule, you have to go through a tedious implementation process and fraud shifts, and so quick time to market is still a challenge in the banking space."
"It's so interesting, whether you are a small company scaling to be, growing Fintech, or you're a larger company, data silos is something that somehow seems to be an invariance and constant in this space.
Curious as to when you're seeing fraud scale, how do you determine, what kind of proactive approach do you take when you don't know that, 'Okay, this is gonna be a new vector of fraud.' So, for example, the social engineering example that you gave?"
"Yeah, and this is one area where I think now when I look at traditionally how the FIs handled this is, it's reactive. So in typical fraud management, if you just simplify it, you have the preventative set of capabilities, and then you detect, and then if you can't do both, fraud does happen, and therefore there's more emphasis on resolution.
So the traditional mix has been, 'Let's make sure we focus on good customer experience' for people who have already experienced fraud. And so a lot of emphasis was on resolution because that was also regulatory heavy.
And over a period of time, that changed, which is more emphasis on front door security, more preventative things in the nature, and so forth.
The two things that come to my mind in that, one is looking at the customer activity and looking at how you understand the data profiling and things is still the biggest challenge. And the second thing, what I see is most of traditional fraud, if you look at 10 years ago how banks used to detect or the data attribute set that you get is not relevant anymore in the sense there's a lot of synthetic data that comes along with the interaction that you see with the customers.
And the question is, most of the money movement nowadays happens is shifting large money movements happens not in the traditional way, but in the API to API framework. And so your traditional risk models don't work anymore because they often lack a lot of attribute sets. So your scores will be not relevant anymore.
So I think these are two or three, some opportunity landscape that I see where fragmentation of data, and then two, the ability to look at the transaction patterns more and not just come up with a risk score, I think, that was a good discussion I was just hearing, that doesn't work anymore. So I think those are some of the areas I would say."
"Yeah, that's really interesting. And we were chatting before this panel that a lot of the types of fraud Sridhar sees is unique because the payments are initiated through an API call and not through a user going through an interface.
So much of the data you might be able to capture through regular systems is just not available. When there is no precedent and you are in some ways creating the standard for what should be done, how do you determine that, 'Okay, this is what I need to look for?'"
"Since the pandemic days, a new form of fraud has picked up in terms of momentum. And this traditional discussion where I experienced fraud, so I can pick up some data signals from that, and I'm going to uplift my model using some tweaking, and I'm going to deploy some rules, great.
But most of the time, it's reactive.
And in the last two years or three years, what we have noticed is there's a lot of first-party fraud emerging.
And what that means is, and that is in line with some synthetic IDs, there's also first-party fraud where people are deliberately involving in scams, what we call is collusion. And so the question really is, if we don't have information upfront about these activities, then how do we detect them?
And I think that it's still a challenge. There's a good argument depending on whom you speak to, where there's one school of thought that says, 'To get a better model score or detect fraud, I need to know at least a good sample set of data. Or else whatever I do will result in a lot of false positives.'
And there's a different school of thought that may disagree with that. And so a consortium-like approach, where proactive sharing of inputs between various entities is, I think, is probably one of the better things, because then even if you or your organization has not experienced fraud, you know that it'll come, maybe not relevant today, but at some point, we'll have to prepare for it.
So that's, I would suggest that that is something that we like to see more momentum where entities should come together and collaborate more and share fraud vectors more."
"Yeah, we see the problem a lot for fraud where I don't have data, and now you're expecting me to write a model, like I have no data to be able to train on.
With Unit21, we are launching a Fintech Fraud DAO, a Decentralized Autonomous Organization, to be able to enable our customers to share data with each other on fraudulent activity as well as general activity of non-fraudulent users as well.
So if you're interested, reach out to our team. Sridhar, I'm curious, so the consortium is a good way to kick things off. However, a consortium is, again, as good as the data is in the consortium. What other, when you are looking to start and define the strategy at scale for a new product, what are other techniques that you use?
What are the other types of trainings that you have to give to your team?"
"So often, if you look at the way fraud used to occur a couple of years ago versus how it's happening now, in the traditional way, we used to see fraud rings, like individual frauds happening at, not like a scale level, like a couple of users, and then they used to target new account takeovers and stuff like that.
And then recently what we have noticed is, a lot of banks have experienced this, where there's targeted attacks happening like fraud rings operate. And there's a lot of data, there's a lot of intel that one can get out of that.
And in other words, what I would call is let's not look at fraud in silos, let's look at fraud in conjunction with other aspects like cybersecurity. And there's also a physical security component involved because ATM frauds do involve physical security attacks as well.
Data mining and understanding your customers and their transaction pattern is much better because now you can look at preventing false positives more as opposed to trying to go and chase something that you haven't experienced would be critical.
If you know your customer's transaction patterns well and they can be done with a traditional rule set, it has to be done systemically at scale. And it's a challenge in large enterprises because you have data sets at different levels. You have customer data sitting on one side of the equation, transactions data sitting on one side of the equation, and login data sitting in somewhere else.
It's just very difficult to mine it. And there's data-sharing aspects too."
"Yeah, data silos are the recurring theme of the conversation. And it's fascinating because whenever people talk about fraud, they talk so much about machine learning, machine learning, machine learning, and of course, you have to apply and be able to find a way to leverage your data in an effective manner.
But the biggest component that we see is, if you unlock the data from your data silos, you'll actually see a much better reduction in fraud loss.
The final question I have for you, Sridhar, is what's some advice that you would give to the fraud professionals in the audience today? You've grown your career in a really amazing way, and what could they learn about how you approached your career and fraud?"
"I actually transitioned from tech companies into financials, and I should say I went in for a little of a culture shock at that point in terms of the pace at which we respond and react and so forth. But I think it's a good learning that I was able to take, which is the ability to embrace new technologies, try out something new, innovation, is something that is important to detect or fight fraud at this point.
Most of the time what I've seen is, when a tool works, we tend to assume that it's something that we have to continue to leverage. I don't think that's good enough, because along with technologies, fraudsters have come up with new techniques to go after. And that requires scale, and traditional tools don't work anymore.
There is a lot of talk about machine learning, but I haven't seen a lot of places where we do leverage it at scale in large institutions. So that is one opportunity still out there.
And then the second thing I would say is, often, we think that writing a good rule or good control is good enough, but customers are still the weakest link. There are a lot of regulations due to which policies are not really robust. So I would say, focus on embracing good technologies, certify your policy, and be consistent.
And then three, customer education is super critical, whether it is social media engineering or whatever they do, they do fall victim to that. And scams are on rise. If you look at FBI bulletins nowadays, FBI is actually, if you Google, you'll see FBI is actually naming the type of scam.
And just on another note, there is something called 'Pig Butchering' Scams. I don't know how many of you have heard that. Despite the weird names, these scams are on rise so customer education is key."
Audience Q&A with Sridhar Kotamraju and Trisha Kothari
Question 1: How do you think about your interview and recruitment process to find the best fraud fighters?
"There are different ways to look at it. Traditionally, if it's a financial institution like a large bank, the focus is more on the experience, leadership aspects, and awareness of the regulatory landscape.
And I think that's because there's a school of thought that basically thinks that these things are super critical, and then the actual detection could be handled in multiple ways.
But I also have been part of an ecosystem where it's very different, where hands-on experience is needed or hands-on expertise, doesn't matter whether you have one year experience or 10, doesn't matter, so let's go for it.
And I like that, frankly. And I think we still haven't seen that fully embraced, at least in my observations. And I think that is changing, with good solutions coming out of the market, because to understand machine learning or to understand the cloud, there's still a lot of apprehension on clouds in FIs.
I don't think it is fully understood by many FIs when it comes to leveraging fraud solutions through cloud services. So those are some of the things, I would say, are important and critical, and I haven't seen that fully embraced yet."
Question 2: What kind of questions should folks be asking in their interviews when hiring fraud fighters?
"I don't mind if somebody has experience with a tool or not, really, that's not something that's a critical thing at all.
I look for the ability to adapt and learn quickly, and it should be hands-on.
And maybe because I've started my career in technology and then moved to product, maybe I do that, but I've often found that coming up with good solutions requires quick reaction with a little bit of a good understanding of the data space well.
I think somebody who is able to play well with data is someone I would love to be part of the team, because if you can coach them about type of fraud, they'll pick it up very fast, right? So I would look at somebody hands-on.
And I'm not really a big fan of process, although I have to deal with that. When I look for interviews, hands-on is something that I would love to do. And I always make sure there's a little bit of a room that we provide to the team to innovate, and so somebody who can come up with something, it doesn't matter if it's a good or bad, but something different, I think that kind of an attitude is super critical in my view."
Question 3: Who's in charge of educating new fintechs on how to operate their fraud? Should they learn it themselves? Or should they rely on a bank, or vendor like Unit21?
"It's a great question, and what was most interesting about starting the company is how there are a lot of founders who maybe have some background in technology or marketing and do not know the first thing about AML, KYC fraud.
And the way that they often operate is that they start whatever service they're starting, and they have a fraud attack, or they almost, say, fall into lack of compliance and cannot operate anymore. And so, really where we stand or where we are in this broader picture is that we're, of course, providing the software to companies, but a big part of what we do is also providing the education of, 'This is what you need.'
Unit21 has resources like Alex Faivusovich, who can help work actively with customers to put a fraud strategy in place. But that's really the training wheels.
Ultimately, as a Fintech, you have to own and control the fraud program, because the fraud losses are ultimately on your book of business. It's not on your bank, it's not on Unit21. It is something you have to own.
And so we help our customers, also, in identifying whom they should hire, what type of people they should hire, and what type of strategy they should put in place. But it's a really interesting question because I think for traditional banks, no one would ever ask that question.
It's only for Fintech companies that people even think about that. And it's because anyone can start a company today."