Fraud Risk Management Systems: To Build, Buy or Rent?

by September 1, 2021

With financial institutions (FIs) in the APAC region preparing for a rising trend in financial fraud, fraud risk management systems continue to receive close attention.

As of 2020, FIs based in the APAC region were expected to spend millions on fraud prevention technology, a report last year said. Thailand (US$95.4 million), China (US$91.4 million) and Indonesia (US$88.9 million) reported the highest average estimates. The report noted that with an increasing number of FIs expanding into digital financial services, end-to-end fraud management has become a key differentiator.

Meanwhile, FIs that have invested in fraud protection programs saw attack response expenses lowered by 42%, and remediation expenses lowered by 17% over the last 12-18 months, Jayant Raman said at a webinar by identity verification, location intelligence and fraud prevention company GBG.

Raman, Partner and Head of Anti-Financial Crime, APAC, Oliver Wyman, was part of a panel of experts brought together by GBG at the webinar, to evaluate how FIs can go about implementing fraud risk management systems.

Moderated by GBG’s Managing Director for APAC, Dev Dhiman, panelists explored themes of digital trust, managed services, data agility and interfacing. They also discussed factors influencing the decision to build, buy or rent fraud risk management systems, against the backdrop of cyber and financial crime.

Technology has transformed the fraud risk management landscape

FIs are increasingly seeing tech as critical to their business, Research Director at Chartis Research, Sidhartha Dash, said during the webinar. Dash added that there was a growing confidence amongst these institutions to leverage open source libraries and general purpose machine learning (ML) infrastructure, with a lot more open source options now entering the market.

A March 2021 report found a correlation between technology budgets and risk management. FIs that had larger financial crime compliance spends on technology ended up spending a little over half compared to firms that allocated more funding for labour.

Raman noted in the webinar that digital trends such as open banking, and national-level infrastructure such as Singapore’s Singpass and PhilID in the Philippines, are further boosting the applications of technology in fraud risk management areas.

The case for managing fraud in-house

Patricia Sanz, Head of Financial Crime Investigations at HSBC Singapore, noted in the webinar that FIs often house complex, interconnected legacy systems. Deployment of fraud risk management systems, therefore, needed to consider “the right level of oversight,” based on which critical areas needed tighter control.

In this respect, building these systems in house could lend an advantage to FIs.

At the same time, panelists also highlighted a number of challenges that FIs may encounter as they work on building their own fraud risk management systems. These include integration with existing ecosystems within the enterprise, data control, information security and privacy, and interfacing APIs.

“There’s a temptation to do quick interfaces between your internal applications and not formalise that interface as rigorously as you should, which then has some downstream consequences,” Dash said.

Although there is no “perfect answer” to how companies have been able to build, Raman highlighted how neobanking institutions have approached this challenge by sourcing specific modules from vendors, and then building around them in-house. The crux of the decision is in delineating which parts to control in the internal ecosystem, and which ones to hand to partner vendors.

Sanz added that once built, maintaining systems and ensuring efficient knowledge transfer was essential to ensure that system integrations and interfaces continue to work.

Ultimately, “[Building internally] is one of those tasks where you could never get it entirely right, and hopefully not get it entirely wrong,” Dash noted.

Are managed services a constructive alternative?

Raman noted during the webinar that renting a fraud management service allows vendors to manage updates and address bugs more effectively, with a dedicated team. These managed services could result in lowered operating costs, and a quicker resolution of any system issues.

Meanwhile, they allow FIs, especially smaller ones, to tap into a broader set of data pooled by managed services vendors, Dash said. They also help to resolve cross-organisational interfacing issues, which can become progressively complex as FIs grow in size.

Moreover, renting services may be preferable for hyper-specialised areas, Sanz said during the webinar. A vendor may be able to offer access to more sophisticated technology, have a pool of expertise, and know market trends in depth.

At the same time, Raman noted that integration and control of data can be a challenge in buying or renting. Relying extensively on a partner means that an FI’s systems become vulnerable to any changes in their business model, or any data leaks they may face.

Echoing this, Dash noted that outsourcing of fraud management needs to be carefully planned, considering the complexity of the value chain involved in providing a managed service in this space.

Other considerations in fraud risk management

In the decision to build, buy or rent, the panelists highlighted several hygiene factors that come into play.

For instance, Raman said that FIs were extensively looking into machine learning and hybrid analytics to understand emerging fraud typologies, whereas Sanz has seen a kind of cross-pollination of knowledge between international teams at HSBC.

Further, Dash noted that FIs needed to formalise anonymised data sharing internally and externally through heuristic algorithms and machine learning models to overcome privacy challenges.

Panelists also brought up the role of digital trust in the fraud management landscape. “It’s all about the customer at the end of your business journey who’s relying on you to keep their information safe and to protect them as they transact with you,” Dhiman explained.

“It’s really important that businesses continue to be able to trade on that trust, and realise that losing trust is a huge issue for their ongoing credibility and their growth prospects,” Dhiman added.

Sanz noted that transparency in how data is collected, used, shared and managed, was essential to building digital trust.

Meanwhile, the ability of an FI to respond to an incident is the true test of digital trust, Sanz continued, adding that, “Digital trust can be lost very quickly, so we should be [able to] quickly recover as well.”

In this respect, technology can enable FIs to increase the information available to customers, and control when and how often they make it available, to boost transparency and communication in building digital trust.

To build, buy or rent?

The webinar culminated with the panelists laying out different considerations for FIs in deciding whether to build, buy or rent fraud risk management systems.

To go about making the decision, Sanz recommended that FIs understand their objective with fraud risk management — whether they are looking at specific trends or challenges, or for broader applications. They will also need to evaluate the resources that are available in terms of investment and costs, expertise, infrastructure, and ease of implementation.

Finally, Sanz highlighted that the approach to sustaining these systems over time also needed to be factored into the decision to build, buy or rent.

Raman pointed out that it was likely for FIs to rely on a hybrid system, where some parts of the system are built or bought, and some others are managed. In this respect, FIs that had the right datasets, devops structure and data agility to develop a model that can both prevent and detect fraud, could consider building, Raman said.

In the same vein, Dash noted that FIs needed to be cognisant of whether they had access to data locations and their core banking system. If this kind of access was not available, they were likely to struggle with critical capabilities in their fraud risk management systems.

Further, noting that “almost every organisation will have some kind of mix,” Dash added that FIs needed to map and manage their data infrastructure and interfaces. This will be key in helping FIs decide where to build or buy, and where to rely on a third party partner.

Ultimately, it all ties back to digital trust, Raman noted. Managing fraud risk effectively is about integrating privacy into the cultural fabric of an organisation to truly make it a business priority.

“Leadership fundamentally needs to support and promote a shift to privacy by design, employees at all levels should take an interest [in] privacy. Privacy and security teams have their full time mandates, but unless you get buy-in from the rest of the business, privacy will just become a process. It needs to really turn into a cultural transformation,” Raman said.
