David J. Hand, Imperial College London, is one of our Contributing Editors. He writes about the role statistics can play in detecting and combating fraud:
I do not need to remind the readers of the IMS Bulletin that the discipline of statistics is ubiquitous, being applied in all walks of life and helping to improve understanding, decision-making, and the human condition just about everywhere. It is encouraging that non-statisticians are also beginning to recognise this, with the sudden awareness of the power of data science and the recognition that the core discipline at the centre of data science is statistics.
One of the drivers behind this sudden growth in awareness has been the increasing quantification of our lives: the fact that data describing what we do and how and why we do it is accumulated in large quantities and often automatically. That, coupled with the recognition that understanding (not to mention value, often monetary) can be squeezed from this data has attracted considerable interest. Numbers of applications to college and university to study statistics and data science have rocketed.
One area which demonstrates the power of using advanced statistical tools to analyze large data sets is fraud detection. While fraud will always be with us, increasingly sophisticated methods for detecting it can make life tougher for fraudsters. The scope for application of statistical methods to detect fraud is unlimited.
Fraud detection systems need to satisfy certain criteria. Obviously, they need to detect a reasonable proportion of fraud cases (though hoping to detect all of them is unrealistic) while not raising questions about too many legitimate cases. Also, in many situations, they need to be fast: there’s little point in raising concerns about a credit card purchase long after it has been made and the fraudster has disappeared over the horizon. A credit card fraud detection system should, ideally, flag up a suspicious transaction while it is being made rather than three months later.
One criterion that many other statistical decision-making systems have to satisfy—often by law—is that an explanation for the decision must be available if requested. This can obviously be problematic for some advanced and complex tools, such as deep learning neural networks. But this is not really important in fraud detection: you don’t have to justify your concern that a transaction might be suspicious.
In general, the entire breadth of statistical tools might be applied in fraud detection operations. Statistical summaries and profiles of behaviour, anomaly and outlier detection, graphical methods, methods based on how real data behave, such as the Benford distribution, and network analysis have all been extensively used. Both supervised and unsupervised classes of methods are applied, the first based on contrasting properties of fraudulent behaviour with legitimate behaviour, and the second simply summarising and describing legitimate behaviour.
But there are challenges. Many domains are fundamentally nonstationary. People’s behaviour changes over the course of time, perhaps in response to changing life circumstances, changing economic conditions, or other reasons. More critically, the behaviour of fraudsters will change in response to the detection mechanisms put in place: the system is reactive. Using a signature and a print of an embossed credit card was replaced by magnetic stripes, which were replaced by chip-and-PINs, and in turn by contactless. But none of these entirely stopped fraud. As I sometimes put it, organised crime does not say, “Ah, you’ve got me. I’ll stop and find something legitimate to do instead.” What it does instead is try to find some other way around the system. The analogy of an arms race is sometimes made, and this is no exaggeration.
Another problem in many situations is that the classes are often dramatically unbalanced. If one in a 1000 credit card transactions is fraudulent, a system which correctly identifies 99% of the fraudulent transactions and 99% of the legitimate transactions will mean that 91% of the transactions the system flags as possibly fraudulent will in fact be legitimate. Putting a block on all those cards might not go down too well with customers.
And that, of course, leads on to a general feature of fraud detection systems in many domains. The statistical tool is just a part of the overall system. The customer and their expectations are also key parts. The statistical modelling and analysis has to be carried out within the wider context.
In general, in fraud detection a Pareto principle applies. While, as I commented above, we will not be able to prevent all fraud, we can in many situations detect 80% of it with relatively simple methods (my proportions here are purely illustrative). But then the same amount of further effort will be required to detect 80% of the remaining fraud. And the same amount of effort will be required for the next 80%, and so on. And at bottom we must remember that it is counter-productive to spend $1 billion to detect and prevent $1 worth of fraud. One reason that fraud will always be with us is that the amount of effort required to stop it eventually becomes more expensive than the fraud itself.
A further complication in many fraud situations arises from the fact that the definitions of what is fraud are not determined by nature, but by social and legal considerations. This means that what is fraud today might not be fraud tomorrow, or the other way round. Or worse: consider someone who (legitimately) spends a large amount on their credit card, but then (in horror at their own extravagance) declares the card as having been stolen and the transactions as having been made by a thief. Their declaration switches the transactions from legitimate to fraudulent, though nothing about them has changed.
Fraud detection presents some interesting challenges—and opportunities—for statisticians.