
How financial institutions can best manage third-party fraud models and compliance complications

Nick Manoles  Product Marketing Manager / Risk & Fraud / Thomson Reuters

· 5 minute read


In today's fast-paced digital world, the need for corporate compliance professionals to stay ahead of risk, fraud, and government regulations is more crucial than ever as they try to transform their companies’ risk management strategies and safeguard the future.

Banks, credit unions, and all types of financial institutions must constantly adapt to new styles of fraudster attacks and techniques. Now, fraud is evolving more quickly, quietly, and efficiently than ever before.

To combat this, financial institutions must leverage both internally and externally developed fraud models. Ideally, these models aim to identify, prevent, and deter risky behavior on their platforms with minimal friction for their valid customers.

Internally developed fraud remediation models are proprietary systems created within the financial institutions themselves. These models are tailored to the specific needs and risk profiles of the institution, allowing for a highly customized approach to detecting and preventing fraudulent activities. By leveraging internal data, historical fraud patterns, and insights from their own customer base, financial institutions can develop models that are finely tuned to their unique environment.

Such internally developed models provide the advantage of direct control and flexibility to make adjustments as new fraud patterns emerge. They also allow institutions to build on their existing technological infrastructure and integrate fraud detection more seamlessly into their operations. However, developing these models can be resource-intensive, requiring significant time, expertise, and ongoing maintenance to ensure these solutions remain effective against increasingly sophisticated fraud tactics.

Third-party models drive fraud recovery

On the other hand, external or third-party models are attractive to financial institutions for multiple reasons.

First, third-party models may offer financial institutions their fastest go-to-market option. If a financial institution has an urgent, time-sensitive exposure to fraud, for example, it may choose to quickly implement a third-party model instead of taking months or years to develop one internally. In doing so, the institution can save significant amounts of exposed funds.




Second, a third-party model may be more technologically sophisticated or nuanced, measuring risk variables that many financial institutions couldn’t otherwise measure. As fraudster techniques evolve, fraud modeling organizations may be better able to predict and react quickly to the latest fraudster developments. And for financial institutions that have competing priorities, effectively outsourcing fraud research, development, and management can offer a huge benefit.

Third, third-party models can leverage multiple clients’ data to benefit a single institution’s entire customer group. If one financial institution is hit with a fraud attack, for instance, the model could analyze the exposure, remediate it, and apply the remediation protections across the entirety of the model’s customer base. In doing so, other financial institutions may benefit from the third party’s broader industry vision. This group benefit aligns all the financial institutions involved towards the common goal of improving fraud loss prevention.

Although third-party models can be valuable tools to mitigate fraud exposure, they often bring additional regulatory and compliance scrutiny. Over the past five years, regulators in the United States have increased their intensity and scope when reviewing fraud model use. Primarily, regulators — such as the Office of the Comptroller of the Currency (OCC), the Federal Reserve, and the Federal Deposit Insurance Corporation (FDIC) — use model risk governance and model risk management programs or frameworks to ensure that financial institution models are applied appropriately, effectively, as expected, and without bias.

Regulators hold model owners — those who ultimately implement and use the models (most commonly the financial institutions) — responsible for complying with regulators’ requirements. Even if the model was developed by a third party, the financial institution is still most often liable for compliance in the on-boarding, validation, and regularly cadenced monitoring of the model. Unfortunately, many financial institutions struggle to satisfy these regulatory requirements for their third-party models precisely because they do not own them.

Confidentiality can cause compliance complexities

For a third-party model developer, their ultimate value to customers is found within the model itself: how fast it can be implemented, what it uniquely measures, how it acts, and how well it performs. These characteristics — a developer’s secret sauce, if you will — are proprietary to each model, and if their unique blend is published or known outside of the company, the model could be replicated. This, of course, would cause the developer to lose any competitive advantage and value to the marketplace. Thus, even after selling the model to financial institutions, third-party fraud model developers are incentivized to keep their valuable model characteristics private.

However, this private nature presents difficulties: regulators want to know about the model’s risk variables, weights, and who and what they generally identify, while developers, not surprisingly, want to protect against the dissemination of their data. This places the model users, often financial institutions, in a precarious position between the regulators and developers.




Financial institutions want the fraud protection that third-party models can provide, while regulators want to ensure the models in the market don’t adversely impact consumers. For all parties to align towards stopping fraud with minimal consumer impact, they may choose to meet in the middle. As model use proliferates, regulatory burdens may increase as well.

Thus, while financial institutions prepare for increasingly thorough documentation requirements from the OCC, FDIC, and other regulatory authorities, third-party fraud model developers would be prudent to similarly prepare and create sharable documents that present more information than historically given, while protecting the minute details. For their part, regulators might consider easing their requirement timelines, knowing that those parties they might question may not have immediately available answers.

In summary, a compliance headache can feel nearly as costly as fraud losses. These compliance difficulties and fraud losses can be remediated most quickly if developers, financial institutions, and regulators can align on reasonable documentation parameters and expectations to reduce the burden on all parties.


You can find more about the regulatory and compliance challenges faced by financial institutions here.
