
BA £183m GDPR fine demonstrates critical need for new approach to fighting fraud in financial services

The news that British Airways is facing a record fine of £183m from the Information Commissioner’s Office (ICO) clearly shows that current fraud detection and prevention methods are failing – and all companies that process consumer data need to sit up and take notice.

This fine is the biggest penalty ever handed out by the ICO and is the first to be made public under the General Data Protection Regulation (GDPR), which came into force last May.

The message from the ICO is clear – if you don’t treat your customers’ data with the utmost care, then the consequences will be severe.

Critically, it highlights that the current fraud detection methods must be completely reevaluated for all organizations that handle consumer data, and particularly financial services.

Why can’t we prevent fraud attacks from happening?

Combating fraud is an enormous task and comes with substantial costs and risks. Some of the challenges are as follows:

  • Current approaches to fraud analytics are limited to historical data, which is not rich enough to develop better controls.
  • The static nature of today’s controls means they often fail to detect the adaptive behavior of criminals.
  • It’s difficult to procure and get approval to use real transaction data due to privacy laws like GDPR – and this will undoubtedly become harder following this record fine.
  • Rules-based transaction monitoring systems result in a high number of (expensive) false positives.

Is there another way?

Organizations should consider a new method of tackling crime: agent-based simulation. Agent-based simulation has proven to be indispensable to tackling several real-world challenges, including fighting financial crime. But how?

Agent-based simulation allows the creation of synthetic data. This data contains no personal information and discloses no legal or private customer transactions, so it is completely compliant with privacy regulations like GDPR. It has the added benefit of being easier, faster and cheaper to acquire for experimentation.

This is particularly relevant in fraud analytics; for example, banks may want to produce a simulation that resembles a payment system based on real customer transactions.

By using this labeled data in a simulated environment, banks or other organizations that hold consumer data can carry out exploratory analysis of foreseen or upcoming fraud scenarios and evaluate current or newly developed fraud controls.

Benefits include:

  • Keep customer data private: Create synthetic data that contains no personal customer information and is completely compliant with privacy regulations.
  • Reduce false positives: Use labeled data to generate information about missed fraud (false negatives) and calculate the real reduction of financial fraud.
  • Introduce machine learning: Introduce learning agents into the simulation to uncover fraud that has not even been committed yet.
  • Self-evaluate your fraud system: Use simulation to add increasingly complex scenarios of fraudulent behavior and suspicious activity, then evaluate your controls.
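
As an added illustration (not code from this article or from Simudyne), the sketch below simulates customer and fraudster agents that emit labeled synthetic transactions, then scores a static threshold rule against them. Every class, amount, threshold and adaptation rate is a constructed assumption; because each transaction carries its ground-truth label, missed fraud (false negatives) can be counted directly.

```python
import random
from dataclasses import dataclass

@dataclass
class Tx:
    amount: float
    is_fraud: bool  # ground-truth label, available because the data is simulated

class Customer:
    """Legitimate agent with a constructed, per-agent spending profile."""
    def __init__(self, rng):
        self.rng, self.typical = rng, rng.uniform(20, 400)
    def step(self):
        return Tx(self.typical * self.rng.lognormvariate(0, 0.6), False)

class Fraudster:
    """Adaptive agent: shrinks its amounts each time the control flags it."""
    def __init__(self, rng):
        self.rng, self.target = rng, 2000.0
    def step(self):
        return Tx(self.target * self.rng.uniform(0.8, 1.0), True)
    def feedback(self, flagged):
        if flagged:
            self.target *= 0.7

def static_rule(tx, threshold=1000.0):
    """Static rules-based control: flag any amount above a fixed threshold."""
    return tx.amount > threshold

def simulate(control=static_rule, steps=50, customers=200, fraudsters=5, seed=7):
    rng = random.Random(seed)
    agents = [Customer(rng) for _ in range(customers)]
    agents += [Fraudster(rng) for _ in range(fraudsters)]
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _ in range(steps):
        for agent in agents:
            tx = agent.step()
            flagged = control(tx)
            if isinstance(agent, Fraudster):
                agent.feedback(flagged)
            if tx.is_fraud:
                counts["tp" if flagged else "fn"] += 1
            else:
                counts["fp" if flagged else "tn"] += 1
    return counts

if __name__ == "__main__":
    print(simulate())
```

With these constructed parameters the static rule catches each fraudster only twice before the agent settles below the threshold, so most fraud lands in the false-negative count while legitimate high spenders still generate false positives.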

You can also read research on GDPR by Simudyne’s Fraud Analytics Expert Dr. Edgar Lopez Rojas here.

Chloe Hibbert