AWS for Industries

Banking Fraud Detection with Machine Learning and Real-time Analytics on AWS

The banking industry faces a constant battle against financial fraud. With the rise of online transactions, mobile banking, and digital payment methods, the risk of fraudulent activities has grown exponentially. To combat this ever-evolving threat, banks are turning to modern technologies on the cloud, specifically using machine learning to augment the rule engine and to improve and fortify their fraud detection capabilities.

We will explore how banks are leveraging Amazon Web Services (AWS) Cloud and machine learning to modernize their account takeover and anti-money laundering fraud capabilities. We’ll highlight the benefits they offer in creating a safer financial environment for customers.

Before we get into the solution, let us take a quick look at the types of fraud this solution will help detect.

Account Takeover Fraud

Account takeover (ATO) fraud in banking refers to a type of cybercrime where fraudsters gain unauthorized access to a customer’s account using stolen login credentials or exploiting security vulnerabilities. Once inside the account, the fraudsters can manipulate funds, make unauthorized transactions, and access sensitive information.

ATO fraud is a severe threat to both banks and their customers, as it compromises financial security and can lead to significant financial losses.

Anti-Money Laundering Fraud

Anti-money laundering (AML) fraud in banking refers to criminal activities where individuals or entities attempt to disguise the illicit origins of funds through the financial system. Money launderers exploit banks to convert illegal proceeds into seemingly legitimate assets.

Banks are required to implement robust AML measures to detect and prevent such fraudulent activities. This includes thorough customer due diligence, ongoing transaction monitoring, and reporting suspicious activities to regulatory authorities.

AML fraud poses significant risks to the financial sector, as it enables criminals to fund terrorism, drug trafficking, and other illicit activities, necessitating constant vigilance and proactive measures by banks to combat it.

Fraud Detection and Management

In the banking industry a comprehensive fraud detection and management solution is essential to protect financial institutions, their customers, and the overall financial ecosystem from the increasing threat of fraud. Using a combination of advanced technologies like machine learning, real-time fraud analytics using business rules capabilities, and a proactive approach can help ensure the highest level of security and trust in the banking sector.

Following is a modular event-driven architecture approach to fraud detection and fraud management for a bank’s digital channels (Figure 1). It consists of multiple independent blocks enabling different capabilities to build end-to-end fraud detection and management requirements. This provides flexibility in the architecture and allows the bank to expand the fraud platform’s scope seamlessly for future needs.

Figure 1 Proposed Building Blocks for Fraud Detection and Management SolutionFigure 1 – Proposed Building Blocks for Fraud Detection and Management Solution

Fraud Events Injection: This block supports the real-time seamless ingestion of fraud event details to the fraud detection solution to store and evaluate fraud events. It includes event details, session details, user profile details, beneficiary details, watch-out list information and other required details.

Fraud Events Store: This block’s purpose is to securely and reliably store event details in data stores that enable high-performance read and write operations. It caters to the needs of fraud event processing and analytics by facilitating real-time data access.

Fraud Detection: Auto-Trained Machine Learning Model and Decision Engine: These blocks implement machine learning models and real-time analytics powered by the Decision Engine block to detect fraud more effectively. It provides pre-built machine learning (ML) model templates that automate processes selection and orchestration for producing an accurate ML model. It also enables you to implement bring-your-own-business-rules or author new rules functionality to support customer-specific fraud detection requirements.

Fraud Event Orchestration: This block orchestrates fraud events advanced processing using machine learning services and purpose-build analytic services—publishing fraud evaluation results to a fraud event bus.

Fraud Response: After fraud detection using machine learning and business rules, this block supports integration with various channels to take action.

Solution Overview

The following solution offers a scalable and secure platform powered by cloud-native, serverless services to help banks build their fraud detection platform on AWS.

Figure 2 Proposed AWS Services for Fraud Monitoring solution architectureFigure 2 – Proposed AWS Services for Fraud Monitoring solution architecture

As shown in Figure 2, The solution consists of AWS serverless services that map to the phases of fraud detection and management building blocks described in Figure 1.

Following are the AWS services used to build an end-to-end workflow of account takeover fraud detection and anti-money laundering requirements. The core AWS services used in this architecture are Amazon Fraud Detector and AWS WAF Fraud Control for account takeover detection, Amazon Timestream for rule-based fraud detection and Amazon Neptune for AML. The other services are used to build end-to-end fraud detection and management workflows.

Fraud Detection features with AWS services mapping

Events Injection:

API Integration:

Events Store:

Fraud Events Database:

Fraud Events Training Dataset store:

Fraud Detection:

Account Take Over Fraud Detection:

Anti-Money Laundering Fraud Detection

Fraud Detection Orchestration:

Fraud Event bus:

Fraud Event workflow:

Fraud Detection Response:

Case Management:

AWS Marketplace Products:

  • Salesforce, Jira, Zendesk and more

Email/SMS Notifications:

Fraud Analytics:

Fraud Dashboard:

Architectural Considerations

Platform architecture is based on serverless technologies and helps you move from an idea to market faster, adapt at scale, build better applications, and lower your costs.

  • Move from an idea to market faster: Eliminate operational overhead so your teams can release quickly, get feedback, and iterate to go to market faster.
  • Adapt at scale: Utilize technology which can auto-scale (up or down) to match demands, so you can adapt to customer needs faster than ever.
  • Build better applications: Serverless applications have built-in service integrations, so you can focus on building your application instead of configuring it.
  • Lower your costs: With a pay-as-you-go service rates billing model, resource utilization is automatically optimized and you never pay for over-provisioning. (See each service page for full pricing details.)

Amazon Fraud Detector—Detect Online Fraud Faster with Machine Learning

Amazon Fraud Detector uses machine learning and over 20 years of fraud detection expertise to automatically identify potentially fraudulent online activities. It provides machine learning model templates that automate the selection and orchestration of processes for producing an accurate ML model. In this proposed solution, we use Amazon Fraud Detector out-of-the box offered semi-supervised machine learning model Account Takeover Insights for account takeover fraud detection.

How to use an Account Takeover Insights (ATI) ML model type with Amazon Fraud Detector

The Account Takeover Insights (ATI) model type is specifically designed to detect accounts that have been compromised through stolen credentials, phishing, social engineering, or other forms of account takeover. The ATI model makes it easier for customers to improve account takeover detection by incorporating ML models without needing to collect fraud labels or perform advanced data engineering.

To get started, you can upload or stream raw unlabelled data from online logins. Behind the scenes, the ATI pipeline handles all of the necessary steps for validating and transforming data, building a model, and deploying it to production. The model is designed to learn from the behavioural patterns of the users and thereby distinguish familiar logins from the anomalous ones.

Amazon Fraud Detector is designed to automatically scale to handle up to 200 fraud predictions per second (or more upon request) and can return fraud evaluations with minimal latency. This can help you evaluate all of the production traffic synchronously and with less friction for your users.

Figure 3 Data and process flow between AWS services in the proposed architectureFigure 3 – Data and process flow between AWS services in the proposed architecture

How it works

A Bank can integrate the AWS Fraud Detection solution into its digital banking architecture using the ATO and AML FraudCheck API endpoint powered by Amazon API Gateway. During the user login or transaction phases, the Bank’s application will invoke the FraudCheck APIs with event attributes (like UserID, IpAddress, DeviceFingerprint, SessionID and more), for an ATO fraud check with additional transaction details for an AML fraud check.

Sample input to FraudCheck API: "{\"queryStringParameters\":{\"entity_id\":\"A3565850309\",\"credentials_valid\":\"true\",\"ip_address\":\"138.175.135.7\",\"device_fp\":\"FP-942db56fc75e749b\",\"session_id\": \"FP-9abfaed71e5b40e5\", \"country\": \"BAH\",\"isp\": \"zain\", \"beneficiary\": \"A0524056127\"}}"

The FraudCheck APIs will activate the fraud detection workflows configured in AWS Step Functions using AWS Lambda functions on the input event attributes. The ATO fraud check workflow consists of Amazon Fraud Detector using an Account Takeover Insights machine learning model with Amazon Timestream analytics to evaluate ATO fraud and store findings in the DynamoDB table against the eventID.

Sample Fraud rules to:

Customer logged in from two or more different countries in two hours and ISP is new. Two or more customers added the same new international beneficiary within two hours.

The AML fraud check workflow is built using Amazon Neptune and Amazon Timestream-based analytics to identify money laundering fraud patterns and reports in the DynamoDB. When fraud findings are flagged in a DyanamoDB table, using DynamoDB streams processing a Lambda function gets triggered. It reports the fraudulent activities to the fraud response layer services using EventBridge integration.

The Bank can enable its required post-fraud identified functions in the fraud response layer, (like fraud prevention) by blocking the transaction or post-login activities. Fraud notifications through various channels including email and short message service (SMS) using Amazon Pinpoint. The fraudulent event with additional details is stored in Amazon S3 for advanced analytics and dashboarding using preferred business intelligence tools like Amazon QuickSight or others.

The Bank can integrate case management solutions like Jira, SalesForce, ZenDesk or others with EventBridge/Lambda. The bank’s Fraud Management team can review the fraud tickets in the case management tool and take appropriate action. When a reported fraud is deemed legit, using Amazon AppFlow (or their native case management API), the data can be extracted and stored in Amazon S3 for later updating of the ML model using the retraining process.

Sample ML Model performance metrics:

Figure 4 The overall performance of Machine Learning Model with Anomaly Separation IndexFigure 4 – The overall performance of Machine Learning Model with Anomaly Separation Index

The solutions offer advanced near real-time fraud analytics and customized dashboards (using Amazon QuickSight for risk management and risk analysts) team members can understand current fraud trends in their Digital Banking and help investigate the fraudulent event attributes.

Using Amazon QuickSight, risk analysts and business users can create interactive dashboards, perform ad-hoc analysis, and quickly get fraudulent events insights from their data anytime, on any device. The following Amazon QuickSight dashboard displays the aggregated view of fraudulent compared to legitimate events (retrieved from Amazon OpenSearch Service used for fraud analytics). It also shows the pending fraud cases (retrieved from the case management tool) over the last five days from the sample data.

Sample dashboard:

Figure 5 Sample Fraud Cases DashboardFigure 5 – Sample Fraud Cases Dashboard

Conclusion

Fraud detection and prevention are pivotal in ensuring a secure banking ecosystem and maintaining customer trust. In this blog, we provided a solution to detect account takeover frauds and anti-money laundering frauds using AWS machine learning and analytics services. Alerts to your fraud management team could be made through various channel like email, SMS or ticketing and provide fraud analytic dashboards and reports.

The advent of the cloud and the growth in machine learning capabilities in the last decade is revolutionizing the way banks protect their customers, creating a safer and more secure financial landscape for everyone involved. This is just one of many examples of how the banking industry can use AWS services for fraud detection.

The possibilities are endless, and we encourage you to experiment with this technology and explore its potential to enhance the creative process.

Contact an AWS Representative to know how we can help accelerate your business.

Further Reading

Aneesh Mohan

Aneesh Mohan

Aneesh Mohan is a Senior Solutions Architect at Amazon Web Services (AWS) with two decades of experience in solutions architecture and developing value-generating solutions involving business and critical workloads. In this role, he helps customers to innovate and achieve their mission objectives with well-architected solutions on AWS.