Book a Diagnostic Call

Financial Services

Drowning in false positives: a smarter way to fight fraud.

Rule-based fraud systems catch fraud the way a net catches fish: along with everything else in the water. Machine learning, layered correctly, lets your analysts investigate instead of sift.

Gilbert Igwe  |  May 13, 2024

Ask a fraud team about their day and you will hear the same story across banks, insurers, and payment operations: the rules fire thousands of times, analysts clear alert after alert that turns out to be a customer on holiday or a merchant with a new terminal, and the genuinely suspicious cases wait in the same queue as the noise. The unit of work is the alert. It should be the investigation.

Why rules alone hit a ceiling

Rules are necessary. Regulators expect them, they encode hard policy, and they are transparent. But rules see one transaction at a time against fixed thresholds. They cannot weigh thirty weak signals that together scream fraud, and they cannot learn that a pattern which looked risky in 2022 is now normal behavior. So institutions tighten thresholds after each incident, the queue grows, and analyst attention, the scarcest resource in the fraud function, is spent on sifting.

The layered approach

  • Keep the rules as the floor. Hard policy and regulatory requirements stay rule-based and auditable.
  • Add a learned score on top. A supervised model trained on your own confirmed-fraud history weighs the full context: customer behavior over time, device, location, merchant, velocity. Its job is prioritization: every alert arrives with a probability, and the queue is sorted by it.
  • Route by score. High-score alerts go to senior analysts immediately. Low-score alerts from noisy rules can be batch-reviewed or auto-closed with sampling. The same headcount now covers the risk that matters.
  • Feed decisions back. Every analyst disposition, fraud or not fraud, becomes training data. The model improves with use, which is precisely what a static rule set cannot do.
  • Document for the examiner. Model purpose, features, training data, performance, and override paths written for compliance review. In regulated environments, an undocumented model is an unusable model.

What changes

The measurable effect is a smaller, sharper queue: institutions that layer scoring over rules typically cut the false positives routed to analysts by a third or more while holding or improving their catch rate. The cultural effect is bigger. Analysts stop being a clearing house and become investigators. Fraud leadership stops reporting alert volumes and starts reporting losses prevented, which is the number the board wanted all along.

The funnel, in numbers

A typical mid-sized operation generates 4,000 fraud alerts a week. A team of eight analysts, each properly working 30 to 40 alerts a day, can investigate about 1,400 of them. If two percent of alerts are genuine fraud, there are 80 real cases in the week's queue, and the team's odds of having them in the investigated 1,400 depend on queue order, which under rules alone is close to arbitrary. Sort that same queue by a learned score and the real cases concentrate at the top. Nothing else changed: same alerts, same analysts, same week. Prioritization is the whole game, and it is measurable within a single quarter.

What the examiner will ask

Model risk management is part of the build, not an afterthought, and the questions are predictable. What data trained the model, and does it embed prohibited variables or proxies for them? How is performance monitored, and what triggers retraining? Can an analyst override the score, and is the override logged? Who approved the model, and where is the documentation? Institutions that prepare a model document with purpose, features, training data lineage, validation results, monitoring thresholds, and governance sign-off walk through supervisory review. Institutions that treat the model as a black box from a vendor get findings. The documentation effort is measured in days; the finding costs a year of credibility.

Two pitfalls in the feedback loop

  • Label delay. Fraud confirms slowly: chargebacks and investigations take weeks. Train on mature labels, not last week's, or the model learns that unresolved means innocent.
  • Feedback bias. Analysts only disposition what they investigate, which is what the model scored highly. Keep a small random sample of low-score alerts in the review stream, or the model never learns about the fraud it currently misses.

Starting with thin data

Institutions earlier in their data journey often assume this approach is out of reach because their confirmed-fraud history is small or poorly labeled. The staged path still works. Begin with unsupervised anomaly detection, which needs no labels: it surfaces transactions unusual for the customer, the merchant, or the corridor, and routes them for review. Every review creates a label. Within two or three quarters, the labeled history is deep enough to train a first supervised model, which then improves with each cycle. In parallel, tighten the labeling discipline itself: a disposition taxonomy richer than fraud-or-not, fraud type, loss amount, detection source, pays for itself the first time someone asks which fraud patterns are growing. The institutions that never start are usually waiting for clean data that only starting will create.

The practical first step

You already have the training data: months of alerts with analyst dispositions. Start by measuring your current funnel: alerts per week, the share confirmed as fraud, and the hours spent on the rest. That baseline makes the case, and the same data trains the first model.

Facing this problem? This is the work TechEccentric does: analytics, AI and machine learning, and cybersecurity for organizations where the operating systems behind decisions have to hold up.

Book a Diagnostic Call