Rules are great — but when it comes to fraud, it's about how you change them.

In order to curtail theft, banks not only analyze transactions and other types of data in order to find patterns, they also stop customers from moving money in certain instances.

The point at which a bank decides which rules are good, and which are, well, ridiculous differs from company to company.

"It's really about what's commercially reasonable," says Jason Malo, a research director in the bank cards and retail banking practice at CEB TowerGroup. "It comes down to the cost of implementing that solution. So, if you have a large 24-by-7 staff, you can deal with 1,000 or more alerts a week. If you have two people, you can deal with 100 alerts a week."

Banks use rules to trigger alerts sent by text message or an email, or potentially decline a credit card, when a transaction fits a fraud signature.

Malo moderated a panel of bank tech vendors at CEB TowerGroup's annual conference in Boston.

He says rules can of course shift with the size of a bank's staff and continuing struggles for resources.

For instance, fraud rules should vary by customer and bank. "So you have the analytics and some banks overlay some rules on top of that," says Dennis Maicon, a vice president of enterprise fraud solutions at FIS.

"In a past life, I had a customer that put rules on top of their analytics that were seasonal - if it was tax season, for two or three months they had a specific rule looking for certain behaviors and then after the tax season was over" they got rid of that rule.

At the end of the day, he says, it's about what a bank can handle from a process perspective.

"And how do they want to impact the customer experience," Maicon says. "We are talking about two ends of the spectrum. On the one hand, you have the business guys who want to do everything for that customer, and you have the security guys that don't want any transactions to happen — so you have to find the right checks and balances. You are defining those needles in the haystack without [negatively] impacting a large group of customers."

Applying the rules effectively depends on reliable data.

Often, the data is the toughest part to deal with, says Joram Borenstein, a senior director of product marketing at NICE Actimize.

"When it comes to this big data issue in larger financial institutions, the credit risk people and the mortgage risk people don't always know one another ," he says. "And often times [vendors] are the ones connecting the dots."

That means banks must rely on tech vendors that give fraud risk specialists visualization and query tools to drill down on problems when they occurs, says Dena Hamilton, an executive manager at Detica NetReveal.

She adds that this is true even if you have multiple vendors using multiple detection engines in order to find what's fraud and what's just a customer trying to move cash.

Sean Sposito is at the CEB TowerGroup conference this week. Follow him on Twitter @SeanSposito, or the conference in general with the hashtag #CEBTG13