Transcription:
Kate Fitzgerald: (
Okay, we're gonna get started on our last session of the day. I have with me here, two expert members of American Express's fraud team. We have Nikhil Gupta, vice president of compromise and point of sale fraud strategy, which is quite a long title and at American express and Paul Fertig joining us from the just VP fraud, which covers a lot of ground. The topic is machine learning and how to leverage machine learning to further uncover fraud. So, I just wanna talk generally. Nikhil, do you wanna talk about how long you've been in American express and what exactly are the parameters of your job?
Nikhil Gupta: (
Yep. So I've been with the American express rest management function for more than 12 years now. Been with fraud unit for more than three years. My current function is detecting any sort of card compromise. So it could be probabilistic or deterministic, and then we try to remedy it. So it is about any sort of card compromise that we know about the customer, so we can prevent any future fraud. Secondly, I look at transaction fraud risk assessment, which translates to point of sale. So any transaction we have on global American express proprietary cards, we have our machine learning algorithms, data features, strategies to be able to determine what is likely fraud, and then go with it. So we work very closely with our servicing teams while initiating any conversation with customers trying to authenticate them.
Kate Fitzgerald: (
Do you head up this area of machine learning for American express?
Nikhil Gupta: (
Yeah. So my team looks at the core strategy part, which kind of sits in between you can say machine learning and servicing, but we do have our core modeling or machine learning teams.
Kate Fitzgerald: (
Fascinating. We'll get into a little more detail about how that's evolving. Paul, VP fraud. What exactly does that cover? How long have you been at Amex?
Paul Fertig: (
Yes, I've been with Amex eight years and I'm actually responsible for authentication capabilities, anything that deals with authentication of customers, whether they're logging into our website or transacting. For example, in a 3D secure scenario or something like that, as well as the onboarding of new products from a fraud perspective. So you can think about different form factors that we onboard Apple pay or Samsung pay tokenization. Some of those evolutions as new products kind of come into the payments ecosystem.
Kate Fitzgerald: (
So you're not directly involved in machine learning, but it's in the background of all those products that right ?
Paul Fertig: (
Yes. When, yeah, I mean, as we think about how we risk assess new products from a strategy perspective, we're always incorporating from the modeling thought process as well, in terms of how would the models be impacted or how would they interact with these new form factors?
Kate Fitzgerald: (
So, I've been writing about payments for a long time, and I don't remember exactly when I first heard about machine learning, but it started to enter into the conversation. And now it's almost in every sentence, but I think that doesn't tell us what is happening there as machine learning itself evolving.
Nikhil Gupta: (
Yeah. So what I would say, the algorithms that lead to machine learning, those algorithms have been there for a long time, right? But there have been great advancements in computational part that enables us to use those machine learning algorithms at scale. That started to happen for us more than 80 years back is when we started to see how to make use of these algorithms in the best manner possible. And fraud turns out to be one of the best use cases to be able to use and also derive significant improvement. So our journey started quite a while back and yes machine learning, artificial intelligence, these terms are used quite a lot interchangeably. What I would say is artificial intelligence, we can look at it like an umbrella term. But machine learning for us, if I talk primarily about fraud classification, it's like a classification problem.
Nikhil Gupta: (
So we give enough examples or events to the algorithm. Say millions of transactions or events or any interactions that happened in customer life cycle. And then we can let the algorithm learn what is fraud versus not. So as model learns from this data, then model becomes, or the machine learning algorithm becomes better and better to predict fraud which comes real time. So, it's more of evolution I would say that the computational part that has excluded in recent years. Also, the algorithms have become really intelligent to capture new trends. So if we are seeing a new fraud trend and fraud trends are very volatile, like newer will keep emerging. So your models need to be nimble enough to retrain very quickly. So that has also been enabled with the newer algorithms and computation we have today. So that is what I would say has been game changer. If we only talk about the concept of algorithm or machine learning algorithms, they have been there for a while. So it's not something that happened only in last few years.
Kate Fitzgerald: (
No, it's not new, but it's how you deploy it. So, I think I was speaking to your counterpart at VISA several weeks back. And I asked her what happened during the pandemic in a short period of time, the volume of fraud changed. How did that manifest itself and how was machine learning deployed?
Nikhil Gupta: (
Yeah. In terms of pandemic, we did have to retrain our models because the fraud trends do change. For example, there aren't enough avenues for fraudsters to monetize at card present locations. So a lot of fraud, as well as spending shifts online.
Kate Fitzgerald: (
Did that happen very suddenly?
Nikhil Gupta: (
Yeah. I would say a March 2020 onwards, it was shift.
Paul Fertig: (
Just as real people shifted completely online sort of the process.
Kate Fitzgerald: (
Well, do you wanna talk a little bit about Paul. Maybe not so much the machine learning technical side of it, but what did you see from your perspective one day, It's business as usual, then the headlines begin to accelerate about COVID. How did that change? What did you see in terms of the fraud volume and how did your department respond?
Paul Fertig: (
Just in terms of, I think this was probably not just anybody, travel, which is very big at American express went literally negative. We had negative growth, more than a hundred percent because everybody stopped traveling and we had refunds on top of that. So the volumes completely shifted out of travel card present completely, drastically reduced. And so overall spend was really much more focused on card not present and fraud just filed those same trends.
Kate Fitzgerald: (
And did you see new types of fraud because of that?
Paul Fertig: (
Not, not in the card space? Not that I'm aware of. No, but it was just just more of a focus on the card.
Kate Fitzgerald: (
Because you mentioned, I mean, how quickly did that happen? Was it sort of an overnight switch? Did it have to change? Did you have to alter the way you were managing fraud, given the shifting mix of transactions?
Nikhil Gupta: (
I would say we didn't have to change our strategies overnight. What we did need to do is like, there's a lot of spend happening over online now, so we need to be conscious of where the real customers are and try to not have disruptions there. So try to be more intelligent in online space, differentiating fraud versus not because everything is happening online. So that is where we needed to tinker a bit, but we didn't have to change our algorithms or machine learning practices overnight.
Kate Fitzgerald: (
Because you rely on those machine learning algorithms to figure out what's going on and respond to it and tell you.
Nikhil Gupta: (
Yeah. Yeah.
Kate Fitzgerald: (
Okay. And then, given the fact that we understand that, not only were the shoppers and the travelers staying home, so were the fraudsters and the fraudsters had more time and they were thinking up new strategies. Did you see that reflected in anywhere?
Nikhil Gupta: (
I would say for a brief period of time, we did see a lot of card testing happening. So that was in 2020. So card testing, we refer to something as one card number after another, it could be algorithmic. Some of those card numbers may not even exist. So that sort of testing activity, which we predominantly decline, looking at validity of the card, the information that is being entered, we did see some uptake in fraudsters trying to test out the cards.
Kate Fitzgerald: (
Now this may not be something you can answer, but what do you guess, are fraudsters using machine learning?
Nikhil Gupta: (
So, this is like a double edged sword, right? So technology is not only for the financial institutions, even fraudsters are using a lot of these tools. And I think Paul and I were talking about sometime, earlier these days you have one time passcode bots that fraudsters could deploy and they are kind of using artificial intelligence. They're trying to get information for one time passcode from consumers in an automated fashion.
Kate Fitzgerald: (
One of the things that I have always wondered is, every year I hear about new fraud solutions and improved machine learning and improved AI. And we're told about vendors come to us, we're wowed by the solutions and yet fraud doesn't go away. And then we say, ah, fraud keeps evolving. But if the fraudsters are also using these machine learning and AI tools, tell me where you think you're going in terms of, will you eventually find ways to outsmart these people or are we gonna continue to see the same dynamic?
Nikhil Gupta: (
Yeah. So, if we look at past few years, at least what we see on our side, our fraud rates have been going down. So we have one of the best industry fraud rates, and they have been trending downwards as technology has been evolving. So we talked about even fraudsters are making use of AI using these newer tools, acting in automated fashion, so that all is there, but at the same time fraud rate being defined as of the total percentage do we see, where Fraud happened, that percentage has been coming down over the years.
Kate Fitzgerald: (
Okay. So, my impression is, we actually are getting somewhere seeing progress. At least at Amex.
Nikhil Gupta: (
I think it's true for all financial institutions over years. The fraud rates have trended downwards though there are maybe more fraud in the system, but at the same time they are able to decline as well or protect customers.
Paul Fertig: (
It's not just that frauders are using machine learning, which they are, but it's also bots and it's not necessarily, it's also an efficiency game, right. By using machine learning and bots, the volume of fraud that can be attempted is, is growing. And it's making the fraud's operations more efficient and increasing their throughput base.
Kate Fitzgerald: (
Now bots bots have been of interest to us recently. A company called PayPal had to restate some of its accounts because they had discovered they had 4.5 million bots had somehow emerged in their user base in responding to a promotion. And I think everybody heard something about bots the other day with the Twitter potential news. So, why are we hearing about bots all of a sudden, is that a new threat? And does machine learning have either, is it a cause or an effective machine learning?
Nikhil Gupta: (
I think it is the tools that are available in the market for fraudster to use. So instead of manually setting up accounts, they try to set it up automatically and then try to commit fraud or monetize. So that is where the bots discussion comes up in every space related to fraud. But as to Paul's point, there are more bot attempts, or there are more fraud attempts, but we are still able to address a larger portion of them compared to what we used to do earlier. So our incidences of fraud that ultimately go through, they have been coming down.
Kate Fitzgerald: (
Is machine learning deployed by these fraudsters to develop bots?
Nikhil Gupta: (
I won't call it machine learning because, as we talked about, that's more like a classifier as we talked about.
Paul Fertig: (
It's like an automation tool. Again, back to the efficiency point. And it's not just fraudsters, there are many, many different, there are good customer use cases where people are trying to gain it may not, it may not be pure fraud as we think about it, but they may be trying to gain the system. Like the Twitter example where they're trying to get lots of accounts or lots of accounts to make purchases that make them look like they are many different people, not just one single person trying to make a purchase.
Kate Fitzgerald: (
And is that something that we're getting? I feel like bot threat seems to be on rise. Am I wrong?
Nikhil Gupta: (
Not lately. I would say we did see it rise in 2020, as you said.
Kate Fitzgerald: (
Okay. So bots were maybe a phenomenon of the pandemic.
Nikhil Gupta: (
Yeah.
Kate Fitzgerald: (
So if machine learning, since that's the topic here, where do you see, is machine learning the future, or is machine learning something that's gonna sort of, are we gonna outgrow machine learning and enter into some new level of I don't know what the next dimension might be? What do you think is the shelf life of machine learning or will machine learning continue to be with us and evolve? And tell me a little bit more about the science of that.
Nikhil Gupta: (
So machine learning is absolutely the future. It's already the present, I would say, and it will continue to be there in the future. The way we understand machine learning is, it is just intelligent use of data at scale.
Kate Fitzgerald: (
Okay. So it's just a general term.
Nikhil Gupta: (
Yeah. So in next few years you will see models getting bigger and bigger. They are able to consume more features. They are able to consume more data, more examples. So you can train your models with as much data as you throw at them. So it's still machine learning, but computational power will enable us to retrain the models faster with more data. So the models will continue to improve, but it's still the classify, which is machine learning.
Kate Fitzgerald: (
Without getting too deep in the weeds or over my head. What is enabling those capabilities that you're talking about, that we're gonna see in the next few years, what exactly is happening that's enhancing it.
Nikhil Gupta: (
One is being able to consume more and more data. For example, when I see a model, it is more like you throw million examples onto it. And then the model learns from these examples. If it takes a day for the model to learn today, tomorrow it might take an hour. And instead of million, you can throw a billion examples. So the scale of data that you can throw at the model keeps increasing.
Kate Fitzgerald: (
Wow. What exactly is enabling that? Is it some kind of capacity in the cloud? Is it some kind of chip?
Nikhil Gupta: (
Yeah. Mix of all these, I would say efficiencies and also like the cloud computing.
Kate Fitzgerald: (
Is human ingenuity a part of that.
Nikhil Gupta: (
Yeah. The algorithms, if I talk about say security boosting algorithms, there have been some advancements onto those algorithms making them more nimble from efficiency perspective. Okay. So it's not as much of a performance gain, but it's an efficiency gain, which is built by humans.
Paul Fertig: (
Back to your previous question that is, I mean, there's also an evolution. The technology, when you think about we've gone from models that have to be trained where we have to kind of manually go through these processes to self learning models, which I think is Nikhil is trying to talk about, where you can just kind let the model go and it will learn over time instead of every six months kind of creating a new model, retraining the model. So that kind of rapidity of learning is also evolving.
Kate Fitzgerald: (
I'm sure that's been an evolution, but when did we start to see that self learning momentum begin to really accelerate?
Nikhil Gupta: (
For us, it has been last three years I would say.
Kate Fitzgerald: (
And is that very exciting?
Nikhil Gupta: (
Like if we are able to train models, say in a week today, tomorrow, it can be in a day. So it's the piece and scale just keeps increasing.
Kate Fitzgerald: (
Does it mean that smaller organizations can do more on their own that you don't need to be as big an organization or have all these tools? Is it becoming more accessible? I guess that at American express, you have proprietary methods. So tell me a little bit more about what you're learning and how that's being evolved.
Nikhil Gupta: (
I would say most of this is open source, so there are not as much barriers to entry today. So the same algorithms are available for everybody to use. But what also as a differentiator as the legacy that you have built with your data systems, what kind of features that are going into your model? So models are as good as the data that they consume. Right. So if your features, they react very rapidly, say something happens at a particular merchant in terms of fraud event, your features are able to pick it up instantly versus a weekly. That makes all the difference.
Kate Fitzgerald: (
But then again, if it's so accessible, the fraudsters have access to the same open source tools.
Nikhil Gupta: (
Yeah. Fraudsters are going more in automation space, as all said. So it's not about models or machine learning for them. It's more about about replication.
Kate Fitzgerald: (
Yeah. You hope.
Paul Fertig: (
Yeah. I mean, but if you think about it from our perspective, we're looking at this vast network of data, right. And in AMEX's case, it's the closed loop. We've got inquiry side, we've got issuing side, we've got the networks, we have all this data, but even for a smaller issue, they still have visibility to a wide kind of set of data elements. A fraud start coming at us is impersonating one merchant or one set of cards. And so of course they can do things with machine learning, to kind of tailor things and maybe try and trick the system. But it's just more narrow. So I feel like there's less scope there for them to leverage machine learning than on the issuer side.
Kate Fitzgerald: (
Now, what is the most exciting thing that you see on the horizon? I mean, you mentioned getting to do more things faster, but is there any sort of new innovations that are on the very leading edge of this and who's developing that stuff. What field of science is it coming from?
Nikhil Gupta: (
Yeah, a couple of things that I'll mention is one, trying to explain the output of these machine learning models. So we are kind of already there, but just trying to be very nimble in understanding why something is likely flawed, because there are hundreds and thousands of features going into a model. Now, something is risky that is why you might be declining a transaction because your model reacts.
Kate Fitzgerald: (
Are you saying sometimes there it signals risk and you don't know why.
Nikhil Gupta: (
Yeah. It's just, how to explain the model output as I would say in layman terms. So I think that is going to expand in coming months and years.
Kate Fitzgerald: (
So the machines are getting better at explaining themselves?
Nikhil Gupta: (
It's again, Yeah. Our development there, like we training our algorithms to be able to extract that output in a meaningful way.
Kate Fitzgerald: (
Interesting. Very Cool.
Nikhil Gupta: (
Another thing I would say is which Paul can also expand on more is the new form factors that are emerging. We had another session before, right? We talked about authentication, new ways to authenticate tokenization. So all those inputs are also going to go into machine learning, but just stronger ways to authenticate, they are going to be a game changer as well.
Kate Fitzgerald: (
So basically enriching the resources you have, not just data. You wanna expand on that at all?
Paul Fertig: (
I Mean, the tools that we're using as fraud fighters, the final session was really interesting. Tokenization all these different things that are not machine learning focused, but are just tools that are gonna be part of the part of the toolkit, but I also think when you think about machine learning, we always tend to think about authorizations, but you can have models for authentication. You can have models for new accounts and you can have those models start to share data amongst themselves so that you have this kind of global view across the entire ecosystem, which I think there's a lot of power in that as well.
Kate Fitzgerald: (
Well, speaking of which I feel like in recent years, I heard people talking about how the various fraud solutions were working together. You talk about AMEX's own data and your own fraud controls. But to what extent could you collaborate with other organizations, payment companies and are you already doing that in real time around the world to maybe exponentially increase all of this data and what it could tell you?
Paul Fertig: (
And there are a number of consortiums out there that kind of facilitate the sharing of data. And there's some vendors out there like email age that have kind of global visibility to data sets that we do participate in and others do as well.
Kate Fitzgerald: (
Any thoughts on whether there's a potential universal solution, if everybody were sharing the same information or what are the limitations or the drawbacks of that?
Nikhil Gupta: (
I think so, every party in the ecosystem will have its own fraud solutions. So nobody wants to have fraud, but everybody's individual fraud solution is not going to be as good as when people collaborate. So there are multiple parties here at issuers, network, merchants. There are fraud data vendors. When you combine all data, you look at the complete picture. So more collaboration is definitely going to help, but there isn't I would say one thing that solves for all that, because it can't be something generic, which everybody can place. I think it's all about collaboration. For example, as American express, we can collaborate more with merchants, data vendors, and then bring everything together in our machine learning.
Kate Fitzgerald: (
So maybe there's a benefit in specializing in what you do know, and if that's better than trying to promise something or expect outcomes that you don't have direct control over there. I don't know whether there's a fine line between competition and proprietary tools, but you wanna talk a little bit about where a lot of this is the thinking is coming from, who are the geniuses in machine learning? What geographies do you admire for what they've come up with?
Nikhil Gupta: (
I won't say it's limited to any particular geography. I think it's kind of similar solutions that we see being deployed by everybody, but ultimately the data that enters these solutions, that is what makes all the difference. So that data can be richer if there is more collaboration as we talked about, and there are going to be solutions like FIDO that was talked about. That could be one of the universal solutions that helps everybody.
Kate Fitzgerald: (
Okay. We've heard about FIDO for years too. Why is it taking so long for some of these things to come together? Is there, I know there's probably not an easy answer to that.
Paul Fertig: (
Yeah, I don't know that there is, I think it's like so many things in the payment industry, it takes a lot of time to bring all of the various players together and I think one of the speakers in the last conference was just saying, this is gonna be the year. And we've said that before, and we've said that before, but the momentum is there. But there's just so many different parties. If you think about five there's, Google, there's Apple there's ecosystems there's different operating systems. There's different players. And just to make that all come together is pretty massive effort with huge benefits. It's really exciting what's happening.
Kate Fitzgerald: (
But it's gonna require realistic timeframes and development. Like a lot of things, it always takes longer than we think to put it on a whiteboard is one thing, but to actually execute. But, so if we were to speculate now, well, let me ask you this. Do you think that the pandemic accelerate or change in any way where we stand today in terms of our capabilities?
Nikhil Gupta: (
Not in terms of capabilities, but we do see some fraud trends that have shifted. So during pandemic you have Card not present fraud or online fraud that picks up. In 2022 we are again seeing a shift towards card present fraud.
Kate Fitzgerald: (
Back toward brick and mortar.
Nikhil Gupta: (
Yeah. So it's kind of back, right. As economy opens up, there are many cases where customers would've lost their card and it sees frauded card present locations. That is one, another trend that has been on uptake for every bank is wishing fraud. So you have 3DS transactions, one time passcode is what is required to authenticate transaction and fraudsters need to intersect that one time passcode. A lot of it happens through wishing which is a trend on uptake as we have heard from other financial institutions as well. Another trend that I'll talk about fraud, which is coming up more this year is username, password compromise. So if you have your accounted X, Y, Z business, and that user and password is compromised and your credit card is linked there. If fraudster compromises that user account, they can do transactions.
Kate Fitzgerald: (
And can't machine learning spot that, or you had something you had to train it to do.
Nikhil Gupta: (
So we need to do more there. I would say these are the new challenges we are seeing. So, I would say on traditional fraud, we are able to do better than these ones. But as I said, these are the ones we are focusing on.
Kate Fitzgerald: (
User name compromise is one of the new areas. Merchant username okay. And so does anybody have any questions. Here we are. Go ahead. That's you.
Audience 1: (
Can you talk the scale of the types of threat and volume, and also you talked about on the solution side, how technology's getting better and models are getting better. Can you share some insights on where you're not seeing the technology keep up?
Nikhil Gupta: (
Yeah. The trends that I talk just about for say, if as a customer, somebody has great spending history at XYZ merchant, and now that user and password is compromised for the merchant, it is difficult for algorithm to pick it up as fraudulent. So it could be fraudster transacting through that account now, but earlier it was the real consumer. So that is something we are thinking more about. Another case I would say is, which is not typically a fraud problem, right? Like everybody would've heard of scams, where scammers somehow convinced the two card member to make some purchases. It could be gift cards or something else.
Kate Fitzgerald: (
Or romance fraud? How do you catch that?
Nikhil Gupta: (
So, yeah, so that's where I was coming to. That is where it's difficult to capture through machine learning or our traditional solutions where we need to do more as an industry in terms of identifying. The servicing part or the talk of with customers, that's a separate area altogether, but just identifying what could be probable scam going on. But that's not a typical fraud area, right? Because customer themselves may be authenticating the transactions.
Kate Fitzgerald: (
But I think the expectations are that somehow you guys are supposed to solve that because I think in the UK recently they just didn't signal that there will be new legislation to address scams and I'm still puzzled as to how that will work or where the liability will fall because if I choose to do something crazy, you are supposed to read my mind but no, that's crazy. Don't do it. Do you foresee some challenges there or do you think there are systems that can actually try to anticipate when someone is making a mistake?
Nikhil Gupta: (
Our systems do pick up on like if something is very out of pattern or unusual that the algorithms will still pick up. But I think the key challenge is, if customer themselves authenticated the transactions, then It's a bit of a challenge in terms of addressing it readily when it is taking place. After the fact, you can look at it, but it's an evolving space.
Kate Fitzgerald: (
That would require adding friction to systems which is like in many cases, I feel like we were streamlining and frictionless is the future, but then in the European union, they've introduced the requirement for two factor author authentication with every single transaction. It's like taking two steps back to prevent fraud. So do you foresee that there's gonna be more friction introduced to prevent against types of fraud or are we moving still toward more of the sort of automatic, seamless transactions in the midst of all this ongoing broad?
Nikhil Gupta: (
I think it's going to be a mix of both because in European union as well, it's not every transaction that is going through previous or step up.
Kate Fitzgerald: (
Okay. Not every.
Nikhil Gupta: (
So the regulation kind of defines when you need to step up. So there is a large section of transactions that go through and the regulation has been coming up in different countries. Some of the countries like India and Singapore, you need to step up each and every transaction, but European union, there are certain conditions you use to decide which one you have to step up. Similar kind of regulation may come up in other geographical regions as well. So, it also helps in authenticating and curtailing fraud. But at the same time does add friction.
Kate Fitzgerald: (
It's really interesting because you have the visibility of all these markets, unlike a lot of other issuers.
Paul Fertig: (
Yeah. And not to keep coming back to FIDO, but there is going to be this trend where we are going to disrupt less as some of these solutions come into place because we're gonna have much greater certainty over who the end customers that we're interacting with.
Kate Fitzgerald: (
And using the data with these policies across these different markets to get a better outcome.
Paul Fertig: (
Yeah. So not where you have a regulatory requirement necessary, but where you don't have a regulatory requirement, you'll be able to disrupt much less.
Kate Fitzgerald: (
Excellent. Well, that's positive. Any other questions? Excellent session and thank you very much.