Gambling companies are ignoring data that could stop fraud
Gambling companies are ignoring data that could stop fraud
Charlie Walker, fraud specialist at Ravelin for the gambling sector, shares with Totally Gaming his insights on how gambling companies could make more use of their data to stop fraud
Online gambling produces a lot of data, petabytes of the stuff every single day. Every bet, every search, every user interaction, every deposit and every withdrawal creates a new digital record that is stored more or less forever.
But in countering fraud, the degree to which this data is made full use of is unclear.
Let’s look at one example in detail - the process of withdrawals management for a bookmaker. How many reviews are made of suspicious customers comes down to an individual analyst taking an educated guess on whether the transaction feels right or not?
It’s probably worth a trip to your revenue protection team to find out how often this happens. You might be surprised by the answer.
So think for a minute about what this means. This lonely guardian at the gates of fiscal rectitude is taking a punt on whether a transaction feels right. This view is usually based on whether or not it looks a bit, or a lot, like good withdrawals in the past.
Yet this analyst, and your organisation, is already sitting on a ton of data that will tell him or her with almost perfect accuracy, see whether or not the withdrawal is legitimate.
There are essentially three reasons why more companies don’t take advantage of this data as well as they might.
1. The belief that fraud processes are optimised already
Most withdrawals are automatically approved - they need to be or the company would grind to a halt and customer churn would be enormous as their winnings are delayed. These approvals are usually determined by a set of rules that are maintained within the revenue team or perhaps by a third-party supplier under a managed contract.
These rules are based on past behaviour that the team has seen before. The hope is that the fraud pattern recurs exactly as the rule defines it. If it does then the transaction will be blocked. If it has some but not all aspects of a rule then it will be passed for review. These reviewed withdrawals are then handed to a fraud analyst who checks an enormous number of variables, often on gut and experience, to validate the withdrawal.
But is this process optimised? Gut and experience are almost always possible to model in data. Where this is not possible, it is usually possible to replicate the checks and procedures more efficiently through access to better visualisation of connections in the data (i.e. is this customer connected in some way to a previously suspect withdrawal?)
Real optimisation is human experts assessing an increasingly small number of withdrawals and making more accurate decisions more quickly over time. If this does not describe what’s happening in your risk and treasury teams then there is room for improvement.
2. Companies are overwhelmed by data and miss the magic within it
There is so much data available to businesses it can become overwhelming.
However, I wonder how much time you spend looking, and how closely you look, at the data that is actually relevant - especially for a withdrawal assessment.
When you do you will realise it’s actually a lot less to trawl through than you would think.
What’s important is not a data point on its own, but how that data point is connected to others in the database. These connections are where the magic is.
Imagine you could instantly see if a suspicious account was created with a device that had been seen previously in the database. Or that a payment instrument is shared with a previous chargeback. Or a user shares a number with a known fraudster.
Any of these pieces of information would be useful but imagine if you could see them all at once, instantly and for any user, with up to 20 different dimensions mapped out in beautiful technicolour highlighting connections both good and bad.
You have optimised data lying dormant in your database right now. It is dying to tell you a story about your users. So let it.
The key to creating these stories is graph database technology and it can be integrated into even the most data-rich environment with surprising ease.
It’s simply a question of identifying the six to ten most relevant data points and mapping them, rather than trying to swallow the entire data elephant. That is where things start to go very wrong.
3. Fraud is an ever growing problem
Fraud rarely appears as an item of concern on the annual report - so does that mean there is not a serious concern?
Gambling companies tend to be pretty good at certain types of fraud but others get recorded as costs of sale.
Third party chargebacks is largely a solved problem. Collusion fraud or fraud rings, while still a risk due to potential size of losses, are something that is well-monitored.
However, voucher and/or promo code fraud is an enormous and growing problem. Every site has more and more codes as the battle for first time users is relentless.
The risk and the reality of misuse is huge. Some estimates in gaming put it at 15% of total revenue is a result of promotion abuse (albeit much of that ‘abuse’ might be technically legitimate play within the terms of service). The time spent on monitoring usage is also arduous. With the battle for first-time users raging, it is also not a problem that is going to go away anytime soon.
Fraud teams are increasingly being charged with monitoring and managing the redemption of promotions codes. Fraudsters are using more and more sophisticated and cheaper methods to create accounts and exploit those accounts for fraud.
Bots are continually being adapted to route round the checks we have to spot them - increasingly they are able to read the blurry numbers that Captcha presents (not to mention the user drop-of those checks result in).
Yet the tools our fraud teams are using have largely remained static. What use is a rule-based fraud system for voucher abuse?
What’s needed are systems that analyse behaviour, maps connections in a database and, if needed, can risk score that behaviour and those connections in order to flag abuse.
The good news is most online businesses are recording this data through the website, mobile site and in-app. But the bad news is that as far as fraud detection goes, this data is largely being wasted.
The variety, scale and sophistication of fraud attacks continue to grow. The onus is on the industry to respond in increasingly smart ways to combat this growth. That can only be based on using the data that is there in smarter and more connected ways.
Highlighting risks more accurately exposing links more thoroughly will help in this battle, but more imprortantly a higher level recognition that the game has changed and fraud risk needs to be looked at again in the context of compromised accounts exploiting a variety of system vulnerabilities. It is not a solved problem.