Fraud Technology Podcast

Episode 13: From Two-Factor Authentication to Human Verification

Ravi Madavaram Season 1 Episode 13

The podcast discusses advancements in fraud detection and customer verification in finance. Initially, simple phone confirmations were used, but increasing risks have necessitated robust methods like two-factor authentication and human review for high-risk cases. The success of verification is measured by actual financial losses, not just customer confirmation. Clean data and accurate modeling are essential for improving detection systems. Emerging technologies, such as AI and voice recognition, offer new tools but also face challenges like deepfake technology. Fraud analysts play a crucial role, balancing digital alerts and human intervention based on transaction risk.

Hi, welcome back listeners. This is Ravi from Fraud Technology Podcast. And today we have another superstar guest. Last week we met somebody from Buckley's who was a global fraud head as well. And then today we have another superstar who is also a global head of fraud analytics from Citi. We have with us, Virag Mosoha, and he has over a decade of experience in dealing with fraud in PNC and now at Citi and it's a great pleasure to have him here and please welcome him along with me. Welcome Virat to the podcast itself.

Thank you Ravi. And good listeners. Good morning. Good evening. Good afternoon. I know we could be geographically dispersed, so we can never forget.

Yeah, definitely. And there are people who are even listening on the flights and things like that. So the people on the move and they are listening to this kind of stuff. So it's actually great to have such a community. That was even the vision of how we went about creating the fraud technology broadcast itself, right? So now I know Virat, you are leading the analytics and data for some complexity, I wanted to understand how does data analytics fit into the overall ecosystem of fraud? I mean, what are the different teams that from your point of view are essential in the ecosystem and where does data analytics fit?

Sure. If I look at the fraud prevention journey in last five to 10 years, it has become more of an engineering really led solution. So it used to be more operational and policy driven. And, uh, now because of the complexity, it involved speed, agility that the fraudsters are displaying. It has become an engineering problem. When I say engineering, it is at the intersection of analytics and technology. We are one of the largest consumers of data within the financial industry because you are using the most granular data, which is transactions, generally billions and billions of rows and thousands and thousands of variables and profiles that you are using to mine the data and identify fraud patterns.
Then the second part comes in is execution of what you find something anomalous behavior. You're trying to stop it. As real time as possible, and that's where the technology comes in. So it is a combination of where you're trying to find a needle in the haystack, which is all about the analytics modeling AI, and then trying to execute these insights in real time in close to milliseconds, sub seconds response time. And that's where the technology comes.

Okay. I understand. So you talked about having humongous data, like billions of records of transaction data, right? And what I also notice is that the transaction data is not very rich. Sometimes in some business units, which is using very digital interface with the user, you may have a lot more signals coming in. But sometimes if you want to do a model for all the products with like, have a generic model, you have very few data points coming from the transaction itself, right? And so you're trying to predict a very serious behavior with very little input coming into you. My thought process and my assumption here is that that's typically what contributes to your false positives, because you have very little, this problem used to happen in my telecom days, by the way. So in the telecom, we used to try to figure out which customer is a good one, but sometimes people used to have multiple SIMs. And so you could not tell just because he's using very little of mine doesn't mean that he was a poor guy, essentially. Right? Because in your transaction, you have limited data. Again, please do correct me if that assumption is wrong. And then you're trying to model something like a fraud behavior. So it feels like you're building a very serious decision on a very little amount of data. So how does that work? How do you go about having more stability in those models itself?
Let me just decipher it when you say little amount of data, either you have a transaction with a monetary or non monetary, or in cases of you talked about the digital, somebody is trying to log in into your website or even just trying to interact, you are generating some sort of data. That data isn't plentiful in the sense you have millions and billions of hits that you're having. Some of those hits are really of use. So first part is really parsing it out. When you talk about the little data, you're talking about the dependent variables in the sense the fraud that are happening. Now, in the entire system, you are having a fraud, which is close to one or two basis points. And basis points is one hundredth of a percentage, right? So very, very small. So suppose you're having millions of transactions, you will still have, you know, fraud that is in thousands and when you bisect dissect into various segments, you are left with very small data. In that case, you got to look. I mean, this is a classic problem of needle in the haystack as I refer to you have a modeling techniques that you utilize it. You also aggregate the data over time. To make sure your signals are strengthened. And then the last part is, look, when you get the data, it's not necessarily, it's rich in terms of the predictive power. And when I say predictive power, look, when somebody logs in, you can get tons of data, but nothing that differentiates good from bad. In that case, what you are constantly trying to do it is trying to enrich your data with newer profiles, newer variables that can give you that predictive power. Give you one example in terms of a digital. Somebody's trying to log in if you get the device or IP address, IP address is a garbage, right? Because people can generate at a free will in terms of that.
However, if you can somehow find the variable that is a location mismatch, means you claim to be in Hyderabad, but you are doing it in Nairobi, that profile variables could be very, very rich in terms of differentiating. So we are constantly in a lookout for those enriched variables. Either ourselves or through partnership with various vendors that give us that what we call is a predictive power in terms of that.

I was talking about enrichment when I said you probably have predictive power. I was trying to essentially talk about is that you have little data to be able to let's say you don't have the variable to even predict. Then you will always have essentially a lot of false positives, right? So the other point that we talked about is sampling itself, that fraud itself. You talked about one basis point just for the readers itself. If they're not aware, one basis point roughly translate into one fraud transaction in a 10,000 transactions that you're doing basically. So you have so little data points of fraud for you to even generalize how a fraud happens. You are like, it's a needle in a haystack. It's actually very rare that happens, right? Again, even though a lot of us see a lot of fraud, there is statistics around customers having like almost 60, 70 percent customers being target of fraud. Right now, when we talk about in the financial space itself, now we are talking about one in a 10,000 sampling. So how does this data correlate? So for example, there's statistic that every customer, there's a 70 percent chance that they will be targeted with fraud. And I do think that statistic is true because most of my friends have been targeted by fraud. So how does that correlate with the data that you're seeing internally?

Yep. Yeah. So both statistics, both data are true, right?
One we are talking about the transactions and the second one you refer to is the customers and you, what you alluded to is that 70 percent of the customers, those who will see some sort of attempt of fraud within a time interval and the time interval could be one year, let's say, put it out there. Now, if you look at it in one year, how many transactions one might conduct? Yeah. Thousands. Literally. So chances of that in, let's say, thousands of transactions, the one might be bad, or they would be hit on that attempt. So that's why I said there is an increasing amount of fraud is in the system. Customers that who are experiencing, but we are also doing much more digital transactions, right? The money is flowing in and out all the time. And therefore, as I've mentioned, both the statistics.

Wonderful. Wonderful. So you talked about data enrichment as a way to improve predictability, right? I also want to understand where does technology come into play. One, you need to have rich data to be able to predict, but what sort of data, what are some of the cool technologies that you have used to solve these problems, fraud problems? I know people keep talking about AI, generative AI and stuff like that. So I do want to hear some of the practical ways how these technologies are being used.

So, simply put, look, our rule sets and models, right, the target is the predictability. When we say predictability, what you are trying to do is you are differentiating good from bad, which means we can identify fraud more accurately. But not impacting our bad customers, our good customers. And generally, you will see the mix of good customers are also increasingly impacted. You generally target in the fraud. Look, there are several what we call as a key performance variables, but for the simplicity, I'll keep it to two. One, how much fraud that you have in the system? What share of that fraud are you capturing through your strategies before really it hits the system?
Which means you prevented those fraud for the firm, right? So, and that is the word uses fraud capture rate. Second is, how many less false positives really impacted? Which means the good customers are really not bearing the brunt of it. Now, your original question is, how can we enrich this? Simplicity, there could be two ways, right? One, I think I already mentioned get differentiating features or variables, right? Which means to get the insights that we never had before. I think I alluded in one of the examples. So we are aiming through enabling data intelligence, right? Shared across customer lifecycle, where we combining digital, device, acquisition, transaction, all of that data to really enrich our decision making so you are getting better insights than you had before, right? I think I alluded to one of the examples. So that's one way to enrich. Second part is, which will answer your AI or ML question, is better and improved model algorithms. And look, simply put, machine learning is one of the model algorithms, right? Aim here is not to be fixated on winning algorithms and saying, Hey, you know what? We got to use only machine learning or advanced machine learning on neural networks, but instead gain what we call is a deployment flexibilities for both traditional algorithms, such as regression, decision trees, and so on and so forth. And then advanced modeling techniques, which is gradient boostings and others. Now, to listeners, I'll simplify it and not go into detail. Point is, think about the traditional model approach as a linear, right? Which means you are in x and y axis, you are drawing a line very straight. One side is good, one side is bad. Fraud doesn't happen in a linear fashion. So it happens much more in a pockets in terms of segmentation. So therefore, a lot more advanced machine learnings have come. One of those techniques have been popular is random forest, GBM, gradient boosting, and so on and so forth, right?
What you want to have it is flexibility. Sometime simple techniques could be good. Like I gave you one example of one variable, that one variable could be differentiating. You don't want to confuse with more variables because otherwise what we call is a analytical problem is overfit means is suppose I gave you that there is a mismatch of location and I put a variable along with the various things and said, if there is a mismatch and more than a hundred dollar transaction, therefore, go ahead and decline that. Fraudsters is a game of chess, right? So they'll learn and they'll test and they'll say, okay, if I do a hundred dollars, they decline me. But if I do 99, I get to pass. So they quickly do 99. And then as soon as you stop in 99, they'll go to 98 and so on and so forth. So you're constantly chasing it down. And therefore, ideas to be nonlinear. In that case, you just keep them guessing. And that allows us to enrich the power. Now, where you alluded to in terms of the AI, I would say it's a very generic terms that is used, artificial intelligence. In simplicity, what you are doing, it is, as I mentioned, machine learning models. Those are non linear models. You have simply what we call is a static model techniques. Static model techniques is your algorithms, which will be a long equations, right? And sometimes those equations spread over a few pages. That equation is fixed. So you draw the equation based on the prior data and then you run the algorithms for the model score and then you identify it. That's what we call is a static AI techniques. Those are used plentiful both in terms of the fraud. You know, increasingly, I would say is most of our models are actually static. Moving slowly towards what we call is a dynamic machine learning. Dynamic machine learning is, as the new patterns arrive, so today it's 100, tomorrow it will be 98, then day after tomorrow it could be 97, fraudsters are moving, and therefore you take the new data and you refresh your algorithms.
Much more powerful, right? Because now you're not impacting as many good customers and you're still catching fraud. So that's a secondary, which we've started to use, but there are a governance and other frameworks. And the last part I'll stop here for you to ask question is a cognitive AI. Which is trying to guess how the brain works or how the fraud patterns in the future could work. And therefore they are much more predictive in fashion that we are slowly paving the way, but not there yet, because there are regulations have to come in. You need to see the stability. You have much more chances of getting it wrong. And therefore you could impact the large customers. And then the fourth part is generative AI to a certain degree, which is still, a lot of companies are paving the way and preparing it, and it's still a few years, if not decades.

Okay, I understand, because there's a lot of hype around, and I do agree that these terms are being generally used. I wanted to understand where does this fit well, and again, I do agree that fraud probably is a good area to even try some of these problems, because fraud is equilibrium, because you do something, somebody else is going to respond to it. So it's not never going to be that you ever are going to be on top of it. It's a catch up game. It's a game of chess that you talked about, right? So you're playing with somebody in front of you. And so the risks are always moving. And so you need to have dynamism into the ecosystem itself. I just wanted to summarize to the audience itself. When you talked about static as well as nonlinear, then predicting the, how the brain works and the generative AI itself. So static, the way I understand it is you have the process, a technical process, that process is fixed, a input comes in, the decision comes out. Nothing changes in the process itself, depending on how the input is coming in, if it is not pre configured, right?
Whereas in the nonlinear space, it learns and even modifies some of the process itself. And I'm assuming something like anomaly detection algorithms that are very popular in a lot of other industries as well, I'm assuming are in the nonlinear space itself. Right. And the third one that you're talking about is neural networks, I'm assuming.

Yes. Simple way to think about this. There is an input comes out. Consider there's a black box input coming out. Thousands of variable output is just one single model score. And in between the box is your brain, which is what we call equation. That equation is fixed. That's a static. Now dynamic, which we is that box could change. It's a guess. Okay. Today it will be A, tomorrow it will be B, and day after it will be C, so you never know what it is. And it will keep adjusting to what the signals are coming in. That's a simple way to understand.

Got it, got it. And you also used a specific term, and I've not heard that before, so I wanted to understand a little bit more of what you mean by that, is deployment flexibility. It's a, what do you mean by that?

Yeah. So I think I'm going back to my first question is a fraud is becoming more of an engineering led problem. And engineering led problem has two components. One is the analytics and the second part is the technology. Please remember, it's not good enough to know the anomalous behavior, but we need to stop it. Most of the credit card transactions or even online transactions that you're doing, they are sub seconds transactions, credit card transaction, end to end you might have, let's say 150 to 200 milliseconds. By the time you swipe it, by the time the decision comes out, you see it happening very quick in that the sub seconds. There are a bunch of things running, your engine is running with the decisioning, you know, there are associations like MasterCard, Visa, Amex, they are running, and then various others in between, merchants are running their algorithm.
So again, knowing is not good enough, you should be able to stop it. To stop it, all of these algorithms that we have, which is complex algorithms, should be able to respond within that time interval, which is very important. Milliseconds, generally 100 to 150, 200 milliseconds. You have to be able to respond. Your systems, your technology should be powerful enough to absorb these thousands of inputs, run complex algorithms and be able to generate an output and then using that output, be able to make a decision. And that's what I meant by execution problem, right? And that's where it is.

So you're talking about the performance of the models along with the accuracy itself. So typically people think about, you know, accuracy being the most important one, but what you're alluding to is also that the performance of the model and how fast it responds and how reliable and robust it is also is a huge indicator of the performance platform that you're building.

Right. So generally in the model execution, you will look at two things. One is the performance as you talked about, right? Which is the predictability and predictability is how do you differentiate good from bad? And second is, is your platform powerful enough to execute this in a strong, you know, what we call latency, but it means is, is, can it be quick? Sub milliseconds in many cases.

I also want to understand a little bit on, I know you talked a lot about the time itself, the 150 to 100 milliseconds that are needed to make the decision. These are probably in the credit card space, but what I've seen in general banking transactions, because bank transacts, for example, in the U.S. doing a bank transfer is a 24 hour or 48 hour. That's not true for the world. For the rest of the world, it's actually far more faster. But in countries like US, it's actually slower in terms of payments itself. And I want you to understand what is the importance of timing.
And I've seen cases where people doing fraud and the transaction has gone through and the modeling happens post facto, or sometimes even happens like 15 days later to run the model again, and then somebody goes through it. And so there's a delay from happening to detection. And by the time you have very little to do in terms of decision itself. So I wanted to understand, I know credit card is an ecosystem is very, very streamlined, but the rest of the ecosystem, how far is it from a real time standpoint?

Credit card, as you said, those are mostly below second response time. Now coming to what we call is a digital transaction. So in India, people are doing UPI. Here in U.S., you're doing Zelle or PayPal and others. Two components in there. One is the decision part of that transaction. And then second is when is that transaction settled? Means the clear date. And these are the two different things. Decision, you have a bit more time than the credit card. So credit card, as I mentioned, 150, 200 milliseconds here, your response time to decision might be second or two seconds, depending upon what the organization may choose to. It's still not days. It's still not hours. It's still response time is few seconds. Second part is the clearing of that transaction. So your systems is still have to be powerful to be able to respond in seconds for it to be decisioned. Why do you create and say, Hey, you know what? We wouldn't clear it. The transaction now will clear it after 24 hours or 48 hours. It is just buying ourselves more time. So take an example. If we did, let's say, Zelle is immediately cleared, but if we give ourselves more time and we say, okay, it's 24 hours clearing, customer may realize that, hey, the transaction has gone through, I see this and this is 5,000 transaction, which I did not perform, they'll call the bank and bank in that case can call up the other bank and stop that transaction from happening or not settle it, not clear it.
So buying more time, you're really stopping from the fraud and giving customers more time to really realize if something has gone wrong. Again, to differentiate your decision is still in seconds. Clearing could take a little bit more time to stop the fraud or slow down the fraud. Third part also happens by more time, you're stopping the frequency from happening. So example is if you're happening, the transaction fraudsters got hold of your account. They do one transaction, they went through, they'll do multiples, and by the time you realize they have done tons of transactions, taken a lot of money. By slowing it down, you buy yourself more time, and therefore you are also reducing the frequency of what fraudsters can do.

Okay, I understand. So, there was another friend of mine who had talked about fraud from a cultural sense in the US vis a vis the rest of the world, right? In the rest of the world, and again, I'm using countries like India, Singapore, Malaysia, the countries that I've lived in, where it is generally harder to get a credit card. And if there is a transaction which is fraudulent on that credit card, it's very hard to get it reversed as well. Whereas in the US, what my friend was saying is, if somebody is doing a transaction on my card, I'm actually not bothered because I'm always very confident that I actually call back the bank and say this is fraud and then I can reverse it very easily. Whereas the onus of proving as a customer in other countries is higher to say that this is a fraudulent transaction. In the US, nobody even asks that question or the onus is not as high. So I wanted to understand how does that actually play into decisioning itself because you would have then a lot more leeway in a country like US.

You're absolutely right. And, uh, what we call is a regulations, federal or state regulations really play a role. So the one that you alluded to is take an example of either India or other developing nations.
The liability would be of a customer unless and until you file a police case and then prove that the transaction does not belong to you. So the onus is on you to prove that this is not your transaction. Reverse it with many developing nations, including the U.S., right, is the onus is on the financial institution. We need to prove that this transaction is yours unless and until we are able to prove it, then we have to refund it. In that case is the culture also seeps in and the customers become more relaxed, cases that also lead to them contributing to the fraud, right? Because you're so easy. You think, okay, you know what? Let me do the transaction, not bother about the due diligence. And that leads to somehow contributing to more fraud in the system. There are ways to, there are, because you in the system, you're seeing more fraud and those are customer led. And therefore, firms are trying to collect more signals that can put a bit more challenge. But again, regulatory side is still anathema to put anything further. And if anything, it is becoming more reversed. Like UK has passed what we call is a scam bill. Means if a customer is scammed by somebody, that they can claim that transaction to financial institutions. And in some cases that puts undue burden because the customers then think it's, they can take advantage of it, right? And lose their own.

Yeah. So we are just coming up with a white paper on this particular. And actually, I mean, India, I think a few months ago was considering a similar law, like the APP fraud law in the UK, where the onus of proving is on the financial institution. And there's a clear timeline of when the reimbursement has to happen and who takes the burden of that and things like that. Right. And again, investigation has to happen on the bank side within a five day working period, which is the UK rules. Right. So again, I am in two minds about that because on one, you may be promoting fraud itself.
By doing that, because I lose nothing as a customer, if something like this happens to me, I just go claim that it is fraud. And it's very hard for the bank. And it's also not in the branding interest of the bank itself to prove to me that I was wrong, even though I was wrong, right? Optics may not seem very good, because bank is a large company with no face, whereas an individual is like individual and everyone can understand what the individual is actually going through. So actually I'm in two minds whether that's the right way to go about it. I still think that there has to be some optimization, some responsibility still given to the customer. But in some cases, I also welcome that because I've known some cases where it was clearly fraud and it was very hard to prove to the bank.

So Ravi, the answer would be somewhere in between, right? One of these answers. It's not either this or that. It's somewhere in between. If customers are relieved of their responsibility, you will have much more fraud or a scam in the system because that could be a weak link. However, if the entire responsibility is abdicated from the financial institutions, customers will bear the burden and in many cases of no fault of theirs, right? Let's say financial institutions data is stolen and as a result, the fraud really happened. I'm paying the bill, yet it's none of my fault. The answer is a little bit more nuances. So for an example, take an example of the scam in itself, and it's being differentiated, including in the U.S. as well. If customer participated in that transaction, so let's say for an example, if I sent an OTP or it coming from the customer's device, which is a proven device, and the transaction really is led by the customer on their device, they could still be liable.
However, if the transaction happened from some foreign device, I didn't mean by the geography foreign, I meant by somebody else's device, which customer has no access to or it doesn't belong to, yet they somehow, fraudsters or scammers got hold of those systems. In that case, the liability could be customer can be abdicated of the responsibility and liability. So you see it's a nuances and that's why again I'm going back is it's becoming more of an engineering like problem. More signals you have, better you can differentiate. The government regulations should also differentiate on that ground. Is either customer participating in that fraud or scam or they are non participant. And if they're non participant, I don't know, duly believe that the responsibility should not lie or the other way, you know, if it is, they, they participate.

So the UK law, the way I read it again, I could be misunderstanding it is that the authorized push payment is I authorized it. I sent the money myself. I only realized after the transaction that it was a scammer promising me that I will get 100 times my investment in a month, right? In that I actively participated myself and I authorized the transaction itself. So that is the regulation that is actually coming in October 7th this year is the APP fraud. We'll be 100 percent reimbursed within five working days and the onus of proving that the bank or the user was warned for one at enough timeframe, even then they went through and only then you'll not need to pay the reimbursement stuff. So it feels very, very pro customer, which makes sense from a regulator standpoint, but I think the onus on the financial institution is going to be huge. I would love to see how it plays out, but let's see how things proceed by the end of this year.
It's going a little bit too far and the responses are not always linear either or there would be if financial institutions have to protect themselves from losses, they'll respond it more tightening and things like that. Right. So, yet to be, the verdict is out. And so we'll see.

So, one thing I wanted to go back. So we talked about engineering led and previously it was more operations led. So I wanted to understand, let's say one in 10,000 transactions is fraud. I'm assuming that's actual fraud, but the detection I'm assuming, including false positives, let's say you are detecting twice that amount. And out of that, it still falls back to humans, I'm assuming here. So I wanted to understand how some of these statistics work and what are those numbers, if we can talk. Generally, because if I remember correctly, fraud, false positives can be anywhere from 90 percent to 99%. I've even heard of fraud, 99.9 percent as well. So I want you to understand it's out of 10,000, how many are flagged and out of that, how many are real, how many become false negatives? How many become false positives? I want you to just understand that matrix itself.

First part is the engineering led problem. But again, the customer here, the individual can be the weak link because you're creating through these models, this strategy, you're just creating a little bit hurdle, slowing fraud down. But ultimately, as you said, it generates an alert, it goes out to the customer, right? And then customer either confirms or deny whether it was fraud or not. And if you accidentally did the other way, or fraudsters got hold of your device and to authentication, then they could confirm on your behalf and they can go ahead. And we are seeing that problem increasingly getting more and more what we use the term call authentication or customer verification. And as I said, equal amount of energy and innovation is going into first part, which is the detection capability.
And second part is going into your ability to verify, take simply earlier. It used to be the verification is that I sent it to your phone. You press the button. Yes. And it will go through. And that was the practice in the U.S. Now, over time, you realize, depending upon the risk, sometimes you do it simply for the customer ease, but if the risk is much higher, you may have what we call two factor authentication or three factor authentication. You may use, combine what we call digital with the analog. Digital means you're using online or something that you believe the transaction may have happened in the same way. And then analog is you're using some more archaic methods to really identify that risk. And in that case is you're trying to confirm whether that is a fraud or not for very, very high risk. You actually send it to humans. So you send it to operational center to be really verified. And that is equal amount of a problem area that is happening and we are constantly researching and saying, okay, how do we really deal with that problem?

So when a customer says, let's say they do a 2FA or 3FA and they approve it, would that be considered the ground truth or how do you know your residual risk? So for example, your system did not even flag something was a problem, right? False negative. It never went even the customer. So you don't even know, how are you even going to say that I have a false negative problem? Or, hey, even after doing this, somebody even had 2FA, 3FA and then got through and I still have a residual risk. So how do you, from a modeling standpoint, establish ground truth so that your models can learn over time?

Good point. So look, the ground truth is not by the customer confirmation. The ground truth is whether the money was lost or not. And that will come a few weeks later or a few days later. So let's say you did a transaction. Somebody on your behalf confirmed that transaction was true.
Few days later, you saw your bank account and you saw, Hey, this is the transaction really happened. It wasn't mine. And you complain and the money was refunded. That is the ground truth where the money has gone out. In some cases that might not be the right ground truth. You may have fooled us, right? But that's a different matter. That is the ground reality. That is where your models really work and learn. Not from based on your responses. Now we take your responses, which could be your response or fraudster's response and align it with the ground truth, which is the, whether the dispute and the money was lost and see the mismatch that is to deal with differently in terms of authentication, whether we have authentication problem or not, and that's a secondary problem that we deal with. But your models are securely based on whether we have financial losses or not. And then there are other modeling techniques to clean out that ground truth, where you see a systemic risk in terms of segmentation, which looks closer to your transaction. You clean out that data, you throw away the outliers and so on and so forth. Those are just the modeling techniques to make sure your data set is clean. And you're predicting, right?

Okay. I understand. I understand. So can I also understand because is it normal to have fraud analysts in the financial institution itself to review some of the alerts or is everything going to the customer direct? Is that the typical practice that let's say a flag is generated or alert is generated. Let's say there's an alert that is generated for a particular transaction. And then would it be directly going to the customer or is there a process where sometimes it goes to a fraud analyst team internal to the bank? Who is trying to determine whether something like that, because it's a customer experience issue also, right? Let's say some transaction is actually okay. And you're passing to the customer saying that, Hey, can you confirm this transaction?
It's a customer experience issue as well. So are there teams which are internal to the financial institution, which deal with fraud analysis as well?

Oh yeah, absolutely. So just let me elaborate your question or understand it. It's a digital versus whether that alert is going to a live agent. Answer is based on the risk. Please remember, the digital alert is cheaper, much, much cheaper. If you send that to analyst, it's a lot more time and both customer experience also, right? Your day is interrupted if that agent is calling you. So depending upon the risk, if it is a significant high risk or amount is very high of that transaction, then you probably want to send it to live agent who does the due diligence, who identifies whether that's the right device, whether your phone is compromised, whether your email is compromised and so on and so forth. Right. So they do a lot more due diligence versus just for generic. If you did some minor transaction and we think it's risky, we just send you an alert. You confirm it and you go back. So you do have that in the process, but based on the risk that you are.

So final question from my side is what are some of the cool technologies or things that you are excited for in the fraud space?

Yeah. Fraud is an interesting space. And for a lot of viewers, look, should consider your career. If you are inquisitive, if you are more technology or analytics based education or experience that you have, and that is the field that you should choose, a lot of innovation is happening. One, as I think I mentioned, both in terms of analytics, because it's a needle in a haystack problem, much harder to solve. Therefore, modeling and the decision science is super high in terms of their innovation. Second part is the technology, because it's both a low latency, extremely, extremely low response time. Therefore, the computer scientists are also challenged to come up with a platform and the performances that can meet.
Third part is also you're using these new technologies, which is equally promising, AI/ML or Gen AI in future. And fraud is one of the strongest use cases. It is not the only use case, but it is one of the strongest use cases that either financial institution, retailers and others are looking in and dive. Because the promise of gold there or the value is there a super high. So those are the technologies coming in. There is a lot more is going on in terms of you might have heard, to give you one interesting: voice recognition was one of the key authentication verification, which means, hey, Ravi, I know I tapped into your voice in the past. And then anytime you call in, I can compare that voice and say, hey, it's Ravi and therefore go in. Much more stronger signal than you are confirming through OTP, because somebody can see your OTP or it can get compromised. That has also been challenged in the Gen AI. Because now there are deepfakes and others who can generate the voice like yours and the video like yours. So then there are technology counter responses, which are coming in and say, okay, you know, how can we differentiate the noise from the signals and can we get a stronger models or can we couple it with other responses to what we call is a passive authentication where the customers don't have to respond. And this is few of the examples that I gave. Some sort of innovations that are happening in fraud.

I've heard of this voice biometric where I think somebody was talking about accounting code where I call the bank up and say, Hey, my account, I lost access to my account. And then voice biometrics was one of the signals that was used at the call center level to say it's the actual original customer that I've talked to before. Right. And that is heavily being challenged with the journey I've been having. So again, uh, thank you so much, Viraj.
That was really, really insightful, a lot of detail and color to some of the problems that I think some of the listeners are aware of, but probably the color itself is what helps them understand the depth and as well as probably the excitement as well, the challenge and the hunt is probably what is more exciting in the fraud space itself. Yeah. So thank you so much for that. And, uh, we'd love to have you on the podcast some other time and we'd love to catch up with you in person as well.

Ravi, thank you for having me and all the listeners. Thank you.

Thank you guys for listening and have a good evening, good morning, good night, wherever you are at.