Driving Performance Improvements in the Health Service

Fraud Detection in the Financial Services Industry

A SAS White Paper1

Table of Contents

Introduction: The Cost of Fraud ................................................................................... 1

Fraud in Financial Industries ........................................................................................ 1
Fraud: Characteristics, Types and Examples ............................................................. 2
False Insurance Claims................................................................................................ 2
Healthcare Fraud.......................................................................................................... 3
Non-insurance Fraud.................................................................................................... 3
Credit Card Fraud ..................................................................................................... 4
Mortgage Fraud ........................................................................................................ 4
Stock Market Fraud .................................................................................................. 4
Money Laundering .................................................................................................... 4

Traditional Techniques of Fraud Discovery................................................................ 5

Fraud Detection with Data Mining ................................................................................ 6
Approach 1: Unusual Data ........................................................................................... 6
Approach 2: Unexplained Relationships ...................................................................... 7
Approach 3: Generalizing Characteristics of Fraud ..................................................... 8
Summary of Data Mining Fraud Detection Techniques ............................................. 9
Case Study: Detecting Mortgage Fraud .................................................................... 10
Exploratory Analysis................................................................................................... 10
Predictive Modelling ................................................................................................... 11
Association and Sequence Analysis .......................................................................... 11
Link Analysis............................................................................................................... 12
Conclusions ................................................................................................................ 12
Case Study 2: Credit Card Fraud................................................................................ 13
Data Model ................................................................................................................. 13
Analysis ...................................................................................................................... 13
Conclusion.................................................................................................................. 15
Summary....................................................................................................................... 16
Appendix: Enterprise Miner ........................................................................................ 17
References and Further Reading ............................................................................... 18
Topical ........................................................................................................................ 18
SAS Institute White Papers ........................................................................................ 19

Fraud Detection in the Financial Services Industry was written by Julian Kulkarni and Ed
Walker, based on a SAS Best Practices paper by Bernd Drewes.
 Fraud Detection in the Financial Services Industry

Introduction: The Cost of Fraud

Nobody can put a figure on the full and exact costs of financial fraud, which is defined as the use
of criminal deception for financial advantage. This definition admits a wide variety of
interpretations. So estimates differ widely. All we know for sure is that the costs are high and
probably getting higher.

The US Coalition Against Insurance Fraud estimates the annual cost to be $85 billion, which it
describes as “a hidden tax of more than US $1,000 per family each year on the costs of goods
1
and services.” A 1998 report Taking Fraud Seriously by the Australian Institute of Chartered
2
Accountants estimated the annual cost of fraud in Australia at US $3.5 billion. A 1997 report by
3
the Association of British Insurers estimated UK insurance claims fraud at § 595 million, while a
4
US insurance association estimated global insurance fraud costs at US $17 billion. US mortgage
industry professionals and the FBI estimate that “between ten and 15 percent of loan applications
5
contain material misrepresentations”.

In 1996 one in every ten Americans had been the victim of a credit card fraud, and half feared
6
they would become victims. Already by 1992 the cost of credit card fraud in the US alone was US
7
$864 million, and while the percentage of transactions that are fraudulent is falling, the rapid
growth in the volume of transactions – including now Internet-based transactions – puts the likely
current global figure upwards of several billion dollars.

In this white paper we consider some specific examples of fraudulent practice that affect the
financial services industry, and look at some tools and techniques for anticipating and uncovering
fraud. In particular we look at Fraud Detection solutions from SAS Institute, part of the SAS
Solution for Customer Relationship Management. Readers seeking a more detailed description of
the methods and case studies are advised to contact SAS Institute and enquire about the data
mining Best Practices Papers.

Fraud in Financial Industries

The costs of insurance fraud alone are probably now in the region of US $ 100 billion per year in
the United States, and there is little reason to suppose that it is less of a concern in other regions
including Europe. Typical fraudulent practices include fake accidents, fraudulent disability and
property claims (including arson), false medical billing and theft of insurance premiums (for
example, by unauthorized insurance companies). Detection of fraud is generally hampered by the
need for highly skilled investigators ploughing their ways through backlogs of computer data, with
successive findings triggering new questions and requiring painstaking searches; in the meantime
fraud and abuse continue. Here are some examples that have recently been presented in news
stories:

1
Coalition Against Insurance Fraud, July 1999
2
Melbourne Age, 17 November 1998
3
BBC News, 7 December 1997
4
Pennsylvania Association of Mutual Insurance Companies, quoted by Lititz Mutual Insurance Company January 1998
5
Robert J. Sadler, The Mortgage Mart, July 1999
6
The Detroit News, January 31 1996
7
Federal Trade Commission

1
Fraud Detection in the Financial Services Industry

In one area, vehicle accidents were staged and the fraudsters collected on property and medical
claims. Investigators conducted database searches in order to find common denominators of
organized fraud groups. They found that people involved in seemingly unrelated accidents had
received medical treatment from the same provider. Further investigations revealed that many of
the claims were part of an organized scheme where people were hired to participate as a victim in
an accident. Forty-two such cases were identified that had generated $700,000 in fraudulent
claims.

Fraudulent medical claim. A slip-and-fall injury claimant demanded payment of US $200,000,

hired an attorney, but refused to disclose her identity, her medical records, or the complete nature
of her injury. Using the claimant’s Social Security number to check database for past claims
revealed that the claimant had filed 12 bodily injury claims using the same Social Security number
but different names. Further data mining revealed a relationship among the claimant’s treating
physicians (chiropractors) and attorneys. Outcome: the insurer, which had offered a settlement
before the investigation, withdrew its offer, and the claimant’s attorney withdrew from the case.

Employees’ compensation. A claimant sought US $220,000, alleging multiple injuries from an auto
accident had left him unable to work. Database checks revealed that the claimant had filed a
compensation claim for the same injuries a few months after the accident. A separate check of
employment records established that the claimant held a position with a new employer similar to
the position he held when the auto accident occurred. When confronted with these facts, the
attorney representing the claimant immediately withdrew the lost-wage claim.

Fraud: Characteristics, Types and Examples

As the foregoing cases suggest, there is a list of typical scenarios that can be found in fraud
cases in the financial industry. The main areas are as follows.

False Insurance Claims

The fraud rate for such claims is estimated at ten percent and uses a variety of schemes, some of
which are listed below. Most of these cases are difficult to detect, because they represent “non-
revealing” fraud, in other words there is no explicit event (such as a stolen credit card) that will
eventually identify the claims as fraudulent. Investigative efforts such as the uncovering of repeat
behaviour or connections between conspiring individuals, is usually needed. Here are some
typical scenarios:

• A man uses his wife’s jewellery as the basis for a policy taken out on behalf of another lady
friend. The friend then claims that “her” jewellery has been stolen.

• A person insures a vehicle and arranges to have it disappear. He then reports it stolen and
collects the insurance, perhaps also selling parts of the vehicle (airbags are very popular
currently).

• Garage repairers install used parts rather than new parts, but bill for the latter.

2
 Fraud Detection in the Financial Services Industry

• A car causes an accident by stopping suddenly in front of another car. The passengers then
make medical and property claims.

• A head injury is claimed by someone who has not actually had an accident; injuries are
certified and treated by one of several doctors who were part of the scam.

Healthcare Fraud

Today’s claims payment system must deal with a wide range of medical procedures and practices
and a growing number of public and private health care programmes. There is the typical problem
of too much data and not enough information. As a result it has been said that healthcare fraud
works best when automated billing works perfectly.

There is also often a thin line between ordering more tests than are medically necessary, making
the detection of system abuses difficult for non-expert investigators. Common scenarios include:

• Charging for unnecessary services such as performing $400,000 worth of heart and lung
tests on people suffering from no more than a common cold.

• Administering more expensive blanket screening tests, rather than tests for specific
symptoms.

• Billing for services not rendered such as diagnostic interventions that never took place. An
extreme case of this involved the claim to perform a bronchoscopy once a week on a patient,
when once per lifetime is the norm.

• Billing for treatment by a senior doctor when it was actually performed by trainees.

• Unbundling group tests (such as a standard collection of blood tests), and billing the tests at
the higher individual rates.

• Upgrading tests by billing for a related but more complex and expensive procedure.

Another type of healthcare fraud is wholly unauthorized billing. This often involves setting up a
billing company and submitting fictitious bills for treatments done by unsuspecting doctors to
unsuspecting patients. After the reimbursement cycle the fraudulent billing company moves on
elsewhere. Effected patients and doctors may suffer serious consequences, patients records now
showing serious diseases, and doctors being audited for suspected tax fraud.

Non-insurance Fraud

In the non-insurance sectors of the financial industry there are also a number of common frauds.
The most well known involve stolen credit cards.

3
Fraud Detection in the Financial Services Industry

Credit Card Fraud

The methods used in credit card fraud are likely to be quite simple: steal the credit card or the
credit card information, then use this to purchase big ticket items. The actual purchase is often
preceded by small test purchases (for example at a filling station) in order to verify that the card is
operational, without drawing much attention in case it is not. In the case of a stolen card, the fraud
is likely to be revealed after a short time, so the purchase pattern tends to start immediately and is
intense until the card limit is exhausted. When only the credit card information is stolen, the
purchase pattern may be less intense and stretch over much of the billing cycle. The lack of a
physically presentable card requires that the purchasing be done remotely, by telephone or
electronically. Ingenious schemes may be invented in order to come up with a non-incriminating
delivery address, such as staking out a currently non-occupied house.

Mortgage Fraud

Mortgage fraud involves the misrepresentation of a real-estate value and its use for fraudulent
purposes. In a common scheme houses are bought by a group of people and are then resold
among one another at inflated prices; the resulting (virtual) equity is used to take out mortgages
and/or is resold to unsuspecting buyers.

Stock Market Fraud

Various schemes qualify as stock market fraud:

• Insider trading involves the actual trading of stock based on illegally used knowledge. The
knowledge may contain information affecting the stock market price or consist of impending
customer orders. In the latter case a person will execute a similar order for himself before
executing the customer order (front-running a trade).

• A fraudulent advertisement attempts to procure customers by providing misleading

information, such as guaranteed rates of return from a stock investment or falsified titles of an
investment object (such as “prime bank certificates”) that appear to signal a secure
investment.

• Driving up stock prices, for example by selling between brokers.

Money Laundering

Money obtained through illegal means (such as drugs) is processed by direct deposit into various
(often foreign) accounts or by converting it into legal revenue. For the latter purposes a fictitious or
real business may be created with the deposited money appearing to be real revenue coming
from this business.

4
 Fraud Detection in the Financial Services Industry

Traditional Techniques of Fraud Discovery

Common methods of discovering and preventing fraud consist of investigative work coupled with
computer support and client education. Basically, both computers and clients are helping to alert
insurance investigators to suspicious cases, which are then screened by the investigators one
after the other. The alerting phase is an important component in detecting fraud; many cases
would otherwise go unnoticed, in particular single-time, single-person offences.

Computers can help in the alert for example by flagging all claims that exceed a pre-specified
threshold. The obvious goal is to avoid large losses by paying close attention to the larger claims.
The drawback is that the details of such practices (in particular the thresholds) will become
apparent to the fraudster, who may then adjust to it and file claims just below the threshold. More
sophisticated monitoring may employ additional thresholds (such as claim rates) as well as other
measures designed to capture fraudulent practices (for example age constraints, such as
identifying the case of chiropractic treatment for a six-month old baby). As a benefit of this
“computer monitoring” approach, fraud may be detected before payment is made, which is much
more effective than trying to retrieve the payments later.

Education of consumers or clients is the other means of alerting investigators to suspicious cases.
In health insurance, a method as simple as sending the beneficiary the claim statement from the
doctor may be effective. It should, for example, detect those cases of fraud where health service
numbers or health insurance cards are stolen and used for fraudulent billing. On the other hand,
even in this clear setting there are problems. People making reports on apparently inflated claims
run the risk of antagonizing their doctors. They may also misunderstand the claim and fail to make
reports, or make mistaken reports. Lastly, providers in many countries may have a long billing
cycle, which will make it difficult for patients to recall the specifics of a situation.

The strengths and weaknesses of the two approaches are complementary. The automated
computer monitoring approach lacks knowledge of what actually happened but offers a degree of
objectivity and certainty which is sometimes lacking in the patient’s monitoring. Consequently,
both approaches may be required. Both approaches suffer, however, because most of the actual
investigative effort is done by a manual exploration of cases. This concerns some of the common
triggers for suspecting irregularities, such as the absence of witnesses to an accident, lengthy
recovery periods, unusual medical treatments, improperly issued insurance policies, cash
transactions, lack of Cupertino, excessive demands by claimants, large numbers of patients seen
on weekends. Some of the triggers (such as claim forms heavily altered with corrective fluid) are
even more difficult to automate. Investigation often takes months, if not years. If computer
monitoring could be enhanced, so that suspicious claims were not simply flagged but you could
identify fraudulent cases with some reliability, this would help to expedite the fraud discovery
process.

Fraud detection and prevention can be greatly facilitated by legal reporting requirements that help
to make it clear to potential fraudsters that their schemes are unlikely to succeed, and make it
easier to detect fraud when it occurs. For example, to counter money laundering, companies
dealing in high-value items such as jewelry and vehicles may be required to report more details of
the identity of customers and the method of payment. Doctors can be required to provide specific
details on patient case histories.

5
Fraud Detection in the Financial Services Industry

Fraud Detection with Data Mining

Data mining offers a range of techniques that go well beyond computer monitoring and can
identify suspicious cases based on patterns that are suggestive of fraud. These patterns fall into
the following categories:

1. They are unusual in some sense, for example unusual combinations of clinical treatment,
unusually high sales prices, or an unusually high number of accident claims.

2. Unexplained relationships between otherwise apparently unrelated cases, such as a high

proportion of accident victims being treated by the same doctor, real estate sales involving
the same group of people, different organizations with the same address.

3. Common characteristics of fraudulent cases such as intense shopping or calling behaviour of

items or in locations that have not occurred in the past, or billing for treatment and
procedures that a doctor rarely billed for in the past.

These patterns and their discovery are detailed in the following sections. Most of these
approaches attempt to deal with “non-revealing fraud”. Only in cases of “self-revealing” fraud
(such as stolen credit cards) will it become known at some time in the future that certain
transactions had been fraudulent. At that point only a reactive approach is possible, since the
damage has already occurred; this may however also set the basis for attempting to generalize
from these cases and help detect fraud when it reoccurs in similar circumstances. (Approach 3,
below). In order to facilitate fraud discovery in other situations, governments and their agencies
are enforcing special reporting requirements in a variety of areas (such as the logging of bank
transactions in order to detect money laundering). These requirements generate additional data
that can be exploited with data mining.

Approach 1: Unusual Data

In the first set of examples above the data is unusual in some respect: unusual combinations of
otherwise quite acceptable entries; a value that is unusual with respect to a comparison group; or
an unusual value of and by itself. The latter case is probably the easiest to deal with and is an
example of “outlier analysis”. We are interested here only in outliers that are unusual, but are still
acceptable values, for example a value 12 for the number of accidents reported by a policyholder.
The entry of a negative number would simply be a data error in this case, and presumably bear no
relationship to fraud. A “legitimate” but unusually high value could be detected by outlier analysis
or simply by employing descriptive statistics tools, such as measures of mean and standard
deviation, or a box plot; for categorical values the same measures for the frequency of occurrence
would be a good indicator.

Somewhat more difficult is the detection of values that are unusual only with respect to a
reference group. The significance of the number of accidents in the foregoing example was either
based on common experience or its reference group was irrelevant for the problem at hand.
However, in the case of a real estate sales price, the reference group is highly significant: the
price as such may not be very high for houses in general, but it may be high for dwellings of the
same size and type in a given location and economic market. These reference groups are
implicitly specified, at best, when the data are recorded. The judgement that the value is unusual
would only become apparent through data analysis techniques, such as considering

6
 Fraud Detection in the Financial Services Industry

neighbourhood data or comparing the sales price to the prices of similar houses. The technique
for this situation might therefore involve the determination of a reference value by means of
cluster analysis, followed by an outlier analysis to detect cases deviating from this reference
value.

The detection of unusual combinations of values (such as unusual combinations of diagnostic or

therapeutic interventions) may become involved, requiring substantial programming in addition to
the data mining routines. Data mining algorithms are much better at the opposite, namely
determining common combinations, including combinations over time (such as treatments done to
a patient over a certain period). These are called “associations” and “sequences”. However there
may be a huge number of combinations that are quite ordinary, even though they may not be
quite as common as others. When applied to the problem of identifying potentially fraudulent
medical bills, many of the bills may represent rare treatment combinations, perhaps because of
the length of the billing cycle rather than the treatment itself. It is more difficult to find
combinations that are automatically indicative of fraud. In practice, therefore, you need to rely on
medical knowledge in order to focus on particular combinations that should not occur. This
requires augmenting the general-purpose association algorithms with post-processing, sifting
through associations and sequences and testing for the presence or absence of items in a rule-
like fashion. Depending on the rules satisfied, each such bill can then be scored for the probability
of fraud.

Unusual data is not in itself a reliable indication of fraud. Using data mining in this way will extend
the concept of computer monitoring, feeding suspicious cases for manual investigation. In some
of these cases the investigation may succeed in proactively avoiding an impending fraudulent
event.

Approach 2: Unexplained Relationships

In the three examples in (2) above, the unexplained relationships may occur because apparently
unrelated records have the same values for some of the fields (such as same doctor or same
address), or turn out in fact to be related (for example, a group of people exchanging property).

The first possibility is the simpler of the two. The coincidence of values must be genuinely
unexpected, discarding such obvious similarities as the same sex or nationality. For example, in a
suspected case of money laundering, funds may be transferred between two or more companies.
It would be unusual if some of the companies in question had the same mailing address (“mail
box” companies). Assuming that the stored transactions consist of hundreds of variables and that
there may be a large number of transactions, the detection of such similarities is unlikely if not
investigated. From a computational perspective, the problem is in principle simple. It is merely
necessary to count the frequency of occurrence of values in the variables selected. Typically in a
table of companies, each address should be unique, occurring once. In practice, it may not be so
simple to carry this out for large amounts of data and variables with a huge number of values,
such as account numbers or addresses. When applying this technique to many variables and/or
variable combinations, the presence of an automated tool is indispensable. Again positive findings
do not necessarily indicate fraud but suggest that further investigation is necessary.

A variant of this technique involves finding “almost duplicate” records. In the case above this
might apply to companies with slightly different addresses, but otherwise pretty much identical
information. In this situation it may be useful to perform a cluster analysis with a high number of

7
Fraud Detection in the Financial Services Industry

clusters on the variables in question. Obtained clusters can be inspected for suspicious groupings
(for instance doctors submitting claims under different names, such as a maiden name) and
investigated in greater detail.

Other scenarios require the identification of connections between records. In a simple case, the
connection may be through a single record, for example cases where supposed victims of car
accidents seek treatment by the same doctor. Such a connection can be uncovered by the “filter
outlier” technique discussed above, focusing on the “treated by” field of all accident claims and
discarding all records where the doctors listed in the “treated by” field only treated a single or very
few accident patients. The doctors remaining on the list are scrutinized further. This is an iterative
process and may result in some number of false leads; but accident schemes such as this are
usually geographically localized and therefore the size of the database and complexity of result
management are limited.

A more complex case exists when the connection between records occurs through multiple
intervening records. For example a situation where a group of people keeps selling houses to one
another with increasingly inflated prices at each transaction, as a preparatory step for mortgage
fraud. Identifying this collection of records would require navigating from seller to buyer to buyer
and eventually closing the circle. As most buyers of a property will have sold their previous
property, this can be a data intensive search process.

This can be programmed explicitly, for example using SQL to construct a database query. There
are also special purpose tools for this sort of “link analysis”.

Approach 3: Generalizing Characteristics of Fraud

Once specific cases of fraud have been identified you can use them to help predict which other
transactions are likely to be fraudulent. These transactions may have already happened and been
processed, or they may occur in the future. In both cases, this type of analysis is called “predictive
data mining”. Applying this technique requires a sufficiently large set of transactions to allow
generalization and the building of predictors, usually employing one of three data mining tools:
regression, decision tees and neural networks. Depending on the tool used, the predictors may be
more numerically oriented (regression, neural nets) or may be similar to ordinary rules of thumb,
expressed, of course in domain-specific detail.

As useful predictors begin to emerge, they can be applied to historical databases and help identify
fraudulent transactions that have so far gone unnoticed. With the increase of the collection of
identified fraud cases over time, the quality and reliability of the predictors is likely to improve and
eventually stabilize.

The potential advantage of this method over all alternatives previously discussed is that its
reliability can be statistically assessed and verified. If the reliability is high, then most of the
investigative efforts can be concentrated on handling the actual fraud cases, rather than
screening many cases, which may or may not be fraudulent.

8
 Fraud Detection in the Financial Services Industry

Summary of Data Mining Fraud Detection Techniques

In the foregoing section, a number of fraud detection goals have been discussed. Table 1 maps
these goals to appropriate data mining techniques.

Task Goal Data Mining Technique

Find Unusual Data
Identify Unexplained
Relationships
Generalizing
Characteristics of Fraud
Table 1: Data mining fraud detection techniques
Detect records with globally abnormal values Outlier analysis
Detect multiple occurrences of values
Detect direct link between records
Detect records with abnormal reference Cluster analysis and outlier
values analysis
Determine profile of suspects (e.g. claim Cluster analysis
hoarders)
Detect duplicate and almost duplicate records
Detect indirect links between records Social network or link
analysis
Detect records with abnormal value Associations and/or
combinations sequences
Find criteria, such as rules, for detecting fraud, Predictive modelling
based on historical data
Score transactions for likelihood of fraud

In Table 2, some common fraud scenarios are mapped to particular combinations of data mining
techniques that can be used in discovering fraud, for each scenario:

Fraud Scenario Data Mining Techniques Used

Detect over-ordering of medical tests.
Detect fictitious bills: billing by
fraudulent agency, unknown to doctors.
Detect fictitious bills: billing for
impossible claims (such as sex or
age-specific treatments).
Detecting fictitious bills: billing oneself
as a patient (e.g. using maiden name).
Table 2: Data mining techniques used in different fraud scenarios
Uncover associations between tests that are commonly
performed together; this technique will identify doctors who
habitually prescribe unnecessary test or treatment combinations.
Perform doctor clustering with the above results, identifying
groups of doctors with similar prescription or treatment
behaviour. Target them for cost-saving education.
Use associations to generate common billing patterns for each
doctor; for each new bill issued by a doctor compare each
patient’s treatments against the billing pattern and flag, count,
and score unusual combinations
Use outlier analysis to detect direct links between billing
companies, such as multiple occurrences of company address or
executive names
Outlier analysis for globally impossible values in different
reference groups.
Outlier analysis, finding a link between patient’s and doctor’s
record by detecting multiple occurrences of values for presumed
unique entries, such as telephone numbers and addresses.

9
Fraud Detection in the Financial Services Industry

Case Study: Detecting Mortgage Fraud

Misrepresentation of real-estate values can be used in property insurance fraud or mortgage
fraud. In a common scheme houses are bought by a group of people and are then resold among
one another at inflated prices; the resulting (virtual) equity is claimed in property losses or is used
to take out mortgages and/or is resold to unsuspecting buyers. A sample analysis discovering this
kind of fraud is presented in this section.

The first stage is to build a data set consisting of transaction records showing seller, buyer, price,
date and a real estate object ID, which can be mapped to or derived from an address. In this
example, the concentration of fraudulent transactions revealed at each stage is typical of real
findings using Enterprise Miner. We start by supposing that five percent of the original set of
transactions are actually fraudulent.

There are several approaches that can be taken. An obvious exploratory analysis would focus on
properties that have increased in value strongly above average and/or have been subject to
multiple sales.

Figure 1: Exploratory analysis and modelling with and without over-sampling

Exploratory Analysis

Multiple sales can easily be identified with the Filter outlier tool of SAS Enterprise Miner (see
Figure 1). Discarding all objects with fewer than three transactions results in a data set which
contains 20 percent fraudulent transactions, a substantial increase over the initial five percent. In
the context of a large transaction database, it would still be difficult, however, to identify the
fraudulent records. Adding a time constraint on multiple sales will increase the proportion of
fraudulent records even more.

In order to identify objects with strong increases in value, it is convenient to construct a

condensed data set, with one record per object showing starting and ending values over certain
time periods or transaction histories. Using the Transform Variables node additional variables,

10
 Fraud Detection in the Financial Services Industry

such as value increase per time period and number of sales in the time period considered can be
constructed. In this data set fraudulent records are approximately two percent of the data set.
Using the Filter Outlier tool to exclude objects that occur in one transaction only, and allowing only
high value increases and transaction frequencies per time period result in a concentration of
approximately 25 percent fraud cases. In a large data set, this may still be too small for manual
investigation; however, a smaller subset can be created and manually analysed in this way.
Identified fraud cases can then be generalized in a larger data set using predictive modelling.

Predictive Modelling

Predictive modelling attempts to generalize from training data, requiring the presence of historical
or preclassified data that has already been analysed, with the fraudulent cases identified.
Consolidated data (one record per real estate object) is enhanced by additional variables (such as
the ratio of time period to number of transactions that an object was involved in). The flow then
splits into two parts, one part working with the entire data set, and the other with a sample thereof.
Since the fraudulent cases are rare, sampling in this case provides a means to concentrate their
occurrence to the point where a generalization of their properties may become successful. Such is
the case below, where a stratified sample using 20 percent of the data results in an increase of
concentration of fraudulent cases from two percent to ten percent.

The data are then partitioned into training and validation data sets and fed into a Variable
Selection node, which assesses the relative importance of the variables with respect to the target.
The model could be built using regression, decision tree or neural networking tools.

Overall, correct classification is at 97 percent, more importantly all of the fraudulent cases are
correctly classified. This analysis shows how exploratory data mining can be used to initiate
predictive mining, which in turn will lead to the identification of the unknown fraudulent cases and
the associated real estate objects. Knowing the objects will then allow the retrieval of the
implicated sellers and buyers in the original transaction file. It is important to realize that the
transaction-based data set does not reveal any useful predictors. In this type of fraud, any single
transaction looks perfectly legitimate.

Association and Sequence Analysis

The data set also contains groups and subgroups of people who are repeatedly involved with ring-
selling/buying different properties. Association analysis will be able to identify these groups.

11
Fraud Detection in the Financial Services Industry

Link Analysis

For the type of fraud discussed here, link analysis would be the most direct way of identifying
fraudulent chains. These types of graphs can be created with a combination of data manipulation
and plotting using SAS/OR® software (see Figure 2).

Figure 2: Link plot sub-setted to circular activities

It needs to be noted, however, that this particular code will only discover fully circular selling
transactions, not other types of fraudulent chains, which are better uncovered with exploratory
analysis. While link analysis is a useful technique, there are other techniques, such as
associations, which often achieve the same results.

Conclusions

Data mining can bring different technologies to bear on complex issues, such as the identification
of fraudulent transactions. It is usually necessary to use several of these technologies in order to
succeed in solving the problem. The exact choice and mix of these technologies depends to a
large extent on the specific application as well as characteristics of the available data.

In the examples presented above, predictive analysis was employed as well as several types of
exploratory analysis. The predictive analysis results in SAS code that can be applied to new data
and predict their likelihood of being fraudulent. The various exploratory techniques attempt to
directly identify the fraudulent transactions in the data at hand. Most successful in this regard
were the association and link analysis techniques that identified all fraudulent transactions.

12
 Fraud Detection in the Financial Services Industry

Case Study 2: Credit Card Fraud

Data Model

This investigation begins with 4736 credit card transactions, containing approximately 20 percent
fraudulent cases.

Analysis

A standard predictive mining flow is shown in Figure 3, involving the use of the Data Replacement
node to impute missing values, the Data Partition node to generate training and validation data
sets, and the Variable Selection node to bin variable values, determine predictive interactions and
reject unneeded variables. Two modelling tools are used, namely the decision tree and the neural
net, their results are compared in an Assessment node.

Figure 3: Predictive modelling

The comparison of the results in the Assessment node can be visualized with a variety of charts
and tables, the most popular of which is the “lift chart”, shown in Figure 4. In this chart, the data
set records are sorted by their likelihood to be fraudulent, as predicted by the two models – the
decision tree (middle curve), and the neural net (upper curve). The curves shows that the top ten
percent of the data that the neural network predicted to be fraudulent actually contains
approximately 78 percent fraudulent data. The corresponding figure for the decision tree is
approximately 66 percent. The figures for the top 20 percent are approximately 61 percent and 50
percent respectively. This is much better than the baseline (lower curve) which represents the
likelihood that a randomly drawn record is fraudulent. The results also show that the neural
network performs better than the decision tree.

13
Fraud Detection in the Financial Services Industry

Figure 4: Lift chart comparing the results

A decision tree has the advantage, however, of being much easier to interpret than a neural
network. This can be confirmed by looking at the results for the decision tree, as outlined in Figure
5, showing the first three splitting levels. Due to reasons of space, the decision tree has been
partitioned at the root, and the left and right half are shown in separate figures.

Figure 5a: First three levels of the left half of the decision tree

14
 Fraud Detection in the Financial Services Industry

Figure 5b: First three levels of the right half of the decision tree

The most important variables are the credit card usage count, the amounts spent during a day
and its ratio to the cumulated time intervals between transactions (in other words focusing on high
amounts spent during a short time). Most of the high fraud cases correspond to transactions with
high usage and high amounts during a day.

In general, the more important tests for the target investigated (here fraud) occur higher up, near
the root of the tree. In our case, the most important criterion differentiating fraudulent from non-
fraudulent data is the daily usage count, that is to say, how often a card is used per day. The next
most important test concerns the daily amount charged, followed by a ratio of amount charged to
time passed since the last usage.

Conclusion

Using predictive data mining allows the construction of a model that can be used to predict the
likelihood of a transaction to be fraudulent. In the case of decision trees, this model can be easily
visualized as a sequence of tests or questions. These can be verified by business specialists and
implemented in a program, or early warning manual system. Results from a neural net cannot be
easily interpreted, but may outperform decision trees, as happened in this case. The comparison
between the modelling tools takes places in the Assessment node and allows the selection of the
most efficient model for a task. Each modelling tool will generate program code that can be
applied to new data, thereby predicting the likelihood of fraud for future transactions, which is the
purpose of this investigation.

15
Fraud Detection in the Financial Services Industry

Summary
Fraud is broad ranging and in many cases difficult to detect. For financial services companies it
represents a serious threat to company profitability and public confidence. As the volumes of data
held by financial services companies increases, traditional techniques of fraud detection are time-
consuming and will not uncover many types of fraud. Therefore many companies are looking to
their IT departments to assist them. However, most IT departments do not have the technology
required to support the more complex investigations, which is a source of frustration for senior
managers and IT professionals alike.

Fraud Detection is an integral part of the SAS Solution for CRM. It provides financial services
companies with ways of identifying or predicting fraudulent transactions. In this white paper we
have given a couple of examples of how the solution works in practice. The solution is based on
SAS software, the world’s leading software for predictive analysis. The data mining capabilities of
SAS software have been packaged in Enterprise Miner, a GUI-based solution that supports joint
projects between IT, analytical and other professionals in the financial services sector.

16
 Fraud Detection in the Financial Services Industry

Appendix: Enterprise Miner

Data mining involves an interactive, iterative procedure in order to generate new information from
data. SAS Institute defines data mining as “the process of selecting, exploring, and modelling
large amounts of data to uncover previously unknown patterns of data for business advantage.”

What is required to structure the data mining process is a framework of data mining tasks and the
sequence of these tasks. SAS Institute defines this framework as the SEMMA Methodology.
SEMMA (Sample, Explore, Modify, Model and Assess) describes a sequence of steps that may
be followed during a data mining analysis.

This logical superstructure provides users with a scientific, structured way of conceptualizing,
creating, and evaluating data mining projects. The graphical user interface (GUI) and functionality
of Enterprise Miner are constructed to support this methodology. As the following figure (Figure1)
shows, the Tool window on the left consists of all the analysis options organized according to the
SEMMA process. Users can choose the tool nodes either from the Tools window or by
customizing their own Tool Bar at the top of the window. By dragging and dropping the tool nodes
onto the diagram editor, the user can construct a process flow diagram (PFD) of his own data
mining project.

Figure 6 Enterprise Miner’s GUI, supporting the SEMMA Methodology

For a detailed description of the SEMMA Methodology, please refer to the SAS Institute White
Paper, From Data to Business Advantage: Data Mining, SEMMA Methodology, and the SAS
System, Cary, NC: SAS Institute Inc. (1997).

17
Fraud Detection in the Financial Services Industry

References and Further Reading

Topical

“Unwitting Doctors and Patients Exploited in a Vast Billing Fraud”, New York Times,
February 6, 1998.

“Fraud Scheme Involving 91 Is Broken Up, Officials Say”, New York Times, October 14,
1998.

“Health Care’s Giant: Artful Accounting – A special report. Hospital Chain Cheated U.S. On
Expenses, Documents Show” New York Times, December. 18, 1997.

“U.S. Auditing Five Hospitals In New York” New York Times, April 5, 1998.

Hoffman, Thomas. “Empire strikes back against legacy system” ComputerWorld, Vol. 30, No.
43 (October 1996), 12.

Hoffman, Thomas and Nash, Kim S. “Data mining unearths customers,” ComputerWorld, Vol.
29, No. 28 (July 1995), 1, 28.

Sparrow, Malcolm K. “License to Steal: Why Fraud Plagues America’s Health Care System”
Westview Press, 1996.

Way, Paul. “Decision time for decision support” Insurance & Technology, Vol. 21, No. 8
(August 1996), 30-34.

Way, Paul. “Managing knowledge: the CIO’s next challenge” Insurance & Technology, Vol.
21, No. 8 (August 1996), 52.

Williams, Nia. “Data mining with neural networks” Insurance Systems Bulletin, Vol. 9, No. 7
(March 1994), 3-4.

18
 Fraud Detection in the Financial Services Industry

SAS Institute White Papers

SAS Institute Inc., (1996), SAS Institute White Paper, SAS Institute’s Rapid Warehousing
Methodology, Cary, NC: SAS Institute Inc.

SAS Institute Inc., (1999), SAS Institute White Paper, Finding the Solution to Data Mining – A
map of the features of SAS® Enterprise Miner™ Software, Version 3, Cary, NC: SAS
Institute Inc.

SAS Institute Inc., (1999), SAS Institute Best Practice Paper, Data Mining and the Case for
™
Sampling: Solving Business Problems Using SAS Enterprise Miner Software, Cary, NC:
SAS Institute Inc.

SAS Institute Inc., (1999), SAS Institute Solution Overview, The SAS® Solution for Customer
Relationship Management, Cary, NC: SAS Institute Inc.

SAS Institute Inc., (1997), SAS Institute White Paper, From Data to Business Advantage:
Data Mining, SEMMA Methodology, and the SAS System, Cary, NC: SAS Institute Inc.

SAS Institute Inc., (1997), SAS Institute White Paper, Business Intelligence Systems and
Data Mining, Cary, NC: SAS Institute Inc.

19
Fraud Detection in the Financial Services Industry

20
Fraud Detection in the Financial Services Industry

21
Driving Performance Improvements in the Health Service

SAS UK & Ireland SAS International SAS World Headquarters

Wittington House PO Box 10 53 40 SAS Campus Drive
Henley Road, Medmenham Neuenheimer Landstr. 28030 Cary, NC 27513 USA
Marlow, Bucks SL7 2EB D-69043 Heidelberg, Germany Tel: (919) 677 8000
Tel: +44 (0)1628 486933 Tel: (49) 6221 4160 Fax: (919) 677 4444
Fax: +44 (0)1628 483203 Fax: (40) 6221 474850 www.sas.com
www.sas.com/uk
SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries.
2
® indicates USA registration. Other brand and product names are trademarks of their respective companies. Copyright ©2002, SAS Institute Inc. All rights reserved. 0166UK1001