Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility
DECEMBER 2019
Julie Conroy
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. Photocopying or electronic distribution of this document or any of its contents without prior written consent of the publisher violates U.S. copyright law, and is punishable by statutory damages of up to US$150,000 per infringement, plus attorneys’ fees (17 USC 504 et seq.). Without advance permission, illegal copying includes regular photocopying, faxing, excerpting, forwarding electronically, and sharing of online access.
Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
TABLE OF CONTENTS IMPACT POINTS ...... 4 INTRODUCTION ...... 5 METHODOLOGY ...... 5 THE MARKET ...... 7 VENDOR SOLUTIONS ...... 14 ACI WORLDWIDE ...... 23 BAE SYSTEMS ...... 24 BIOCATCH...... 25 BOTTOMLINE TECHNOLOGIES ...... 25 CA ...... 26 EARLY WARNING SERVICES ...... 26 ENTERSEKT ...... 26 EQUIFAX ...... 27 EXPERIAN ...... 27 FEATURESPACE ...... 28 FEEDZAI ...... 29 FICO ...... 30 GBG ...... 31 GEMALTO ...... 31 GIACT ...... 31 IBM ...... 32 IDENTITYMIND ...... 32 IDOLOGY ...... 33 LEXISNEXIS RISK SOLUTIONS ...... 33 NICE ACTIMIZE ...... 34 ONESPAN ...... 36 SAS ...... 36 SIMILITY ...... 37 TRANSMIT SECURITY ...... 37 TRANSUNION ...... 38 TSYS 38 CONCLUSION ...... 40 RELATED AITE GROUP RESEARCH ...... 41 ABOUT AITE GROUP...... 42 AUTHOR INFORMATION ...... 42 CONTACT ...... 42
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 2 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
LIST OF FIGURES FIGURE 1: THE HUB ...... 8 FIGURE 2: THE HUB MATURITY CURVE ...... 9 FIGURE 3: FIS’ TOP FRAUD PAIN POINTS ...... 11 FIGURE 4: FIS’ PLANS TO IMPLEMENT RISK HUBS ...... 12
LIST OF TABLES TABLE A: PARTICIPATING VENDORS ...... 5 TABLE B: MARKET TRENDS AND IMPLICATIONS ...... 12 TABLE C: DEPLOYMENT OPTIONS ...... 14 TABLE D: HUB CAPABILITIES ...... 16 TABLE E: HUB CAPABILITIES ...... 17 TABLE F: HUB CAPABILITIES ...... 19 TABLE G: CONTRACTING AND MULTI-TENANT SUPPORT ...... 22
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 3 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
IMPACT POINTS
• Hubs are a buzzy concept in risk and authentication. The vendor landscape is increasingly crowded since there is so much interest among financial services firms in investing in providers with these capabilities. The category begins with fraud or authentication hubs, which are platforms that enable a business to connect to one vendor via API or on-premises integration, which then facilitate access to multiple detection and/or authentication point solutions and provides a risk engine to integrate the results. The evolution of this theme expands to orchestration, in which the risk engine is able to ingest and analyze clients’ internal contextual customer and transactional data in order to contextualize risk and authentication decisions.
• Twenty-six vendors participated in the research. In addition, Aite Group surveyed fraud and anti-money laundering (AML) executives about their plans to invest in hubs at its 2018 and 2019 Aite Group Financial Crime Forum conferences.
• Thirty-six percent of financial institutions (FIs) surveyed indicate that they have already implemented a hub. Another 45% of FIs surveyed in 2019 indicate that they are likely or very likely to implement a hub in the next one to two years.
• Hubs can solve multiple pain points for financial services firms. While in recent years, account takeover has been the number one pain point for retail FIs, application fraud has achieved equal status as a key pain point. Harnessing internal data to feed analytics is also a top challenge for risk executives. The good news is that sophisticated hubs can help address all these challenges
• While the concept manifests in a few different ways, some key attributes include having one API; a central communication layer that can facilitate input from external point solutions; the option of a single contract with the hub vendor; and a sophisticated risk engine that can ingest alerts from multiple solutions, assess the transaction risk, and leverage the client’s internal customer data to orchestrate next steps based on the risk scores from the various inputs.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 4 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
INTRODUCTION
Hubs are a buzzy concept in risk and authentication, and the vendor landscape is increasingly crowded since there is so much interest among financial services firms in investing in providers with these capabilities. The category begins with fraud detection and authentication hubs, which are platforms that enable a business to connect to one vendor via API or on-premises integration, which then facilitate access to multiple detection and/or authentication point solutions and provide a risk engine to integrate the results. The evolution of this theme expands to orchestration, in which the risk engine is able to ingest and analyze clients’ internal contextual customer and transactional data in order to contextualize risk and authentication decisions.
These hubs solve many pain points as FIs and fintech firms struggle to keep pace with the steadily escalating threat environment while enabling excellent customer experiences. This Impact Report sets forth the key functional elements and details the capabilities of multiple vendors that have offerings in this arena. While on the surface, the vendors’ marketing messages sound similar, once the covers are peeled back, the various offerings have a number of differences.
METHODOLOGY To augment its ongoing conversations with financial services executives and vendors about the rising interest and investment in orchestration platforms, Aite Group sent requests for information to market players. Twenty-six vendors participated in the research, as shown in Table A. In addition, Aite Group surveyed fraud and AML executives about their plans to invest in hubs at its 2018 and 2019 Aite Group Financial Crime Forum conferences, and those survey results are also discussed within.
Table A: Participating Vendors Company Headquarters Product name(s) ACI Worldwide Naples, Florida UP Payments Risk Management
BAE Systems London NetReveal Fraud Hub
BioCatch Boston BioCatch
Portsmouth, New Digital Banking IQ Secure Bottomline Technologies Hampshire
CA, a Broadcom company San Jose, California Layer7 Rapid App Security
Early Warning Services Scottsdale, Arizona EWS Engine Platform Solution Suite
Entersekt Cape Town Entersekt Secure Platform (ESP)
Equifax Atlanta Luminate
Experian Dublin CrossCore
Featurespace Cambridge, U.K. Aric Risk Hub
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 5 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Company Headquarters Product name(s) Feedzai San Mateo, California Feedzai Pulse
San Jose, California Data Management Platform
FICO Data Orchestrator FICO Falcon 6
Falcon X
GBG* Chester, U.K. GBG Instinct
Gemalto, a Thales company Paris IdCloud Fraud Prevention
GIACT Allen, Texas Epic Platform
Armonk, New York IBM Cloud Identity
IBM IBM Safer Payments
IBM Trusteer
IdentityMind Palo Alto, California IdentityMind Platform
IDology* Atlanta ExpectID
LexisNexis Risk Solutions Alpharetta, Georgia Dynamic Decision Platform
Hoboken, New Jersey Integrated Fraud Management Platform Nice Actimize (IFM) Authentication-IQ
Chicago Intelligent Adaptive Authentication
OneSpan Secure Agreement Automation
Risk Analytics
Cary, North Carolina Business Orchestration Services (BOSS)
SAS On-Demand Decision Engine (component of SAS Fraud Management)
Simility, a PayPal service San Jose, California Adaptive Decisioning Platform
Transmit Security Boston Transmit Security Platform
TransUnion Chicago IDVision
TSYS Columbus, Georgia TSYS Authentication Platform
Source: Aite Group, vendors *While GBG acquired IDology in February 2019, the companies currently maintain separate hub platforms for different geographies, so the two are discussed individually in this report.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 6 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
THE MARKET
Time is money when it comes to effective fraud prevention. Absent a nimble ability to evolve tactics in the face of increasingly sophisticated attacks, financial services firms are faced with the tough choice of implementing risk controls that constrain the user experience, inserting authentication mechanisms that can induce friction, or absorbing more losses.
Given the rapid pace with which cybercrime is progressing, many FIs and fintech firms are trying to find ways to iterate their fraud and AML strategies more rapidly. This evolution is not simple, however; financial services firms (FIs in particular) face a series of challenges in deploying new technology:
• IT resource constraints: IT resources are an in-demand commodity, with business cases and lengthy lead times required to get a project in queue.
• Vendor risk management overhead: The internal processes associated with vetting new vendors are particularly problematic at FIs; executives interviewed by Aite Group report that vendor risk management overhead can add at least six months to the implementation process.
• Additive alerts: Ensuring that the alerts produced by multiple point solutions are not additive but are instead evaluated in a holistic manner is another challenge. This requires evaluation by a risk engine, either homegrown or supplied by a third-party vendor.
• Contextualizing the customer risk journey: In the optimal scenario, financial services firms will be able to leverage their existing knowledge of client behavior to tailor their stepped-up authentication decisions down to the customer level. In this way, the decision to insert friction is no longer the product of an if-then rule (e.g., if a person-to-person (P2P) transaction exceeds US$500, then send a one-time password (OTP)) and instead takes into account the customer’s past behaviors to determine whether friction is appropriate.
• Harnessing data: Bringing together the requisite data to achieve that level of contextualization is another key challenge. The data is usually siloed by product and channel, in differing formats and schemas, and is often not in the best state of hygiene. This makes it very difficult to develop an omnichannel, holistic view of a customer.
Over the past few years, the hub concept has emerged to help address these challenges. While this manifests in a few ways, some key attributes follow (Figure 1):
• Single contract: Some platforms maintain the contractual relationships with the myriad vendors available on the hub, so the client only needs to sign one contract with the hub vendor. This can alleviate the overhead associated with internal vendor risk-management processes as well as reducing the ongoing vendor-management burden and expense.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 7 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
• One API: The client only has to code to one API to the platform vendor. The platform vendor, in turn, has API connections to multiple detection and authentication point solution vendors. This enables businesses to evolve their fraud, authentication, and, in some cases, AML strategies without the need to tap into IT resources on an ongoing basis.
• Communication layer: The communication layer can not only facilitate input from external point solutions but optimally will also enable ingestion and integration of the client’s internal customer data, which is instrumental in effective decisioning and orchestration.
• Risk engine: True orchestration requires a sophisticated risk engine that can ingest alerts from multiple solutions, assess the transaction risk, and leverage the client’s internal customer data to orchestrate next steps based on the risk scores from the various inputs. Orchestration entails the ability to take action based on the outcome of the risk decision, (e.g., if the P2P transaction is to a new payee and from a device that was added to the profile less than X days ago, then invoke a step-up challenge).
• Profiling and decisioning layers: These layers perform the contextualization, and drive decisions for what to do next, (e.g., go to vendor C for more data, or go to vendor F to invoke stepped-up authentication).
Figure 1: The Hub
Source: Aite Group
Once adopted, this technology can enable businesses to be much more nimble in the face of evolving threats. Not only can the platform allow companies to quickly integrate additional technologies as needed, but it can also theoretically streamline the technology evaluation stage by facilitating value tests among vendors with competitive capabilities without requiring business-line executives to wait in line for internal IT resources. The orchestration capability can also help with cost management by enabling selective use of external vendors based on a
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 8 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019 customer’s risk profile. The concept displays a variety of stages of maturity, as illustrated by the curve in Figure 2.
Figure 2: The Hub Maturity Curve
Complex orchestration hub • One API call to one provider that enables Hub-and-spoke with risk access to multiple engine detection and/or • One API call to one authentication provider that enables solutions access to multiple • Risk engine to facilitate Hub-and-spoke detection and/or scoring driven by • One API call to one authentication machine learning provider that enables solutions analytics access to multiple • Risk engine to • Ability to ingest firm’s detection and/or facilitate scoring internal customer data authentication driven by machine to contextualize solutions learning analytics authentication • Primarily rules-based • Primarily rules-based decisions policy manager to policy manager to • Native consortium- drive authentication drive authentication data-driven decisions decisions intelligence
Source: Aite Group
The first stage of vendor solutions on the maturity curve includes solutions whose primary value centers around the hub-and-spoke concept, with multiple external partnerships and out-of-the- box API calls to a variety of detection and/or authentication point solutions. The analytic engine that aggregates alerts is largely driven by judgmental inputs, and stepped-up authentication routines are handled by policy managers that are primarily rules-based.
In the second stage of maturity, the platforms include more sophisticated risk engines that incorporate machine-learning analytics to drive the aggregation of alerts. These models are often vendor-supplied, but many platforms also enable clients to upload their own custom models via predictive model markup language (PMML), the industry’s standard XML-based predictive model communication format. The second phase of maturity also includes the ability to support distinct multi-tenant requirements across different product portfolios and geographies, since verification and authentication needs vary widely from country to country.
The third stage of maturity includes the ability to do everything described in the first two stages and adds the ability to ingest and analyze firms’ own internal customer data to provide contextual relevance to the risk decision. This is not an easy feat since this requires building customer-level behavioral profiles, which is non-trivial, and instrumenting decisioning logic based on them, even more difficult. The risk engine and its associated data ingestion and analytic capabilities are the secret sauce for any hub. This is the cornerstone of the hub’s orchestration capabilities and, properly equipped and executed, can enable the platform to truly
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 9 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019 tailor risk assessment at the customer level. The third stage of maturity often includes the ability to add a native, consortium-based intelligence capability.
This is much easier said than done; only a handful of providers in the market are approaching this final stage. This technology also depends heavily on the client’s ability to effectively wrangle its own internal data so that it is available to the solution on a timely and high-quality basis. A further consideration is the requisite feedback loop to the various back-office systems at the FI— this is an incredibly complex undertaking, which means that there is no one-size-fits-all solution at this third stage of maturity.
The market is seeing a convergence of different types of vendors offering hub solutions. Vendors that started with the hub-and-spoke concept for fraud and/or authentication and then added more sophisticated risk engines have been joined by vendors that started in the analytic risk engine space and subsequently added the hub-and-spoke capability to their risk engines for detection and stepped-up authentication.
This means that there are two types of orchestration that the platform at the optimal state of maturity must support—data orchestration and process/action orchestration. Data orchestration is traditionally more in the domain of fraud hubs, while process/action orchestration has been more in the purview of vendors that started in the authentication space. Vendors that started with an authentication hub have focused on orchestrating the cross-channel customer journey, while those that began as fraud hubs have a core competency in orchestrating the detection process. That said, these previously distinct areas of focus are rapidly converging.
ONE SIZE DOESN’T FIT ALL As discussed above, there is a wide range in the level of capabilities and sophistication of the hubs in the market. Financial services firms in the market for a hub should consider their key business case drivers and how their needs will evolve over the next few years. For some firms, the most pressing need is the one-stop shop, and they don’t have the appetite (or budget) for the complexity of true orchestration. For those firms, a solution earlier on the maturity curve would be the right fit. Other firms are ready for the challenge of orchestration and therefore will need a solution with the sophisticated risk engine and in-house expertise that can enable that level of data wrangling.
MARKET APPETITE FOR ORCHESTRATION HUBS Hubs address multiple pain points for financial services firms. While in recent years, account takeover has been the number one pain point for retail FIs, application fraud has achieved equal status as a key pain point (Figure 3). Harnessing internal data to feed analytics is also a top challenge for risk executives. The good news is that hubs can help address all of these pain points.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 10 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Figure 3: FIs’ Top Fraud Pain Points
Q. What are your current top two pain points in your fraud operation? (n=27)
Harnessing internal data to feed analytics 37% Application fraud 33% Account takeover 26% Too many false positives 22% Real-time payments fraud 19% Too much friction in the client experience 19% Card fraud 11% Inability to find talent to fill staffing needs 7% Check fraud 7% Ineffective detection routines 4% Other 11%
Source: Aite Group survey of 30 fraud and AML professionals, September 2019
The extent to which this concept is resonating with the market is evident in Figure 4. Thirty-six percent of FIs surveyed at Aite Group’s 2019 Financial Crime Forum indicate that they have already implemented a hub—11% greater than the proportion of FIs that had already implemented when surveyed at the same event in 2018. Another 45% of FIs surveyed in 2019 indicate that they are likely or very likely to implement a hub in the next one to two years. Some large banks have built their own solutions—most of these embarked upon this journey before vendor solutions were widely available. With the wide variety of vendor solutions in the market, many FIs interviewed for this report are either partnering or planning to partner with a vendor for their orchestration hub solution, rather than try to build it internally.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 11 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Figure 4: FIs’ Plans to Implement Risk Hubs
Q. How likely is your FI to implement an orchestration hub in the next 1 to 2 years?
2018 (n=20) 25% 45% 15% 15%
2019 (n=22) 36% 36% 9% 18%
Already implemented Very likely Likely Not likely
Source: Aite Group survey of 32 fraud and AML professionals, September 2018, and Aite Group survey of 30 fraud and AML professionals, September 2019
Regional regulation is also a key factor driving interest in enhanced risk assessment and authentication orchestration capabilities. A prime example of this is the European Strong Customer Authentication (SCA) requirement mandated by the second Payment Services Directive (PSD2). This requires that electronic payments in the EU are performed with multifactor authentication but also sets forth a series of exemptions to that requirement. Many issuers are keen to take onboard more sophisticated risk-analytic and orchestration capabilities so that they can maintain compliance while minimizing the amount of friction that will result from this mandate.1
Table B summarizes the key trends driving the market to invest in orchestration hubs.
Table B: Market Trends and Implications Market trends Market implications Criminal attacks continue to Financial services firms are forced to either absorb more fraud losses escalate, while bureaucratic or insert friction, which adversely impacts the customer experience. overhead slows responses.
1. See Aite Group’s report PSD2: Advent of the New Payments Market in Europe, March 2019.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 12 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Market trends Market implications Digital identity indicators With more than 14.7 billion data records compromised since 2013, have become a crucial input organized crime rings have an unprecedented amount of data at their 2 into risk assessment disposal to fuel application fraud and account takeover attacks. With decisions. static data in the hands of the bad guys, the use of digital identity data such as behavioral biometrics, device identity and reputation, mobile phone ownership, and email tenure and reputation are critical to firms’ risk assessment decisions, and integration of those inputs via a sophisticated risk engine is key to success.
Positive customer Risk executives increasingly feel like they are wearing two hats—one experiences are a key is the traditional hat of loss prevention and catching the bad guys, competitive differentiator. and the other is ensuring that the mitigation strategies do not encumber the customer experience. The latter is increasingly the hat with greater weight and is driving the majority of investment decisions, and thus the importance of adding contextualizing authentication. Ensuring a great customer experience is a core driver of orchestration because it requires instrumenting continuous, ongoing, incremental risk decisioning throughout the customer journey. For example, instead of letting a customer get all the way through an account opening flow and then decline them because of the battery of fraud detection checks, the fraud screenings are incremental and orchestrated. In this way, the FI can either decline the customer earlier, or steer them toward the appropriate account type.
Many vendors are seeking to Many vendors have recognized the challenges listed above and come address market challenges to market with solutions. The marketing messages often sound with a variety of iterations of similar, which makes it difficult for buyers to understand which the hub. solutions best map to their needs.
Regulatory mandates require Financial services firms are looking to risk analytics to help them stronger risk controls. achieve compliance while minimizing the disruption of the client experience.
Source: Aite Group
2. “Breach Level Index,” Gemalto, accessed October 19, 2019, http://breachlevelindex.com.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 13 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
VENDOR SOLUTIONS
The vendor landscape is crowded and diverse, thanks to the convergence of various vendor types that are embracing the hub concept. Vendors enable a variety of deployment options, as shown in Table C. While the industry is seeing increasing appetite for cloud-based deployments for fraud and AML,3 the use cases for the hub and their tolerance for transaction latency are key considerations when choosing between on-premises and cloud deployments.
Table C: Deployment Options Company Deployment options Public cloud Vendor-hosted Private Hybrid On premises SaaS ACI Worldwide ● ○ ● ● ●
BAE Systems ● ○ ● ● ●
BioCatch ● ● ○ ○ ○
Bottomline ○ ○ ● ○ ○ Technologies
CA ● ○ ● ● ●
Early Warning ● ● ○ ○ ○ Services
Entersekt ● ● ● ○ ●
Equifax ● ● ● ○ ●
Experian ● ● ○ ● ○
Featurespace ● ○ ● ● ●
Feedzai ● ○ ● ● ●
FICO ● ● ○ ● ●
GBG ○ ○ ● ● ●
Gemalto ● ○ ○ ● ○
3. See Aite Group’s report AIM Evaluation: Fraud and AML Machine Learning Platform Vendors, March 2019.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 14 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Company Deployment options Public cloud Vendor-hosted Private Hybrid On premises SaaS Giact ○ ● ○ ○ ○
IBM ● ○ ○ ● ○
IdentityMind ○ ● ○ ● ○
IDology ○ ● ○ ○ ○
LexisNexis Risk ○ ● ○ ○ ○ Solutions
Nice Actimize ● ● ● ● ●
OneSpan ● ○ ● ○ ●
SAS ● ● ● ● ●
Simility ● ○ ● ○ ●
Transmit ● ● ● ● ● Security
TransUnion ○ ● ○ ● ○
TSYS ○ ○ ● ○ ○
Source: Aite Group, vendors Key: ○= Not supported; ●= Supported
As discussed earlier, a foundational element of hubs is the ability to access multiple detection and authentication capabilities via a single query to the platform vendor. As shown in Table D, Table E, and Table F, many of the vendors have combined native capabilities with a robust partner ecosystem.4 There are a few variations on this model—a couple of the vendors take a white-labeled approach and decline to disclose their vendor partners, while BAE Systems employs a vendor-agnostic approach, in which it establishes the vendor connections on an ad hoc basis based on the client’s preference, and it also has a few out-of-the-box capabilities, as noted in the tables below. Most vendors also state that their approach is to add vendor connections based on client demand; many of these vendors state that additional vendor connections can be added in as little as two weeks.
4. For more detailed information on each of these detection and authentication capabilities, see Aite Group’s report Digital Authentication: New Opportunities to Enhance the Customer Journey, September, 2017.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 15 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Table D: Hub Capabilities Company SMS one- Mobile Transaction Dynamic Document Behavioral time app push signing knowledge- scanning and biometrics password based authentication authentication ACI Money- Money- ○ ○ ○ BioCatch Worldwide Guard Guard
BAE Systems ○ ○ ○ ○ ○ ○
BioCatch ○ ○ ○ ○ ○ ●
Bottomline Twilio ○ ○ LexisNexis Risk ○ ○ Technologies Solutions
CA ● ● ● ● ○ ○
Early Syniverse ● ● ○ ○ ○ Warning Services
Entersekt ● ● ● ○ ○ BioCatch
Equifax ● ● ○ ● ○ ○
Telesign ○ ○ ● Acuant, Mitek, BioCatch, Experian Onfido NuData Security
Kobil, Entersekt, Kobil ○ Jumio ● Telrock, Kobil Featurespace Adeptra, Entersekt
Feedzai ○ ○ ○ Experian Mitek BioCatch
FICO ● ● ● ● ● ●
GBG ○ ○ ○ ○ ● ○
Gemalto ● ● ● ● ● BehavioSec
Giact ● ● ○ ● ● ○
IBM ● ● ● ● ○ ●
IdentityMind Twilio ○ ○ ID Analytics Acuant, Mitek BioCatch
IDology ● ○ ○ ● ● ○
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 16 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Company SMS one- Mobile Transaction Dynamic Document Behavioral time app push signing knowledge- scanning and biometrics password based authentication authentication LexisNexis ● ● ● ● ● ●, Risk BioCatch Solutions
Tele- Tele- Daon, Au10tix, Daon, Buguroo, Nice ○ message message, Facebanx Facebanx, BehavioSec Actimize Daon Jumio
Clickatell, ● ● Equifax, Jumio, Mitek, BehavioSec OneSpan Twillio, Experian Veridas Tyntec
FICO, Fiserv FICO, Giact Intellicheck, BioCatch SAS ○ Fiserv Gemalto
Simility ○ ○ ○ ○ ○ ○
● Telesign, ● ● ● Incorporates iProov, Onfido ● Transmit Early data inputs BioCatch, Security Warning from multiple Secured- Services, providers Touch Nexmo
Partners, Partner, TransUnion ● ○ ● ○ undisclosed undisclosed
TSYS ● ● ○ ○ ○ ○
Source: Aite Group, vendors Key: ●= Native, ○= Not an out-of-box capability
Table E: Hub Capabilities Company Verification Facial Fingerprint Voice Device identity/ of PII biometric biometric biometric reputation ACI TransUnion Facebanx ○ ○ iovation Worldwide
BAE Systems ○* ○* ○ ○ ○
BioCatch ○ ○ ○ ○ ●
Socure, ○ ○ ○ ThreatMetrix Bottomline LexisNexis Technologies Risk Solutions
CA ○ ● ● ○ ●
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 17 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Company Verification Facial Fingerprint Voice Device identity/ of PII biometric biometric biometric reputation Early ● ● ● Windstream, ●, InAuth Warning Nuance Services
Entersekt ○ ● ● ○ ●
●, Partners, ○ ○ ○ ● Equifax undisclosed
Daon, Oiti, Daon Daon, AimBrain Experian ● ● AimBrain
TransUnion AimBrain InAuth, iovation, Featurespace ○ ○ ThreatMetrix
Ekata, Jumio ○ Pindrop Experian, InAuth, Feedzai Emailage, Security iovation, Experian ThreatMetrix
FICO ● ● ● ● ●
Partners, GBG ● ● ○ ○ undisclosed
Neuro- ● ○ ●, InAuth, Gemalto technology ThreatMetrix
Partners, Giact ○ ○ ○ ● undisclosed
●, ●, Partners, ●, Partners, ●, Partners, ● IBM Partners, undisclosed undisclosed undisclosed undisclosed
Experian, Acuant, ○ ○ ●, Augur, iovation GBG, Mitek IDology, Neoway, Circulo de IdentityMind Credito, Renapo, Telesign, Neustar, ID Analytics
IDology ● ○ ○ ○ ○
LexisNexis ● Acuant ● Nuance ● Risk Solutions
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 18 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Company Verification Facial Fingerprint Voice Device identity/ of PII biometric biometric biometric reputation Nice Ekata Daon, Daon, Daon, Facebanx Buguroo, Actimize Facebanx Facebanx BehavioSec, Daon
Equifax, Aware, OneSpan ● ○ ● Experian Veridas
Giact, ThreatMetrix, SAS ○ ○ ○ Socure iovation
Ekata, ○ ○ ○ ● Equifax, LexisNexis Risk Solutions, Simility United States Postal Service, TeleSign
Equifax, ●, Cognitec, ● Nuance ● Transmit Experian Security FaceTec, Mobile SDK
TransUnion ● ● ● ○ ●
Emailage, InAuth TSYS ○ ○ ○ Payfone
Source: Aite Group, vendors Key: ●= Native, ○= Not an out-of-box capability
*BAE Systems can send and receive SMS, email, and push notifications through the FI’s communication hub
Table F: Hub Capabilities Company Mobile Email Malware/ Global Link analysis phone reputation jailbreak sanctions lists ownership detection Emailage Eunexus, W2, Experian e-Sight, ACI Worldwide ○ iovation Pegasystems
Arachnys, BAE Systems ○ ○ ○ ● Dow Jones
BioCatch ○ ○ ● ○ ●
Bottomline Socure Socure ThreatMetrix Experian ○ Technologies
CA ● ○ ● ● ○
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 19 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Company Mobile Email Malware/ Global Link analysis phone reputation jailbreak sanctions lists ownership detection Early Warning Payfone ○ InAuth ○ ○ Services
Entersekt ○ ○ ● ○ ○
Equifax ● ● ○ ○ ●
Experian Boku Emailage ● ● ●
Boku, Ekata, InAuth, Dow Jones, ● Featurespace Payfone Emailage ThreatMetrix LexisNexis Risk Solutions
Ekata, Ekata, Experian, Global Radar ● Zumigo Emailage InAuth, Feedzai iovation, ThreatMetrix
FICO ○ ○ ● ● ●
Partners, Emailage Partners, GBG ○ ○ undisclosed undisclosed
○ ○ ●, InAuth, Dow Jones ○ Gemalto ThreatMetrix Zimperium
Giact ● ● ○ ● ○
Partners, IBM ● ● ○ ● undisclosed
Telesign ●, Augur, ●, KYC2020, ●
IdentityMind TowerData iovation NominoData, Info4C
Partner, Partner, Partner, IDology ○ ○ undisclosed undisclosed undisclosed
LexisNexis Risk ● ●, Emailage ● ● ● Solutions
Ekata, Arkowl, Ekata Buguroo, RDC, Steele, ● Nice Actimize Telesign Behaviosec World Watch Plus
GBG, OneSpan ○ ○ ●, Promon ● TransUnion
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 20 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Company Mobile Email Malware/ Global Link analysis phone reputation jailbreak sanctions lists ownership detection Boku, Giact, Emailage, BioCatch Giact, Socure ● SAS Payfone Giact, ThreatMetrix
Neustar Emailage, Simility ○ ○ ● Socure
Boku, Apility, ● mobile, Apility, ○ Transmit Neustar, Monapi Monapi Security web via Payfone partners
Partner, Partner, ● (jailbreak ● ○ TransUnion undisclosed undisclosed only)
TSYS Payfone Emailage InAuth ○ Featurespace
Source: Aite Group, vendors Key: ●= Native, ○= Not an out-of-box capability
Hub vendors’ approach to managing the contracts with the point solutions on their platform varies. In one model, the hub vendor manages all contractual elements with the vendors on the platforms. The vendor risk management process associated with contracting with a new vendor, as well as managing that vendor on an ongoing basis, is onerous, especially for banks. Thus, there is considerable value in offering a one-stop shop. However, many clients prefer a direct contractual relationship. In some cases, they have already negotiated preferential terms; in others, they believe that the direct relationship gives them a greater ability to influence the point solution vendor’s product roadmap, better visibility into the intricacies of how a point solution works, or they want to shield themselves against the possibility that the relationship between the orchestration hub and the vendor will break down in the future, leaving the client in the lurch.
Table G discusses the participating vendors’ approach to contracts. In some cases, all contracts are managed by the hub vendor. Some vendors offer either option, while other vendors have a hybrid approach—they have subcontractual relationships with some vendors, but others require a direct contract to engage their services.
Table G also discusses firms’ support for multi-tenancy. This means that the platform’s risk engine and policy managers can support different analytical models and different step-up strategies for different products, portfolios, and/or geographic regions. This is particularly important for clients with a global footprint as multiple regulatory requirements for risk assessment and authentication emerge around the globe, such as the SCA in the EU. Also, many FIs within a single geographic region will have different risk and authentication tolerances across their client base (e.g., subprime versus mass affluent versus wealth management).
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 21 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Table G: Contracting and Multi-Tenant Support Company Contractual approach Multi-tenant support ACI Worldwide ◪ ●
BAE Systems ◪ ●
BioCatch ■ ○
Bottomline Technologies ◪ ●
CA ◪ ●
Early Warning Services ■ ●
Entersekt ◪ ●
Equifax ◪ ●
Experian ■ ●
Featurespace ◪ ●
Feedzai ◪ ●
FICO □ ●
GBG ◪ ●
Gemalto ■ ●
Giact ■ ○
IBM ◪ ●
IdentityMind ■ ●
IDology ■ ●
LexisNexis Risk Solutions ◪ ●
Nice Actimize ◪ ●
OneSpan ◪ ●
SAS ◪ ●
Simility □ ●
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 22 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
Company Contractual approach Multi-tenant support Transmit Security ◪ ●
TransUnion ■ ●
TSYS ◪ ●
Source: Aite Group, vendors Key: ■= Contracts directly with hub for all services; ◪ = Supports contracting directly with hub and contracting with partner; □= Client must contract directly with vendor partner; ○= No current multi-tenancy support; ●= Multi-tenant support
The risk engine and its associated data ingestion and analytic capabilities are the secret sauce for the hub. This is the cornerstone of the orchestration capabilities and, properly equipped and executed, can enable the platform to tailor risk assessment and authentication at the customer level. The ensuing sections further explore each vendor’s approach to their hub’s risk engine, detailing their approach to each of the following:
• Integration of clients’ internal contextual customer data: The ability to ingest contextual data from the client’s customer information file (CIF) as well as ongoing transactional activity is a key element to orchestrating authentication down to the individual customer level.
• Risk engine and analytics: Do the risk engine and policy manager employ advanced analytical techniques, or are they primarily rules-based? Does the solution enable clients to upload their own internally developed custom models via PMML?
• Native consortium-based intelligence provided by the hub: Can the hub take advantage of its visibility across multiple client endpoints and derive intelligence that benefits its customer base?
ACI WORLDWIDE The hub component of ACI’s UP Payments Risk Management launched in 2015 and focuses on payment fraud and authentication use cases. The Universal Payments framework was designed from the ground up to address the challenging requirements of faster payments.
• Integration of contextual data: Two architectural elements in ACI’s hub address this requirement. ACI’s channel endpoints allow clients to initiate payments of all types and are based on industry standards (in particular, ISO 20022). When payment instructions are normalized, they are mapped to a canonical data model that can be extended using the configuration capabilities of the hub to allow specific metadata to be captured with the payment. This contextual data can be carried in the payment message from the client as arbitrary tagged data and is then mapped to the extended data model. As a result, the payment hub orchestration logic can be configured (without software change) to use the contextual data when making decisions about processing the payment—possibly affecting the routing or achieving special customer reporting, for example.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 23 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
• Risk engine: ACI’s hub orchestrates risk assessment services, data enrichment services provided through partners, and various back-office synchronization services. The hub either integrates directly or through ACI’s payments intelligence solution with available ACI machine learning modules. The risk service also provides the ability to define, test, and deploy customer-specific rules.
• Custom model support: ACI’s Universal Scoring Engine module, which is part of UP Payments Risk Management and is natively integrated by the orchestration hub, allows customers to deploy their own custom models via PMML. ACI’s Adaptive Machine Learning modules, ACI Model Generator, and ACI Universal Scoring Engine also enable the end user to define, test, and deploy custom models in a single application.
• Consortia data: Consortia data is supported through a logical deployment of multiple tenants under a single application. The hub facilitates isolation of service requests, while the services take advantage of the consortium data.
BAE SYSTEMS The NetReveal Fraud Hub launched in December 2018. Clients are using a variety of individual components, and the fully integrated hub is being rolled out in phases throughout 2019 and into 2020.
• Integration of contextual data: NetReveal’s data acquisition framework streamlines real-time integrations and loading of files. It reads messages from a wide range of input queues or files in parallel, performs a set of applicable functions on them, and reports the results back to the sender. NetReveal supports multiple communication formats, including Apache Spark, Apache Structured, Apache Streaming, Kafka, RESTful API, SOAP, flat file, XML, JSON, BouncyCastle, and web containerization.
• Risk engine: NetReveal supports its own native machine learning detection routines and enables clients to build and deploy their own custom rulesets:
• Managed Analytics Service: Through its Managed Analytics Service, clients can leverage BAE Systems’ data science team to help build and maintain custom models on a professional services basis. The resulting models can then be deployed in NetReveal via PMML. • Advanced Analytics Platform: The NetReveal Advanced Analytics Platform (AAP) is an add-on to the NetReveal detection engine to enable clients’ data scientists and/or data analysts to build custom machine learning models themselves. The AAP provides the full suite of solutions that help with feature identification and creation of machine learning models using a variety of algorithms (e.g., logistic regression, random forests, gradient boost, neural networks), then facilitates side-by-side comparisons of model performance using the client’s historical data. Once the client has identified the optimal model configuration, the model can be deployed in NetReveal using PMML.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 24 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
• Custom model support: The risk engine supports the upload of internal client- developed models via PMML.
• Consortia data: The BAE Systems Fraud Hub does not currently provide native consortium capabilities.
BIOCATCH BioCatch is one of the pioneers and leaders in the behavioral biometric space, and in September 2019, it added a policy manager capability to its platform. The firm will introduce a hub-and- spoke ability to incorporate partner inputs in Q1 2020.
• Integration of contextual data: BioCatch enables clients’ payee and amount to be uploaded. In Q1 2020, BioCatch is further opening its API for customers to send any data item that they wish to be used in the policy manager.
• Risk engine: BioCatch’s scoring to determine the probability of the user activity that is not legitimate is based on machine learning analytics of users’ behavioral interactions and analysis of cognitive behavior. The solution has a policy manager that supports self-service deployment of custom rules to determine the action to be taken (allow, deny, authenticate, review) based on the results delivered by the risk engine. The risk engine does not currently support the ability for clients to upload their own custom analytic models via PMML.
• Consortia data: In development, this emerging capability will provide a cross- customer device ID or universal identifier that will link confirmed fraudster data and common fraudster behavioral profiles across various customers.
BOTTOMLINE TECHNOLOGIES Bottomline Technologies’ platform was natively designed as a hub and launched in 2012. The solution was rebranded as Digital Banking IQ Secure in August 2019.
• Integration of contextual data: The hub is accessed via a real-time SOAP API, which has a schema that encapsulates all major transactional and customer elements (CIF profile information, geolocation information, products/services applied for, etc.) For any elements that are not part of the standard data model, the model also supports custom elements, and any contextual information can be passed into the hub.
• Risk engine: The risk engine and policy manager do not currently support machine- learning-based analytics; both are rules-driven. Clients can develop and deploy their own rules via self-service interfaces. Import of custom analytic models via PMML is not currently supported.
• Consortia data: The system provides a proprietary scrub against an anonymized database of transactions run through the platform to detect patterns of fraud/misuse. This solution is called FortiFI, and it looks at patterns of velocity and data inconsistency.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 25 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
CA CA’s orchestration product, Layer7 Rapid App Security (Layer7), launched in July 2017. Various components of the solution, including the API gateway, strong authentication, and risk-based authentication, had been available for many years. Linking them together as a hub occurred at the urging of a number of customers.
• Integration of contextual data: Layer7 does not currently enable the client’s internal contextual data to be uploaded to the risk engine.
• Risk engine: The solution has a risk engine that incorporates machine learning analytics and supports the ability of clients to develop and deploy their own rules. Standard rule capabilities include user and device checks (e.g., known user and/or device, behavior), IP checks, geolocation checks, velocity checks, and time zone hopping. APIs enable third-party integration with an external service and/or data stores that can be used to influence the risk score. Upload of custom models via PMML is not currently supported.
• Consortia data: Layer7 does not currently have any native consortium intelligence capabilities.
EARLY WARNING SERVICES Founded in 1998, Authentify was designed as an authentication platform for online businesses. Early Warning acquired the firm in 2015.
• Integration of contextual data: Authentify provides a RESTful API for ingestion of the client’s internal customer data. The platform also is able to import data in batch to be used in subsequent decisioning.
• Risk engine: The Authentify platform provides a rules-based solution for evaluation of data and policy management. The solution does not currently enable upload of custom models via PMML.
• Consortia data: The Authentify platform has direct access to Early Warning’s consortium-based Payment Chek and Account Owner Authentication services for qualified customers. The platform also enables a platform-level alias structure that can track individual consumers across the breadth of its client base; the firm will be deploying models and rulesets to leverage this capability in 2020.
ENTERSEKT Entersekt’s ESP platform enables FIs and fintechs to secure their customers’ digital interactions with a minimal amount of friction.
• Integration of contextual data: ESP has data connectors that facilitate input from external components (e.g., customer-identity access-management systems, as well
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 26 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
as core banking and other third-party providers, such as payment aggregators and card networks) to gather additional information as needed.
• Risk engine: Entersekt provides a rules-based decision engine and policy manager, and partners with third-party providers such as Featurespace to provide advanced risk engine capabilities and custom model import.
• Consortia data: ESP does not currently provide native consortium data capabilities.
EQUIFAX Luminate is a new offering from Equifax. This orchestration hub launched in the U.S. in October 2019, with product launches in Canada and India scheduled for 2020.
• Integration of contextual data: Luminate provides an API for ingestion of the client’s internal customer data.
• Risk engine: A machine-learning-based risk engine that is capable of employing both supervised and unsupervised techniques is at the core of the Luminate offering. As certain fraud scenarios are identified, the platform will learn from those engagements and begin to flag future activity for review or as known fraud. At the time of implementation, a standard set of rules are defined, and each client is then able to add, remove, edit, and customize rules at their convenience.
• Custom model support: Luminate enables clients to import and deploy custom models via PMML.
• Consortia data: At launch, a type of consortium capability will exist within the multi- tenant platform, through which the machine learning technology will leverage information across all tenants to learn and identify various fraud scenarios. Equifax is also building a broader consortium with the intention of integrating that platform into Luminate to create a more comprehensive fraud solution. This is planned for launch in 2020.
EXPERIAN CrossCore launched in 2016, and its first clients went live in early 2017. It was designed as a hub for clients needing a plug-and-play platform for their fraud and identity needs. Its platform enables clients to orchestrate services to optimize the right level of identity-based authentication while minimizing consumer friction.
• Integration of contextual data: CrossCore offers a RESTful API integration with a single endpoint for ingestion of the client’s internal customer data.
• Risk engine: CrossCore includes both an orchestration engine to manage decisioning flow and a hybrid machine-learning-based risk engine. The solution includes unsupervised and supervised models as well as a rules engine. The unsupervised models enable CrossCore to generate new features from the raw data, which can
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 27 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
then be used in the supervised machine learning models. CrossCore’s risk engine is able to apply machine learning models against the complete and combined raw output of all the vendor systems, not just the scores that those systems may generate, which allows CrossCore to access the richest set of features for modeling.
• Rules: CrossCore allows clients to manage their own rules and provides more than 800 preconfigured rules out of the box. Rules include list modification, thresholds, velocity parameters, scores, and combinations across thousands of data attributes. These rules can also contribute to the overall machine- learning-based modeling that is used to drive ultimate outcomes. During initial deployment, and throughout the client relationship, the Experian delivery team works with clients to identify any unique data attributes and risk conditions that might require rulesets that don’t already exist in the system. In the event that a client has such a need, those rules are quickly validated from a risk performance/false-positive performance perspective and are delivered into the platform by the Experian team. • Custom model support: Experian provides clients with the specifications against which the client’s data science team can create models. Additionally, Experian’s analytics teams can develop custom models for clients, which are then deployed into the CrossCore environment. In both cases, given the multi-tenant, hosted nature of the platform, the Experian team is responsible for end-to-end performance and integration testing prior to launching models into production, to ensure the integrity of the models and the integrity of the ecosystem.
• Consortia data: CrossCore connects clients to a variety of consortium data sources to enrich transaction data before a risk assessment is made. Experian maintains industry-vertical-specific closed user groups that share fraudulent data elements among over 400 members. These consortia save US$5 billion dollars in fraud losses annually for members. In addition to these Experian-led consortiums, CrossCore connects to other external fraud consortiums. Experian plans to release a new CrossCore-based consortium to facilitate data sharing between CrossCore clients without the need to connect to third-party consortium services within the coming year.
FEATURESPACE The technology behind Featurespace’s adaptive behavioral analytics technology was created at Cambridge University in the late 2000s. In 2019, Featurespace added hub-and-spoke capabilities with out-of-the-box external calls to partners to its core risk engine competency.
• Integration of contextual data: Aric has a variety of data connectors that enable any mix of contextual data to be transmitted in a variety of ways, including a RESTful API using JSON or XML documents, message queues (e.g., Kafka, ActiveMQ, RabbitMQ, MSMQ), flat files, and SFTP server uploads.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 28 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
• Risk engine: The Aric platform produces machine learning models using its own proprietary Bayesian analytics-based approach. The processing tier runs inside a complex event processing framework, takes the messages from the internal message queue, and executes Bayesian models and business rules, producing scores and making decisions. The database tier stores all profiles and data required for the Aric engine. While Aric employs both supervised and unsupervised modeling techniques, a supervised machine learning algorithm is used as the final scoring mechanism. The platform also supports real-time rules creation and deployment by the client.
• Custom model support: Clients can build their own models and upload them into Aric’s open modeling environment using PMML or formats produced by other data studio products such as H2O.
• Consortia data: Consortia intelligence is available via Aric’s multi-tenancy capability, in which all tenants in a single deployment can benefit from a data consortium.
FEEDZAI Feedzai added orchestration hub capabilities to its Pulse platform in 2015. To produce accurate risk analyses based on high-quality data, Feedzai centralizes an array of data sets captured via data collectors, APIs, and data files, and augments this with external data and enrichment partners. The platform automates fusing of disparate data sources by supporting a range of capabilities natively through partner integrations, as well as through custom integrations as required by clients.
• Integration of contextual data: There are two ways for clients to send contextual data:
• Transactional events via RESTful API calls or message brokers (such as Kafka or RabbitMQ) into the platform: For the event data, Feedzai provides a user interface (UI) that allows clients to set up the event data workflow, including the creation and management of contextual profiles, which are configurable to store previous client behavior and state. This can then be accessed when future events are processed to allow decisions and orchestration to occur using the complete context. • RESTful APIs or flat files into Feedzai's Reference Data Service: This provides the ability to store contextual data about any entity that may be useful to process the event stream. This can be data populated from the CIF, such as customer entities, account entities, products, and balances. The reference data is managed via flat-file uploads or through a RESTful API by the customer systems and processes. • Risk engine: The risk engine offers full support for multiple rules and models to be run within the event workflow to trigger a subsequent action. Machine learning models perform risk scoring or classification and then trigger subsequent actions in the workflow. Clients can also configure rules and deploy directly within the Feedzai Pulse user interface using Feedzai's rule-definition language.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 29 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
• Custom model support: With Feedzai’s machine learning engine, data scientists can either build their machine learning models in the platform (leveraging Feedzai proprietary algorithms or libraries of algorithms from multiple external tools) or import machine learning models that were developed externally to the platform (e.g., H2O, scikit-learn, DataRobot). This allows data scientists to create models in the programming language of their choice.
• Consortia data: Feedzai Pulse integrates Feedzai's consortium-based Risk Ledger. Risk Ledger provides the capability to share data in a privacy-safe way between Feedzai clients who have opted in, enabling them to make better decisions for fraud screening, account opening, account takeover, and AML use cases. Inside the Feedzai Pulse workflow, the Risk Ledger data can be incorporated as another source of data to augment any decision or action.
FICO A combination of several FICO products forms the basis for the firm’s hub capabilities, enabling clients to perform trade-offs for use case scenarios, functionality, deployments, complexity, compliance, and cost. For many of its client deployments, the hub is based on the Decision Management Platform and FICO Data Orchestrator, which enables digestion of over 60 vendor sources of information, in addition to FICO’s native capabilities. FICO’s next-generation fraud and AML platform, Falcon X, also meets the requirements.
• Integration of contextual data: FICO has a variety of data connectors that enable contextual data to be transmitted in a variety of ways, including a RESTful API, message queues (e.g., Kafka, ActiveMQ, RabbitMQ, MSMQ), flat files, and SFTP server uploads.
• Risk engine: All of FICO’s core platforms unify data management, rules, strategies, and machine learning analytics throughout the decision lifecycle into a single orchestration system. This engine allows clients to define authentication, fraud, and financial crime client journeys within a single platform. In addition, components in FICO’s hub can be used to manage multiple custom workflows for multiple client journey personas, depending on any of a hundred different factors from the wide variety of data sources.
• Custom model support: Falcon 6, Falcon X, and FICO’s Decision Management Platform all include the ability for clients to deploy their own custom models.
• Consortia data: The use of consortium data is central to the value provided by FICO’s analytic and decision engines. Each Falcon customer contributes their own data, coupled with tags, to the consortium data. From this consortium data, FICO creates new analytic models or updates current models and redistributes them to the FICO client base to update their own instantiations of FICO’s hub.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 30 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
GBG GBG’s Instinct offering launched in June 2019, and it targets firms in Europe, the Middle East, Africa, and the Asia-Pacific. The firm’s roadmap centers around delivering a cohesive platform experience, leveraging the capabilities from its products, and delivering them to customers through a single window.
• Integration of contextual data: Contextual transactional intelligence and data from the CIF are ingested directly in real time or batch through industry-standard APIs. Once ingested, the data can be enriched with additional intelligence/metadata through third-party data providers, both internal and external, to the client.
• Risk engine: Instinct’s risk engine employs machine learning algorithms in the detection routines and has the ability to develop customer-tailored algorithms to detect risk. A rules-based policy manager facilitates stepped-up authentication logic. Clients can also build and deploy their own rules in real time. Import of custom analytical models is not supported at this time.
• Consortia data capabilities: GBG hosts a fraud bureau in Malaysia, the output of which is integrated into its hub in that market.
GEMALTO IDCloud Fraud Prevention is a cloud-based solution designed to facilitate management of end- user authentication for its clients. The solution combines multiple layers of real-time risk management capabilities with a policy manager that sets the level of appropriate authentication steps for a given user authentication session.
• Integration of contextual data: A RESTful API allows clients to upload information from their systems to aid with risk evaluation.
• Risk engine: The solution provides a risk engine and policy manager. Clients can also build and deploy their own rules in real time. Adding machine learning analytics to the risk engine’s capabilities is on the roadmap for 2020. Import of custom analytical models is not supported at this time.
• Consortia data: Gemalto’s hub does not currently offer native consortia capabilities.
GIACT Giact’s Epic platform launched in April 2017 and is designed to safeguard the customer lifecycle, from enrollment to payments and compliance.
• Integration of contextual data: Epic provides a number of configurable fields in its API that allow customers to transmit additional data.
• Risk engine: Clients ingest the output of Epic’s verifications and validations into their own onsite risk engines.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 31 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
• Consortia data capabilities: GIACT’s hub does not currently offer any native consortia capabilities.
IBM The IBM orchestration hub has built-in identity risk feeds from multiple IBM technologies and services, including IBM Trusteer and IBM Safer Payments, as well as the ability to accept contextual data enrichment related to application transaction information, authentication outcomes, and more.
• Integration of contextual data: IBM’s hub supports a variety of data integration options, such as MQ, Webservices, Kafka, flat files, or RESTful APIs.
• Risk engine: IBM Safer Payments, the hub’s primary risk engine and policy manager, comprises all analytics and simulation tools needed to continuously monitor the risk detection performance and to adapt the decision model to emerging and modified fraud patterns. IBM Safer Payments continuously monitors the efficacy of all defined fraud countermeasures and decision rules, highlighting the ones that demonstrate declining performance over time to the fraud experts for review. At the same time, IBM Safer Payments’ algorithms devise new fraud countermeasures and rules automatically from its internal database and present them to the users for review.
• Custom model capabilities: IBM Safer Payments is an open data science platform and enables the export and import of models in portable PMML format as well as the ingestion of models or feature extractions in Python code.
• Consortia data: Continuous digital risk assessment content is delivered via the Trusteer cloud service. It is based on hundreds of signals from the users’ digital interactions, including device identification, infection detection, spoofing and device risk evidence, as well as session data such as geolocation, IP, and Internet service provider (ISP). This is combined with a fraud consortium of bad devices, IPs, ISPs, as well as known bad-session patterns built from over 45 billion sessions processed per month from over 500 brands connected to the Trusteer service.
IDENTITYMIND IdentityMind’s platform combines more than 30 third-party technology partners performing identity proofing, risk-based authentication, and identity verification. The firm’s patented technology utilizes digital identities to reduce fraud risk and decrease compliance costs throughout the customer lifecycle.
• Integration of contextual data: Data can be transmitted both in real-time and batch to the hub for processing. IdentityMind has a set of predefined contextual data fields and custom fields that can be configured by the client and used downstream in the risk engine.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 32 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
• Risk engine: The hub’s results can be enhanced with the IdentityMind machine learning graph score, and clients have the ability to configure rules and set stepped- up authentication logic via a self-service interface. The solution does not currently support import of custom models via PMML.
• Consortia data: IdentityMind’s Digital Identities Network provides consortium-based fraud insights that can be shared as part of the hub’s configuration and rules engine. The platform is based on its patented technology of Electronic DNA (eDNA). This technology builds and maintains a private graph representation of identities that is enhanced based on behaviors. These behaviors fuel risk models (e.g., reputation, link analysis, graph scoring), the results of which are shared across the IdentityMind platform.
IDOLOGY ExpectID is IDology’s hub solution designed for the U.S. market. The goal of the solution is to enable clients to evaluate and manage customer risk with as little friction as possible.
• Integration of contextual data: ExpectID does not support the ingestion of the clients’ internal contextual data.
• Risk engine: ExpectID employs proprietary, supervised machine-learning algorithms to create a numerical score that aggregates the various data inputs. Clients can build, customize, and deploy rules in a self-service manner, or with support from IDology’s fraud team. Clients can also add weighted values to the rulesets to develop their own numerical score.
• Consortia data: IDology operates a reciprocal fraud consortium, in which clients can flag identities associated with fraud and set rules to trigger alerts when their inquiry matches to records in the consortium. These fraud flags also feed back into ExpectID’s scoring algorithms. In addition, the system has network-level velocity flags that examine the frequency with which the same data element passes through the platform.
LEXISNEXIS RISK SOLUTIONS The Integration Hub capability of the LexisNexis Dynamic Decision Platform was introduced in 2016 to offer the ability to integrate external data inputs into the ThreatMetrix decision engine as well as to access pre-integrated third-party services. The LexisNexis Risk Defense Platform launched in February 2017 and was rebranded to serve as the Authentication Hub in January 2019. It integrates with the LexisNexis Dynamic Decision Platform.
• Integration of contextual data: Contextual data can be sent or received using RESTful API, SOAP, message queues (e.g., Kafka, ActiveMQ, RabbitMQ, MSMQ) in both a push or pull capacity.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 33 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
• Risk engine: The Dynamic Decision Platform employs machine learning analytics and has a rules-driven policy manager to drive stepped-up authentication decisions. Clients also can build policies based on custom rules. New integrations are built by the ThreatMetrix professional services team and are used as building blocks for orchestration. Orchestration is configured by customers via the ThreatMetrix policy editor which is a web-based drag-and-drop UI allowing customers to make contextual decisions on if and when to invoke additional services, thus allowing customers to control the cost and latency of the workflow with complete granularity. All of the above is done with zero code or installation requirements from the client’s IT team.
• Custom model support: The platform supports custom models created by the client’s fraud teams with or without support of the LexisNexis Risk Solutions professional services team, although PMML import is not supported at this time. It supports both judgmental and statistical models using different machine learning algorithms including linear regression, nonlinear (GBM), and ensemble models. The system also provides its Smart Learning system, which is an AutoML system for building a model with a wizard approach. Risk models can work with native LexisNexis Risk Solutions data services, data coming from the customer in the API call, and data coming from other systems via the integration hub.
• Consortia data: LexisNexis Dynamic Decision Platform is both a producer and a consumer of data. Its crowdsourced database’s 4 billion devices, 1 billion emails and phone numbers, and over 35 billion events are data points that the solution brings into the modeling process. Customers using the LexisNexis ThreatMetrix solution can share fraud data to more effectively protect against organized fraud across an enterprise or targeting an industry, region, and/or ecosystem. The solution’s consortium capability provides clients with real-time data sharing across organizations to provide intelligence on fraud activity targeting a common group of customers. Consortium clients share information resulting from investigations of fraudulent activity, including misrepresentation, identity fraud, or identity theft.
NICE ACTIMIZE Nice Actimize’s (Actimize’s) IFM-X is the foundation of its orchestration hub. In 2016, Nice Actimize launched Authentication-IQ, a solution for omnichannel orchestration of customer authentication processes, on top of the IFM platform. This enables clients to bridge their authentication and fraud management strategies. In Q2 2019, Actimize launched its Marketplace partner ecosystem to augment the hub-and-spoke capability set across its financial crime portfolio. A unique aspect of Actimize’s approach is the variety of partners in its Marketplace that enable AML capabilities—most hubs to date have focused more on fraud and authentication, but Actimize’s ecosystem has an ample number of AML vendors as well.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 34 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
• Integration of contextual data: Actimize supports a variety of integration options, such as MQ, Webservices, and Kafka. IFM-X can consume a large volume of messages from Kafka in order to either risk-score them or to persist them in the system data repository (entity profiles, investigation database, etc.) and use the data for detection on subsequent events. IFM-X enables a straightforward onboarding of third-party systems, with integration of new semistructured data streams that are instantaneously available across the platform for analytics, decisioning, and investigation purposes. This capability enables quick and cost-effective integration of data into the system. It therefore encourages customers to integrate more sources of data into their fraud strategies at a lower cost and without any dependency on Actimize. A data stream consists of an unlimited number of elements encapsulated within a semistructured data format (e.g., JSON). The data elements can be configured using Actimize’s UI-based Data Integration Manager by the data administrator in the system to maximize the value and usability of the integrated data.
• Risk engine: The hub provides machine learning analytics in a couple of manners. Actimize Managed Analytics provides models developed, monitored, and optimized by Actimize. X-Sight Studio enables clients to develop their own models using an integrated data-driven model development environment. IFM-X also includes a browser-based policy manager that enables business users to define the decisions and actions based on the scores, transaction and customer attributes, and reference data such as whitelists and blacklists. A number of actions may be defined, but the key outcomes of the decisioning logic include, but are not limited to, taking no action, blocking a transaction, generating an alert or sending a message to an internal system (such as SMS gateway), or using a logical combination of these actions. This interface is designed for business users to minimize the need for IT projects to modify decision logic, but it includes control capabilities such as four- eyes review, rule testing, auditing, and authorization-based deployment control.
• Custom model support: IFM-X is integrated with Actimize X-Sight Studio, a machine learning analytics development platform dedicated to financial crime. X-Sight Studio provides clients with the ability to build and operationalize machine learning models for real-time fraud detection using advanced analytics and fraud expert features in a highly agile model update cycle. Clients can also import their own models as either Docker containers or via PMML.
• Consortia data: ActimizeWatch is a cloud-based managed analytics service that continuously monitors fraudster behavior and model performance. ActimizeWatch monitors analytics performance and transactional data in the cloud across multiple organizations, using machine learning analytics to discover patterns that affect a wide range of organizations. The solution puts this intelligence to work by optimizing each organization’s analytics using the risk variables and patterns found across the market. Ultimately, ActimizeWatch delivers optimized models for each member, incorporating market-wide insight.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 35 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
ONESPAN Launched in 2018, OneSpan’s Trusted Identity platform is a cloud-based platform that enables FIs to secure digital user journeys and mitigate fraud with proven capabilities delivered through OneSpan’s Risk Analytics, Intelligent Adaptive Authentication, and Secure Agreement Automation solutions.
• Integration of contextual data: OneSpan’s platform can consume contextual data including, but not limited to, transaction details, location, IP address and device details.
• Risk engine: Machine learning models are employed to drive risk assessment across its Risk Analytics, Intelligent Adaptive Authentication, and Secure Agreement Automation, and a rules-based policy manager drives stepped-up authentication logic. OneSpan’s risk engine is able to execute real-time, machine learning-based risk scoring to support key digital user workflows including adaptive authentication, identity verification, and e-signature. OneSpan provides preconfigured rules out of the box, and clients have the self-service ability to customize the rules. Import of custom models is not supported at this time.
• Consortia data: The platform can dynamically query an anonymized customer database of dispositioned transaction elements to enhance the fraud score for any customer using its Risk Analytics solution. OneSpan plans to build this capability out further in 2020.
SAS BOSS is an intelligent middleware designed specifically to support millisecond request and response event processing. BOSS has been available since 2018.
• Integration of contextual data: BOSS facilitates the integration of customer systems among each other and with SAS products and solutions. Firms have the ability to send data through messaging middleware (JMS, AMQP), TCP/IP sockets, Webservices (SOAP/REST), and FTP. BOSS can understand all common file formats, including text, JSON, XML, and industry-standard formats such as SWIFT and ISO 8583 and ISO 20022. BOSS can fetch data from databases with JDBC drivers.
• Risk engine: Orchestration and enrichment through the data management integration component allows all internal and third-party data sources, each with a variety of detection benefits during the customer interaction, to be referenced and used in the detection and prevention initiatives. The risk engine component of the solution is driven by the On-Demand Decision Engine. It incorporates a range of analytical capabilities alongside supervised and unsupervised machine learning in order to provide real-time transaction scoring. The client can also deploy rules in the On-Demand Decision Engine. The estimation process allows back-testing of rules to optimize their performance before deployment.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 36 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
• Custom model support: The client can deploy custom machine learning models in the SAS language or open-source languages in the On-Demand Decision Engine.
• Consortia data: BOSS does not currently enable native consortia intelligence.
SIMILITY Simility’s Adaptive Decisioning Platform launched in 2014 and was built with a data-first approach to help businesses harness their data and better assess and respond to transactional risk. Simility customers benefit from a comprehensive data lake of enterprise and third-party data that is created as part of the standard implementation process, which is then enriched to optimize fraud-mitigation capabilities.
• Integration of contextual data: The solution can ingest clients’ contextual data in a variety of ways, including a RESTful API using JSON or XML, message queues (e.g., Kafka, ActiveMQ, RabbitMQ, MSMQ), flat files, and SFTP server uploads.
• Risk engine: The risk engine allows clients to deploy sophisticated machine learning models based on input data and fraud prevention goals. It provides a comparison of models and allows the deployment of the selected models. This also includes feature engineering, feature selection (to enhance, delete, or add features), model selection (neural-net, linear model, ensemble, tree-based model), and, finally, model ranking to find the most accurate model. The policy engine enables orchestration of stepped-up authentication, and the platform can support clients’ self-service rule deployment needs.
• Custom model support: Clients can build and upload their own models in Simility’s open modeling environment, or the client can import third-party models via PMML.
• Consortia data: As a PayPal Service, Simility has access to one of the largest data sets built for risk and fraud detection across billions of users and hundreds of millions of merchants. Simility utilizes the intelligence from PayPal within customized fraud detection models to help improve accuracy.
TRANSMIT SECURITY The Transmit Security Platform abstracts identity-related business logic and decisioning away from channel applications (i.e., web, mobile, contact center, kiosks, and others) to a centralized orchestration and decisioning layer. After a one-time implementation of the Transmit Security Platform, identity-related user journeys can be created using graphical policy tools, reducing time-to-market for new identity features, and allowing these to be reused across applications.
• Integration of contextual data: Transmit’s platform can consume contextual user information from a variety of sources, including identity store, transaction details, entitlement store, location, IP-address-derived data, and device details. Transmit conducts real-time risk analysis by pulling contextual information from any configured sources while processing the identity journey policy. Additionally,
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 37 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
contextual data can be pushed to Transmit when invoking the journey, such as providing additional parameters to the SDK function call. Typical parameters in a transaction may be transaction type, beneficiary/recipient, amount, etc.
• Risk engine: Transmit includes a cross-channel risk engine built into the platform, which uses machine learning analytics for risk assessment and a rules-based policy manager to dictate stepped-up authentication logic. Clients can build their own rules using a graphical interface or an advanced rule language and deploy it across applications and channels.
• Custom model support: Transmit allows clients to leverage various models available on-premises and in the cloud, and plug them easily into the decisioning process.
• Consortia data: Transmit is rolling out consortium data capabilities in 2020 to aid in its ability to risk-assess identities and devices across its customer base.
TRANSUNION TransUnion’s IDVision can operate as a stand-alone fraud orchestration engine and is interoperable with TransUnion decisioning services and consumer credit solutions.
• Integration of contextual data: IDVision cannot currently ingest data for the purpose of contextualizing authentication, although this is on the roadmap.
• Risk engine: IDVision’s risk engine can orchestrate necessary authentication prompts based on the level of risk of a transaction and/or customer business requirements. The TransUnion analytics team uses machine learning analytics to optimize the configuration of rules within the engine for customers. Self-service rules management/configuration is planned for future enhancement, but customers’ requested rules configurations can be deployed by the TransUnion team. The solution does not support import of custom models via PMML.
• Consortia data: TransUnion builds a 360-degree profile of the identity using customer-contributed data, TransUnion data, third-party data sources, and real-time touch points through external services. It then baselines across the data sets to detect previously missed anomalies and predict potential threats using modeling techniques. Relevant touch points include customer-contributed application data, inquiry data, and credit bureau data. TransUnion also offers the ability for its customers to share real-time application data to uncover anomalies such as fraudulent loan stacking.
TSYS TSYS’ Authentication Platform launched in Europe in September 2019 and is available to TSYS’ European issuer clients. The platform will be available to TSYS’ issuer clients in North America in 2020. The Authentication Platform uses Featurespace’s Aric platform to enable an industrywide view of new fraud vectors for advanced decisioning.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 38 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
• Integration of contextual data: From a data perspective, the platform allows TSYS issuer clients to send data from their customers as part of the API request. The APIs allow clients to integrate into specific touch points along the customer journey (e.g., new account opening, account registration, loyalty redemption, account management) and send in the requisite data along with the specific event in order for the Authentication Platform to perform the necessary risk checks. Additionally, the Authentication Platform has a process in which clients can enable risk checks to be completed in the background, without impacting the overall event process, and enable the issuer to perform a real-time analysis to see if they would desire future authentication functionality for the given event(s).
• Risk engine: The adaptive machine learning solution spots anomalous behavior, and the engine learns to identify normal behavior for each customer, while simultaneously understanding the context profile within the customer peer group. Underpinning the adaptive model detection is a real-time rules engine. The rules engine can be used to author business and policy rules to give a combination of analytical techniques, ensuring a holistic approach to fraud detection for our customers. The TSYS Authentication Platform allows for alerting of suspicious activity, all in real time. It can handle thousands of events per second, with millisecond response times. The platform will continuously analyze events as they occur, even before the data is persisted in a data store, enabling real-time, analytically sound decisions to be made. Import of custom analytical models via PMML is not supported at this time.
• Consortia data: The TSYS Authentication Platform is set up to be a consortium that looks across all customer data to help provide insights to rules, velocities, etc. One of the goals is that the platform can help provide alerts to its clients when fraudulent activity takes place. For example, the Authentication Platform can alert Bank B that a device was utilized to commit fraud at Bank A and can therefore help Bank B deny that device in future interactions. Additionally, by leveraging this data, the platform can help decipher normal versus abnormal behavior and allow for intelligent rule conditions to fire appropriately in order to drive toward adaptive authentication measures.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 39 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
CONCLUSION
The financial services threat landscape is rapidly evolving and escalating for firms of all sizes. At the same time, executives are under intense pressure to minimize friction as they are deploying new risk-mitigation strategies. Hubs can be a key way to do this, but the devil is in the details. Here are some recommendations for financial services firms as they formulate their strategy:
• Financial services firms in the market for a hub should consider their key business case drivers and how their needs will evolve over the next few years. Some firms’ most pressing need is the one-stop shop, and they don’t have the appetite (or budget) for the complexity of true orchestration. For those firms, a solution earlier on the maturity curve would be the right fit. Other firms are ready for the challenge of orchestration and thus will need a solution with the sophisticated risk engine and in-house expertise that can enable that level of data wrangling.
• Understand the benefits and risks associated with the single contracting model. The single contract business model alleviates the overhead associated with internal vendor risk-management processes as well as reducing the ongoing vendor- management burden and expense. However, the direct contractual relationship with the point solution is preferred by many financial services firms. In some cases, they have already negotiated preferential terms; in others, they believe that the direct relationship gives them a greater ability to influence future product direction, or they want to shield themselves against the possibility that the relationship between the hub and the vendor will break down in the future, leaving the client in the lurch.
• Look for firms committed to maintaining and evolving a robust partner ecosystem. Fraud and financial crime are not static; they are constantly evolving. A key benefit of the hub is its ability to provide clients with access to a wide range of detection and authentication point solutions that enable them to nimbly adapt their defensive strategies.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 40 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
RELATED AITE GROUP RESEARCH
Trends in Account Takeover Fraud for 2019 and Beyond, June 2019.
AIM Evaluation: Fraud and AML Machine Learning Platform Vendors, March 2019.
Current and Future FI Fraud Loss Trends: It’s Time for New Technology Investments, January 2019.
Application Fraud: Fighting an Uphill Battle, December 2018.
Global Consumers’ Authentication Preferences: Have Your Cake and Eat It Too, September 2018.
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 41 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility DECEMBER 2019
ABOUT AITE GROUP
Aite Group is a global research and advisory firm delivering comprehensive, actionable advice on business, technology, and regulatory issues and their impact on the financial services industry. With expertise in banking, payments, insurance, wealth management, and the capital markets, we guide financial institutions, technology providers, and consulting firms worldwide. We partner with our clients, revealing their blind spots and delivering insights to make their businesses smarter and stronger. Visit us on the web and connect with us on Twitter and LinkedIn.
AUTHOR INFORMATION Julie Conroy +1.617.398.5045 [email protected]
CONTACT For more information on research and consulting services, please contact:
Aite Group Sales +1.617.338.6050 [email protected]
For all press and conference inquiries, please contact:
Aite Group PR +1.617.398.5048 [email protected]
For all other inquiries, please contact: [email protected]
© 2019 Aite Group LLC. All rights reserved. Reproduction of this report by any means is strictly prohibited. 42 101 Arch Street, Suite 501, Boston, MA 02110 • Tel +1.617.338.6050 • Fax +1.617.338.6078 • [email protected] • www.aitegroup.com