Real Time Analytics

Alerts are generated when the selected risk exceeds a threshold. By adjusting the threshold you can control the number of alerts. As the threshold is lowered, the number of alerts increases. At the extreme, if the threshold is reduced to zero then every transaction will raise an alert and, although a 100% detection rate could be claimed, there will also be an overwhelming number of False Positives. Choosing the threshold that provides the best detection rate with an acceptable number of alerts is often difficult.

The graph below illustrates this:

We can see that there is a threshold where the percentage of alerts that are correct (the True Positive Ratio or TPR) is at a maximum. Below this threshold we miss fraud (False Negatives).

Above this threshold we catch fraud at the cost of more false alerts (False Positives).

The important point to note is at the maximum we are catching the most fraud for the least effort. By tuning the alert-rate you can therefore maximise your detection of fraud while minimising the Cost of Ownership in terms of staffing levels. DETECT provides unique tools that allow you to do this.

So far we have discussed Alerts in general. DETECT actually supports several different types of alert and each has three priority levels: high, medium and low. By setting the thresholds for medium-level alerts to the optimal value, as discussed above, we can then set thresholds for the high-level alerts to catch high-risk incidents and the low-level alerts to sweep up the low-risk ones. By differentiating alert levels in this way users can target resources and opt to be informed by email or SMS of particular alert types and levels.
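The threshold tuning and three-level split described above can be sketched as follows. This is an added example, not DETECT's own code: the transactions are constructed, the 0-100 risk scale is an assumption, and the function names and the high/low offsets are hypothetical.

```python
# Constructed sample: (risk score 0-100, confirmed fraud?) for 20 transactions.
SAMPLE = [(95, False), (90, True), (85, True), (80, True), (75, True),
          (70, False), (65, True), (60, False), (55, False), (50, True),
          (45, False), (40, False), (35, False), (30, False), (25, True),
          (20, False), (15, False), (10, False), (5, False), (2, False)]

def sweep(transactions, thresholds):
    """For each threshold, count alerts (risk > threshold) and how many are fraud."""
    total_fraud = sum(1 for _, fraud in transactions if fraud)
    rows = []
    for t in thresholds:
        alerted = [fraud for risk, fraud in transactions if risk > t]
        hits = sum(alerted)
        rows.append({
            "threshold": t,
            "alerts": len(alerted),
            # Share of alerts that are correct (what the text calls TPR).
            "correct_share": hits / len(alerted) if alerted else 0.0,
            # Share of all fraud in the sample that raised an alert.
            "detection_rate": hits / total_fraud if total_fraud else 0.0,
        })
    return rows

def best_threshold(rows):
    """Threshold where the share of correct alerts peaks; ties go to higher detection."""
    best = max(rows, key=lambda r: (r["correct_share"], r["detection_rate"]))
    return best["threshold"]

def priority(risk, medium, high_offset=15, low_offset=20):
    """Map a risk score to an alert level. Offsets are assumed values for illustration."""
    if risk > medium + high_offset:
        return "high"
    if risk > medium:
        return "medium"
    if risk > medium - low_offset:
        return "low"
    return None  # below every threshold: no alert

if __name__ == "__main__":
    rows = sweep(SAMPLE, range(0, 100, 10))
    for r in rows:
        print(f"{r['threshold']:>3} alerts={r['alerts']:>2} "
              f"correct={r['correct_share']:.2f} detected={r['detection_rate']:.2f}")
    medium = best_threshold(rows)
    print("medium threshold:", medium)
    for risk, _ in SAMPLE[:10]:
        print(risk, priority(risk, medium))
```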

As we have said, there are several types of alert:

System Alerts

System alerts are generated by the Risk Engine. The computation of the risk measures is based on DETECT’s built-in algorithms as discussed above. Each measure generates alerts so that you can see immediately when the expected loss on an account exceeds a threshold.

Pattern Alerts

A user of DETECT can set up patterns that experience has taught them are good detectors of fraud, or that capture short-term situations such as transactions from a particular merchant. Patterns allow the bank to use their specialist knowledge of their particular client-base. Further, variables derived from the raw transaction data are also exposed (for instance, Rate of Spend) and can be included in patterns.

Customer Alerts

A separate risk threshold (the customer risk threshold) can be enabled so that customers can be sent an SMS message alerting them that their card has been used and detailing certain aspects of the transaction (amount, time, merchant, etc). The customer only needs to reply to this message if they wish to confirm that the transaction is fraudulent. A window in which a customer must respond is configurable. After this time the transaction is assumed to have been confirmed.

There are many advantages to this mechanism:

  1. Better detection. Not all transactions will result in a message to customers, only those that exceed the customer risk threshold. This threshold can be set to be lower than the system risk threshold allowing a greater number of false-positives. These alerts do not impose an operational burden on the bank but are filtered by customer responses, allowing a higher overall detection rate.

  2. Immediate Feedback. The immediate feedback from customers allows all subsequent transactions on the account to be blocked and causes the system to produce high-level alerts.

  3. Performance. The information is available for immediate use by the system for calibration, which again improves system performance.

SMS alert messages need to be sent via a Short Message Service Centre (SMSC), which will typically charge about €0.05 per message. So, as a very rough guide, a medium-sized bank might expect to send about 1,000 messages per day at a cost of €50.

To use customer-alerting the system needs access to a list that pairs mobile-phone numbers with account numbers. This list can be imported into DETECT or DETECT can access this remotely. Maintenance of such a list can be a costly burden if the bank does not have an online means of capturing this information, hence DETECT can provide a means whereby a customer can send an SMS message to the system quoting their account number. DETECT will record the mobile number against the account number but does not enable customer-alerting until an operator has checked with the customer and explicitly enabled it.

For more information on Anomaly Detection please see the Techniques Wiki.

Copyright © 2004 - 2009 Oscar Kilo Ltd. All rights reserved.