In their paper Mitigating Fraud Risks in Real-Time Payments: An Agent-Based Strategic Analysis, Katherine Mayo, Nicolas Grabill, and Michael Wellman explore real-time payments (RTP) and use an agent-based model to study potential bank strategies against fraud. We interviewed Katherine about this work, its importance, and the team’s approach to the problem.
What is the research topic of your paper, and why is it such an important area of study?
Payments typically follow a sequence: initiation by the sender, processing by the bank, and final delivery of funds to the recipient. Standard debit or credit transactions often experience processing delays of one or more days. However, recent technological advancements have introduced a new type of faster payment, drastically reducing processing times. Real-time payments (RTP) can be processed in about 10 seconds, allowing near-instantaneous receipt of funds. Many RTP systems are now in use worldwide, including FedNow in the United States and the Faster Payments Service in the UK.
The immediacy of RTP can be highly beneficial for customers, especially when a payment is significant and/or urgent (e.g., bill payments). But customers are not the only ones who benefit. Malicious actors, known as fraudsters, can exploit the challenges RTP poses to fraud detection systems. To meet the near-instantaneous processing requirement, banks may rely on automated systems that use quickly inspectable information, which may be less accurate indicators of fraud. Previous studies have highlighted the RTP fraud issue in the UK. One study reported a 132% increase in fraud the year the faster payment service was introduced. Another study identified authorized push payments, common in RTP, as the second most significant type of payment fraud in the country in 2018.
Given the fraud risk posed to these systems, we aim to study how banks can strategically mitigate their RTP fraud risk by balancing different mitigation tools at their disposal. This paper focuses on investing in an RTP fraud detector (which has lower detection capabilities than standard payment detectors) and the ability to limit customer use of these riskier payments. We also note the subsequent effects of bank choices on the strategic behavior of a fraudster and the overall impact on the payment network.
How did you approach the problem?
We used an agent-based model of the payment system and analyzed a game played within it using empirical game theory analysis. The model consists of banks, customers, and a fraudster, all represented by nodes in a network. The nodes are connected by directed edges representing financial relationships. Between bank nodes, the edges form the interbank network representing banks’ willingness to interact with each other on behalf of themselves or their customers. Banks hold deposits in bank accounts for their customers, which they can draw from to make payments within the network. These payments are modeled as a series of updates to the values on the edges between the payment sender and its recipient, capturing the exchange of funds between all parties.
An RTP fraud game played by bank nodes and a fraudster node within the model is defined to capture the salient details of the fraud mitigation issue. The bank nodes in the game attempt to mitigate their fraud risk while attracting customers with their RTP offering. They select from a set of strategies determining an investment level for RTP fraud detection and setting a maximum payment value above which they will not allow their customers to send RTPs. A higher investment in fraud detection yields a more accurate fraud detector but at a higher one-time cost to the bank. Since the goal of this work is to reason about the use of fraud detection systems rather than build one, we abstract away the implementation details surrounding fraud detection by representing all detectors solely as black boxes characterized only by their accuracy in detecting fraudulent or non-fraudulent payments. By choosing their strategy, banks seek to maximize their end-game payoff, which incorporates the benefits customers offer the bank and the costs incurred by the bank for fraud and detector use. The fraudster’s strategies dictate its behavior, including how it selects banks to target and the types of payments to attempt, standard or real-time. The fraudster’s goal is simply to maximize the number of frauds it commits during the game.
Once banks and the fraudster have chosen their strategies, customer and fraudster payments are randomly generated over several time intervals. Then, banks and fraudsters receive their rewards for their strategy performance. The game is analyzed using a method known as empirical game-theoretic analysis (EGTA), which uses extensive simulation of strategy profiles (assignment of strategies to agents) in the game to identify the Nash equilibrium behavior of the agents.
Could you discuss the main contributions of your work?
Our main contributions are twofold. First, we provide insights into the strategic behavior of banks under RTP fraud risk. We find that banks responsible for RTP fraud will invoke both mitigation measures: heavily investing in RTP fraud detection and restricting customer access. However, the ability to invoke two mitigation methods allows banks to find a balance that does not require overly stringent limitations on customers. Banks also appear willing to accept partial liability for RTP fraud without imposing customer restrictions. Importantly, we discover that strategically adopted mitigation techniques by banks significantly impact fraudsters with minimal effects on customer experience.
Our second contribution is introducing a new method for evaluating the strategic space known as Strategic Feature Gains Assessment. This method uses empirical game theory analysis to understand the benefits that different subsets of the strategic space offer agents. In this work, we apply the assessment to better understand the importance of the two possible mitigation techniques, individually and relative to each other. Through this assessment, we discover the importance of customer limits in mitigating fraud risk. In particular, if a bank can only start with one technique, it should consider customer usage limits before implementing fraud detection. This is an important confirmation that RTP systems invoking restricted access measures are on the right track and those that do not may want to consider them.
Could you tell us a bit about the experiments you conducted and what they revealed?
First, we apply EGTA to identify Nash equilibria for several configurations of the RTP fraud game defined by customer demand for RTPs and the liability banks incur for fraudulent RTPs. Our results indicate that the possibility of being liable for fraud has the greatest effect on banks’ strategic choices. We find that, without fraud liability, banks implement no mitigation measures, and with partial liability, they begin to implement at least one measure. As banks become fully liable for occurring frauds, they are more likely to heavily invest in RTP fraud detection and set customer limits, though not overly restrictive. The fraudster, in response to banks, will target only RTPs when it is lucrative with little risk. However, as banks begin to implement both mitigation measures to combat fraud, the fraudster is pushed to attempt fraud with both types of payments to maximize its success. In all configurations, it is better for the fraudster to use historical success rate information to select its target bank.
We are interested not only in the behavior of banks and fraudsters but also in understanding the effect of their strategic choices on the network as a whole. To study this, we measure various outcomes for network participants under Nash equilibrium for each configuration. A particularly interesting measure is the success rate of fraudsters and customers attempting to pay, which we compare to the case where banks allow RTPs without implementing any mitigation techniques. The results show that Nash equilibria yield much lower success rates for fraudsters while having minimal impact on customers.
Finally, we introduce Strategic Feature Gains Assessment to better understand the individual and relative importance of the two mitigation techniques. This assessment measures the benefit a group of strategies (the deviation set) offers an agent for deviating from a base set of strategies, quantified as the maximum gain an agent would receive for deviating from a strategy in the base set to one in the deviation set. For this analysis, we perform several assessments. The first studies the relative advantage of each technique given prior access to the other technique (i.e., the advantage of investing in fraud detection given the base set consisting of only limiting customer access and vice versa). From the results, we can see that restricting customers first offers the most significant gains. The second set of assessments determines which technique will be implemented first, in the case where only one can be selected. We examined this under two scenarios: banks initially do not allow RTPs, and RTPs are allowed without any mitigation measures. In all cases, a bank would first choose to apply restrictions to customers.
About Katherine
 | Katherine Mayo recently earned her PhD from the University of Michigan, where she was a member of the Strategic Reasoning Group. She is passionate about leveraging artificial intelligence to understand complex phenomena in economics and finance. Her recent work, presented at venues such as ICAIF and IJCAI, applies agent-based modeling and empirical game theory to study strategic decision-making in financial payment networks. |
Read the full paper
Mitigating Fraud Risks in Real-Time Payments: An Agent-Based Strategic Analysis, Katherine Mayo, Nicholas Grabill, and Michael P. Wellman, IJCAI 2024.
Lucy Smith, Editor-in-Chief of AIhub.
