
Building a Robust Fraud and Risk Management (FRM) System

Jun 8, 2023

  • Over 95,000 UPI fraud cases were reported in 2022-23.
  • More than 42% of Indians experienced financial crimes.
  • 95% of Indian firms experienced new types of cyber frauds.

Cyber frauds are surging every day. You may have experienced one yourself, or you have probably come across a cyber fraud victim. Living in an era of the highest technological sophistication and still falling prey to cyber frauds is ironic.

The global digital payments market is expected to grow at 15.5% and reach $111 billion in 2023 and hit $198 billion by 2027. Payment modes such as UPI, credit/debit cards, digital wallets, and other contactless modes have gained a lot of prominence due to their speed, convenience, and security. Despite phenomenal advances, cyber frauds in the form of phishing, spamming, SIM swapping, account takeover frauds, etc., increase by the minute. Hackers are evolving with technology and adopting sophisticated strategies to infiltrate banking infrastructure and commit cybercrimes. 

This is why organizations need a robust Fraud and Risk Management (FRM) system to defend against data theft, breaches, and other forms of cybercrime. Before getting into the details, let’s first understand what fraud and risk management is.

What is Fraud and Risk Management? 

Fraud Risk Management is a systematic approach to reducing fraud, especially transaction-related fraud. It encompasses identifying, managing, and mitigating breaches in addition to preventing frauds and risks. Businesses including financial institutions, ecommerce companies, healthcare providers, government agencies, and insurance companies use FRM systems to combat risks associated with digital transactions.

In this blog, we’ll discuss how to design an FRM system and the best practices to follow while designing it. Before diving in, let us go through the common types of cyber fraud, because knowing how attackers operate helps you create an FRM system capable of handling those frauds.

Here we go! 

Types of Cyber Fraud 

Account Takeover (ATO) Frauds  

Account takeover fraud occurs when hackers gain unauthorized access to a victim’s online account and take control of it, often without the victim’s knowledge or consent.

Phishing is an attack method used in ATO where the hacker sends an email to a user posing as a genuine entity. The user is tricked into believing the email is legitimate and discloses their private information.

Brute-force Attack 

Hackers try combinations of usernames and passwords against multiple accounts until they break into a user’s account.

SIM Swap and Device-related Fraud 

SIM swap is a technique used by fraudsters to get control of a user’s phone number. By controlling the phone number, hackers receive the SMS-based two-factor authentication codes meant for the user and can use them to access the user’s devices, bank accounts, social media accounts, and more.

Authentication Protocols to the Rescue

Most organizations have some sort of strategy to defend themselves from fraud. Some use a proper FRM system; others follow stringent security protocols such as 3-D Secure Authentication (3DS) and Two-Factor Authentication (2FA) as an additional security layer. But the deployment of these security protocols depends on the marketplace. Many markets (such as the United States) do not use 3DS because they prefer customer convenience over security, which can lead to fraud unless strong controls are in place. On the other hand, in markets such as India where 2FA is mandated, fraudsters still persuade gullible customers to share OTPs. Where the requisite measures are not taken, fraudsters holding stolen card credentials try their luck at different merchants to see whether they can get through and bypass risk controls.

The best way to battle cyber frauds is to design a risk engine capable of not only identifying existing frauds but also new ones. 

How can you Design a Robust FRM to Tackle Fraud?

  • Accessing requisite data
  • Introducing the right balance between frictionless flows and challenges
  • Interfacing FRM with external systems
  • Embracing advanced risk checks
  • Adopting a combination of rules and models

Accessing Requisite Data

In this data-driven world, where frauds mutate in novel ways like the coronavirus, we need the requisite data to develop an efficient and holistic FRM system.

Types of data we need for fraud management 

Transaction data 

All financial data related to digital transactions, including credit card transactions, bank transfers, wire transfers, etc. This data must include the transaction amount, date, time, location, and other details. This data is used to build a historical profile of the customer. 

User data 

User information such as name, address, phone number, email address, employment, income, credit history, etc. 

Device data 

Device type, operating system, browser type, and other technical details. 

Geolocation data 

Location of the transaction – IP address, GPS coordinates, and other data that can be used to determine the user’s location. 

Behavioral data  

Browsing history, search history, and other online activities that may be relevant to the transaction. 

External data

Information from external sources, such as credit bureaus, public records, and other third-party sources that can provide additional insights into the user’s risk profile. 

Now that you have all the requisite data for building an FRM system, what next? 

Customer profiling 

Customer profiling is a process in which a business or organization collects information about its customers and analyzes their behavior, preferences, and potential risks.

Comprehensive customer profiling enables business & risk teams to design the most appropriate models & rules to mitigate fraudulent transactions.  

Introducing the Right Balance between Frictionless Flows and Challenges 

A natural question arises when developing an FRM system:

Why not increase the number of authentication steps to increase security and prevent cybercrimes?

Yes, the authentication journey can be made more complex, but that will definitely impact the user experience.

How will users feel if they are subjected to strenuous procedures just to make a normal digital transaction?

On the other hand, if there are few or no authentication steps, the probability of a hacker breaking into the system goes up. That is why, while designing a risk engine, it is important to strike a balance between a frictionless user experience and introducing a challenge. Having a configurable, customizable challenge experience is critical to identifying different fraud strategies.

Interfacing FRM with External Systems

To keep security capabilities ahead of ever-evolving fraud, you need to interface the FRM engine with external systems such as whitelists, hotlists, spam lists, disposable (temporary email/number) lists, etc. By regularly pulling data from these systems, you can keep the FRM updated in real time.

Let’s take a scenario.  

A user lost his credit card. He immediately alerts the card issuer to block the card. The issuer hotlists the lost credit card, meaning the card is permanently blocked. Now, when a hacker tries to make a transaction using the lost card credentials, an FRM system can classify it as fraudulent if it is interfaced with hotlists. 

Integrating hotlist information into the Fraud Risk Management (FRM) system can significantly enhance an organization’s ability to identify and manage potential risks. These risks may include money laundering, fraud, terrorist financing, etc. By leveraging this integration, organizations can proactively mitigate these risks and ensure compliance with relevant regulations. 

Embracing Advanced Risk Checks

Behavioral biometrics distinguishes genuine users from criminals by analyzing users’ physical and cognitive digital behavior. By assessing user behaviors such as mouse movements, typing cadence, swipe patterns, device orientation, etc., and comparing them with the historical user profile, the behavior can be classified as either good or bad.

For example, genuine users show varied pace and navigation patterns, whereas cybercriminals rely on copy, paste, and automated programs. Genuine users use the autofill feature to fill in personal details, whereas criminals enter the data manually.
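As an added illustration (not code from the post or from M2P), the following scores a login or checkout session against a user’s historical typing-cadence profile and flags the copy-paste and automation signals described above. The profile values, the session event format and both sample sessions are constructed for the example; the thresholds are assumptions a real deployment would tune.

```python
from statistics import mean, pstdev

# Constructed per-user profile: mean/stdev of the inter-keystroke interval (ms)
# learned from past genuine sessions. A real profile would hold more features.
HISTORICAL_PROFILE = {"iki_mean": 180.0, "iki_std": 40.0}

# Constructed sessions as (event_type, timestamp_ms). Event types: "key" for a
# key-down, "paste" for a clipboard paste, "autofill" for browser autofill.
GENUINE_SESSION = [("autofill", 0), ("key", 1000), ("key", 1170), ("key", 1360),
                   ("key", 1520), ("key", 1730), ("key", 1900)]
SUSPECT_SESSION = [("paste", 0), ("paste", 20)] + [("key", 100 + 50 * i) for i in range(10)]

def inter_key_intervals(key_times):
    """Gaps in ms between consecutive key-down events."""
    return [b - a for a, b in zip(key_times, key_times[1:])]

def session_features(events):
    keys = [t for kind, t in events if kind == "key"]
    return {
        "iki": inter_key_intervals(keys),
        "pastes": sum(1 for kind, _ in events if kind == "paste"),
        "autofill": any(kind == "autofill" for kind, _ in events),
    }

def behaviour_score(events, profile=HISTORICAL_PROFILE):
    """Return (score 0..100, reasons); higher means further from the
    customer's historical behaviour and more likely scripted input."""
    f = session_features(events)
    score, reasons = 0, []
    if f["iki"]:
        m, s = mean(f["iki"]), pstdev(f["iki"])
        z = abs(m - profile["iki_mean"]) / profile["iki_std"]
        if z > 2.5:                        # cadence far from this user's norm
            score += 40
            reasons.append(f"typing cadence off-profile (z={z:.1f})")
        if len(f["iki"]) >= 8 and s < 5:   # near-constant timing: automation
            score += 30
            reasons.append("machine-regular keystroke timing")
    if f["pastes"] and not f["autofill"]:  # pasted PII rather than autofilled
        score += 25
        reasons.append("pasted fields without browser autofill")
    return min(score, 100), reasons
```

The returned score is one input to the overall risk decision, not a verdict on its own; a legitimate customer on a new keyboard will also drift off-profile, which is why the page pairs such checks with rules and models.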

Adopting Rules and Models

When building an FRM system, many organizations solely rely on Machine Learning (ML) models for fraud detection. ML models help the FRM system scale, adapt, and visualize emerging threats and frauds.  

Does that mean you should stop following a rule-based approach? 

After all, why should anyone still follow the rules when there are efficient ML models that can learn by themselves? 

Though the ML-based approach facilitates real-time processing and can automatically detect anomalies and unique frauds, it takes time to set up and train the models. Moreover, an ML-based approach can get tricky and complicated, whereas rules are good for certain edge cases where a rule must be deployed quickly to stop a threat.

That is why it is important to design a risk engine that combines rules and models. 

After building a risk engine based on the above steps, it is important to test the engine periodically in real-time and get feedback on its performance. That is the job of a fraud/risk analyst. Then, they improve the system by fine-tuning the rules and models. 

M2P Fraud and Risk Monitoring System

M2P’s Fraud Risk Monitoring system leverages all the best practices in designing a risk engine. It evaluates the risk associated with various use cases (transaction, onboarding, login, and other non-payment scenarios) across all channels, including cards (authentication & authorization), BNPL, core banking, payment gateway, UPI, etc. 

Our FRM system combines many sources of data and performs customer profiling by interfacing with external systems. We deploy advanced risk checks such as behavioral biometrics to classify genuine users and follow a holistic approach that combines rules and models.

Why M2P FRM? 

Effective Rule and Data Management 

Our FRM lets users upload historical data, review rule performance, and deploy the rules after fine-tuning them. Depending on the implementation of risk rules, users can run the system in a listening mode (without uploading any historical data). In this mode, the source system receives the risk score but does not make business decisions on it. Users can turn off listening mode once the risk rules have been finalized.
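To tie together the design points above (hotlist interfacing, the challenge versus frictionless balance, combining rules with a model, and a listening mode that scores without deciding), here is a small risk engine as an added example. It is not M2P’s engine or any product’s code; the hotlist, rule points, thresholds and the `model_score` input (standing in for an ML model’s fraud probability) are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed hotlist of blocked card tokens; in production this is refreshed
# from the issuer's hotlist feed rather than hard-coded.
HOTLIST = {"tok_lost_0001"}

@dataclass
class Txn:
    card_token: str
    amount: float
    country: str          # country of the transaction (from geolocation data)
    home_country: str     # from the customer profile
    txns_last_hour: int   # velocity, from transaction history
    model_score: float    # 0..1 fraud probability from an ML model (assumed input)

def rule_checks(txn):
    """Deterministic rules. Returns (hard_block, [(points, reason), ...])."""
    if txn.card_token in HOTLIST:
        return True, [(100, "card token is hotlisted")]
    hits = []
    if txn.country != txn.home_country:
        hits.append((30, "transaction country differs from customer profile"))
    if txn.txns_last_hour >= 5:
        hits.append((25, f"velocity: {txn.txns_last_hour} txns in the last hour"))
    if txn.amount > 50000:
        hits.append((20, "high-value transaction"))
    return False, hits

def risk_score(txn):
    """Combine rule points with the model output into a 0..100 score."""
    hard_block, hits = rule_checks(txn)
    reasons = [r for _, r in hits]
    if hard_block:
        return 100, reasons
    score = sum(p for p, _ in hits) + round(60 * txn.model_score)
    return min(100, score), reasons

def decide(txn, listening_mode=False, challenge_from=40, decline_from=80):
    """Return (action, score, reasons). Low scores stay frictionless, the
    middle band gets a step-up challenge (OTP/3DS), the top band is declined.
    In listening mode the score is still produced but the action is always
    'allow', so rules can be tuned before they drive business decisions."""
    score, reasons = risk_score(txn)
    if listening_mode:
        return "allow", score, reasons
    if score >= decline_from:
        return "decline", score, reasons
    if score >= challenge_from:
        return "challenge", score, reasons
    return "allow", score, reasons
```

Comparing the scores produced in listening mode against analyst-confirmed outcomes is the feedback loop the post describes: the thresholds and rule points are adjusted until the challenge band catches fraud without burdening genuine customers.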

If users do not have a pre-defined rule set, our system provides a standard rule set covering all mandatory and a few optional/conditional parameters.

Customizable Case Management Modules 

The case management section allows the issuer to flag a certain type of transaction as a case (based on a case definition) and conduct further analysis to determine if the transaction was genuine/fraudulent. The case management flow can be customized as per business & risk preference. 

Our Case Management module can help you: 

  • Set case definition (automatic rule) to flag certain transactions as cases 
  • Prioritize cases as high/medium/low 
  • Assign cases to be investigated by analyst 
  • Automate case investigation via IVR/SMS/WhatsApp 
  • Assign and reassign cases based on category, ageing, priority, etc. 

Comprehensive Reports and Dashboard section 

Our FRM gives users a comprehensive reports and dashboard section: detailed transaction reports, rule performance reports and case management reports, through to overall FRM system performance, with the dashboard filterable by score, transaction outcome, genuine vs. fraudulent transactions, etc.

Seamless Feedback  

Our FRM eases the life of fraud analysts. Whenever analysts provide feedback, it is easy for them to incorporate it into our risk engine.

At M2P, we have had the privilege of collaborating with a diverse range of clients, and built lasting relationships with banks, NBFCs, and neobanks. Our team consists of seasoned professionals who possess a deep understanding of market trends and industry standards. With this knowledge, we craft innovative solutions that effectively combat cyber fraud and provide our clients with the protection they need. 

Do you want to protect your customers from cyber frauds? 

Reach out to us at! 

This blog was co-written by Madhusudhan Ramakrishnan, Associate Vice President – Product Management, M2P. 
