Stop Thinning Out the Center

AQFM began with a realization that took years to fully crystallize: fraud systems can improve local performance metrics while simultaneously increasing systemic risk. I first encountered this while leading fraud controls at a previous company. At the time, the work looked successful.

The surface-level indicators were moving in the right direction:

  • Fraud events prevented increased
  • Alert volume increased
  • False positive rate decreased
  • Rule hit rate increased

By conventional operational interpretation, the system was improving.

At the same time, the system-level outcomes told a different story:

  • Total losses increased
  • Fraud severity increased
  • Attacks became more sophisticated

These two views were not aligned. In fact, they were diverging.

After leaving that role, I spent a long time reviewing what had happened. My conclusion is that the system I built and operated was not performing well in any meaningful sense. The organization paid for what looked like progress, while absorbing growing downstream risk. Ultimately, I must admit, I did a bad job of controlling fraud risk.

I now realize exactly what went wrong: I hollowed out the center.

What is Thinning Out the Center?

To understand that, you must understand the central axiom of AQFM-style fraud mitigation.

Risk is the distribution of possible loss outcomes conditioned on the current system state and controls. In terms of Fraud Risk, it is the probability distribution over possible fraud losses.

The goal is not to reduce fraud losses, but to reduce fraud risk. The system state, meaning the environment and your controls together, determines how much risk exists. The problem is that, as stated above, fraud risk is a probability distribution, and probability is a conserved quantity: it must always add up to 100%.

This presents a problem. If your controls reshape the probability distribution, all that you can do is push loss probabilities around. You can concentrate them, you can disperse them, but the unbreakable law is that the probabilities must always add up to 100%. Note that this does not imply that risk is conserved. Risk is how that probability is distributed. A subtle point is that distribution of probability is not equivalent to conservation of probability. Changing the shape of the distribution of probability changes the risk you experience.

So when you introduce controls, you shift the mass of probability around, and thus change your risk profile. Standard methods of fraud management do this implicitly. AQFM seeks to make this operation explicit. That’s because there is a trap in the implicit shaping of the loss distribution: you can hollow out the center of the distribution.

Essentially, what happens is that you focus on picking up the most common cases of fraud. You grab the frauds that are easiest to see, so they are all alike. This causes your losses to decrease, at least initially. Under the surface, that means that fraudsters are getting more sophisticated, bolder, or just trying new things. Statistically, what is happening is that the distribution is becoming flatter. Remember, probability is conserved. Your loss distribution is constrained below by the lower bound of not having a loss. So where does all the mass of probability go? It must go to the right tail of the loss distribution.

Notice what happens when you thin out the center. There are two statistical effects. First, your average loss increases because there is more mass in the tail of the distribution. Second, the variance of your losses increases, meaning that your loss amount becomes less predictable.

This is what happens when you concentrate on stopping the most predictable fraud patterns. You end up thinning out the center and making the organization’s fraud management less predictable. This is what I was guilty of doing. I was focused on finding, detecting, and preventing the most common forms of fraud. I did that because I thought that was the surest path to reducing fraud losses. Intuitively, that makes sense: if you reduce the most common types of fraud, fraud losses will go down. But that is the paradox. It actually has the opposite effect by concentrating probability of loss in the tails. It causes backfire. Fraud losses paradoxically get worse by concentrating on reducing the obvious fraud!

So what is the solution?

The solution is to not worry about the common. Instead, understand how the fraud control you are implementing affects the loss distribution. This is a far more quantitatively intensive task. However, the rewards are immense. Instead of focusing on “catching fraud”, a good decision reduces fraud risk as measured by tail concentration.

Remember, probability is conserved. Your goal should be to push fraud loss probabilities to the left. You should never assume that a control will do that. A control’s effectiveness is measured by variance compression or by tail risk reduction, not by how much fraud it catches, alerts on, or even prevents. Judging a control by those counts can cause the type of backfire I am talking about.

Notice how reducing tail risk has the opposite effects: average loss decreases, variance compresses, and probability piles up to the left. This would manifest as predictable and ordinary losses, while maintaining operational capacity. The point is to stop focusing on outcomes and start focusing on the underlying state, which is the shape of the loss distribution, to control your fraud losses.
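A numerical illustration of the two cases above, thinning the center versus reducing the tail (added here as an example; it is not the author's code or an AQFM implementation). It generalizes slightly by letting only part of the blocked mass move to the tail, with the rest becoming zero loss. The loss buckets, probabilities, the 20% displacement share and all function names are assumptions chosen for illustration.

```python
# Constructed example: discrete distribution over per-period fraud loss.
# Bucket values and probabilities are illustrative, not data from the post.
LOSSES = [0, 1_000, 5_000, 20_000, 100_000, 500_000]
BASELINE = [0.10, 0.30, 0.40, 0.15, 0.04, 0.01]

def mean(p):
    return sum(pi * x for pi, x in zip(p, LOSSES))

def variance(p):
    m = mean(p)
    return sum(pi * (x - m) ** 2 for pi, x in zip(p, LOSSES))

def expected_shortfall(p, alpha=0.10):
    """Average loss across the worst `alpha` share of outcomes."""
    remaining, total = alpha, 0.0
    for pi, x in sorted(zip(p, LOSSES), key=lambda t: -t[1]):
        take = min(pi, remaining)
        total += take * x
        remaining -= take
        if remaining <= 1e-12:
            break
    return total / alpha

def apply_control(p, src, blocked, dst, displaced):
    """Block `blocked` of bucket `src`. A `displaced` share of the blocked
    mass reappears in bucket `dst`; the rest becomes zero loss (bucket 0).
    Mass is only relocated, so the probabilities still sum to 1."""
    q = list(p)
    moved = q[src] * blocked
    q[src] -= moved
    q[dst] += moved * displaced
    q[0] += moved * (1 - displaced)
    return q

def assess(before, after):
    """Judge a control by the shape of the distribution, not by detections."""
    d_var = variance(after) - variance(before)
    d_tail = expected_shortfall(after) - expected_shortfall(before)
    return {"mean_delta": mean(after) - mean(before), "variance_delta": d_var,
            "tail_delta": d_tail, "reduces_risk": d_var < 0 and d_tail < 0}

# Assumption: a rule stops half of the common $5,000 pattern, but 20% of the
# stopped activity adapts and lands in the $100,000 bucket.
thinned = apply_control(BASELINE, src=2, blocked=0.5, dst=4, displaced=0.2)
# Assumption: a tail-focused control caps half of the $100,000 cases at $20,000.
tail_ctl = apply_control(BASELINE, src=4, blocked=0.5, dst=3, displaced=1.0)

if __name__ == "__main__":
    for name, dist in [("thin the center", thinned), ("tail control", tail_ctl)]:
        print(name, assess(BASELINE, dist))
```

In this constructed case the first control stops half of the most common fraud and 80% of what it stops becomes zero loss, yet mean, variance and tail shortfall all rise; the second control touches only 2% of outcomes and lowers all three.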

Don’t Miss the Forest

I’m not saying that chasing detections and preventions is a fool’s errand. I’m trying to make a subtler point. Increasing your alert rate, decreasing your most common fraud types, and so on can reduce tail risk. So chasing those is valuable in some situations. The subtle point that I am making is that to understand your controls requires a deep understanding of what your controls are doing to risk. You need to have a firm understanding of the loss distribution to control your risk.

It requires good methods for measuring and modeling how your controls will interact with the environment to produce loss distributions. You can’t just presume that because your control is catching fraud it is reducing systemic risk, because it may actually be increasing your risk while simultaneously increasing your operational overhead.

The call for action here is to be cautious and to build the analytical capability to measure the risk distribution, and how your proposed controls affect it.
