Fraud protection

Managed element
Last edit 15 January 2018 09:10:04
Support contact 
A member of the CDL Team who is responsible for a specific element of the CDL infrastructure.
Kai Hüner

Companies are facing an ever-increasing number of digital fraud attempts, which are by now carried out on a very professional level. Among other types, falsified invoices cause significant financial damage, in some cases more than 1 million USD from a single attack. One critical challenge in uncovering these attacks is identifying bank accounts (e.g. given on an invoice) that are not owned by the declared business partner (e.g. the supplier named on the invoice) but by a third party, i.e. the attacker. The CDL addresses this challenge by sharing information on known fraud cases and on proven bank accounts. The Fraud Case Database comprises known fraud cases shared by CDL Members. Other CDL Members can look up these cases by bank account data (e.g. IBAN) to automate screening for critical accounts. The Whitelist, on the other hand, comprises bank accounts that CDL Members have declared "safe". You can look up shared Trust Scores to check a new bank account and to ensure that this account is already used by another CDL Member.

Fraud Case Database

CDL Members document known fraud cases in a CDL database and use this database to check whether a given bank account was used in a known attack or whether a given business partner was affected by a known attack. Besides the CDL API, the Fraud Protection App can be used to manage fraud cases in the CDL cloud.

Types of fraud cases

The following types of cases are collected by the CDL Members in the Fraud Case Database:


Bank Account Whitelist

Bank account whitelist
CDL Members import valid (according to a commonly agreed metric) bank accounts into a CDL database on a regular basis. This "whitelist" of millions of valid (i.e. proven by operations) bank accounts can be used by all CDL Members to check new bank account information before operational use. CDL Members only provide data for bank accounts which they have successfully used for multiple transactions. "Shared" bank account data is not shared between the CDL Members directly, but is kept securely and anonymized in the CDL cloud. Bank account data is also not mixed with other business partner data; it is only used for plausibility checks, i.e. you cannot look up bank account data for a business partner, but you can check whether given bank account data is known and proven by another CDL Member.

CDL Trust Score

Trust score calculation
The CDL Trust Score indicates the validity of a bank account based on usage statistics of the account data. To protect the transactional data of the CDL Members, the trust score of a bank account has to be calculated by a CDL Member before data is shared. This way, the trust score summarizes transactional information which might be sensitive from a competitive perspective. However, following this approach, all CDL Members have to agree on a common understanding of "validity" for a bank account. The following table provides the current definition:

| ID | Criteria | Trust Score |
|----|----------|-------------|
| C0 | No transaction within the considered time span (i.e. younger than 2 years and older than 90 days, regarding day of analysis) | 0 |
| C1 | 1 or more transactions within the considered time span | +1 |
| C2 | 10 or more transactions within the considered time span | +1 |
| C3 | More than 100 kEUR transferred within the considered time span (for other currencies, ±10% tolerance, e.g. 100k CHF or 100k USD) | +1 |
| C4 | Manually validated (according to common procedures, e.g. via ad-hoc phone call) | NOT CONSIDERED |

The following table provides some examples to illustrate the criteria:

| ID | Example | Trust Score |
|----|---------|-------------|
| E1 | 16 transactions within the considered time span (i.e. younger than 2 years and older than 90 days, regarding day of analysis), all 5 kCHF | 2 |
| E2 | 1 transaction within the considered time span, 55 kCHF | 2 |
| E3 | 1 transaction within the considered time span, 5 kCHF, manually validated | 1 |
| E4 | 27 transactions within the considered time span, all 5 kCHF | 3 |

Exemplary Trust Score calculation (SAP based)

Most CDL Members use SAP ERP based systems for their financial transactions, so here is an example of how to calculate the CDL Trust Score based on data from those systems. With a standard configuration, bank account data is stored in the REGUH table. The following table shows some exemplary data from this table with some additional columns:

  • HWAER is a lookup on table T001 with data from column ZBUKR, just to "explain" the given amount in RBETR.
  • EUR_BETR is calculated from column RBETR and from the currency tables TCURR, TCURF, and TCURX, to normalize amounts to EUR.

ZBUKR ZALDT LIFNR ZBNKS ZBNKL ZBNKN ZBNKL2 ZSWIF ZIBAN RPOST RBETR HWAER EUR_BETR
1321 2016-10-21 00XXXXX19 DE 21040010 XXXXXXX074 21040010 COBADEFF210 DE93210XXXXXXX074 2 -8,197,785.45 COP -250,671.81
1346 2016-10-13 00XXXXX19 DE 21040010 XXXXXXX074 21040010 COBADEFF210 DE93210XXXXXXX074 2 -41,538,967.86 VND -170,026.63
1346 2016-10-20 00XXXXX19 DE 21040010 XXXXXXX074 21040010 COBADEFF210 DE93210XXXXXXX074 3 -126,477,961.45 VND -517,697.54
1274 2016-10-07 00XXXXX20 DE 37540050 XXXXXXX044 37540050 COBADEFF375 DE74375XXXXXXX044 6 -2,971,057.87 THB -77,567.14
1276 2016-10-25 00XXXXX20 DE 37540050 XXXXXXX044 37540050 COBADEFF375 DE74375XXXXXXX044 2 -32,543.56 MYR -7,088.17
1276 2016-10-13 00XXXXX20 DE 37540050 XXXXXXX044 37540050 COBADEFF375 DE74375XXXXXXX044 3 -67,803.33 MYR -14,767.95
1276 2016-10-06 00XXXXX20 DE 37540050 XXXXXXX044 37540050 COBADEFF375 DE74375XXXXXXX044 2 -133,097.95 MYR -28,989.48
1276 2016-10-24 00XXXXX20 DE 37540050 XXXXXXX044 37540050 COBADEFF375 DE74375XXXXXXX044 2 -72,591.09 MYR -15,810.75
1346 2016-10-13 00XXXXX20 DE 37540050 XXXXXXX044 37540050 COBADEFF375 DE74375XXXXXXX044 3 -11,194,377.98 VND -45,820.65
1346 2016-10-20 00XXXXX20 DE 37540050 XXXXXXX044 37540050 COBADEFF375 DE74375XXXXXXX044 2 -1,002,427.87 VND -4,103.12
1395 2016-10-21 00XXXXX20 DE 37540050 XXXXXXX044 37540050 COBADEFF375 DE74375XXXXXXX044 1 -46,025.53 HRK -6,128.73
1395 2016-10-25 00XXXXX20 DE 37540050 XXXXXXX044 37540050 COBADEFF375 DE74375XXXXXXX044 1 -16,937.38 HRK -2,255.37
1395 2016-10-25 00XXXXX20 DE 37540050 XXXXXXX044 37540050 COBADEFF375 DE74375XXXXXXX044 1 -38,959.95 HRK -5,187.88
0167 2016-10-12 00XXXXX10 DE 37570064 XXXXXXX071 37570064 DEUTDEDK375 DE02375XXXXXXX071 1 -5,207,029.27 GTQ -632,877.26
0197 2016-10-11 00XXXXX10 DE 37570064 XXXXXXX071 37570064 DEUTDEDK375 DE02375XXXXXXX071 1 -37,842.57 PEN -10,275.35
0610 2016-10-10 00XXXXX10 DE 37570064 XXXXXXX071 37570064 DEUTDEDK375 DE02375XXXXXXX071 1 -21,828,437.61 HNL -863,461.55
0801 2016-10-13 00XXXXX18 PL 17500012 XXXXXXX000 17500012 RCBWPLPWXXX PL05175XXXXXXX000 7 -146,867.54 PLN -33,948.00
0801 2016-10-31 00XXXXX18 PL 17500012 XXXXXXX000 17500012 RCBWPLPWXXX PL05175XXXXXXX000 5 -40,922.10 PLN -9,459.02

The following SQL snippet might help to extract similar data from your systems:

DECLARE @dat_start DATE = '2016-10-01',
        @dat_end   DATE = '2016-10-31'

SELECT r.zaldt,
       r.zbukr,
       r.kunnr,
       r.lifnr,
       r.zbnks,
       r.zbnkl,
       r.zbnkn,
       r.zbnkl,
       r.zswif,
       r.ziban,
       r.rpost,
       r.rbetr
FROM   reguh r WITH (nolock)
WHERE  r.xvorl = ''
       AND r.vblnr <> ''         -- 'real' payment   
       AND r.rbetr < 0
       AND r.zbnkl <> ''         -- outgoing transfer (partner bank known), e.g. not cheque    
       AND r.zaldt >= @dat_start
       AND r.zaldt <= @dat_end 

To calculate the CDL Trust score from such data, you have to group the transactions by the identifying account attributes ZBNKS, ZBNKL, ZBNKN, ZSWIF, and ZIBAN. For each group, you can then calculate parameters which you need for the calculation:

  • Number RPOST: Number of transactions, i.e. number of records in REGUH for the given account.
  • Sum RPOST: REGUH lists the number of positions per transaction, which could be summed per group. However, it is better to count just the number of transactions (see above) when evaluating validity.
  • Sum EUR_BETR: Effective payments on the given bank account, in EUR.

With these parameters per bank account, the Trust Score can be easily calculated based on the criteria above. The following table shows grouping and Trust Scores for the REGUH data from above.

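| LIFNR | ZBNKS | ZBNKL | ZBNKN | ZSWIF | ZIBAN | Number RPOST | Sum RPOST | Sum EUR_BETR | Trust Score |
|-------|-------|-------|-------|-------|-------|--------------|-----------|--------------|-------------|
| 00XXXXX10 | DE | 37570064 | XXXXXXX071 | DEUTDEDK375 | DE02375XXXXXXX071 | 3 | 3 | -1,506,614.16 | 2 |
| 00XXXXX18 | PL | 17500012 | XXXXXXX000 | RCBWPLPWXXX | PL05175XXXXXXX000 | 2 | 12 | -43,407.02 | 1 |
| 00XXXXX19 | DE | 21040010 | XXXXXXX074 | COBADEFF210 | DE93210XXXXXXX074 | 3 | 7 | -938,395.98 | 2 |
| 00XXXXX20 | DE | 37540050 | XXXXXXX044 | COBADEFF375 | DE74375XXXXXXX044 | 10 | 23 | -207,719.23 | 3 |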
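
The grouping and scoring steps above, written out as an added example (not CDL code and not part of the original page). It also applies the considered time span from criterion C0. Assumptions: amounts are already normalized to EUR as in EUR_BETR, "2 years" is taken as 730 days, the account values are constructed placeholders, and the names `in_window` and `trust_scores` are hypothetical.

```python
from collections import defaultdict
from datetime import date, timedelta
from decimal import Decimal

# Constructed sample rows: (ZALDT, ZBNKS, ZBNKL, ZBNKN, ZSWIF, ZIBAN, EUR_BETR).
# Account values are placeholders, not real bank data.
ACC_A = ("DE", "00000001", "ACCT-A", "BANKDEAAXXX", "IBAN-PLACEHOLDER-A")
ACC_B = ("PL", "00000002", "ACCT-B", "BANKPLBBXXX", "IBAN-PLACEHOLDER-B")
ROWS = (
    [(date(2016, 10, d), *ACC_A, Decimal("-20771.92")) for d in range(1, 11)]
    + [
        (date(2016, 10, 13), *ACC_B, Decimal("-33948.00")),
        (date(2016, 10, 31), *ACC_B, Decimal("-9459.02")),
        (date(2017, 1, 20), *ACC_B, Decimal("-500000.00")),
    ]
)


def in_window(paid, today):
    """Considered time span: older than 90 days, younger than 2 years.

    Assumption: "2 years" is taken as 730 days.
    """
    age = today - paid
    return timedelta(days=90) < age < timedelta(days=730)


def trust_scores(rows, today, threshold_eur=Decimal("100000")):
    """Group payments by account attributes and apply criteria C0 to C3."""
    count = defaultdict(int)      # "Number RPOST": REGUH records per account
    total = defaultdict(Decimal)  # "Sum EUR_BETR" as a positive amount
    for paid, *key, eur in rows:
        key = tuple(key)
        hit = in_window(paid, today)
        count[key] += hit  # accounts with no hit stay at 0 (criterion C0)
        total[key] += abs(eur) if hit else 0
    return {
        key: int(n >= 1) + int(n >= 10) + int(total[key] > threshold_eur)
        for key, n in count.items()
    }


if __name__ == "__main__":
    for key, score in trust_scores(ROWS, today=date(2017, 3, 1)).items():
        print(key[-1], score)
```

The payment dated 2017-01-20 is younger than 90 days on the analysis date used here, so it is excluded and does not lift the second account over the 100 kEUR threshold.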

Data exchange

To protect CDL Members' transactional data (i.e. particular transaction volumes to particular bank accounts), this data is aggregated by each CDL Member (see Trust Score calculation above), and only aggregated information is sent to the CDL cloud. However, querying for required historic data over several years may cause significant performance issues and even may be technically limited in particular system architectures. In the SAP example above, a query would have to analyze millions of records of the REGUH table and might impact the performance of operational SAP systems significantly. Thus, you can choose between several data exchange approaches.

The simplest approach is to identify all relevant transactions on a regular basis, calculate the Trust Scores, and submit all bank accounts and Trust Scores to the CDL cloud. CDL services then delete all your bank accounts and Trust Scores in the whitelist database and use the new data for future requests.

Data model and cloud services

Data model concepts that are used for fraud protection services are integrated in the CDL data model. The core entity is the bank account, e.g. for whitelist requests, for whitelist updates, or as part of fraud cases. The following example shows a "complete" bank account.

{
  "bankAcountIdentifier": "6192.7841.2000",
  "bankCountryCode": "CH",
  "internationalBankAccountNumber": "CH8800781619278412000",
  "internationalBankIdentifier": "KBSGCH22",
  "nationalBankIdentifier": "781"
}

However, a valid bank account does not have to comprise data for all attributes. For example, the IBAN is sufficient to identify a bank account, so the following message is sufficient to update a whitelist record:

{
  "bankAccount": {
    "internationalBankAccountNumber": "CH8800781619278412000"
  },
  "trustScore": "4"
}

Web services to update and use the CDL Bank Account Whitelist are provided by the CDL API and are documented here.