The role of data and machine learning within the financial sector has exploded in recent years, with broad implications for the industry at large. Sam Devakumar leads Fourthline's data strategy, overseeing everything from product analytics to machine learning models that power the company's AI-driven identity verification services. In this conversation, he shares insights into how data shapes product development and drives innovation in fraud detection at Fourthline.
What role does data play at Fourthline and how does it inform the product development process?
It's safe to say that without data, Fourthline wouldn't exist. We have a lot of different AI services and AI-powered products that make up our services — different modules that do different things, all of which work on top of data. So, data is part of our DNA.
We like to think of it as using data to solve business problems — whether it's data engineering, data analytics, or machine learning that powers all our AI services. For example, one of the business problems we want to solve is conversion, because that's something our business partners really care about. They spend a lot of marketing money to get people up to the point where we, as an identity provider, make sure they are who they say they are and ensure compliance with regulations.
So, in what way does Fourthline use data to improve conversion rates?
There are two aspects to this. The first is identifying what features we should focus on. We anonymise data on what happens throughout a customer's user journey, and one of the basics of product analytics is looking at drop-off rates across the journey to pinpoint where we should focus if we want to improve conversion.
The second aspect is feature validation. Because we’re a regulated company (as are many of our business partners) we don't just blindly release a feature and assume everything will be perfect. Instead, we do something called a “feature pilot,” where we launch a feature to a very small volume of users. The point here is to track end-to-end conversion and other metrics. This way, we can compare traffic going to the new feature versus everything else. If it's not working, we go back to the drawing board. If it is, we know exactly how much improvement we're seeing.
How do you balance the trade-off between risk and conversion when working with different business partners?
It can be helpful to think of the conversion problem as a gate. You could let everyone through and have 100% conversion, but then you’d also let in all the fraudsters. Or you could close the gates entirely and catch all the fraudsters, but then you wouldn't have a business to run. The balance is obviously in the middle, but where that middle point is varies depending on the industry and the business partner.
For example, if we're talking about a tier-one bank, they’ll have a much lower risk appetite than if we're providing an identity solution for the transportation industry, where they primarily care that the person is who they say they are and has a valid document.
How do you quantify these different risk appetites?
We have discussions well before we go live with a business partner. We ask questions like: “What's your risk level? What are the things you care about?” This is where metrics come in — specifically False Acceptance Rate (FAR) and False Rejection Rate (FRR), which is how we quantify these things.
FAR is a measure of how many incorrect or fraudulent identities they're willing to accept. Obviously, it’s a low number, but it's never going to be zero. FRR is basically how many legitimate users they’re willing to accidentally reject. Once you put numbers to those, we can decide which product modules need to be added and configure how strict they need to be.
Given Fourthline's history primarily serving financial services, how are you adapting your approach as the company expands into other industries?
Fourthline is very well-positioned for this expansion because we started with the hardest problem first — the most regulated market (the EU) and the most regulated industry (finance). If we had picked a less regulated market like the US, or a less regulated industry like transportation, then trying to move to more regulated environments would be harder. But we're doing the opposite.
It also helps that our product is very modular. We're able to tweak a lot of things for that FAR-FRR balance and the conversion-friction-fraud balance. This makes us extremely well-positioned to adapt as we expand into different industries.
Let's talk about Fourthline's approach to AI and machine learning. How do Fourthline's data scientists think about the "black box" challenge of building AI, wherein AI models make decisions that aren't easily explainable?
This topic is at the heart of the EU AI Act, which is now being progressively implemented across the EU. The way we handle this at Fourthline is through a modular approach. Which is to say, we have products — and, on a deeper level, we have product modules. For example, we have Selfie Photo and Selfie Liveness as individual modules within our biometrics product.
We have specialised AI models for each specific task. For example, we have one proprietary model that assesses whether selfie liveness exists (i.e., Is it a live person?), and we have another model that compares the face in the selfie to the face in the document. Then we've got another model that assesses document authenticity — meaning: does it have all the security features? Is it a deepfake? Is it an injected video?
Having very specialised models for each task makes the problem statement smaller, easier to understand, and very specific. Each AI model gives us an output, then we have other risk-based models running on top, which helps people understand the decision-making process.
What happens when your AI models flag something as suspicious?
If any of the models detect something suspicious, it always goes to a human agent. Only successful verifications may be automated — and even then, depending on the risk profile, we might still route it to human review.
How has the threshold for human review evolved as your models have improved?
The percentage of cases going to human agents certainly decreases over time as we become more comfortable with our models. But we always make sure there's a human agent involved before we mark something as suspicious or fraudulent. Even if all models are confident that something is suspicious, we don't automate a rejection — it still goes to a human agent.
This human-in-the-loop approach helps with accountability. We don't have an overarching AI model that just says "this is fraud" without explanation. Our modular approach means our human agents can see exactly what's suspicious and make a call from there.
Looking ahead, do you see a future where human review becomes unnecessary?
The role of human agents has already been drastically reduced. Ten years ago, everyone had to verify their identity in person. Back then, there were very few players doing video calls for verification, which was 100% manual. Now, when we have a human in the loop, it's only for suspicious cases, which is a much smaller percentage — typically in the single digits.
I think predicting 20 years out is quite hard, but looking at five years, I expect we'll see much more digitalisation. Ten years ago, none of the big banks were even on the cloud — everything was on their own servers. Now many have moved to the cloud, and onboarding is moving online. COVID obviously accelerated some of that out of necessity.
How is the rise of deepfakes and generative AI affecting your fraud detection efforts?
Over the last two years, it has become much easier to generate deepfakes, especially with generative AI. Given this, we're seeing many more magnitudes of fraudulent attempts.
But we're well-positioned thanks to our multilayered fraud detection and fraud prevention setup. Our approach involves multiple layers: the specialised AI models I mentioned, plus an additional machine learning fraud detection model that uses the output of everything and gives a score on likelihood of fraud. We also have technology that can detect if someone injects a video into our flow — meaning they essentially insert a pre-recorded video where a live one should be. Because if it's injected, it's essentially a deepfake.
What other anti-fraud measures do you employ beyond deepfake detection?
We have multiple additional layers. For example, with French ID cards, there's a QR code that can be scanned — that's another layer that's hard to fake. We also have machine learning models that use behavioural data and device data, which are much harder to fake and mimic than visual content.
Can someone bypass one of these things? Of course. But can someone bypass all the layers we have in place? That would be much more difficult.
How are you approaching expansion into new geographic markets from a data perspective?
Trends vary significantly because they depend on the business partner. Sometimes we see crime syndicates really focusing on one specific business partner for various reasons. So, it's very important that we're not just looking at overall trends, because averages can be misleading. We look at trends across business partners, across different industries, and across different document types. For fraud insights, we're always granular.
With the new AML regulation, the promise is standardisation across the EU, which would obviously help. There's some scepticism about how well that will work in practice, but if it delivers, it will make it easier to launch in new markets. At the same time, there are always market-specific regulations that add some complexity.
But like I said, we started with the hardest markets. If you can crack those, other markets become easier.
Sam Devakumar is Head of Data at Fourthline, where he oversees data strategy, analytics, and machine learning initiatives that power the company's identity verification platform.
