How to do a good job in risk control strategy

The risk control decision engine is essentially a set of rules. Risk control rules are also called risk control policies and risk control strategies. Fraud, number theft, cheating, cashing, malicious brushing in marketing activities, and malicious preemption of resources are all risks, all of which require complex but efficient rule engines. Here we only focus on credit risk control.

Principles for formulating risk control rules:

Supervision level

The regulatory commission will restrict institutions from granting loans to minors. After implementation, the access rules will force users to be older than or equal to 18.

There will also be more regulatory requirements for student loans, because most students have no stable source of economic income and lack the ability to repay on time, which is easy to breed excessive lending and fraud.

Company level

Admission usually sets an upper age limit, such as 60. The upper age limit is often set for the consideration of public opinion, and the elderly may have more accidents after lending, such as overreacting to collection. This is generally not within the scope of supervision, but a principle at the company level.

The same is true in high-risk areas. In the history of some areas, there have been concentrated frauds. In order to prevent being attacked by gangs, there are also practices at the company level that do not allow direct access to these high-risk areas.

In addition, the company will stipulate that the same applicant cannot apply for a loan again within one month after being rejected. This is because the user's information will not change obviously in a short time, and the user's risk assessment results will not differ much. Once rejected, re-evaluation will often be rejected. However, there is a cost in evaluating a person, and it is not advisable to repeatedly query data inefficiently.

Risk control level

According to industry experience, it is self-evident that strong rules should be formulated for fraud, blacklist, bulls and bad credit.

Fraud can be mainly divided into one-party fraud and three-party fraud. One party fraud refers to the applicant's own fraud; Tripartite fraud refers to the third party stealing and using another person's identity without the applicant's knowledge. For example, criminal gangs use illegally collected identity cards for fraud.

In fact, there are two frauds, which are internal collusion frauds and are generally not considered.

Fraud on one side is often difficult to define, just like bad credit. Some experts' judgments can be set a priori. For example, the shortest access time of mobile phone number is generally limited to 6 months or 12 months. Applying for registration with a new number is obviously more likely to be fraud. Of course, these rules can easily be bypassed by the army. The Tao is one foot high, and the devil is ten feet high.

Face recognition is obviously an effective method to prevent and control three-party fraud, but it is also a very cumbersome method to hurt the user experience. The prevention and control of tripartite fraud relies more on big data mining, and embezzlement and fraudulent use are generally traceable in equipment behavior and relationship networks. Anti-fraud model based on big data is one of the important contents of risk control.

Blacklists are generally divided into internal product blacklists and external industry blacklists. Internal blacklist refers to fraudulent users and seriously bad credit users among historical users, while external blacklist refers to overdue hit credit list or court enforcement list provided by tripartite data or other high-risk users. Blacklist prevention and control overlap with fraud by one party.

Blacklisted customers will generally refuse directly. In the process of sustainable business development, the number of blacklisted customers may accumulate too much, which is often due to the strict rules of hacking, and the situation of manslaughter will be more serious. It needs to be divided into blacklist and grey list according to risk differences, and users of grey list can test and publish. So as to realize list optimization.

Dragon refers to users borrowing from multiple platforms, and there is a risk of borrowing new and returning old, so as to support loans. Users may be able to borrow money from other platforms to pay back the money of their own platforms, but for any single platform, gambling that they will not become victims is just like gambling that Bitcoin will not take over, which is not the practice that risk control should allow.

Industry knowledge is to make long rules. Long indicators are often formulated as variable rules, because long is a matter of degree and the threshold can be adjusted. The multi-head rule is frequently adjusted in the whole risk control rule.

In fact, it is very convenient to make rules based on data analysis. It is a univariate analysis process to select some variables with high risk discrimination based on feature library. As long as we follow the three indicators of accuracy, recall and stability, we can find out the effective and available rule set.

Accuracy means that the proportion of bad users in the click crowd should be as high as possible.

The recall rate means that there are enough bad users, and it is meaningless for a rule to find only a few people, even if they are all bad people.

Stability is of course important. The proportion of clicks and bad users in the click crowd needs to be stable. Otherwise, it is necessary to track and adjust frequently.

It should be noted that this model can also be understood as a rule, but it combines many weak variables into a strong variable. Strong variables are used for rules and weak variables are used for models.

Their essence is to stratify users, which is convenient for us to divide users into two parts, pass or reject them.

For some variable rules, it is necessary to test the timeliness of the rules regularly, and some rules need to be updated frequently. Confidentiality is also needed, especially anti-fraud rules.

Talk about the key skills of strategy students.

Business will always iteratively optimize policies, which often leads to the complexity of the policy system. How to prioritize from complex systems is the core competence of strategic students.

What should I do if I start over? What are you going to do as a strategic consultant for a new company? None of these can be solved by copying the existing system. Imagine, if you need to do the output of risk control ability, do a set of risk control process from 0. What would you do?

Decision engine is a set of decision-making processes, and its elements are the list of rules and the order in which the rules are executed. The former requires comprehensiveness and high differentiation, while the latter is very important for cost optimization.

In order to keep the rules of wind control output clear and effective, it is necessary to consider both the feasibility of rule variable extraction and the necessity of rule implementation. Low hit rate, difficult implementation and high cost are the common characteristics of invalidation rules. Repeated hits are also a common problem in policy systems.

After the rule list is made, it is necessary to dynamically monitor the number of hits of each rule. The rules of activation may be different in different periods, that is, some of them may be activated and the other may be suppressed. It is necessary to dynamically adjust the threshold of rules and the state of activation inhibition.

For example, the overdue time in some months is relatively high, and some new rules have been added. After monitoring, it is found that these rules obviously reduce the discrimination ability and should be abolished appropriately.

Whether it is a rule or a model, there will be many manslaughter, but manslaughter is allowed, because the loss of loan principal is often dozens or even hundreds of times the interest income.

Balancing the influence of decision-making on pass rate, risk, cost and income is a professional sense that risk control strategy practitioners need to cultivate.

Long-term lending generally participates in the whole risk control process as a strategic refusal dimension. Different institutions, different credit products and different scenarios have different rejection lines for long-term loans.

How to find the most suitable multi-head loan refusal line at present is the core task of risk control strategists.

Most importantly, if a loose policy is adopted, the threshold can be set to 2 or more as the rejection line, then the rejection rate only accounts for 3.2%, and the bad debt rate of excluded users is higher.

However, if a strict policy is adopted, if it is greater than 0, it can be changed to rejection, then the rejection rate will increase to 10%, and the number of rejected users is still significantly higher than that of users who pass.

These two rules are effective, and what threshold to adopt in actual business depends on the company's policies. Strict or broad.

Of course, the primary goal is to maximize profits.

It is worth noting that the coverage of multi-head data is often limited, which is reflected in the high value of variables. At this time, we can consider taking the part greater than 0 as the multi-head exclusion rule.

Using decision tree to make more variables and richer cross combinations can get more effective rules.

In addition to formulating strong rules to directly reject users, long variables are also considered as soft rules for customer group division. After bulls are classified as serious or not, they are used interchangeably with other dimensions of risk assessment.

What China lacks is never a strategy, but the determination and environment to implement it.

The above article is from Ray-Ban, written by Lei Shuai.