#66 - Are you using these 3 rule types?

We talk about fraud rules all the time.

But what do we actually mean when we mention “rules”? What are rules for? Who writes them? How should they be monitored?

Here’s the thing: 

During my career, I found out that there are actually three distinct categories of rules, but most teams treat them all the same.

And what are these categories? Strategy rules, behavioral rules, and trend rules. 

Each designed differently, written by different teams, and with completely different roles to play in your fraud defenses.

Mixing them up means you’ll either over-monitor some while under-monitoring others, assign ownership to the wrong teams, or worse - expect them to perform in ways they were never designed to.

Today I’ll break down each category and show you exactly how to handle them.

Let’s talk about it.

Strategy Rules: Your base defense layer

Strategy rules segment your population and define the overall design of your fraud defense.

Which segments get approved? Which segments get blocked? Which segments go through a step-up like authentication or manual review?

In most cases, these rules are written around a score calculated by an ML model, an AI agent, or - if your organization is still living in the ‘80s - a scorecard that tallies the result of other rules.

A good strategy segments the population according to risk bands and, ideally, other general risk factors like payment method, transaction amount, or user tenure. 

Side note: I wrote about how to approach such segmentation in the very first TSFS issue!

It usually looks something like this:

Keep in mind that strategy rules are usually interconnected, especially if you manage multiple segments. Changing a threshold in one rule dictates mirroring changes in other rules in the same set.

This also means you may want to measure them as a full ruleset, and not only individually.
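
An added example, not taken from the original issue: a strategy ruleset over a model score, with a check that each segment's bands still cover the score range after one threshold is changed. The segment names, thresholds and action labels are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StrategyRule:
    segment: str   # constructed segment name
    lo: float      # inclusive lower bound of the model score band
    hi: float      # exclusive upper bound (the top band is closed at 1.0)
    action: str    # "approve", "step_up" or "block"

# Constructed ruleset: thresholds are illustrative, not from the article.
RULESET = [
    StrategyRule("new_user", 0.00, 0.30, "approve"),
    StrategyRule("new_user", 0.30, 0.60, "step_up"),
    StrategyRule("new_user", 0.60, 1.00, "block"),
    StrategyRule("tenured_user", 0.00, 0.50, "approve"),
    StrategyRule("tenured_user", 0.50, 0.85, "step_up"),
    StrategyRule("tenured_user", 0.85, 1.00, "block"),
]

def validate(ruleset):
    """Return gaps or overlaps between the score bands of each segment."""
    problems, by_segment = [], {}
    for r in ruleset:
        by_segment.setdefault(r.segment, []).append(r)
    for segment, rules in by_segment.items():
        rules.sort(key=lambda r: r.lo)
        edge = 0.0  # highest score covered so far
        for r in rules:
            if r.lo > edge:
                problems.append(f"{segment}: gap {edge:.2f}-{r.lo:.2f}")
            elif r.lo < edge:
                problems.append(f"{segment}: overlap {r.lo:.2f}-{edge:.2f}")
            edge = max(edge, r.hi)
        if edge < 1.0:
            problems.append(f"{segment}: gap {edge:.2f}-1.00")
    return problems

def decide(ruleset, segment, score):
    """Translate a model score into a deterministic action for one segment."""
    for r in ruleset:
        if r.segment == segment and (r.lo <= score < r.hi or score == r.hi == 1.0):
            return r.action
    raise ValueError(f"no strategy rule covers {segment} at score {score}")
```

Running `validate` on every ruleset change catches the case where one threshold moves and its neighbour does not.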

Performance:

As these are generic rules that operate on the entire population and mostly translate an ML score into a deterministic action, accuracy tends to be quite low.

However, this also means they’re more resilient to degradation. ML models tend to degrade much more slowly than rules, so you don’t need to monitor them daily or weekly. A monthly cadence is usually more than enough.

Who owns them:

Since strategy rules are tightly coupled to a model’s score distribution, it makes sense that they’d be designed, reviewed, and deployed as part of the model release process.

Should the ML team write them? Perhaps, if it makes sense within your team’s context. But even if data fraud analysts write them, they should work closely with the ML team to do so.

And what if the model you use is supplied by a vendor? Then ideally you should ask them to support you with the required data analysis and segmentation.

Behavioral Rules: The backbone of fraud prevention

Behavioral rules detect typologies that bypass your fraud model and strategy rules.

This can happen for a few reasons: the typology is new and didn’t appear in the model’s training set, it’s too intricate or small to describe with a model, or you’re targeting false positive behaviors that models aren’t designed to catch.

Regardless of the reason, the point of these rules is to describe suspicious (or legitimate) behaviors, and not a particular fraud attack.

By doing so, your rules can catch different rings that have similar MOs, without the need to constantly tweak them.

A good example would be velocity rules. They describe a certain typology that can manifest in different attacks and by different fraudsters. Here’s an example:
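
An added example, not from the original issue: a sliding-window velocity rule that flags a device using too many distinct cards within an hour. The entity (device), the threshold, the window and the events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class DistinctCardVelocity:
    """Flag a device that uses too many distinct cards inside a sliding window."""

    def __init__(self, max_cards=3, window=timedelta(hours=1)):
        self.max_cards = max_cards
        self.window = window
        self.seen = defaultdict(deque)  # device_id -> deque of (timestamp, card)

    def check(self, device_id, card, ts):
        events = self.seen[device_id]
        events.append((ts, card))
        # Evict events that fell out of the window before counting.
        while events and ts - events[0][0] > self.window:
            events.popleft()
        distinct = {c for _, c in events}
        return len(distinct) > self.max_cards

# Constructed events: (device, card token, minutes after T0).
T0 = datetime(2025, 1, 4, 12, 0)
EVENTS = [
    ("dev-A", "card-1", 0), ("dev-A", "card-2", 5), ("dev-A", "card-3", 9),
    ("dev-A", "card-4", 12),                 # 4 distinct cards in 12 minutes
    ("dev-B", "card-9", 0), ("dev-B", "card-9", 20), ("dev-B", "card-9", 40),
    ("dev-C", "card-5", 0), ("dev-C", "card-6", 30), ("dev-C", "card-7", 50),
    ("dev-C", "card-8", 95),                 # card-5 and card-6 have aged out
    ("dev-C", "card-5", 100), ("dev-C", "card-6", 101),  # back to 4 in window
]

def flagged_devices(events):
    """Replay events in time order and return the devices the rule fires on."""
    rule = DistinctCardVelocity()
    hits = set()
    for device, card, minute in sorted(events, key=lambda e: e[2]):
        if rule.check(device, card, T0 + timedelta(minutes=minute)):
            hits.add(device)
    return hits
```

The rule fires on `dev-A` and `dev-C`, which follow different timelines but the same behavior, and stays silent on `dev-B`, which reuses one card.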

Performance:

Ideally, behavioral rules should be quite accurate, and in all cases, more accurate than the strategy rules themselves. Otherwise, why bother with them?

Behavioral rules degrade faster than models, but because they describe general typologies rather than specific patterns, they don’t degrade that fast. Even if a fraud ring leaves your platform, the rule would still catch new fraudsters attacking you in similar ways.

From a monitoring perspective, you want to review your behavioral rules on a weekly or monthly cadence.

Who owns them:

Behavioral rules sit squarely with the fraud analytics team, as they require both deep domain expertise and data literacy. 

Side note: If you want to drill down into how to build behavioral rules, I described their architecture in issue #26.

Trend Rules: Stemming the bleeding

Trend rules are designed to stop specific trends, attacks, or fraud rings.

When nothing else works, when fraudsters bypass your model, strategy rules, and fancy behavioral rules - you need to bring the hammer down.

These rules focus on a specific, narrow pattern to maximize the effectiveness of your defenses. They usually look like this:

Performance:

Trend rules usually start out very accurate, as they’re tailored to a specific attack. On paper, they should be your most accurate rules, and by a wide margin.

But they also degrade fast. 

It’s often easy for fraudsters to tweak something in their behavior and bypass a trend rule. This means these rules should be monitored daily to weekly, especially if they’re part of stopping an ongoing attack.

Who owns them:

Trend rules should be within the toolset fraud ops teams have at their disposal when dealing with fraud attacks.

However, you should consider your trend rules as stopgap solutions. The idea is they buy you time to deploy more substantial defenses that degrade more slowly, allowing you to eventually get rid of them completely.

Left unchecked over time, they can really cause havoc by accumulating false positives.
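
An added example, not from the original issue: a narrow trend rule with a review step that tracks its daily precision and age, so it is flagged once it degrades or outlives its stopgap role. The matched attributes, the precision floor, the lifetime and the labelled transactions are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed trend rule: every attribute value is a made-up placeholder
# for one specific attack, which is what makes the rule narrow.
TREND_RULE = {
    "name": "trend_example_attack",
    "deployed": date(2025, 1, 6),
    "max_age_days": 30,     # assumed stopgap lifetime
    "min_precision": 0.80,  # assumed acceptable floor
    "match": {"bin": "400000", "email_domain": "example.test", "amount": 49.99},
}

def matches(rule, txn):
    return all(txn.get(k) == v for k, v in rule["match"].items())

def daily_precision(rule, labelled_txns):
    """Precision per day: confirmed fraud among the transactions the rule hit."""
    hits = {}
    for txn in labelled_txns:
        if matches(rule, txn):
            day = hits.setdefault(txn["day"], [0, 0])
            day[0] += txn["is_fraud"]
            day[1] += 1
    return {d: fraud / total for d, (fraud, total) in sorted(hits.items())}

def review(rule, labelled_txns, today):
    """Return reasons to retire or rework the rule; an empty list means keep."""
    reasons = []
    precision = daily_precision(rule, labelled_txns)
    if precision:
        last_day = max(precision)
        if precision[last_day] < rule["min_precision"]:
            reasons.append(f"precision {precision[last_day]:.2f} on {last_day}")
    if today - rule["deployed"] > timedelta(days=rule["max_age_days"]):
        reasons.append("past stopgap lifetime")
    return reasons

def sample_txns(day, fraud, legit):
    base = dict(TREND_RULE["match"], day=day)
    return [dict(base, is_fraud=True)] * fraud + [dict(base, is_fraud=False)] * legit

# Constructed labels: the attack fades after day one, false positives remain.
SAMPLE = sample_txns(date(2025, 1, 6), 19, 1) + sample_txns(date(2025, 1, 9), 3, 7)
```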

Side note: Want to read more about stopping severe fraud attacks? I just wrote a whole blog post on how to run a fraud fire drill. Check it out!

The bottom line

Understanding the differences between the three types of rules isn’t just academic - it’s operational.

When you treat all rules the same, you:

  • Waste resources monitoring things that don’t need daily attention while missing degradation in rules that do.

  • Assign ownership to the wrong teams.

  • Harm your overall effectiveness by mismanaging the success criteria for each rule category.

Get this right and your fraud defense will be more resilient and easier to scale.

Getting better performance after reorganizing your rules? I'd love to hear about it. Hit the Reply button and share your wins.

In the meantime, that’s all for this week.

See you next Saturday.

