From signal to substantiated: rebuilding fraud detection around outcomes, not alerts

Fraud detection in insurance has been measured wrong for a decade. The dominant metric across most carriers is alert volume — how many files the fraud system flagged, sometimes with a confidence score attached. Alert volume is easy to measure. It is also nearly orthogonal to the outcome that matters, which is whether the SIU team can substantiate the file and whether the recovery, denial, or rescission was sustainable.

The right metric for a fraud program is substantiated referral rate. The metric immediately upstream of it is referral acceptance rate from SIU. Everything else is noise.

The alert volume trap

Most fraud programs operate inside a tradeoff that nobody has explicitly chosen. Lower the threshold and alert volume climbs, SIU gets buried, and acceptance rate falls. Raise the threshold and acceptance rate looks better, but coverage falls and the program misses the patterns it should have caught.

Either side of the tradeoff is bad. The fix is not finding a better threshold. The fix is changing the unit of work the fraud program produces. Instead of producing alerts, produce referral packets that are good enough that SIU accepts them on the merits.

What a good referral packet actually contains

A SIU investigator does not want a confidence score. They want the facts of the file, the contradictions in the documentation, the prior history that is relevant, and a clear hypothesis they can test. A good packet does the work the investigator would have done in the first hour.

• A timeline of the claim with the relevant evidence anchored to dates.
• A list of contradictions across statements, documents, and external signals.
• Prior-claim history that is materially related, with the related-ness explained.
• A pattern paragraph that identifies which fraud pattern is suspected and why.
• External signals — provider history, vehicle history, social signals — when relevant and properly cited.
• A draft set of questions the investigator might ask the insured, designed to test the hypothesis.

When a packet shows up with that content, SIU's acceptance decision becomes binary in a productive way. Either the packet supports a substantiated hypothesis or it does not. Either way, the disposition is fast.

Networks are visible at the book level, not the file level

File-level detection finds the obvious cases. Network-level detection finds the cases that are obvious only when you can see across files. A staged-loss ring, a clinic billing pattern, a body-shop pattern, a contractor pattern in property — none of these are visible inside a single claim file.

An agent operating at the book level resolves entities across files, builds the relationship graph, and surfaces clusters that have the signature of organized activity. The output is again not an alert but a packet — this time documenting the network, the relationships, and the recommended investigation order.

What not to do

1. Lower the detection threshold and call it improvement. You are creating work for SIU that they will not accept.
2. Buy another rules engine and stack it on top of the existing one. Stacked rules engines do not produce better packets. They produce duplicate alerts.
3. Optimize for the alert-volume KPI. Whatever KPI you optimize for, you will get. If it is alert volume, you will get alerts and not substantiations.
4. Treat detection as separate from referral packet preparation. The two are the same workflow. Decoupling them creates the trap above.

What deployment looks like

Carriers that move from alert-driven to packet-driven fraud detection see three observable changes inside a quarter. Referral volume drops. Referral acceptance rate climbs sharply. Substantiated outcome rate climbs in parallel.

1. Pick one LOB. Auto medical, soft-tissue is the canonical place to start in personal lines. Contractor patterns in property is canonical in homeowners.
2. Deploy the packet-preparation agent on the existing alert population for two weeks in shadow mode.
3. Move to production. Have SIU compare acceptance and substantiation on agent-prepared packets versus their pre-deployment baseline.
4. Add the network-detection agent at the book level after one full sprint of packet-preparation results.
5. Report metrics in pairs: acceptance rate and substantiated rate, never one without the other.

Organizational implications

SIU teams that have been operating under volume pressure tend to be the most receptive to this shift. The work becomes more investigative and less administrative. The acceptance and substantiation metrics give the team something they can stand behind in a budget conversation. Hiring conversations become about investigator depth rather than triage capacity.

Claims leadership benefits because the carrier's loss ratio reflects more of the fraud that is actually in the book. The percentage of recoverable, deniable, or rescindable exposure that gets converted into a substantiated outcome goes up. That number rolls up into the actuarial review and the loss ratio line.

The headline a carrier should be able to say

A working fraud program looks like a small number of carefully prepared referrals, a high acceptance rate by SIU, a high substantiated rate post-investigation, and a recovery dollar number that grows year over year against a stable referral pipeline. If your fraud program is producing more alerts than it is producing substantiated outcomes, you are running the alert-volume trap. The way out is not a better threshold. It is a better unit of work.