Behavioural Analytics in Indian Insurance Fraud Detection

For most of Indian insurance history, fraud detection was a documentary exercise: verify the identity, check the documents, validate the claim narrative. The frontline was the underwriter or claim handler reviewing a file. The shift to digital onboarding and claim submission has changed both the fraud pattern and the available signal.

Indian fraud rings now operate at scale through digital channels: mass-spam onboarding, automated quote scraping, document tampering with off-the-shelf tools, and synthetic identities assembled from leaked or purchased Aadhaar-PAN combinations. Documentary verification alone, even when augmented with optical character recognition and ID verification APIs, cannot keep pace.

Behavioural signals (how a user interacts with the platform, the device they use, the patterns in their submission, the network around them) carry information that documents do not. A genuine customer types their name; a fraud-ring operator pastes it. A genuine claimant uploads a hospital bill that they photographed; a fraudster uploads a regenerated PDF with metadata patterns that betray it. The signal is in the behaviour, not the artefact.

A working behavioural fraud-detection programme draws on five categories of signal.

Device intelligence: device fingerprint, browser configuration, operating system, time zone, language preference, presence of automation indicators. Vendors like Sift, Sardine, Bureau, and India-grown providers like Bureau.id and IDfy package this with anti-bot detection.

Session behaviour: typing rhythm, mouse movement patterns, page navigation flow, time spent on each field, copy-paste detection in identity fields, and tab-switching patterns. Subtle but predictive: a 23-year-old genuine customer interacts with an onboarding flow differently from a ring operator processing the 200th application of the day.

Document forensics: image metadata, regeneration indicators, OCR consistency, font and template recognition, and cross-reference against known good and bad samples. NLP applied to typed narratives flags unusual phrasing patterns and template re-use.

Network signals: shared phone numbers, addresses, bank accounts, IP ranges, device fingerprints, agent codes, and beneficiary accounts across what should be unrelated submissions. Graph analytics surfaces clusters that linear rule sets miss.

Temporal patterns: time of submission, sequence of applications, time-to-claim after policy issuance, and burst patterns suggesting coordinated activity. A spike of similar-profile claims in a 48-hour window after a marketing campaign is a known fraud pattern.

No single signal is conclusive. A user with a fresh device, slow typing, and a regenerated document might be a fraudster or might be a senior customer using their grandchild's tablet. The combination is what carries the signal.

A practical scoring architecture:

1. each signal produces a sub-score (typically 0 to 100) with calibrated meaning
2. signals combine through a supervised model trained on historical labelled fraud cases
3. the combined score routes the case: low-risk to automated approval, medium-risk to enhanced review, high-risk to manual investigation or denial
4. outcomes (confirmed fraud, false positive, genuine claim) feed back into the model

Graph analytics is the highest-impact behavioural tool for Indian insurance fraud, given the prevalence of organised rings. A graph database links entities (members, agents, hospitals, doctors, beneficiaries, devices, addresses, accounts) and edges (relationships between them), allowing pattern queries that relational databases cannot efficiently express.

Worthwhile graph queries include:

• shared-attribute clusters: groups of members sharing phone, address, IP, or bank account beyond plausible familial connection
• agent-cluster anomalies: agents whose portfolio shows abnormal concentration of claim-prone members, especially with concentrated geography or shared providers
• hospital-doctor-member triangles: cases where the same doctor and hospital recur across multiple members making large claims, especially soon after policy issuance
• chain-claim patterns: members whose claims are followed by claims from connected members at the same provider with similar profiles
• beneficiary-overlap signals: insurance pay-outs flowing to a small set of bank accounts across multiple unrelated members

The analytical power scales with the volume of linked entities. Indian insurers running graph fraud platforms typically run with millions of nodes representing the full customer, agent, and provider base, refreshed daily. Vendors include Neo4j-based platforms, Quantexa, Linkurious, and several India-grown options.

For motor insurance, telematics adds a behavioural signal stream that goes beyond pre-claim onboarding into the event itself. Indian motor insurers are increasingly offering telematics-linked products that record driving behaviour, vehicle position, and impact events through OBD-II dongles or mobile apps.

Fraud-relevant signals from motor telematics:

• impact validation: claim narratives describing a collision can be cross-checked against accelerometer and GPS data
• time and place reconciliation: where the vehicle actually was when the claim says it was elsewhere
• driver identification: pattern-of-use signals suggesting who was actually driving when an incident occurred
• staged-accident detection: kinematic profiles inconsistent with the claimed accident type

Motor telematics in India has been hampered historically by privacy concerns and limited consumer appetite. The IRDAI's 2024 motor insurance circular on telematics-linked premium and the DPDP Act 2023 framework together create a clearer space for telematics, with consent flows that policyholders accept when the price benefit is material. Adoption is growing fastest in commercial fleets and high-mileage personal vehicles.

Behavioural analytics is data-rich. Most of the signal categories above involve processing personal data of policyholders and prospects, which engages the DPDP Act.

Three DPDP considerations are operationally significant.

First, lawful basis. Behavioural data captured during onboarding for fraud detection purposes typically has lawful basis as long as the purpose is disclosed and proportionate. Capturing the same data for unrelated marketing or model training without separate basis is problematic.

Second, purpose specification and minimisation. The behavioural signals should be retained only as long as needed for fraud-detection purposes. Indefinite retention of typing-rhythm data on every prospect is not defensible.

Third, explanation and review. Where behavioural scoring contributes to an adverse decision, the insurer should be able to articulate the basis. "The model said so" is not a defensible explanation under either the DPDP Act's evolving expectations or the IRDAI's policyholder-protection regime. Score contributions should be documented and reviewable by the policyholder on request.

Behavioural analytics is a vendor-heavy market. Building the device-intelligence, session-behaviour, and graph-analytics capabilities in-house is hard, requires specialist talent, and lacks the cross-industry training data that vendors accumulate.

For an Indian insurer choosing a vendor, three evaluation criteria matter most.

Indian fraud-pattern coverage: the vendor's models should perform well on Indian-specific fraud patterns. Global vendors with limited Indian deployment often miss patterns specific to Indian fraud rings (Aadhaar synthetic identities, agent-driven rings, hospital network triangles). Insist on a proof-of-concept with the insurer's actual data.

Integration model: the vendor's API should integrate cleanly into onboarding, policy admin, and claim systems. Vendors that require the insurer to send all data to their cloud for processing carry data-residency implications under the DPDP Act and the IRDAI Outsourcing Master Circular.

Model transparency: the vendor should explain what their model is doing and provide score components and explanations. Black-box vendors are increasingly difficult to defend in regulatory and conduct-risk reviews. Vendors that have invested in explainability features are positioned for the regulatory direction of the next 18 months.