TL;DR: Fraud teams can misread chargeback rate, block rate, and false positive data when they benchmark without business context, seasonality, or the right timing model, according to Sift’s Blueprint session. The real risk is optimizing one number while missing the fraud, conversion, or customer-friction tradeoff that actually drives revenue.
At a glance
What this is: Sift’s fraud benchmarking session argues that raw fraud metrics only become useful when teams interpret them against business stage, seasonality, and reporting model.
Why it matters: For IAM and trust teams, the lesson is that measurement design shapes security decisions, and the wrong KPI can hide fraud, identity abuse, or unnecessary user friction.
By the numbers:
- 46% of attendees said chargeback rate was their primary KPI, with block rate coming in second.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
👉 Read Sift's Blueprint session on how to benchmark fraud performance and find hidden gaps
Context
Fraud benchmarking fails when teams treat isolated metrics as proof of control rather than as indicators shaped by product stage, seasonality, and customer behaviour. In identity-adjacent programmes, the same problem appears when verification, access, and fraud metrics are measured separately instead of as part of one trust model.
The article is about fraud operations, but the governance lesson is broader: a metric can look healthy while the underlying identity or account-abuse risk is shifting elsewhere. That is especially relevant for teams that manage human identity, account security, and NHI-backed automation in the same environment.
The session’s starting position is common among growing fraud programmes. Teams usually have data; what they often lack is the discipline to interpret it in context and tie it to business outcomes.
Key questions
Q: What breaks when fraud teams benchmark performance without business context?
A: They mistake movement in a metric for movement in risk. A chargeback rate, block rate, or false positive rate can look healthy while seasonality, product stage, or customer friction is hiding the real problem. The result is a programme that optimises the dashboard instead of improving trust.
Q: Why do chargeback and block rate KPIs often mislead fraud teams?
A: Because they measure different outcomes, at different points in the customer journey, and often on different time horizons. A low chargeback rate can mean strong controls, but it can also mean the team is rejecting legitimate customers. Teams need context, not single-metric certainty.
Q: How do security and fraud teams know if friction is working?
A: Friction is working when it reduces abuse without creating avoidable abandonment or customer support burden. The best signal is a balanced view of approval rate, dispute rate, and user drop-off at the control point. If one improves while the others worsen, the control is mispositioned.
Q: Who is accountable when fraud controls create too much friction?
A: Accountability usually sits across fraud operations, IAM, product and customer experience leadership because friction is a governance outcome, not just a tuning issue. If controls are causing avoidable abandonment, the organisation needs ownership for the decision logic, the supporting data and the customer impact. That is why fraud governance must be shared.
Technical breakdown
Benchmarking fraud performance against the right baseline
Fraud benchmarking is not a single number exercise. A useful baseline has to reflect business maturity, transaction mix, geography, seasonality, and the specific loss path being measured. A chargeback rate can mean very different things depending on product stage and customer cohort. If you compare a growth-stage marketplace with a mature card programme, the same percentage may hide very different risk conditions. The technical problem is that metrics without normalisation collapse distinct behaviours into one figure, which makes false confidence easy. Effective benchmarking therefore needs aligned time windows, cohort slicing, and a clear definition of the fraud outcome being measured.
Practical implication: build baselines by product segment and customer cohort before using any fraud KPI for executive reporting.
Chargeback rate models and timing distortion
Chargeback reporting is sensitive to the model used. The Mastercard-style current-month view is fast but mismatches the transaction month and the dispute month. The Visa-style lagged model reduces that distortion, while the data science model ties chargebacks back to the original transaction month for the clearest causal picture. Each choice changes what the team thinks happened and when it happened. This is a measurement problem, not just a reporting preference, because the wrong model can make a control look better or worse than it is. Mature programmes often need both a fast operational view and a slower analytic view.
Practical implication: separate operational dashboards from causal analysis so leaders do not treat a lagging metric as real-time truth.
Seasonality, friction, and the fraud conversion tradeoff
Seasonality changes both attack patterns and legitimate customer behaviour. Peak events, refund cycles, tax season, and promotional surges can all look like fraud spikes if the team has no demand context. The same applies to friction placement. Strong verification too early in a journey can suppress legitimate conversion, while the same control later in the journey may be accepted because the user has already invested effort or value. This is where fraud governance overlaps with identity verification governance: controls must be timed to user motivation, not just to risk score. Otherwise the team optimizes for blocking rather than for sustainable trust.
Practical implication: map friction to the point of highest user commitment and compare fraud signals against seasonal demand patterns.
Threat narrative
Attacker objective: The attacker’s objective is to convert weak measurement and control placement into profitable abuse while avoiding detection or triggering the wrong response.
- Entry occurs when attackers exploit weak or poorly timed verification controls to create, test, or abuse accounts at scale before the business context is understood.
- Escalation follows when fraud activity is measured only through a narrow KPI, allowing account abuse, false approvals, or blocking errors to move into a blind spot.
- Impact is sustained revenue loss, customer churn, or overblocking that suppresses legitimate transactions while leaving the real abuse pattern partially hidden.
NHI Mgmt Group analysis
Measurement without context creates fraud governance debt: teams that optimise isolated KPIs accumulate blind spots faster than they reduce loss. Chargeback rate, block rate, and false positive rate each tell only part of the story, and each can move in the wrong direction for legitimate business reasons. Fraud operations that do not account for business stage and seasonality end up defending a number instead of defending trust. Practitioners should treat metric design as a governance control, not a reporting afterthought.
The named concept here is metric-context mismatch: a control state where the right signal is collected but interpreted against the wrong baseline, cohort, or timing model. That failure mode is common in fraud, identity verification, and access governance because the same number can signal either healthy tightening or dangerous overrestriction. The lesson for programmes that span human identity and account security is that a clean dashboard can still conceal poor decision quality. Practitioners should validate the baseline before they validate the result.
Friction placement is a trust decision, not just a fraud decision: where a team places verification or challenge steps changes customer behaviour as much as it changes adversary behaviour. Asking for proof too early can collapse conversion, while asking too late can let abuse scale. That puts fraud teams in the same governance conversation as identity and access teams, because timing determines whether a control is protective or merely obstructive. Practitioners should evaluate friction by journey stage, not by control preference.
Fraud programmes fail when executives reward the wrong success condition: zero chargebacks is not a realistic operating target, and pretending otherwise pushes teams toward overblocking. The better governance model balances loss reduction, approval rates, and customer experience so the business can absorb residual fraud without damaging legitimate growth. This is especially relevant where automated account activity or delegated identity flows blur the line between user behaviour and system behaviour. Practitioners should align fraud objectives to business outcomes, not purity metrics.
Identity verification and fraud detection are converging governance problems: the more a programme depends on account trust, the more it needs shared measurement between onboarding, step-up verification, and abuse detection. That is the bridge between identity security and fraud operations. If one team only sees conversion and another only sees loss, neither sees the full control picture. Practitioners should build one trust scorecard across the journey.
What this signals
Fraud benchmarking is moving toward a broader trust model in which identity verification, account abuse, and customer friction are measured together rather than treated as separate functions. That matters because the control that looks strongest in isolation can still damage the business if it is mis-timed or misread.
Metric-context mismatch: teams should expect more scrutiny of how they normalise fraud metrics across seasons, cohorts, and product stages. The operational answer is not more dashboards, but better baselines and tighter alignment between fraud, product, and identity operations.
Where machine-generated activity or delegated account behaviour enters the flow, the same measurement discipline should extend to NHI-backed automation and step-up controls. Teams that do not unify trust signals will keep discovering the same problem from different angles, too late to prevent it.
For practitioners
- Build cohort-based fraud baselines Split chargeback, block, and false-positive reporting by product line, customer segment, and acquisition channel so the team can compare like with like rather than averaging unrelated risk profiles.
- Use dual reporting models for chargebacks Maintain a fast operational view for weekly decision-making and a lagged transaction-month view for causal analysis, so timing distortion does not drive the wrong control decision.
- Map verification friction to commitment points Place stronger checks after customers have already invested value or effort, then measure whether the control reduces abuse without creating avoidable drop-off at the start of the journey.
- Add seasonality overlays to fraud reviews Annotate dashboards with known demand spikes such as holidays, payroll cycles, or promotional events, and compare current patterns with the same seasonal window from prior periods.
- Align identity and fraud scorecards Bring onboarding, account security, and abuse metrics into one review cycle so the team can see whether verification controls are reducing loss or simply moving the problem elsewhere.
Key takeaways
- Fraud benchmarking only works when teams interpret metrics against business stage, seasonality, and user behaviour.
- A single KPI such as chargeback rate can hide both fraud loss and overblocking if it is not tied to the right timing model.
- The strongest programmes measure trust across the whole journey, not just at the point where a loss appears.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | Fraud benchmarking depends on how authenticator and verification signals are judged. |
| NIST CSF 2.0 | ID.AM-1 | Metric context depends on knowing which assets, accounts, and channels are in scope. |
| GDPR | Art.32 | Identity and fraud controls often process personal data and require proportional security. |
Apply Art.32 by ensuring fraud analytics and verification controls are proportionate to the personal data they process.
Key terms
- Fraud Benchmarking: Fraud benchmarking is the practice of comparing fraud outcomes against internal history, peer norms, or business targets to judge whether controls are working. It is only meaningful when the team accounts for product stage, seasonality, and metric timing, otherwise the benchmark can hide risk rather than reveal it.
- Chargeback Recovery Rate: The percentage of disputed transactions that a merchant successfully overturns or recovers. It is a practical measure of how well evidence, workflow design, and review prioritisation are working together, rather than a simple count of disputes processed.
- False Positive: A false positive is a scanner result that looks like a secret but is not actually sensitive. In secret governance, false positives matter because they consume analyst time, weaken trust in alerts, and can delay response to the findings that truly change exposure and access risk.
- Friction Placement: Friction placement is the decision about where in a user journey to ask for verification, challenge, or additional proof. The timing matters as much as the control itself because users are more willing to complete a check after they have invested time, value, or intent in the process.
What's in the full article
Sift's full discussion covers the operational detail this post intentionally leaves for the source:
- The live session framing behind the benchmarking approach, including how the speakers defined the tradeoffs between growth, fraud loss, and friction.
- The full breakdown of chargeback timing models and why different reporting methods change the numbers leaders see.
- The specific poll results from attendees on chargeback rate, block rate, account takeover rate, and false positives.
- Examples of how teams should think about seasonality and customer commitment points when placing friction.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, workload identity, and secrets management for practitioners who need stronger control over non-human access. It is designed for security and identity teams that want to connect governance concepts to day-to-day programme decisions.
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org