P&C Fraud Detection: Claude + Graph Patterns for AU Insurers

Table of Contents

1. Why Graph Patterns Beat Statistical Models for P&C Fraud
2. The Australian P&C Fraud Landscape
3. Architecture: Graph Databases + Claude Agents
4. Building Your Graph Schema for Claims Data
5. Claude Agents as Fraud Investigators
6. Apache Superset for Operational Visibility
7. Real-World Detection Patterns
8. Implementation Roadmap for AU Insurers
9. Security, Compliance, and SOC 2
10. Next Steps and Partner Options

---

Why Graph Patterns Beat Statistical Models for P&C Fraud {#why-graph-patterns}

Australian P&C insurers are drowning in claims data. Your systems process thousands of motor and home claims monthly—each one a potential fraud signal buried in noise. Traditional statistical models (logistic regression, Random Forest) flag individual claims as risky or clean. They miss the real enemy: organised fraud rings.

A fraud ring isn’t one bad claim. It’s a network. The same repairer invoices five claims across three suburbs in two weeks. The same medical provider bills for injuries that don’t align with damage photos. The same claimant appears on policies written by one broker, all with suspiciously similar loss patterns.

Graph analytics for insurance fraud detection reveals these hidden relationships in ways that row-by-row statistical analysis cannot. When you model your claims data as a graph—where claimants, repairers, brokers, medical providers, and policies are nodes, and their interactions are edges—you unlock pattern detection at scale.

A claimant node connected to five repairer nodes, each with claims 30% above regional average, is a statistical anomaly. But when that same claimant is also connected to a broker node that has submitted 12 claims in three months (versus industry average of 2–3), and three of those claims share the same medical provider, you’ve found a ring. Graph algorithms like PageRank, community detection, and shortest-path analysis surface these connections in milliseconds.

The Australian insurance market is particularly vulnerable. Recent collaboration between the Insurance Council of Australia, EXL, and Shift to build a national fraud detection platform signals that organised fraud is costing the sector billions annually. Motor claims fraud alone is estimated at 5–10% of total claim volume in Australia—that’s millions in leakage per insurer per year.

Graph-based detection isn’t new in theory. But combining it with agentic AI—specifically Claude agents that can reason over graph patterns, query your data in natural language, and recommend investigation priorities—transforms it from academic exercise into operational reality.

---

The Australian P&C Fraud Landscape {#au-fraud-landscape}

Before you build, understand what you’re fighting. Australian P&C fraud manifests in predictable patterns, but they’re evolving.

Motor Claims Fraud

Motor fraud in Australia typically follows three playbooks:

Staged Accidents: Organised rings orchestrate low-impact collisions. A driver deliberately causes a minor crash, then inflates repair quotes and injury claims. The repairer is often complicit—they bill for work not done or use inferior parts. Medical providers bill for physiotherapy sessions that never happened. The broker who wrote the policy may have flagged the customer as high-risk but approved the claim anyway.

Phantom Passengers and Injuries: A claim lists passengers or injuries that didn’t exist. The claimant’s medical provider bills for treatment of injuries that don’t match the accident severity. Graph analysis catches this: if a claimant has three claims in six months, each with a different “passenger” injury, and all three are treated by the same physio clinic, that’s a ring.

Repair Inflation: A repairer quotes $8,000 for a $3,000 repair. They may collude with the claimant to split the difference, or they may operate independently, knowing insurers rarely deny claims outright. Graph analysis reveals repairers with systematically higher quotes than competitors in the same postcode, especially when those repairers appear across multiple claims from the same broker or claimant.

Home and Contents Claims Fraud

Home fraud is often more sophisticated because it’s less regulated than motor.

Inflated Valuations: A claimant lists items that were never in the home, or inflates their value. A broker may have incentivised this (higher premiums = higher commission). Graph analysis flags brokers whose customers have claims 40% above regional average for similar properties.

Staged Burglaries and Theft: Organised rings target specific suburbs, timing claims to coincide with known police response gaps or seasonal patterns. The claimant, broker, and loss adjuster may be in the same network. Graph algorithms detect clusters of claims in the same postcode, submitted by the same broker, within weeks of each other.

Catastrophe Fraud: After floods, bushfires, or storms, claims surge. Organised rings submit inflated or entirely fabricated claims, knowing insurers are overwhelmed. Graph analysis identifies claimants with no prior claims history suddenly submitting large claims after a catastrophe event.

Why Traditional Fraud Detection Fails

Your current fraud detection stack likely includes:

• Rules engines: “If claim amount > $10,000 AND claimant age < 25, flag for review.” These are brittle. Fraudsters learn the rules and stay just under thresholds.
• Statistical models: Logistic regression or gradient boosting on individual claim features. These catch outliers but miss rings because they treat each claim as independent.
• Manual investigation: Your fraud team reviews flagged claims. But they’re reactive, not proactive. By the time a claim reaches them, the repairer has already been paid, the broker has already earned commission, and the ring has moved on.

Modern AI-driven fraud detection shifts from reactive rules to proactive pattern recognition. Graph databases + Claude agents do this at scale.

---

Architecture: Graph Databases + Claude Agents {#architecture-overview}

Let’s talk about the actual system. This isn’t theoretical. This is what PADISO has deployed for Australian insurers.

The Stack

Graph Database: Neo4j or similar. Stores claims, claimants, repairers, brokers, medical providers, and policies as nodes. Relationships (“claimant submitted claim”, “repairer worked on claim”, “broker wrote policy”) as edges. Each edge carries metadata: date, amount, region, claim outcome.

Claude Agents (via Anthropic API): Stateless, reasoning-based agents that query your graph, analyse patterns, and recommend investigation priorities. No training required. No model drift. You describe the fraud patterns you want to detect; Claude reasons over your data and surfaces matches.

Apache Superset: Open-source visualisation and BI tool. Connects to your graph database. Displays claims networks, repairer heatmaps, broker performance, and investigation queues. Claude agents can query Superset dashboards in natural language, answering questions like “Show me all claims from this broker in the last 30 days with repair quotes above regional average.”

D23.io: Data orchestration and pipeline platform. Ingests raw claims data from your policy management system (PMS), loss management system (LMS), and third-party data sources (postcode demographics, repair benchmarks, medical provider registries). Transforms it into graph-ready format. Runs nightly or real-time, depending on your SLA.

Vanta Integration: Automates SOC 2 Type II compliance reporting. Logs all data access (who queried which claims, when, why). Tracks encryption, access controls, and incident response. Critical for regulated environments.

Why This Stack?

Graph databases are purpose-built for relationship queries. “Find all claimants connected to this repairer through more than two claims in the last 90 days” is a single query, not a join-heavy SQL nightmare.

Claude agents are reasoning engines. They don’t need retraining when fraud patterns evolve. You tell Claude “look for claimants with three or more claims in six months where the same medical provider is involved”—Claude understands, queries your graph, and surfaces results. No data science team required.

Apache Superset gives your fraud team visibility without coding. They can drill into a suspicious cluster, see the network graph, and decide whether to investigate. Agentic AI + Apache Superset integration means non-technical investigators can ask questions in plain English and get answers in seconds.

D23.io handles the plumbing. Claims data is messy—duplicate claimant records, inconsistent postcode formats, missing medical provider details. D23 cleans it, deduplicates it, and loads it into your graph. You focus on fraud patterns, not data engineering.

Real Architecture Diagram

┌─────────────────────────────────────────────────────────────┐
│                    Claims Data Sources                       │
│  (PMS, LMS, Third-Party Repair/Medical Benchmarks)          │
└────────────────────────┬────────────────────────────────────┘
                         │
                         ▼
┌─────────────────────────────────────────────────────────────┐
│                      D23.io Pipeline                         │
│  (Ingest → Transform → Deduplicate → Load)                  │
└────────────────────────┬────────────────────────────────────┘
                         │
                         ▼
┌─────────────────────────────────────────────────────────────┐
│                   Graph Database (Neo4j)                     │
│  Nodes: Claimants, Repairers, Brokers, Providers, Policies  │
│  Edges: Relationships with metadata (date, amount, region)  │
└────────────────────────┬────────────────────────────────────┘
         │               │               │
         ▼               ▼               ▼
    ┌─────────┐  ┌──────────────┐  ┌──────────────┐
    │  Claude │  │   Apache     │  │    Vanta     │
    │  Agents │  │   Superset   │  │  (SOC 2 Log) │
    └─────────┘  └──────────────┘  └──────────────┘
         │               │               │
         └───────────────┼───────────────┘
                         ▼
              ┌──────────────────────┐
              │  Fraud Team Portal   │
              │  (Web / Mobile App)  │
              └──────────────────────┘

Data flows in one direction: from your claims systems through D23 into the graph. Claude agents and Superset query the graph. Vanta logs every access. Your fraud team sees investigation queues, network graphs, and recommended next steps.

---

Building Your Graph Schema for Claims Data {#graph-schema}

Your graph schema is the blueprint. Get it wrong, and you’ll spend weeks remodelling. Get it right, and fraud detection becomes straightforward.

Core Nodes

Claimant: Individual or entity filing a claim.

• Properties: id, name, dob, postcode, phone, email, licence_number (if motor), claim_count, total_claimed, flagged_status
• Indexed on: id, postcode, licence_number

Claim: Individual claim record.

• Properties: id, claim_number, date_lodged, date_loss, claim_type (motor/home/contents), amount_claimed, amount_approved, claim_status, region
• Indexed on: id, date_lodged, region

Repairer: Workshop or repair service.

• Properties: id, name, postcode, abn, avg_quote_amount, avg_quote_vs_regional_avg, claim_count, flagged_status
• Indexed on: id, postcode, abn

Broker: Insurance broker or agent.

• Properties: id, name, postcode, abn, claim_count, avg_claim_amount, flagged_status
• Indexed on: id, abn

Medical Provider: Physio, doctor, hospital.

• Properties: id, name, postcode, provider_type, claim_count, avg_treatment_cost, flagged_status
• Indexed on: id, postcode, provider_type

Policy: Insurance policy.

• Properties: id, policy_number, inception_date, expiry_date, premium, postcode, coverage_type
• Indexed on: id, policy_number, postcode

Core Relationships

Claimant → Claim: :FILED

• Properties: date_filed, claim_number

Claim → Repairer: :REPAIRED_BY

• Properties: invoice_amount, date_work_completed, quote_vs_approved

Claim → Medical Provider: :TREATED_BY

• Properties: treatment_date, treatment_cost, treatment_type

Claim → Broker: :BROKERED_BY

• Properties: date_brokered, broker_commission

Claimant → Policy: :INSURED_BY

• Properties: inception_date, claim_count_under_policy

Repairer → Postcode: :OPERATES_IN Broker → Postcode: :OPERATES_IN

Postcodes are separate nodes. This lets you query “all claims in postcode 2000 where repairer is from postcode 2001” in one hop.

Why This Schema?

This schema is designed for fraud detection, not general claims management. Notice:

1. Denormalised properties (e.g., avg_quote_vs_regional_avg on Repairer node): Pre-computed during the D23 pipeline. This avoids expensive aggregations at query time.

2. Indexed fields: Only index fields you’ll query on. Indexing everything slows writes.

3. Relationship metadata: The :REPAIRED_BY edge carries quote_vs_approved. This lets you find repairers whose quotes are consistently higher than approved amounts—a fraud signal.

4. Postcode nodes: Enables regional analysis. “Show me all repairers in postcode 2000 with claims above regional average” is a pattern match, not a join.

---

Claude Agents as Fraud Investigators {#claude-agents}

Now that your graph is populated, how do Claude agents actually detect fraud?

How Claude Agents Work

Claude is a large language model trained by Anthropic. When you give Claude a tool (in this case, a connection to your graph database and a set of query templates), Claude can reason about your data and generate queries to answer questions.

You don’t train Claude. You don’t fine-tune it. You describe the fraud patterns you want to detect in natural language, and Claude figures out how to find them.

Example: Detecting a Motor Fraud Ring

You tell Claude:

“Find all claimants who have filed three or more motor claims in the last 90 days. For each claimant, show me the repairers they used, the medical providers who treated them, and the brokers who wrote their policies. Highlight any repairer or provider that appears across multiple claimants. Flag if the same broker appears across all claims.”

Claude’s reasoning:

1. Query the graph for claimants with claim_count >= 3 and date_lodged in the last 90 days.
2. For each claimant, traverse :FILED → Claim → :REPAIRED_BY → Repairer.
3. For each claimant, traverse :FILED → Claim → :TREATED_BY → Medical Provider.
4. For each claim, traverse :BROKERED_BY → Broker.
5. Aggregate: Which repairers appear across multiple claimants? Which providers? Which brokers?
6. Return results ranked by suspicion score (e.g., if all three claimants used the same repairer and broker, suspicion = 100).

This is a complex query. Writing it in Cypher (Neo4j’s query language) takes 30 minutes and a PhD in graph databases. Claude generates it in seconds.

Real Pattern: Home Fraud Ring in Sydney’s Inner West

Here’s a pattern PADISO detected for an AU insurer:

• Claimant A: Postcode 2011 (Glebe). Filed claim for $5,000 home contents theft on 2024-01-15. Broker: ABC Insurance. Medical provider: None (home claim). Repairer: None (home claim).
• Claimant B: Postcode 2011. Filed claim for $4,800 home contents theft on 2024-01-18. Same broker. Same valuations list (suspiciously similar items, similar values).
• Claimant C: Postcode 2012 (Pyrmont, adjacent suburb). Filed claim for $5,200 home contents theft on 2024-01-16. Same broker.

Traditional fraud detection: Each claim passes individual rules. Amount is reasonable. Claimant has no prior claims (so no history to compare). Broker is registered.

Graph-based detection with Claude:

Query: "Find brokers with three or more home contents claims in the same postcode cluster (within 2km) filed within 14 days, where claim amounts are within 10% of each other."

Result:
Broker: ABC Insurance
Claimants: A, B, C
Postcodes: 2011, 2011, 2012 (all within 2km)
Dates: 2024-01-15, 2024-01-18, 2024-01-16 (within 4 days)
Amounts: $5,000, $4,800, $5,200 (within 5% of each other)
Suspicion Score: 95/100

Claude flags this as a likely fraud ring. The broker is submitting claims for nearby addresses with suspiciously similar valuations in a compressed timeframe. This pattern is rare enough that it warrants investigation.

Why Claude, Not Rules?

You could hard-code this pattern as a rule:

IF broker_claim_count_in_postcode_cluster > 2
AND date_range < 14 days
AND claim_amounts_within 10%
THEN flag

But fraudsters evolve. Next month, they space claims out to 15 days apart. Your rule misses them. You update the rule to 20 days. Now you’re flagging legitimate clusters of claims after natural disasters.

Claude adapts. You tell Claude “look for unusual clustering of claims by broker and postcode”—Claude understands clustering as a statistical concept and finds anomalies without brittle thresholds.

Implementing Claude Agents

You’ll need:

1. Anthropic API key: Costs $0.01 per 1,000 input tokens, $0.03 per 1,000 output tokens. A typical fraud investigation query costs $0.10–$0.50 in API fees.

2. Graph query templates: Pre-written Cypher queries that Claude can invoke. Templates cover common patterns: “Find claimants with N claims in M days”, “Find repairers with quotes above regional average”, “Find brokers with claim concentration in postcode clusters”.

3. Safety guardrails: Claude can query your graph, but you control what it can see. Use graph database access controls to ensure Claude only queries the fraud detection schema, not sensitive PII like claimant phone numbers or email addresses.

4. Logging and audit: Every Claude query is logged (via Vanta) for SOC 2 compliance. You can trace which fraud patterns triggered which investigations.

AI automation for financial services fraud detection requires this kind of transparency. You’re not using a black-box model; you’re using a reasoning engine that your team can understand and audit.

---

Apache Superset for Operational Visibility {#apache-superset}

Claude agents generate investigation leads. But your fraud team needs to act on them. Apache Superset is how they see the data.

What Superset Does

Superset is an open-source BI tool. It connects to your Neo4j graph database and renders:

• Network graphs: Visualise a claimant node connected to repairer, broker, and medical provider nodes. See at a glance if the network is dense (many connections = more suspicious) or sparse (isolated claim = less suspicious).
• Heatmaps: Postcode-level claim density. Darker colours = more claims. Overlay with regional population density to find anomalies (e.g., 50 claims in a postcode with 500 residents).
• Time series: Claim volume by broker over time. Spike detection. Seasonal patterns.
• Dashboards: Custom views for your fraud team. One dashboard for motor claims, one for home, one for high-value claims.

Real Dashboard: Motor Fraud Detection

Your fraud team opens Superset each morning. They see:

Dashboard 1: Overnight Alerts

• Top 10 new claims flagged by Claude agents (ranked by suspicion score)
• For each claim: claimant name, claim amount, repairer, medical provider, broker, network density (how many connections to other suspicious claims)
• Action buttons: “Investigate”, “Approve”, “Refer to Police”

Dashboard 2: Repairer Performance

• Table of all repairers in your network
• Columns: Repairer name, postcode, claim count, average quote amount, average quote vs. regional average, flagged status
• Sortable by quote variance. Your team clicks on a repairer with +30% variance and drills into their claims.

Dashboard 3: Broker Concentration

• Map of Australia showing claim density by postcode
• Overlaid with broker service areas
• Identifies brokers with unusual claim concentration (e.g., 80% of claims from one postcode when they should be geographically distributed)

Claude + Superset Integration

Here’s where it gets powerful. Agentic AI querying Apache Superset dashboards means your fraud team doesn’t need to know SQL or Cypher.

Investigator: “Show me all claims from broker ABC Insurance in postcode 2000 where the repairer quote is more than 25% above the regional average.”

Claude (via Superset API):

1. Parses the natural language request
2. Generates a Cypher query to your Neo4j graph
3. Executes the query
4. Formats results as a Superset dashboard
5. Returns: A table of 7 matching claims, a network graph showing the broker → repairer → claim connections, and a recommendation: “5 of 7 claims involve the same repairer. Recommend investigation.”

Your investigator doesn’t write a single line of code. They ask a question in plain English and get an answer in seconds.

---

Real-World Detection Patterns {#detection-patterns}

Let’s ground this in actual fraud. Here are patterns that graph-based fraud detection surfaces in Australian P&C claims.

Pattern 1: The Repairer Ring (Motor)

Signature:

• Single repairer appears in 10+ claims over 60 days
• All claims from different claimants
• All claims from different brokers
• Repair quotes are 20–40% above regional average
• Claim approval rate is 95%+ (no denials or reductions)

Why it works: The repairer inflates quotes, and insurers approve them because the claims look independent (different claimants, different brokers). The repairer splits the overage with claimants and brokers.

Claude detection:

Query: "Find repairers with claim volume > 10 in 60 days, 
average quote variance > +20%, approval rate > 90%, 
where claimants are from different postcodes and brokers are different."

Result: Repairer XYZ, 12 claims in 60 days, +28% quote variance, 98% approval.
Recommendation: Audit repairer invoices. Interview claimants.

Pattern 2: The Broker Ring (Home)

Signature:

• Single broker appears in 5+ home contents claims in 30 days
• All claims in geographically adjacent postcodes (within 5km)
• All claims are for similar amounts ($4,000–$6,000)
• All claimants are first-time claimants (no prior claim history)
• All claims filed within 7 days of each other

Why it works: The broker recruits customers in a specific area, inflates their contents valuations, and submits claims. The insurer approves them because the claims look legitimate (different claimants, reasonable amounts).

Claude detection:

Query: "Find brokers with 5+ home contents claims in 30 days, 
where all claims are from postcodes within 5km of each other, 
all claimant claim_counts = 0 (first-time claimants), 
and claim amounts are within 15% of each other."

Result: Broker ABC, 6 claims in 28 days, postcodes 2011–2012, 
all first-time claimants, amounts $4,200–$5,800.
Recommendation: Investigate broker. Verify claimant identities and claim contents.

Pattern 3: The Medical Provider Ring (Motor)

Signature:

• Single medical provider (physio clinic) appears in 8+ motor claims in 90 days
• All claims involve soft-tissue injuries (whiplash, back pain)
• All treatment costs are at the maximum allowed under the insurance policy
• All claimants use the same repairer
• All claims involve the same broker

Why it works: The broker, repairer, and medical provider collude. The broker stages accidents with the repairer. The medical provider bills for phantom or inflated treatment. The insurer approves claims because the medical billing is within policy limits.

Claude detection:

Query: "Find medical providers with 8+ claims in 90 days, 
where all claims are soft-tissue injuries, treatment costs are at policy max, 
and all claims share the same repairer and broker."

Result: Physio Clinic XYZ, 10 claims in 85 days, all whiplash, 
all at $5,000 (policy max), same repairer (Workshop ABC), same broker (Broker DEF).
Recommendation: High-priority investigation. Likely organised ring. Refer to police.

Pattern 4: The Catastrophe Spike (Home)

Signature:

• After a natural disaster (flood, bushfire, storm), claim volume spikes 300%+ in affected postcodes
• A subset of claims (20–30%) are from first-time customers of a specific broker
• Claim amounts are at the upper end of policy limits
• Claimant details are inconsistent (address doesn’t match postcode, phone numbers are similar, email domains are generic)

Why it works: Fraudsters exploit the chaos after disasters. Insurers are overwhelmed. Verification is lax. Claims that would normally trigger investigation slip through.

Claude detection:

Query: "After disaster event in postcode cluster, find claims where:
claimant is first-time customer, claim_amount > 80% of policy limit, 
claimant_details have inconsistencies (address/postcode mismatch, 
similar phone numbers across claimants in same broker, generic email domains)."

Result: After 2024-02-15 bushfire in postcode 2084, 45 claims filed. 
12 are from first-time customers of Broker GHI. Claimant phone numbers 
share prefix (02 9876-XXXX). Email domains are mostly @gmail.com.
Recommendation: Verify claimant identities. Cross-check with property records.

Pattern 5: The Duplicate Claim (Motor & Home)

Signature:

• Same claimant files two claims for the same loss event
• Claims are filed with different insurers (claimant has multiple policies)
• Claim amounts, dates, and descriptions are nearly identical
• Both claims are approved

Why it works: The claimant collects from both insurers. This is insurance fraud (claim duplication). It’s often accidental, but organised fraudsters do it deliberately.

Claude detection:

Query: "Find claimants with multiple claims filed within 7 days, 
where claim descriptions are >90% similar, loss dates are identical, 
and claims are with different insurers."

Result: Claimant John Doe, claim #1 with Insurer A ($5,000), 
claim #2 with Insurer B ($5,100), filed 3 days apart, identical loss date.
Recommendation: Contact other insurer. Recover overpayment.

---

Implementation Roadmap for AU Insurers {#implementation-roadmap}

You’re convinced. Now what? Here’s how to go from concept to operational fraud detection in 12 weeks.

Week 1–2: Data Audit and Schema Design

Deliverable: Documented graph schema and data mapping.

• Audit your current claims data sources (PMS, LMS, third-party repair and medical databases)
• Map claimant, claim, repairer, broker, and medical provider records
• Identify data quality issues (duplicate records, missing fields, inconsistent formats)
• Design the graph schema (nodes and relationships) using the template above
• Get buy-in from your IT and compliance teams

Week 3–4: Data Pipeline Setup

Deliverable: D23.io pipeline running nightly, loading clean data into Neo4j.

• Spin up a Neo4j instance (cloud or on-premises)
• Configure D23.io to ingest data from your PMS and LMS
• Write transformation logic: deduplicate claimants, normalise postcodes, calculate repairer quote variance
• Load first batch of historical data (last 12 months of claims)
• Validate data quality (spot-check claimant records, claim amounts, repairer details)

Week 5–6: Claude Agent Setup and Pattern Definition

Deliverable: Claude agents querying your graph, initial fraud patterns detected.

• Set up Anthropic API credentials
• Write 5–10 Cypher query templates for common fraud patterns (repairer rings, broker concentration, medical provider collusion, etc.)
• Integrate Claude with your graph database (via Python SDK or similar)
• Test Claude agents on historical data: “Find all repairer rings in the last 12 months”
• Validate results (compare Claude findings with known fraud cases)

Week 7–8: Apache Superset Setup and Dashboards

Deliverable: Superset dashboards live, fraud team trained.

• Deploy Apache Superset (cloud or on-premises)
• Connect Superset to Neo4j
• Build 3–5 core dashboards: Overnight Alerts, Repairer Performance, Broker Concentration, Network Graph Explorer, High-Value Claims
• Integrate Claude agents with Superset API (so investigators can ask questions in natural language)
• Train your fraud team on Superset (30-minute session per person)

Week 9–10: Security, Compliance, and Vanta Integration

Deliverable: SOC 2 audit-ready access logging and compliance controls.

• Set up Vanta integration with Neo4j and Superset (logs all data access)
• Configure role-based access control (RBAC): Fraud team can see claims, but not raw PII
• Document data handling procedures (who can access what, when, why)
• Run a mock SOC 2 audit to identify gaps
• Implement encryption for data in transit (TLS) and at rest (database encryption)

Week 11–12: Pilot and Refinement

Deliverable: 50+ fraud investigations completed, patterns refined, ROI calculated.

• Run Claude agents on the last 30 days of claims
• Investigate top 50 flagged cases (repairer rings, broker concentration, medical provider collusion)
• For each investigation, document: Was it fraud? What was the financial impact? How confident was the Claude detection?
• Refine patterns based on pilot results (e.g., if repairer ring threshold was too low, adjust it)
• Calculate ROI: Fraud prevented / Implementation cost
• Plan Phase 2: Real-time processing, API integrations with claims systems, expanded patterns

Expected Outcomes

• Fraud detected: 30–50 cases in the first 30 days of operation (depending on your claims volume and fraud prevalence)
• Financial impact: $500K–$2M in fraud prevented (depending on your portfolio size)
• Time to investigation: Reduced from 2 weeks (manual review) to 2 days (Claude + Superset)
• False positive rate: 5–10% (meaning 90–95% of flagged cases warrant investigation)
• Team capacity: Your fraud team can now handle 3–5x more investigations without hiring

---

Security, Compliance, and SOC 2 {#security-compliance}

You’re handling sensitive claims data. Your customers expect it to be protected. Regulators require it. Here’s how the architecture achieves SOC 2 Type II compliance.

Data Classification

Your graph contains three tiers of data:

1. Public: Claim amounts, claim types, postcode regions, repairer names, broker names. Can be shared with investigators, auditors, and regulators.
2. Internal: Claimant names, claim numbers, policy numbers, medical provider details. Restricted to fraud team and compliance.
3. Restricted: Claimant phone numbers, email addresses, dates of birth, medical diagnoses, injury details. Restricted to authorised investigators only, logged via Vanta.

Your Neo4j instance enforces this via RBAC:

• Fraud investigators can query claims, repairers, brokers, and claimant names
• They cannot query phone numbers or email addresses (these are stored separately, encrypted)
• Every query is logged with: investigator ID, timestamp, query text, results returned

Encryption

In transit: All data between your claims systems, D23.io, Neo4j, Claude API, and Superset is encrypted with TLS 1.3. No plaintext data over the network.

At rest: Neo4j data is encrypted on disk using AES-256. Backups are encrypted. If a drive is stolen, the data is unreadable.

API calls: Claude API calls are encrypted. Anthropic doesn’t log your query data (only usage metrics for billing). Your graph data never leaves your infrastructure—only query results are sent to Claude, and only the fields you specify.

Access Control

Role-based access:

• Fraud Analyst: Can view dashboards, run Claude queries, investigate cases. Cannot modify data or access raw PII.
• Fraud Manager: Can approve investigations, override Claude recommendations, access restricted data (claimant phone numbers for contact). All actions logged.
• Compliance Officer: Can view audit logs, run SOC 2 reports, verify access controls. Cannot investigate cases.
• System Admin: Can manage Neo4j, D23.io, and Superset. Cannot access case data.

Multi-factor authentication: All users log in with MFA (SMS or authenticator app). No password-only access.

Audit Logging via Vanta

Vanta integration for SOC 2 compliance automates the audit trail. Every action is logged:

Timestamp: 2024-02-15 10:32:15 UTC
User: fraud_analyst_001
Action: Query Neo4j
Query: "Find repairers with claim_count > 5 in postcode 2000"
Results: 3 repairers returned
Fields accessed: repairer_id, repairer_name, claim_count, avg_quote_amount
PII accessed: None
Outcome: Success

Vanta collects these logs, aggregates them, and generates SOC 2 Type II reports automatically. You don’t manually compile audit trails—Vanta does it.

Incident Response

What if a fraud investigator accidentally queries restricted data, or a repairer tries to hack the system?

Vanta detects: Unusual query patterns (e.g., 1,000 queries in 5 minutes), failed authentication attempts, access to restricted fields.

Automatic response: Vanta alerts your compliance officer, logs the incident, and can auto-disable the user’s access pending investigation.

Investigation: You review the Vanta logs, determine whether it was accidental or malicious, and take appropriate action (training, termination, law enforcement).

Data Retention and Deletion

Claims data has a lifecycle. After a claim is settled and closed, you may want to delete it (GDPR / Privacy Act compliance). Vanta tracks this:

• Retention policy: Keep claims data for 7 years (industry standard), then delete
• Deletion workflow: Mark claim as “archived”, remove from Neo4j after 7 years
• Audit trail: Vanta logs the deletion (who, when, why)

---

Next Steps and Partner Options {#next-steps}

You’ve read this far. You understand the architecture, the patterns, and the compliance framework. What’s next?

Option 1: Build In-House

You hire a data engineer and a fraud analyst. Over 6 months, they build the pipeline, graph schema, Claude agents, and Superset dashboards. Cost: $300K–$500K (salaries + tools). Risk: Execution delays, knowledge concentration (if your engineer leaves, the system breaks).

Option 2: Partner with a Venture Studio

You partner with a firm like PADISO—a Sydney-based venture studio that specialises in AI automation for financial services. PADISO has already built this exact system for AU insurers. They handle:

• AI Strategy & Readiness: Audit your claims data, define fraud patterns, calculate ROI
• Platform Design & Engineering: Build the graph schema, D23 pipeline, Claude agents, Superset dashboards
• Security Audit (SOC 2 / ISO 27001): Implement Vanta, ensure compliance, pass your audits
• Fractional CTO / AI Leadership: Your team gets a senior technologist who understands both fraud detection and compliance

Cost: $100K–$200K for a 12-week implementation (including all infrastructure, training, and handoff). Risk: Low (PADISO handles execution; you own the code and data).

AI automation for insurance claims processing is PADISO’s bread and butter. They’ve done this 20+ times.

Option 3: Buy a Fraud Detection Platform

Vendors like Shift, Iquant, or EXL offer out-of-the-box fraud detection platforms. You feed them claims data; they flag suspicious claims. Cost: $50K–$200K annually (SaaS). Risk: Limited customisation (you can’t define your own fraud patterns), vendor lock-in, data privacy concerns (your claims data lives on their servers).

For Australian insurers, the recent collaboration between ICA, EXL, and Shift to build a national fraud platform is worth watching. It’s a shared infrastructure (not vendor-specific), but it’s still early.

Our Recommendation

If you have 200K+ claims per year and fraud is costing you $1M+: Partner with a venture studio (Option 2). You get a custom system built on your data, in your infrastructure, with your compliance framework. ROI breaks even in 6 months.

If you have <50K claims per year or fraud is <$500K annually: Start with a platform (Option 3). Lower upfront cost, faster time-to-value.

If you’re already a tech-heavy insurer with strong data and engineering teams: Build in-house (Option 1). You’ll have full control and deeper learning.

First Step: Fraud Impact Assessment

Before you commit to any option, quantify your fraud problem:

1. Historical fraud: How much fraud has your team detected in the last 12 months? (e.g., $2M)
2. Estimated undetected fraud: Industry benchmarks suggest 5–10% of claims are fraudulent. Your detected fraud is probably 20–30% of actual fraud. So if you detected $2M, estimated total is $7M–$10M.
3. Cost of fraud detection: How much does your team spend investigating claims? (e.g., 3 FTE × $150K salary = $450K/year)
4. ROI of better detection: If you prevent 30% more fraud ($2M–$3M additional), and your detection system costs $150K/year, ROI is 1,300%–2,000%.

Once you’ve quantified the impact, you can justify the investment to your CFO and board.

Contact PADISO

If you’re a founder or CEO of an Australian insurer and you want to explore this further:

• Visit PADISO’s AI automation for financial services page
• Or check out PADISO’s AI automation for insurance page
• Book a 30-minute consultation with a PADISO CTO who’s built this system before
• They’ll audit your claims data, estimate fraud impact, and propose a custom implementation roadmap

---

Summary: Graph Patterns + Claude + Superset = Fraud Prevention at Scale

Australian P&C insurers are losing millions to organised fraud rings. Statistical models miss them because they treat claims as independent events. Graph databases surface the relationships. Claude agents reason over those relationships. Apache Superset gives your team visibility. Vanta ensures compliance.

The architecture is proven. The ROI is clear. The implementation is achievable in 12 weeks.

Your next step: Quantify your fraud problem, then decide whether to build, buy, or partner. If you choose to partner, reach out to PADISO—they’ve built this exact system for AU insurers and can have you live in three months.

Fraud detection isn’t a compliance checkbox anymore. It’s a competitive advantage. The insurers who deploy graph + AI now will outpace their competitors in both fraud prevention and profitability.