The Federal Reserve Board recently finalized a rule granting card issuers the opportunity to collect an extra cent per debit card transaction if they have effective fraud reduction strategies in place. The finalized rule will take effect on Oct. 1, and applies to issuers with more than $10 billion in assets. The rule mentions fraud-mitigation tools generally, as opposed to mandating any specific technologies. While the lack of specificity is challenging, it correctly recognizes the fraud problem is evolving and that effective fraud controls are a moving target.
While card fraud is generally under control in the U.S. market, the fraud landscape is changing as new consumer payment options create fresh vulnerabilities and inspire new scams. Mobility serves to multiply risk of compromise, yet banks are keener than ever to accommodate consumer preferences and preserve customer experience. Fraudsters have recognized that online purchases, in particular, are a lucrative and anonymous means of attack. Consequently, card-not-present fraud losses have increased at twice the rate of counterfeit card losses.
The expected introduction of the Europay, MasterCard and Visa (EMV) technology standard in the U.S. promises to boost protection against counterfeit losses. EMV provides for a dynamic authentication protocol that can't be skimmed and copied like today's standard mag-stripe cards. EMV has been extremely effective in reducing counterfeit and point of sale fraud in Europe, driving even more fraud towards card-not-present mechanisms The adoption of EMV here in the U.S. will also be a huge step towards reducing cross-border fraud as fraudsters will no longer be able to monetize the mag stripe credentials of compromised European cards in our (as-of-now) chip-less point of sale environment.
The top three point of sale sources for debit card fraud during the past year were ATMs, grocery stores and gas pumps. Top merchant categories for credit card fraud were grocery stores, restaurants and online retailers. Given the rapidly changing fraud landscape, as well as the pending introduction of EMV technology, it makes sense for issuers to capitalize on the Fed's new fraud rule and plan for investments required to maintain effective fraud controls.
Issuers should keep three things in mind when choosing fraud protection. First, many issuers are considering self-calibrating and self-learning technologies. These systems look for emerging fraud patterns and automatically adjust, even taking into account macroeconomic factors, such as price fluctuations and changes in consumer spending patterns. Such systems provide the obvious benefit of tightening controls when new risks emerge, but they also automatically loosen approval criteria when risks subside. Leveraging self-calibrating technologies, issuers can recognize and react to problems before they realize substantial loss, optimize customer experience and enable their staff to stay focused on investigations (as opposed to rule-writing and system maintenance).
There is also the issue of managing the risk of compromised debit cards. Most issuers recognize that the majority of active cards in circulation today have likely been compromised, but most breaches won't result in fraud or any substantive loss. Today, issuers need to understand the risk of compromise and the risk that any given card will experience a loss. Avoiding the cost and customer impact of re-issue for low-risk compromises, while still reacting affirmatively to high-risk compromises, is critical to success.
Finally, as EMV is rolled-out in the U.S., issuers should look to leverage lessons learned by their peers. The leading card fraud detection and analytics solutions are consortium-based, and are quickly updated to incorporate the fraud experience of thousands of issuers and billions of active cards. While banks are becoming increasingly proprietary regarding most aspects of risk management, collaborating in fraud remains the best-practice. Choosing tools that are consortium-based provides banks with the means of rapidly absorbing the lessons of other issuers in hard-won battles against fraud from around the world – including lessons from regions that have already completed their EMV migration.
For most issuers, fraud losses are generally under control, but the reality is that fraud is a constant and evolving threat. The migration to EMV will provide additional security, but will also challenge fraudsters to invent new ways to game the system. While issuers don't always carry the liability for losses, the new rules ensure that they have an incentive to provide meaningful protections for the industry, retailers, consumers and their own shareholders. New, self-calibrating technologies and collaborative, consortium-based approaches provide the opportunity for issuers to pre-empt the risk of uncertainty that is attached to this changing landscape – and preserve the benefit allowed under the rule.
Doug Clare is vice president for FICO's fraud solutions product management team. He writes for the FICO Banking Analytics Blog.