New regs aren't nearly enough to stop fraud
Payment fraud prevention is an increasingly complicated and constantly evolving business. Issuers and merchants everywhere are being challenged by a growing variety of payment methods, which are fueling the rise of ever more sophisticated card fraud techniques.
Despite awareness of the scale of the problem, and the proliferation of innovative new technologies, the volume of fraudulent transactions is continuing to grow across Europe. To stem the tide, financial institutions need a new approach.
Part of the problem is that regulations do not stop payment fraud; they simply encourage it to migrate between departments and regions. The case for payments regulation like PSD2 goes like this: the Strong Customer Authentication (SCA) requirements mandated are so stringent that they will stop fraudsters in their tracks.
Except…not quite. In reality, criminals will react to the EU legislation by changing their modus operandi. Fraudsters are very agile and used to adapting to new landscapes. For them this is not the end of the road, but merely a fork in it. In the long term, they will develop new, more advanced tactics that will enable them to resume targeting European consumers and merchants once more. In fact, as early as January 2018 we were seeing criminals preparing for and testing how they will commit fraud in a post-PSD2 world using shell companies and sophisticated social engineering.
This lack of understanding has created a cycle in which financial institutions are trapped: fraudsters work out how they can navigate current systems; banks implement reactive measures (either of their own volition or as mandated by regulators); fraudsters work out how to navigate the updated security measures and resume criminal activity; and on, and on, and on….
To win, issuers need to change the rules.
So, how can the financial services and payments industries resolve this growing problem?
By recognizing the cyclical nature of fraud prevention. Instead of playing catch-up with fraudsters, it’s time for financial institutions to get ahead of the curve by focusing their efforts upstream in the value chain.
The good news for issuing banks and payment processors is that they are starting at an advantage. They hold vast amounts of data on billions of payment card transactions, from sender and recipient identifiers to merchant category code (MCC), card type, input method and more. All of this data can be extracted for analysis and leveraged in the fight against fraud.
As humans cannot compete with computers when it comes to data interrogation, artificial intelligence (AI) will be the key enabler. That’s why AI holds so much potential – because it presents an opportunity to analyze and act on patterns too complex for the human brain to even identify.
AI, though, must be combined with better awareness of how criminals navigate technological and legal changes to commit fraud. Only a combination of best-of-breed technology and skilled human resources can achieve the wide-ranging analysis needed while also identifying new data sources to include and monitoring for errors in data capture The latter are two areas that current AI systems cannot succeed in without human input.
Any fraud expert worth listening to will tell you that risk can never be entirely mitigated. This doesn’t mean that banks shouldn’t go to market with new payment use cases or focus on frictionless user experiences, but that they need an approach that enables them to evolve ahead of fraudsters and proactively prevent fraudulent transactions.
Investment in cutting-edge AI and human expertise can no longer be "nice to haves" for issuing banks. They are necessary if financial institutions are going to fight fraud in the 2020s, and win.