Setting the standard for combating fraud

Appeared on GTNews on December 9, 2008

Tuesday, December 09, 2008

United we stand and divided we fall. This is an ancient and oft-quoted phrase that the payment industry would do well to heed if it is to take the next step in the long, expensive and damaging war that is being fought against fraudsters. Put simply, the industry needs to not only find more ways to share information and experiences on fraud but to actually design new standards that will deliver a more cohesive frontline in the war against fraud.

Clearly, the design and implementation of standards for fighting fraud, even at a national level, is quite complex. This is regardless of whether the standards in question are self-regulated, run by one of the card schemes or driven through an industry body. If standards are contemplated at an international level, which many would argue to be a sensible course of action when dealing with payment fraud, then this complexity grows by several orders of magnitude. As such, small but significant steps should be considered, the first being around the point of detection (PoD).

At the moment there is little industry-wide agreement on what defines fraud levels and the cost to a country or industry. Levels of fraud are typically reported in purely financial terms and then broken down into the various sub-categories making up that fraud - i.e. card, cheque, online and identity fraud. However, the data, which comes from the banks' fraud departments, is purely numerical and does not take into account more sophisticated ways of measuring the true performance of a fraud prevention strategy, such as false positives and detection rates. PoD, for example, could provide a more cohesive approach to an industry-wide anti-fraud strategy.

Fraud Measurement with PoD

PoD measures how many missed fraudulent transactions occur prior to a bank's system generating its first alert on an account. As such, PoD is the metric that is most closely tied to fraud losses as it directly describes the number of lost transactions that occur before an analyst, or system, has the chance to stop a fraud. In practice, a PoD of 'five' means that, upon the fifth suspect transaction, the system raised an alert within the bank. This, of course, means that the four transactions prior to the PoD are all losses, and potentially the fifth as well, depending on whether the detection system has real-time prevention capabilities. Multiplying the average loss per transaction by the PoD then gives an accurate and transparent view of the real cost of fraud.
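The calculation described above, as an added example that is not part of the original article: it derives the PoD per account from a time-ordered transaction log and totals the losses with and without real-time prevention. The `Txn` fields, the sample data, and the choices to report no PoD for accounts that never alert and to treat transactions after the first alert as stopped are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Txn:
    account: str
    amount: float
    fraud: bool     # confirmed fraudulent after investigation
    alerted: bool   # detection system raised an alert on this transaction

# Constructed sample log, already in time order within each account.
SAMPLE = [
    Txn("A", 40.0, False, False),
    Txn("A", 120.0, True, False),
    Txn("A", 80.0, True, False),
    Txn("A", 200.0, True, True),   # first alert on the 3rd fraud -> PoD 3
    Txn("A", 300.0, True, True),   # assumed stopped: account already flagged
    Txn("B", 60.0, True, True),    # alert on the 1st fraud -> PoD 1
    Txn("C", 50.0, True, False),
    Txn("C", 70.0, True, False),   # never alerted -> PoD undefined
]

def pod_report(txns, real_time_prevention=False):
    """Per account: PoD, number of lost fraudulent transactions, loss value."""
    frauds_by_account = {}
    for t in txns:
        if t.fraud:
            frauds_by_account.setdefault(t.account, []).append(t)
    report = {}
    for account, frauds in frauds_by_account.items():
        # PoD = 1-based position of the first fraudulent transaction alerted on.
        pod = next((i for i, t in enumerate(frauds, 1) if t.alerted), None)
        if pod is None:
            lost = frauds                     # nothing stopped the fraud run
        elif real_time_prevention:
            lost = frauds[:pod - 1]           # the alerted transaction is blocked
        else:
            lost = frauds[:pod]               # the alerted transaction still clears
        report[account] = {"pod": pod, "lost_txns": len(lost),
                           "loss": sum(t.amount for t in lost)}
    return report

def average_pod(report):
    """Mean PoD over accounts where detection occurred; None if there are none."""
    pods = [r["pod"] for r in report.values() if r["pod"] is not None]
    return mean(pods) if pods else None
```

Accounts with no PoD are worth reporting separately, since they are missed entirely and would otherwise flatter the average.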

Ignoring the issue of whether to use PoD as an industry standard for a moment, it should be clear that even within individual banks, the argument for its use for fraud analysis is persuasive as it can play a central role in direct loss avoidance. This is because the sooner banks can detect fraud on an account, the sooner they can take action on it and stem their losses. Based on an average loss per fraudulent transaction, it is easy to see the potential savings if detection was targeted at earlier transactions in the fraud cycle. Even a small drop in the average PoD of half a transaction per account can make more difference than increasing detection rates by a large percentage.

Implementing PoD

Despite all the benefits, PoD is yet to become a staple in fraud managers' repertoires. It is for this reason that an industry-wide view needs to be taken where, preferably, one of the card schemes should take the lead and introduce an industry standard for PoD. For example, if the industry-wide PoD rate was set at 'three', then it would become unacceptable for any fraud department to operate at a higher rate. It would also provide a coherent and unified level of response to fraud attacks.

Some allowance may need to be made depending on the type of fraud, as some fraud types take longer to become apparent. However, the systems and technology are already in place to enable the adoption of such an industry measurement. It would also contribute significantly to tackling the continually growing consumer fear of fraud, which is, in many ways, more damaging to financial institutions than the fiscal value of the fraud itself. The anecdotal and statistical evidence all points to consumers being either rationally or nonsensically afraid to undertake certain types of transactions due to the fear of being a victim of fraud. Given that the education programmes undertaken by banks and APACS, combined with the fear stoked up by the media, have made payment fraud prominent within the social psyche, there is an opportunity to build on this level of awareness.

If a standard were introduced in words that consumers can understand, they could appreciate to a far greater extent what is happening when fraudulent transactions start occurring on their account and be prepared to participate in the fraud prevention process. This is crucial as consumers currently find it hard to legitimise why a fraudster might be able to make ten or so fraudulent transactions before their bank puts a stop to their card or account. However, if PoD is used as a key measure of banks' anti-fraud systems, then consumers can be engaged with the process in the same way, for example, that they have historically understood other banking processes such as the time it takes for cheques to clear.

By creating a standard that consumers can relate to, new processes can be introduced that rely on customer input. One example is interactive SMS alerts that are sent to individuals' mobile phones whenever a transaction occurs that is outside their pre-set trigger points, such as when it is over a certain amount or outside their usual spending habits. The customer receives an SMS alerting them to the transaction and giving them the opportunity to immediately reply to block their card if it is fraudulent. Alerts can also be sent for any transaction that the bank thinks is suspicious, even if it is within the customer's usual limits. This has the potential to stop fraud after the first transaction and in so doing bring the PoD down to one, thereby dramatically reducing the amount of fraud undertaken against an individual account.

Conclusion

For the industry to get behind PoD as a standard measure of fraud analysis would, as mentioned, require a significant industry ambassador to spearhead the initiative. However, the benefits to consumers and the banks individually are dwarfed in comparison to the overall effect such a unified response would have on the fraudsters. Where they are currently able to probe and exploit individual weaknesses, they would instead find a coherent and singular response that will in turn lower the number of fraudulent transactions that take place. It is this sort of strategy, combined with other anti-fraud standards that could subsequently emerge, that will ultimately reduce fraud levels and in so doing limit the attractiveness of payment fraud to the criminal community.

By Dave Divitt, business solutions consultant, ACI Worldwide (EMEA) Ltd