COVID-19 and the current state of play
COVID-19 has had an undeniable impact on fraud trends throughout the world, and certainly here in Australia. Banks have undergone a dramatic shift from managing transactional fraud to focusing on protecting customers from scam activities — something that demands much more attention from banks.
“Scam prevention is tough work,” said Young (Westpac). This is due to the nature of scams, which aren’t easily identifiable by the same metrics as, say, card fraud. Young says that propensity eModeling, something not used much in fraud, is being used more often to identify scams.
Additionally, remote access scams are becoming a larger issue throughout Australia. An example of this would be someone calling you pretending to be your telco provider with an issue and tricking you to install a remote access tool into your computer. According to Tim Dalgleish (BioCatch), this scam claims more than 30 victims per day in Australia and is continuing to grow.
In all instances, the challenge of defeating these scams comes down to your knowledge of the customer. “Attackers are focused on the human,” said Dalgleish. “You need to know your customers better than the criminal, and what that comes down to is making sense of a whole lot of data.”
While “a whole lot of data” is necessary in recognizing good and bad transactions or behaviors, the challenge of sorting through that data is the key to protecting customers. Dalgleish was quick to point out that the ultimate goal of data collection is to turn it into an actionable signal.
That’s where machine learning comes into play. Machine learning quickly distills this broad data into actionable signals, allowing the bank to act on the information. For instance, in the remote access example, machine learning can recognize that the user is logging in from a different device or IP and paying someone new. All of these signals would send up a red flag.
So how is machine learning being used? Young says it’s a matter of modeling for everything from card transactions to customer profiles, which is used alongside rule- and pattern-based governance. “The models and rules we have these days use enhanced profiles and have an algorithmic and data complexity. They’re capable of processing and mapping data very quickly. And thank goodness they do because so many of our payments are real-time now. It’s not just cards.”
But one of the most important aspects of machine learning that has come to the forefront recently is the ability to share intelligence.
While data rights, privacy considerations and regulations such as GDPR are intended to help the consumer, they can sometimes impact the ability to share data that is necessary to protect consumers. Network intelligence — the ability for corporations throughout the world to collaborate using data-driven fraud signals — is changing the game in terms of intelligence sharing and fraud protection.
This collaborative use of signals versus data is going to be increasingly important for customer protection…whether it be from scams or transactional fraud.
Strong customer authentication (SCA)
Part of the revised PSD2 directive in the EU, SCA mandates multi-factor authentication based around:
- Something the user knows (e.g., PIN)
- Something the user possesses (e.g., phone)
- Something the user has (e.g., biometrics)
It’s only a matter of time before SCA is implemented in Australia and New Zealand, making it essential that banks and merchants familiarize themselves with the benefits and challenges of SCA implementation.
One of the key aspects is that institutions can become exempt from SCA regulations if they maintain fraud rates below a certain percentage. As my colleague Mark Southby (ACI) explains, “You don’t have to authenticate every transaction if you use risk-based authentication. For example, you might have the same device, the same amount at the same merchant. Well, let them through. It can be frictionless.”
Southby also explains that organizations can maximize 3-D Secure 2.0 (3DS2) to create a competitive differentiator for themselves. “We have one customer who’s putting in a lot of work towards 3DS2. They’re getting 0.4 percent abandonment rates whereas the country they operate in is at 10 percent. It just goes to show that you can actually put yourself ahead of the competition.”
For Dalgleish, the number one challenge for the future revolves around scam protection. “Fraud is not one session anymore. It’s multiple sessions, multiple components. It’s a lot messier.” Detecting a bad actor controlling the computer is a lot different than detecting a fraudulent transaction, which forces banks to develop strategies to both protect customers in a traditional sense, and also educate and guard them against various scams.
Young added that scam protection also creates a balancing act for banks between scam liability and customer sovereignty. Protection cannot come at the cost of trampling the customer experience.
Personally, I believe that convergence of intelligence from merchants, information security, insurance, healthcare, telco and other sectors will be critical for banks to effectively fight fraud. Given the wealth of information becoming available, banks must find ways to access this data, bring it together and act upon it. This depends on solutions that put real-time, big-data analytics directly in the hands of the anti-fraud specialists, helping them develop tactical models that address digital fraud threats.
Financial institutions throughout Australia and New Zealand must prepare for SCA. Southby, who works closely with some of our largest customers, believes that banks must acknowledge that they can still deliver a premium customer experience even with some friction caused by greater protections. If customers are educated and can understand why this friction exists, they will be more likely to react positively.
Listen to the full on-demand webinar featuring experts from Westpac and BioCatch: Tomorrow’s Customer Protection Today