Skip to content

The Seasons Are Changing (And So Are Fraud and Regulations)

Seasons change for security regulation

If you smell the air, you can sense the seasons changing; a little crispy cold moving in suddenly, the leaves are reddening and the winds of Faster Payments and PSD2 are kicking up. Smooth transition, right? So, yeah, seasons change, and so do regulatory regimes. In the US, we’ve been largely left to our own discretions about how to run our fraud shops, with some regulatory oversight regarding disputes handling. Historically, financial institution processes around authentication and fraud monitoring (including analytics and strategy) could be anything or nothing, depending on an institution’s risk appetite. Like the seasons, this might be in transition.

Winds of change blowing from Europe

The approach is at least surfacing in Europe, where the Payment Services Directive 2 (PSD2) is mandating some minimum requirements for high-risk transaction monitoring if a payments player wants to get between banks and merchants. This innovative mandate will place minimum requirements to ensure that there are minimum requirements for fraud strategy; that strong (two-factor) authentication will underpin transactions, and it specifies the thresholds to which controls will be applied. It does not mandate machine learning, or biometric authentication, but rest assured, these elements are going to be heavily favored. The regulations that are there, however, will have teeth, and monitoring is mandated.

PSD2 has the potential to be hugely disruptive to the legacy banking business models, and it sets a very serious precedent on floor standards for future technologies, regardless of the channel. In the US, we have our own Secure Payments Task Force (convened by the Federal Reserve), with one of the tasks including the evaluation of future recommendations in payments to ensure that  payments security is up to the standard of the western world. Yes, recommendations are not regulations, but if we are going to move to Faster Payments, and both understand and mitigate the risks associated with mobile wallets, we need to be sure that we do it right and not compromise the security of all stakeholders when recommendations are published.

So, while regulations may not be immediately forthcoming, best practice recommendations for the industry might be the first step in that direction, acting as a stopgap for a very compliance-sensitive industry. That means that if a regulator sets foot onsite, sees a significant control deficiency and identifies it as a safety and soundness risk, it could be a finding.

Combine that with the influence that PSD2 will bring to our shores in the US, and you can see the setup. Control standards will not be so isolated in the future, payments risk containment standards will jump geographies via multinational organizations, there will be cross-pollination of best practices, and vendor competition will ensure that everyone has a machine learning strategy and biometric/two-factor authentication out of the box. The seasons do change, so we should welcome it. Embrace this change and see the upside in the prism of colors that the leaves bring. Put a fire on and warm yourself, winter is coming!