Online payment fraud can be a challenging topic. It is not just the payment service provider that is responsible for creating a payment platform that is secure and tamper-proof. The payer, too, needs to be aware of the changing threat landscape and adjust actions and habits accordingly. Regulators have started to weigh in, too.
The subject matter experts at SAS have been sharing their thoughts on strategies, tactics and analytics designed to make it easier to reduce losses from fraudulent transactions. Their recent ideas divide roughly into two areas: broad trends in payments and fraud, and new sources of fraud risk.
Broad trends in payments and fraud
Digitisation was supposed to help reduce fraud. Unfortunately, however, as Michael Rabin points out, fraudsters turn out to love digital. Digital favours anonymisation and self-certification, and many companies are still using rigid rules that are easy for fraudsters to manipulate. Michael argues that insurance providers need to start looking for suspicious patterns and anomalies, and also examine patterns in relationships and networks. This is where analytics can really help.
Ellen Joyner Roberson also believes that digital, especially mobile, is a huge issue for payment fraud. She notes that what makes it so attractive to customers – convenience and speed, for example – also makes it attractive to fraudsters. Combating it requires a fine-tuned system to stop just the fraudulent transactions. Machine learning and hybrid analytics are turning out to be vital tools in the tuning of fraud detection systems.
One of the major sources of payment fraud is wire fraud, broadly defined as any fraud involving communications technology. A blog from Veena Hirannaiah discusses this issue. She explains that probably the most prominent example of wire fraud is business email compromise, otherwise known as email scams. Examples include phishing, spoofing, and social engineering. Veena discusses how advanced analytics, including machine learning, is being used to detect patterns and proactively prevent wire fraud.
You might think from reading these blog posts that machine learning is pretty new in fraud detection. Jen Dunham points out that it has actually been around for a long time, and has been used in fraud detection for many years, drawing on feedback loops to train the analytics model. She closes with a timely reminder that machines, even the so-called intelligent ones, need humans to investigate potential frauds.
No discussion about payments would be complete without mention of APIs, or application programming interfaces. These little pieces of sheer genius allow different bits of software to talk to each other, including, for example, websites like Amazon and eBay, and payment systems such as PayPal. APIs are increasingly everywhere, including in analytics, and will only increase in importance as the payments market is opened up.
New sources of fraud risk
New regulations to promote more competition can themselves create new fraud risks. The EU’s new Payment Services Directive (PSD2) provides for an API-driven open market, which may have some unintended consequences.
PSD2 will open up the payments market, which will inevitably result in more transactions. Colin Bristow’s useful introduction to the topic notes that where there are more transactions, there is more potential for fraud, including new types of fraud. Decisions on authentication must be taken soon, and companies will have to think about what will be enough, but not too much.
Sundeep Tengur has contributed a series of three blogs on PSD2 and how it will operate. The first is about understanding PSD2 in broad terms. Sundeep describes the main PSD2 themes, in particular market integration, democratising access to payments, increased consumer protection (largely through the regulation of fintechs that have previously not been covered by European regulations), and specified security requirements, such as strong authentication.
Sundeep’s second blog post explains how PSD2 could increase fraud risk. He notes that it will increase the number of transactions, but also the number of channels used for payments. Banks will therefore be under increasing pressure to ensure that payment data is secure, even while authorising payments rapidly. The proliferation in the number of market players could open up gaps for fraudsters to step in, and strong authentication and fraud prevention systems will be vital.
Finally, Sundeep describes the regulatory technical standards governing PSD2 and sets out the requirements for the “strong authorisation” the directive calls for. The regulatory technical standards make clear that banks will be responsible for securing third-party transactions. They also cover banking APIs, interface formats, and fraud reporting requirements. This is, effectively, the “how” of PSD2, and Sundeep’s blog demystifies the standards while helpfully explaining their implications.