Fraud teams are dealing with an increased workload and new regulatory challenges, despite widespread resourcing constraints. We have four recommendations to help.
COVID-19 sent consumers flocking to digital shopping channels and inevitably led to changes in the fraud landscape. At the same time, new regulations around card-not-present (CNP) transactions are rolling out. Here are four recommendations to help fraud teams stay efficient and effective.
Handling more transactions without growing your fraud team
The pandemic has led to an increase in online transactions for many types of business, as consumers have chosen (or been obliged) to switch to digital channels. Despite this shift, however, internal fraud team resources may be constrained, perhaps because of pandemic-related restrictions or for budgetary reasons. As a result, we've seen fraud teams struggling to:
- Defend or reconcile chargebacks
- Address emerging fraud trends in a timely way
This can, of course, have an impact on a merchant's overall dispute and fraud rates. In the EEA and U.K., where the Strong Customer Authentication (SCA) requirement of PSD2 applies, any rise in these rates can affect acquirers' and issuers' ability to offer SCA exemptions.
If your fraud team is struggling owing to resourcing constraints, you should consider entrusting the configuration of your fraud solution to your provider or outsourcing manual reviews to a trusted third party.
Making effective use of ML and AI
Some fraud teams are compensating for resourcing constraints by making more use of machine learning (ML) and artificial intelligence (AI)-based fraud detection. Automated, system-generated rules and digital review could well become a fixture in the fraud-screening process for many businesses.
There's little doubt that human expertise will always be crucial to getting the best value out of any automated tools, and this is where the knowledge of professional risk analysts comes in.
Cybersource Decision Manager clients can take advantage of our Rules Suggestion Engine (RSE), which automatically creates fraud rules using advanced ML models. We also recommend our clients integrate Identity Behavior Analysis (IDA) into their fraud strategies. IDA draws on data from across our global client network to help a business identify genuine customers more efficiently and confidently.
Dealing with new regulation-driven fraud challenges
Sending one-time passwords (OTPs) to mobile phones is a common way to meet the SCA requirement of PSD2 in the EEA and U.K. As these regulations continue to roll out, we anticipate an increase in SIM swaps and SIM hijackings, as fraudsters look to intercept OTPs sent to cardholders' mobile phone numbers to validate fraudulent transactions.
To help guard against SCA-related fraud, consider using GPS location verification and flagging up device fingerprint inconsistencies. It's also worth educating consumers about the risk of SIM-focused attacks.
Naturally, you should educate your fraud team on the new regulations and help them understand the areas to which fraud may migrate. Channels and transaction types that are out of scope for strong authentication (such as MOTO and one-leg-out transactions in the case of PSD2 SCA [1]) could become more attractive to fraudsters. Consider additional measures, too, such as adding protection to MOTO channels, paying attention to BIN countries outside the region covered by the regulation, and monitoring for account takeover fraud.
Are you ready for increased regulatory oversight?
The dramatic shift in commerce to the CNP environment will doubtless prompt national governments to re-evaluate how consumer information is processed and stored. Some countries may even introduce data protection regulations for the first time.
We expect to see increased scrutiny of merchants and, potentially, calls for tougher treatment in the case of a data breach.
To be well-prepared, we suggest you review your data privacy policy with a data privacy officer who can carry out a data protection assessment of your organization. You'll also want to educate your fraud team about new and evolving data privacy laws that may affect your business.
Source
[1] Applicable to the “European Economic Area & UK”. The issuer makes the decision about whether SCA is applicable and should be applied.