Portals & Rails

February 11, 2013

Is Growing Fraud Really a Catalyst for EMV?

My payments news feed has been filled with a heavy dose of EMV-related news these last few days. Take the January 2013 article from the American Banker that looks at the incidence of increasing fraud losses as the United States continues to lag on the implementation of EMV chip cards. This one especially caught my attention given that I had written a paper on this topic early in 2012.

In recent SEC filings, both Discover Financial Services and Capital One reported significant increases in fraud losses. Based on calculations using figures from Discover's latest annual report, its fraud rate on sales volume increased from 4.8 basis points in 2010 to 7.2 basis points in 2011, and reached 8.8 basis points in 2012. Because of our nation's continued reliance on magnetic-stripe cards, "we are the weakest link around the world," according to one analyst. According to another, "the fraud comes here." Given this trend of rising fraud losses, is fraud finally becoming a bigger part of the business case for EMV with card networks' liability shifts for counterfeit fraudulent transactions a little more than two years out?

I don't think that it is. While the American Banker article, and even my paper, paints a somewhat discouraging picture of the fraud situation, the fact remains that fraud is but a small, albeit growing, expense on an issuers' income statement. For example, Discover reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost them over $1.2 billion in 2012 and as much as $3.7 billion in 2010. Fraud risk as measured by fraud losses is just "another expense" to issuers while credit risk, measured by credit losses, has one of the largest, if not the largest, negative impact on an issuers' bottom line. Is it possible that fraud losses will have a larger negative impact further down the road? Absolutely, and I think they will. I also recognize there are other "soft costs" associated with card fraud in terms of cardholder inconvenience and overall payment safety perception.

Further, EMV does not address the entire fraud loss problem. It's no secret by now that while EMV has been excellent at reducing face-to-face fraud, card-not-present (CNP) fraud continues to rise because EMV does not effectively prevent it in today's online environment. For example, since the rollout of chip-and-PIN in 2008 in Canada, CNP fraud increased from C$128 million to C$259.5 million in 2011. This is another example of fraud moving to the weakest link in the payments chain. Ultimately, EMV as it exists today only solves part of the fraud equation. Until a cost-effective and consumer-friendly CNP fraud reduction solution gains traction, I believe a business case for EMV built around fraud losses will remain difficult to build. For some, the costs to implement EMV may be viewed as an insurance policy against a widespread compromise of the mag-stripe technology.

It has been more than 17 months since Visa announced its EMV U.S. migration plan and a year since MasterCard announced its EMV "Roadmap." Still, issuance and acceptance of EMV cards remains tepid, if that, here in the United States. With a little over two years until the first liability shifts for the U.S. are scheduled to take place in April 2015, issuers will need to make EMV migration decisions soon if they intend to take advantage. But is the business case there currently?

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 11, 2013 in card networks, cards, chip-and-pin, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d40f3aa2f970c

Listed below are links to blogs that reference Is Growing Fraud Really a Catalyst for EMV?:

Comments

My view on EMV is that it is a fundamentally more secure payment vehicle than typical magnetic stripe cards - plain and simple.

There are many benefits outside of just fraud savings. Consider missed transactions that international travelers might incur with a traditional card. Aite analysis reveals that card issuers missed out on $4 billion in charge volume in 2008 because of problems cardholders had with their cards while traveling abroad.

Then there is consumer perception. Ask a consumer today if he/she would like to own a car without air bags? The answer is likely no. The same is likely to hold true for EMV cards. If I have two options, traditional or EMV, I'm likely to choose EMV because it's safer. We all need to protect and enhance the consumer experience.

One cannot accurately predict future fraud costs with any degree of certainty. The pie for fraudsters is getting smaller, and if I'm a bank or credit union I don't want to be in the cross-hairs, especially if those vulnerable are getting smaller. CNP fraud is escalating. The payments industry will need to solve for that.

Chris Slane, VP, Business Development, Quatrro Processing Services

Posted by: Chris Slane | February 28, 2013 at 07:41 AM

Excellent article. One that takes the credit card fraud issue head-on and establishes that issuers and merchants have more serious issues to worry about than controlling fraud. I also found @MikeB's comment - especially the part about "issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most" - very sensible.

Posted by: Ketharaman Swaminathan | February 17, 2013 at 12:41 PM

I think you need to add other costs in (eg, PCI-DSS compliance and fraudulent portion of charge-offs) to obtain the correct cost/benefit calculation.

Posted by: Dave Birch | February 15, 2013 at 02:26 AM

Douglas,
Very interesting article and I agree that it appears that the EMV benefit is perhaps not worth the industry expense particularly if you're also shifting fraud from CP to CNP. In addition, it seems that here in the US, we're poised to move to new payment technologies such as Digital Wallets, NFC and/or Bar-codes that are more inline with the American customer, who I'm sure won't want to slow down at the point of sale to put in a PIN number on a Credit card transaction.

We conducted trials in the UK last year that I believe get to the issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most. By using Location-Based Analytic, we saw a 55% reduction of false positives while at the same time seeing a 30% increase in fraud detection . All of this in a non-intrusive manner, allowing the consumer the convenience of just swiping their card and moving on.
Mike

Posted by: Mike Buhrmann, CEO Finsphere | February 12, 2013 at 02:11 PM

Fraud may continue to be manageable from a cost perspective, but it is ultimately damaging to the user experience and the network brand experience. Consumers are increasingly frustrated by dealing with fraudulent charges (even with zero liability), receiving notices that their accounts are being breached, receiving re-issued cards, and having to re-configure their automatic payments. The networks are the ones pushing EMV because ultimately it's confidence in their systems that is taking the hit.

Posted by: Aaron Press | February 11, 2013 at 04:26 PM

Your comments raise an interesting question, namely, how much of what banks allocate as net charge-offs are actually fraud losses - especially in cases of account takeover fraud. The bad guy gains access to an account, changes the address, runs up a huge balance and bolts. As these balances get stale, the bank can either categorize them as fraud or simply charge them off.

Posted by: Chip Wickenden | February 11, 2013 at 10:23 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

July 23, 2012

The debate on credit card surcharges

Late Friday the 13th, Visa and MasterCard announced that they, along with several major issuers, reached a $7.25 billion class-action settlement with U.S. merchants. In addition to being party to the largest monetary antitrust settlement in U.S. history, the networks agreed to permit retailers to impose a surcharge on credit transactions subject to a cap and a level playing field with other general purpose card competitors. Previously, the no-surcharge rule (NSR) had been a staple for both MasterCard and Visa, ultimately prohibiting merchants from charging consumers more to pay with credit cards. Merchants claim that because of the NSR, all consumers, regardless of their payment method, incurred higher costs. Now, in theory, merchants should be able to lower their prices and pass along the costs of a credit card transaction only to those consumers paying with a credit card.

Theory versus practice
However, in the payment card market, theory and practice can differ. Look no further than the Durbin Amendment. In theory, Congress intended for this legislation to benefit consumers, assuming that merchants would pass along their savings through lower prices. However, the debate continues whether merchants who received interchange relief—some actually experienced increased rates and are in fact passing along these costs to consumers—are really passing on the savings.

Should the settlement be finalized, I believe we will see another debate about whether the consumer actually benefits, as with the Durbin Amendment. Will many merchants actually choose to impose a surcharge on credit-card-paying consumers? Will the surcharging merchants actually drop prices from their current levels or simply add a surcharge on top of existing prices? Will networks lower the effective interchange rates thus making it less costly for consumers to use credit cards should merchants choose to actually surcharge?

Will credit card surcharging take place in the United States?
Again, we have to look at theory versus practice. In theory, the surcharging provision seems like a win for merchants, but in practice, will the surcharge provision have any impact at the point of sale? And what will prevent surcharging from being put into widespread practice in the United States?

For starters, 10 states with 40 percent of the U.S. population—including California, Florida, New York, and Texas—currently prohibit retailers from charging customers a fee for using a credit card. Keeping the consumer in mind, remember the backlash that one bank experienced when it proposed a new debit card fee? Will any merchant that attempts to implement a surcharge—actual implementation of a surcharge with various types of cards and payment environments is worthy of an entire discussion itself—face similar scrutiny?

I also wonder: if a merchant chooses to charge consumers a fee for using a credit card, would the fee and the merchant then fall under the authority of the Consumer Financial Protection Bureau? The surcharging debate around this potential settlement and ultimate outcome will no doubt be interesting moving forward.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

July 23, 2012 in card networks, cards, regulators | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017616a536b7970c

Listed below are links to blogs that reference The debate on credit card surcharges:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

August 02, 2010

Fight against payments fraud: The target is moving, but not everybody takes aim

Industry statistics show payments fraud continually evolves, which is a likely reason it will never disappear. Even so, industry statistics also show some institutions prefer incurring costs associated with fraud rather than paying the price for preventive measures. Nothing drives those points home like drilling into the numbers.

Regarding the evolution of payments fraud, the same technologies that enable electronic payment innovations are also the same ones that help bad actors find ways to access consumer data and account information to perpetrate identity theft and payments fraud. In fact, FinCEN's June 2010 issue of The SAR Activity Review — By the Numbers reports that the number of Suspicious Activity Report (SAR) forms filed by depository institutions on computer intrusion, while quite small relative to other forms of suspicious activities at around 1 percent of suspicious activity–type filings, increased roughly 52 percent in 2009 from 2008.


Changes in Types of Suspicious Activity, 2008-09
ENLARGE

This increase of computer intrusions confirms recent media reports about the industry's heightened concern over malware attacks and corporate account takeovers. However, despite the continued decline in check writing, the data also show that check fraud remains the most frequently reported suspicious activity, primarily in the form of counterfeit checks.


FinCEN Suspicious activity report filings by depository institutions
ENLARGE

Businesses weigh in: Check fraud remains rampant
Even with the emergence of new threats, many of the established risks continue to thrive. The Association for Financial Professionals (AFP) 2010 Payments Fraud and Control Survey reports payments risk experience from the standpoint of businesses, with similar results. The survey indicates payment fraud, particularly check fraud, "remains rampant." Ninety percent of respondents to the survey were victims of check fraud, with 64 percent suffering financial loss as a result.


Prevalence of Payments Fraud in 2009
ENLARGE

Industry fight against payments fraud
The fight against fraud remains ongoing—financial institutions and vendors offer a number of fraud control services to protect corporate bank accounts. According to the AFP, the most widely used fraud control measure to guard against check fraud is positive pay, a tool that compares an organization's check record with those presented for payment or payee names for possible alteration. With respect to ACH payments, companies can use debit blocks and filters to prevent unauthorized transactions. Other traditional internal control processes, including daily reconciliation and separation of duties, are effective measures especially in concert with similar sound practices by the organization's financial institution, such as the use of checklists (as described in an earlier post). Other mitigation practices reported in the AFP report include restricting online data communications and controlling the transmission of payment instructions from the phone or fax to more secure environments, to name just a few.

Interestingly, the report included survey responses on reasons organizations elected to forgo the use of purchased fraud control services, with most reporting that the costs outweigh the perceived benefits they might realize.


Reasons for Not Using Positive Pay, Debit Blocks or UPIC
ENLARGE

Looking forward
If we use these reputable data sources as proxies for the collective success of the efforts of all payments stakeholders in the fight against payments fraud, we appear to be doing rather well. Fraud experts know, however, that there is no time for resting on laurels, as the bad actors are always moving forward. It will be critical to engage all stakeholders in the fight against payments fraud, finding new means to control the disclosure of private information and to authenticate consumer payment credentials at every step in the payments process.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

August 2, 2010 in ACH, card networks, check fraud, consumer fraud, fraud, online banking fraud, risk | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485f0df70970c

Listed below are links to blogs that reference Fight against payments fraud: The target is moving, but not everybody takes aim:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 28, 2009

Coordinating roles in mobile payments--who will we trust?

The concept of mobile payments is beginning to gain some traction as the industry grapples with environmental complexities—namely the myriad participants in the mobile payments arena, the mulitiple channels for a mobile payment to follow, and the ever-present questions about security. Who can be trusted to intercede among the various entities with an interest in the payments process? While a number of roles in the mobile payments arena are taking shape, the least known and possibly the most confusing is the concept of the trusted service manager (TSM). However, this role is also possibly the most critical to establishing a secure and trusted environment for mobile payments. So what exactly is a TSM and what are its responsibilities?

Complex environment for mobile payments
While anecdotes sometimes dismiss the anticipated speed to market of mobile payments as industry hype, the fact is that the ubiquity of the mobile phone is driving the convergence of telecom and payments. This convergence creates a far more complex environment for payments than ever before. Telecom participants and financial institutions have different regulatory and legal frameworks and distinctly different risk exposure, for example.  Furthermore, the U.S. mobile payments environment will leverage existing payment channels, such as the automated clearinghouse (ACH) and the card networks. No one knows if the industry and market will ultimately prefer a particular channel. The result is an array of business models with a vast number of unrelated players with competing interests for customer revenue.

Stakeholders in the mobile payments business model
In addition to the traditional payments model that includes the customer, financial institutions, and perhaps payment processors, the developing mobile payments ecosystem also includes large groups of mobile network operators and handset makers who have no previous payments life cycle experience. For payment system interoperability, all participants must agree to operate under uniform technical operating and security standards. In this context, the role of a TSM is to manage collaboration among the various stakeholders.

Role of the TSM
The concept of the TSM was introduced by the Global System for Mobile Communications Association (GSM) in 2007 in an effort to improve interoperability among various and unrelated proprietary mobile networks. The core function of the TSM is to serve as a neutral and independent middleman between financial institutions, payment network operators, customers, and the mobile network operators.

Responsibilites envisioned for the TSM include managing contractual relationships with the large number of mobile network operators (MNOs) as well as acting as a single point of contact for banks and other payment service providers to communicate with customers they share with the MNOs and handset makers. The key to the TSM’s success clearly is the financial wherewithal to inspire trust on behalf of the other payment participants and to support agreements with a large number of partners. Finally, the TSM should also provide the oversight for various systems among participants to ensure secure transmission of payments and personal data in the transaction.

Who should fill the role?
While the need for a TSM is recognized, there is no consensus on who should fill that role. MNOs, payment network operators, and financial institutions lack the economic incentives to form alliances with other participants in the payment ecosystem because of their competing interests for customer revenue. Whether the role is filled by a consortium of existing players or by a new entity yet to be formed will depend on an ability to fulfill these critical responsibilities from a position of neutrality and independence.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum at the Atlanta Fed

September 28, 2009 in ACH, card networks, mobile network operator (MNO), payments, trusted service manager | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0120a5a4bf95970b

Listed below are links to blogs that reference Coordinating roles in mobile payments--who will we trust?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in