Take On Payments

About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

June 29, 2015


The More Things Change, the More They Stay the Same

As I write this blog on the screened porch of a North Alabama lake house, the cicadas are constantly buzzing in the background. I am fascinated by the life cycle of this species—namely, the emergence of the periodical cicadas from belowground every 13 to 17 years. This life cycle got me thinking how the world has changed since the last time the 17-year cicadas emerged. And while in this neck of the woods, some things have changed—new houses have been built and personal watercraft are now constantly buzzing on the lake—some things have remained the same. The nearest grocery store is still 30 minutes away and the iced tea is as sweet as it ever was. Is this mixed scenario really any different for payment card fraud?

Certainly a lot has changed in card payments during the last 17 or so years. We've witnessed the enormous growth of debit card transactions, the continued growth of credit card transactions, the emergence of the e-commerce and mobile payments channels, and the almost global adoption of the EMV (chip) card. As card payment usage has evolved, so has the fraud landscape. Lost and stolen card fraud fell out of vogue while counterfeit card fraud took off only to see stolen card fraud re-emerge when the issuance of EMV cards in most markets thwarted counterfeit card fraud. Point-of-sale (POS) fraud is occurring less often across the globe because of EMV and PIN verification, driving the fraudsters to the Internet to commit card-not-present (CNP) fraud.

But what hasn't changed is the global rate of fraud. An article in the August 2013 Nilson Report estimated that the annual cost of card fraud worldwide in 2012 was 5.2 cents for every $100 spent, resulting in $11.27 billion in losses. This figure compares to Nilson's estimate of fraud losses in 1998, which ran approximately 4.8 cents for every $100 spent and resulted in a little less than $2 billion of fraud. Perhaps a fraud rate in the 5 basis points range is the industry-wide acceptable rate, but with billions of dollars being invested to mitigate fraud, I would like to think that over time the rate would be reduced (though I must admit that I am not sure what the acceptable rate should be).

Maybe this speaks to the tenacity of the card fraudsters. As we in the Retail Payments Risk Forum have often stressed, once one door is fortified, the fraudsters find another door to enter. And if we could dive deeper within the figures, I am certain that is what we would find, according to various estimates of fraud and anecdotal evidence. For example, the emergence of EMV and the use of PIN verification instead of signature verification have reduced POS fraud. Today, CNP fraud rates are significantly higher than POS fraud rates and many industry risk efforts are focused on mitigating CNP fraud.

When the cicadas reappear, undoubtedly the payment card usage and fraud landscape will look different. Perhaps mobile payments will have taken off and the use of biometrics as a method of verification will be commonplace. I feel confident that in 17 years the industry will make substantial strides in reducing e-commerce CNP fraud rates—but also that new areas of fraud will appear. Is the industry prepared to fight the next generation of fraud or will it just continue to Band-Aid the past? Should we expect a 5 basis points rate of fraud when the cicadas emerge in another 17 years? I'd like to think the rate will be lower. At a minimum, hopefully, it will remain as consistent as the sweet iced tea in this neck of the woods.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


June 29, 2015 in cards, chip-and-pin, EMV, fraud, innovation, mobile payments | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 23, 2015


Payments Stakeholders: Can't We All Just Work Together?

Coming together is a beginning; keeping together is progress; working together is success.
 – Henry Ford

In my physics classes at Georgia Tech, I found the principles around forces, momentum, and energy sometimes difficult to comprehend and distinguish. But I readily grasped a simplified version. I understood that if people apply their combined energy in the same direction, they can move the object of their attention to a designated spot faster and easier than if any of them tried it alone. And if they directly oppose one another or exert their efforts in different directions, the movement of the object is slow, its route is haphazard, and it may never reach its intended destination.

This last situation sometimes occurs with different groups of payments stakeholders—most notably, but not exclusively—the national card brands, along with their financial institution clients, and the merchant communities. Amidst all the charges and countercharges between the groups, it sometimes appears that these stakeholders are pushing in different directions—so the industry seems to be making little progress toward adopting payments standards and practices or fraud prevention solutions, for example.

An important payments risk issue affecting multiple stakeholders is card-not-present (CNP) fraud, which is expected to increase significantly after the United States migrates to EMV chip cards. We learned this from the experiences of other countries that have completed their migration. What happens is that EMV cards essentially close the door on the criminals' ability to create counterfeit EMV cards, so they shift focus to CNP opportunities.

Merchants contend that EMV card migration primarily benefits the card issuers since, for counterfeit-card-present (CCP) fraud, the issuer normally takes the loss—and EMV makes CCP fraud much less likely. Another way merchants may view EMV as being more issuer-friendly is that they must bear card-present fraud loss if they don't upgrade their terminals—at their expense—once the October 2015 liability shift goes into effect. So not only do they face increasing liability for card-present transactions, they will continue to be held responsible for the expected increase in CNP fraud losses.

The card brands and financial institutions counter the merchants' position on a number of fronts. For example, they point to the massive payment card data breaches that took place in 2014 at national merchants, saying these events eroded consumers' confidence in payment cards. Migrating to EMV cards and eventually replacing the magnetic stripe will provide clear improvements to payment card security, which will in turn increase consumer confidence in the safety of using cards. And that will benefit all stakeholders in this payment system. In addition, card brands and financial institutions are taking steps to help mitigate CNP fraud: they have invested heavily in several products and are collaborating with third-party providers to develop better customer authentication solutions to ultimately reduce the risk of CNP transactions for all stakeholders.

Disagreements among stakeholders will always exist, especially on elements that have a major financial impact on their businesses. However, there must be a diligent and ongoing effort by all parties, working together and with the same goal, to find areas of common ground that will result in a more secure payments environment.

Photo of David LottBy David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


February 23, 2015 in cards, chip-and-pin, EMV, payments | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01bb07f047c8970d

Listed below are links to blogs that reference Payments Stakeholders: Can't We All Just Work Together?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

January 26, 2015


Tackling Fraud with Data

As the dust settles on the 2014 retail holiday season, it isn't surprising to learn that e-commerce was once again the winner. ComScore reported that online holiday spending through December 21 was $48.3 billion, a 15 percent increase over 2013. And there is nothing to suggest that this growth trajectory will flatten. While these trends are encouraging for online retailers' sales departments, they must be challenging for their fraud and loss prevention teams. According to the 2013 Federal Reserve Payments Study, card-not-present fraud rates were approximately three times higher than card-present fraud rates in 2012.

Just before the holiday shopping season, CyberSource released its 15th Annual Online Fraud Management Benchmark Study This 2014 study reveals that merchants improved order conversion through lower rejection rates while keeping their fraud losses stable. Naturally, I was curious about the tools that yielded these results and wondered to what extent they might have changed. Using CyberSource's 2012 study to compare, I found some surprises.

In 2012, validation tools were used the most—79 percent of merchants used a card verification number and 77 percent used address verification. Of the merchants who did not use these tools, 81 percent indicated they planned to implement a card verification number and 61 percent planned to use address verification. While merchants can implement these tools with little cost, their effectiveness, according to the surveyed merchants, is limited.

Given the 2014 report's positive findings, coupled with the expected very high use of card verification numbers and address verification reported in 2012, I was expecting merchants to rate the effectiveness of these tools higher. Interestingly, even though these validation tools remained the most prominent, their usage did not increase as expected, despite the number ofmerchants who planned to implement them following the 2012 study. And there was not a significant increase in their reported effectiveness.

Here's what did change: the use of proprietary data tools such as customer order history, in-house positive and negative lists, and company-specific fraud scoring models. Purchase device tracking tools, such as fingerprinting, also saw an increase in usage, though not as large of an increase as the proprietary data tools. And it is these tools that, generally speaking, are rated as the most effective fraud management tools by the merchants surveyed.

The 2014 study highlighted improved fraud management. I have several of my own highlights. Merchants appear to be more apt and capable of leveraging their own data today than the preceding several years. And they are finding that using this data is more effective in combating fraud than traditional validation services. I think it's important to note that only two tools (device fingerprinting and a fraud scoring model) were selected by more than 50 percent of merchants as most effective. Even though traditional validation services are still highly used and useful, no single tool is a panacea for fraud management. A layered approach using multiple tools and data elements is critical for success. I suspect this trend of merchants using their own customer data to manage CNP fraud will continue. I also expect that data-centric tools will become more effective as merchants become more sophisticated with data analysis.

What is your view on the future role of proprietary data in CNP fraud management?

Photo of Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


January 26, 2015 in cards, fraud, online banking fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b7c73f1e40970b

Listed below are links to blogs that reference Tackling Fraud with Data:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 20, 2014


Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?

Portals and Rails recently embarked on a series of posts on tokenization. In the first installment, we defined tokenization and distinguished between a merchant-centric enterprise tokenization solution and payment tokens generated as an issuer-centric end-to-end solution. In the second installment, we examined several different attributes of the issuer-centric end-to-end token initiatives currently under way and considered their impact on mitigating risk. In this post, we examine the shortcomings of end-to-end token initiatives and question if they are really a coup in mitigating risks in today's environment.

The goal of payment tokenization is to substitute sensitive data—such as account numbers, expiration dates, and security codes—that criminals can use to extract monetary value with surrogate values that lack monetary value. In light of the number and depth of recent data breaches, tokenization seems like a grand idea—let's get data that fraudsters can use out of the payment transaction flow and the merchants' systems.

But current uses for these end-to-end initiatives are limited to card-on-file transactions for in-app or e-commerce payments and mobile proximity payments. I know you have to start somewhere but, in the near future, only a small percentage of transactions will use tokenization. These end-to-end initiatives are solid solutions, but are currently extremely limited. Thus, there will be a continued need for the industry to use a variety of methods to fight fraud, including the merchant-centric enterprise tokenization solutions the first installment discussed.

And isn't the point of the significant EMV investment currently under way to mitigate risks associated with counterfeit cards using compromised card data? In other words, it should render compromised card data useless. But I am hearing the EMV naysayers claiming that, in an EMV world, data compromises will still take place and, while fraudsters may not be able to counterfeit cards, they can still use that data to shop on the Internet.

Those naysayers are correct.

But let's circle back to the use cases for the current issuer-centric end-to-end token initiatives. Is tokenizing payment data for card-on-file and mobile proximity payments really going to have a material impact on preventing card-not-present fraud? Are these tokenization efforts really the best solution for this challenge? It could be many years before we regularly use our mobile phones for proximity payments. I am confident that we will be using chip-enabled cards for a significant number of transactions within two to three years. Would it be wiser to rely on solutions that leverage the chip or other security features of cards? Or maybe it's time we realize that cards weren't designed for card-not-present uses and place a higher priority on the broader adoption of existing and emerging non-card-based payment solutions in a multi-layered security approach.

Unfortunately, I do not have the answers. But these questions and topics will certainly be discussed during the upcoming Securing Remote Payments conference that the Retail Payments Risk Forum and the Secure Remote Payment Council is hosting. If you are interested in attending, please reach out to us. We will be in touch with more details.

In the next installment in this series, we'll look at new security and operational risks introduced with these token initiatives.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed


October 20, 2014 in cards, data security, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d080b04d970c

Listed below are links to blogs that reference Let's Talk Tokens, Part III: What Problem Does Tokenization Solve?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 15, 2014


Let’s Talk Token: Authenticating Payments

It's challenging to have a conversation about EMV cards—cards with chip technology—given their well-documented fraud-mitigating shortcomings, without diving into a conversation on tokenization. And these conversations just intensified with Apple announcing the use of tokenization with its soon-to-be launched mobile payment application. Tokenization of payment card data can provide an additional layer of security to EMV cards for in-person payments and mitigates fraud risks that these cards don't address in the non-face-to-face environment.

I recently spoke at a forum on EMV cards, where it became evident to me that there is a high degree of confusion in the payments industry, especially within the merchant community, about tokenization. Currently, multiple standards initiatives around a new tokenization framework are under way, so Portals and Rails is embarking on a series of posts on tokenization. In this first installment, we define tokenization and distinguish between tokens generated within the merchant's environment (an enterprise solution) and payment tokens generated as an end-to-end-solution. A future post will compare the various payment end-to-end tokenization initiatives that have been announced to date.

In the data security and payments environment, tokenization is the substitution of sensitive data with a surrogate value representing the original data but having no monetary value. For payment cards, tokenization refers to the substitution of part or all of a card’s PAN, or primary account number, with a totally randomized value, or token. A true token cannot be mathematically reversed to determine the original PAN, but a token service provider in a highly secure environment can subsequently link it to its associated PAN.

Tokenization of payment credentials has been around since the mid-2000s, driven primarily by the issuance in 2004 of the Payment Card Industry Data Security Standard (PCI-DSS), which defines merchant requirements for protecting cardholder data. Merchants historically stored PANs for a variety of reasons, including to use in settlement reconciliation, perform incremental authorizations, handle chargebacks, and identify cardholder transactions for loyalty programs. With tokenization, merchants can remove PANs from their data environment and replace them with tokens—and thereby reduce their PCI-DSS compliance requirements. However, this enterprise solution still requires that the PAN enter the merchant environment before the tokenization process taking place.

Under the tokenization initiatives currently under way from the Clearing House and EMVCo, a financial institution would issue a token replacing a cardholder's PAN to the person's mobile handset, tablet, or computer device before initiating a digital payment transaction. So the merchant, rather than receiving the cardholder's PAN for initiating a transaction, would receive a token value associated with that PAN, which would then be de-tokenized outside the merchant's environment to obtain the necessary authorization and complete the transaction. The merchant never has knowledge of the cardholder's PAN—and that is a significant difference between these tokenization initiatives and the enterprise solution related to handling payment credentials.

The Clearing House's and EMVCo's concepts for payment tokenization are similar in many ways, but they also have differences. A future post will delve into the end-to-end tokenization initiatives and consider the impact on mitigating risk in payment transactions.

Photo of Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 15, 2014 in cards, chip-and-pin, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01b8d068d564970c

Listed below are links to blogs that reference Let’s Talk Token: Authenticating Payments:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

June 09, 2014


Magic 8 Ball, Will We Ever Be Cashless?

Predictions of a cashless society have been broadcast sporadically throughout the decades. It became a popular concept in the United States in 1965 when Thomas J. Watson Jr., CEO of IBM, said, "In our lifetime, we may see electronic transactions virtually eliminate the need for cash." Watson believed, or hoped, that the newly released IBM mainframe computers would revolutionize financial transaction processing and make carrying cash unnecessary. Later that decade, the concept was expanded to a checkless/cashless society, with some predicting that both payment forms would be extinct by the 1980s.

Despite consumers' growing use of cards and the emergence of the ACH system, the cashless society concept took a bit of a detour during the 1980s and 1990s—ATMs and shared EFT networks proliferated, both offering tremendous convenience and making it very easy to distribute currency. When card-based point-of-sale (POS) programs also emerged, they offered an alternative to currency and checks, while also increasing the convenience of currency by allowing cash-back transactions. This expansion of currency convenience took place even as consumers were being warned of the dangers of coin and currency—the germs, the cocaine residue, the increased chance of robbery, and so on. Certainly this was a more intense negative campaign than the spontaneous combustion danger my mother warned me about when I was young. I'd received some birthday money that I was anxious to spend, and she declared that the money was "burning a hole in your pocket."

While the central banking authorities of some countries such as Sweden and Nigeria have announced a goal of moving to a less-cash society, consumers in the United States are seemingly moving in the opposite direction, as evidenced by some recent San Francisco Fed research. Researchers examined the data from the 2012 Diary of Consumer Payment Choice (DCPC) study by the Boston, Richmond, and San Francisco Federal Reserve Banks. The San Francisco Fed research included these key findings

  • Cash remains the most-used form of payment, accounting for 40 percent of payment transactions.
  • Cash is generally used for lower-value transactions. The average value of a cash transaction was only $21, compared with $168 for checks and $44 for debit cards.
  • Cash is used most often in gift and P2P (or "person-to-person") transfers, with food and personal care supply purchases second (see the chart).
    Figure 4: Payment Instrument Shares, by Spending Category
  • Contrary to the conventional wisdom of millennials' love for all things electronic, 40 percent of 18–24 year olds prefer cash over all other payment methods—the highest percentage of any age group.

Yes, card, ACH, and other electronic transactions are continuing to increase and gain larger shares of the overall consumer transaction mix while check usage remains in a steady decline. Despite the dire outlook for checks, my colleague Doug King pointed out in a recent post that check usage among P2P users actually increased, according to the latest Fed payments study. My Magic 8 ball is predicting that coin and currency are going to be around for quite some time. What does yours say?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 9, 2014 in cards, checks, currency | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a3fd1ade46970b

Listed below are links to blogs that reference Magic 8 Ball, Will We Ever Be Cashless?:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

April 14, 2014


Danger Ahead! ATM Cash-Outs

The Federal Financial Institutions Examination Council (FFIEC) issued a warning in April to financial institutions about criminals continuing to launch attacks against ATM and web-based card management systems, especially those of small- to medium-size financial institutions (FI). Dubbed "unlimited operation" by the U. S. Secret Service, this type of attack can saddle a financial institution with fraud losses in the millions of dollars. As we highlighted in a post from last May, a bank in Oman experienced this type of attack in late 2012, which resulted in a loss to the bank of almost $40 million. Imagine the impact of a loss of that magnitude to a small to midsized FI.

These attacks are especially concerning for a number of reasons. First, the criminal organizations that carry them out are highly sophisticated and well-organized, and they have an international reach. The Oman attack included a money mule network across 26 countries—including the United States—performing more than 36,000 withdrawals in a 12-hour period.

Second, unlike typical counterfeit card fraud attacks that involve a large number of accounts, the criminals behind the card management system frauds need to compromise only a small number of card accounts. The attack that resulted in the $40 million loss involved only 12 accounts. Early in this type of operation, the criminals generally obtain the PINs of the cards for these accounts by conducting some sort of covert surveillance (pinhole camera or shoulder surfing). They then counterfeit the cards using those PINs.

Third, the attacks are generally timed to take place around holidays, when bank, IT, and fraud monitoring staff levels are low.

Fourth, the criminals get remote access to the financial institutions' card management systems to reset account balances and card withdrawal parameters. They can then use the counterfeit cards over their pre-established transaction limits or balances and drain the ATMs of all cash. The criminals usually obtain access to FIs' networks using e-mail phishing schemes that target processor or network employees. Through gullible employees, malware is loaded onto the network that later gives the criminals access to the FIs’ card management systems.

Major online networks now have transaction velocity monitoring capability, which detects a high number of transactions on an individual account. This approach is necessarily only a secondary and reactive measure, not a preventive measure.

FIs should immediately address the risk mitigation steps that the new FFIEC warning outlines. Because the vast majority of small to midsized FIs depend on third-party processors to run their card management systems, it is imperative all FIs verify that their processors have the controls and safeguards in place to prevent such attacks, and they should insist on seeing validation of those controls.

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 14, 2014 in ATM fraud, cards, cybercrime, fraud | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a5119e4e38970c

Listed below are links to blogs that reference Danger Ahead! ATM Cash-Outs:

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

October 07, 2013


Fraud Happens. So What Do You Do?

As both a data junkie and someone interested in payments fraud, I must admit that I am envious of my colleagues across the pond in the United Kingdom. The Financial Fraud Action UK recently released Fraud the Facts 2013, its annual report providing insight and data on payments fraud in the U.K. financial services industry. Unfortunately, no such report exists in the United States.

This year's report drives home two key points that were discussed at our July 31 Improving Customer Authentication forum. First, the enrollment process is a critical initial step in securing transactions. Enrolling a fraudster can only result in fraudulent transactions. Second, consumer education remains an important aspect of mitigating fraud—a topic we at the Risk Forum have written and spoken on extensively. Despite the fact that the United Kingdom uses the EMV standard—which is based on chip card technology—overall payment card fraud increased by 14 percent from 2011 to 2012. Among its many insights, the report reinforces the idea that EMV adoption alone will not keep fraud from occurring.

Aside from the usual suspects of card-not-present (CNP) fraud and cross-border fraud in non-EMV countries, the report mentions two other contributors to payment card fraud growth that captured my attention. One, card ID theft fraud, which includes application fraud (using stolen or fake documents to open an account) and account takeover fraud (using another person’s credit or debit card account by posing as the genuine cardholder), increased by 42 percent from 2011 to 2012. Two, criminals have resorted to using "low-tech deception crimes" to convince consumers to part with their cards, PINs, and passwords.

The important takeaway I got from this report is that no matter the technology or standard used on payment cards, it remains critical to keep personally identifiable information protected and to continue to educate consumers about sound payment practices. The industry could use the most sophisticated and secure solutions to authorize and authenticate transactions, but those sophisticated, secure solutions can do very little to prevent the use of accounts established fraudulently.

Criminals are exploiting weaknesses in both the enrollment process and consumer behavior. These weaknesses are not something a chip-embedded card can solve.

So what tools can and should the industry use to prevent a criminal from using a stolen or synthetic identity to open an account? Do you think information available through social media could play a role in this process? We would value your thoughts.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

October 7, 2013 in authentication, cards, chip-and-pin, EMV, identity theft | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019affd3f992970b

Listed below are links to blogs that reference Fraud Happens. So What Do You Do?:

Comments

While everyone is focused on the water main, there are millions of slow, steady fraud drips that aren't getting any attention: call center transactions.

Just started a subscription yesterday and read my CC# to some faceless agent in some unknown call center. Did she write it down? The call was recorded. Are the quality monitoring people writing it down and selling it?

There are solutions readily available. They are simple. They are cheap. They work. But there is no hue and cry to use them...from consumers, from banks, from regulators, or from businesses.

Until known solutions to known and supposedly big problems are implemented, the hand wringing about fraud is beginning to look like a Potemkin Village...a veneer of concern with nothing behind it.

Posted by: Dennis Adsit | October 21, 2013 at 12:12 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

September 24, 2013


Using Analytics to Improve Credit Quality

With consumer credit products such as mortgages and payday loans occupying headlines, credit card portfolios have been quietly and steadily marching towards improvement in quality over the last three years, according to data released by the Fed’s Board of Governors. As the chart shows, seasonally adjusted charge-off rates are down to 3.9 percent, and delinquency rates are at 2.6 percent for the largest 100 commercial banks in the United States, the lowest rate since the Federal Reserve began tracking this statistic at the start of 1991.

Credit Card Charge-Offs and Delinquency Rates: Top 100 US Commercial Banks

But how have credit card issuers been able to improve the quality and profitability of their card portfolio since the severe economic impact felt by all during the recession? One of the many tools the Board identified—and one cited by portfolio managers—is the increasing use of analytics. Issuers collect and comb vast amounts of data from a variety of sources to ensure that cardholders are equipped to manage their balances.

Credit issuers use analytics for a variety of purposes, including establishing credit limits, monitoring ongoing credit quality, targeting marketing efforts, and detecting fraud. They perform analytics at the individual cardholder level—looking at credit history and purchasing patterns, for example—as well as at the customer segmentation level to identify correlations between certain data elements and indicators of potential changes in credit quality. The increased power of these analytical tools over the last decade is due primarily to the incredible advancements in data collection and analysis technology. These advances have provided issuers with the ability to run sophisticated "what if" models to determine how changes in various key attributes of cardholders or in the overall economic environment will affect the quality of their portfolio.

Clearly, many of the issuers have taken other proven steps to improve the credit quality of their portfolios: they’ve reduced credit lines and increased payment monitoring management for existing accounts during and after the recession. And they applied more stringent credit policies, making it more difficult for new applicants to be approved (or likelier to be approved at lower credit limits than they would have been before). These are all sound risk management techniques. But data analytics has been a very powerful additional tool, allowing issuers to make huge strides in ensuring ongoing credit quality.

How are you using increased technology capabilities to improve your risk management capabilities?

Photo of David LottBy David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

September 24, 2013 in cards, debt, innovation, payments study | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c019aff958780970c

Listed below are links to blogs that reference Using Analytics to Improve Credit Quality:

Comments

Data and analytics can provide a competitive advantage for financial institutions (FIs) of all sizes. Sophisticated models can lead to better decisions and improve your institution's risk management, marketing, price optimization, offer optimization, and more. Arguably, the most important area is risk management. FIs need to find their happy median for risk. Effective decisioning won’t be profitable if high-risk customers are approved for too many cards or approved for credit limits that will overreach their ability to pay, but FIs also don’t want to necessarily turn a consumer away due to an address discrepancy. The FIs that can most effectively leverage their data and analytics will gain the competitive edge. It appears many credit card issuers have already figured this out.

Posted by: Christina Lysacek | October 21, 2013 at 02:53 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

February 11, 2013


Is Growing Fraud Really a Catalyst for EMV?

My payments news feed has been filled with a heavy dose of EMV-related news these last few days. Take the January 2013 article from the American Banker that looks at the incidence of increasing fraud losses as the United States continues to lag on the implementation of EMV chip cards. This one especially caught my attention given that I had written a paper on this topic early in 2012.

In recent SEC filings, both Discover Financial Services and Capital One reported significant increases in fraud losses. Based on calculations using figures from Discover's latest annual report, its fraud rate on sales volume increased from 4.8 basis points in 2010 to 7.2 basis points in 2011, and reached 8.8 basis points in 2012. Because of our nation's continued reliance on magnetic-stripe cards, "we are the weakest link around the world," according to one analyst. According to another, "the fraud comes here." Given this trend of rising fraud losses, is fraud finally becoming a bigger part of the business case for EMV with card networks' liability shifts for counterfeit fraudulent transactions a little more than two years out?

I don't think that it is. While the American Banker article, and even my paper, paints a somewhat discouraging picture of the fraud situation, the fact remains that fraud is but a small, albeit growing, expense on an issuers' income statement. For example, Discover reported $93 million in fraud losses for 2012, or roughly $8 million more than it spent on postage. By comparison, net charge-offs from credit card debt cost them over $1.2 billion in 2012 and as much as $3.7 billion in 2010. Fraud risk as measured by fraud losses is just "another expense" to issuers while credit risk, measured by credit losses, has one of the largest, if not the largest, negative impact on an issuers' bottom line. Is it possible that fraud losses will have a larger negative impact further down the road? Absolutely, and I think they will. I also recognize there are other "soft costs" associated with card fraud in terms of cardholder inconvenience and overall payment safety perception.

Further, EMV does not address the entire fraud loss problem. It's no secret by now that while EMV has been excellent at reducing face-to-face fraud, card-not-present (CNP) fraud continues to rise because EMV does not effectively prevent it in today's online environment. For example, since the rollout of chip-and-PIN in 2008 in Canada, CNP fraud increased from C$128 million to C$259.5 million in 2011. This is another example of fraud moving to the weakest link in the payments chain. Ultimately, EMV as it exists today only solves part of the fraud equation. Until a cost-effective and consumer-friendly CNP fraud reduction solution gains traction, I believe a business case for EMV built around fraud losses will remain difficult to build. For some, the costs to implement EMV may be viewed as an insurance policy against a widespread compromise of the mag-stripe technology.

It has been more than 17 months since Visa announced its EMV U.S. migration plan and a year since MasterCard announced its EMV "Roadmap." Still, issuance and acceptance of EMV cards remains tepid, if that, here in the United States. With a little over two years until the first liability shifts for the U.S. are scheduled to take place in April 2015, issuers will need to make EMV migration decisions soon if they intend to take advantage. But is the business case there currently?

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 11, 2013 in card networks, cards, chip-and-pin, EMV | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c017d40f3aa2f970c

Listed below are links to blogs that reference Is Growing Fraud Really a Catalyst for EMV?:

Comments

My view on EMV is that it is a fundamentally more secure payment vehicle than typical magnetic stripe cards - plain and simple.

There are many benefits outside of just fraud savings. Consider missed transactions that international travelers might incur with a traditional card. Aite analysis reveals that card issuers missed out on $4 billion in charge volume in 2008 because of problems cardholders had with their cards while traveling abroad.

Then there is consumer perception. Ask a consumer today if he/she would like to own a car without air bags? The answer is likely no. The same is likely to hold true for EMV cards. If I have two options, traditional or EMV, I'm likely to choose EMV because it's safer. We all need to protect and enhance the consumer experience.

One cannot accurately predict future fraud costs with any degree of certainty. The pie for fraudsters is getting smaller, and if I'm a bank or credit union I don't want to be in the cross-hairs, especially if those vulnerable are getting smaller. CNP fraud is escalating. The payments industry will need to solve for that.

Chris Slane, VP, Business Development, Quatrro Processing Services

Posted by: Chris Slane | February 28, 2013 at 07:41 AM

Excellent article. One that takes the credit card fraud issue head-on and establishes that issuers and merchants have more serious issues to worry about than controlling fraud. I also found @MikeB's comment - especially the part about "issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most" - very sensible.

Posted by: Ketharaman Swaminathan | February 17, 2013 at 12:41 PM

I think you need to add other costs in (eg, PCI-DSS compliance and fraudulent portion of charge-offs) to obtain the correct cost/benefit calculation.

Posted by: Dave Birch | February 15, 2013 at 02:26 AM

Douglas,
Very interesting article and I agree that it appears that the EMV benefit is perhaps not worth the industry expense particularly if you're also shifting fraud from CP to CNP. In addition, it seems that here in the US, we're poised to move to new payment technologies such as Digital Wallets, NFC and/or Bar-codes that are more inline with the American customer, who I'm sure won't want to slow down at the point of sale to put in a PIN number on a Credit card transaction.

We conducted trials in the UK last year that I believe get to the issue that matters most for consumers and that is False Positives and the need for their cards to always work, particularly for when they need them most. By using Location-Based Analytic, we saw a 55% reduction of false positives while at the same time seeing a 30% increase in fraud detection . All of this in a non-intrusive manner, allowing the consumer the convenience of just swiping their card and moving on.
Mike

Posted by: Mike Buhrmann, CEO Finsphere | February 12, 2013 at 02:11 PM

Fraud may continue to be manageable from a cost perspective, but it is ultimately damaging to the user experience and the network brand experience. Consumers are increasingly frustrated by dealing with fraudulent charges (even with zero liability), receiving notices that their accounts are being breached, receiving re-issued cards, and having to re-configure their automatic payments. The networks are the ones pushing EMV because ultimately it's confidence in their systems that is taking the hit.

Posted by: Aaron Press | February 11, 2013 at 04:26 PM

Your comments raise an interesting question, namely, how much of what banks allocate as net charge-offs are actually fraud losses - especially in cases of account takeover fraud. The bad guy gains access to an account, changes the address, runs up a huge balance and bolts. As these balances get stale, the bank can either categorize them as fraud or simply charge them off.

Posted by: Chip Wickenden | February 11, 2013 at 10:23 AM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


July 2015


Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31  

Archives


Categories


Powered by TypePad