Visa note the easiest fraud is to buy a Rolex

We had a very enjoyable and engaging dialogue with Peter Bayley, Executive Director of Fraud Management for Visa Europe at the Financial Services Club London last night.

Peter spoke for over an hour in an interactive discussion about the role of Visa in managing fraud, who is accountable for losses, the impact of current and future regulations such as the Payment Services Directive 2 and more.  Unfortunately, it’s far too much information for a quick blog entry so I’m just going to pick on one point: fraud metrics.

Peter talked about the cycle a bank goes through in setting up their fraud methodology.

Frist, they set a level of acceptable risk for the bank in terms of fraud losses.  Let’s say that it’s 0.05 basis points of transactions.

Then the bank creates a fraud prevention strategy targeted at maintaining fraud at that level and below.

Once the fraud strategy is created, it is then monitored through fraud detection, occurrences of fraud instances and tracking of fraud events.

These fraud occurrences are then fed into the metrics of the bank and monitored for adjustment.

Finally, the bank on a regular basis – in Santander, Peter did this weekly – reviews fraud occurrences and resets and rebalances their risk and prevention approaches accordingly.

It’s all about a balance between acceptable and unacceptable losses although, for most fraud managers, it is a lose-lose situation.  You lose if you allow too much fraud to occur and you lose if you piss off the customer.  One way or another you will achieve one of these too instances to occur – too many frauds and controls are tightened irritating the customer; pleasing the customer by relaxing controls allows too many frauds to occur.

This is why data is so critical in a fraud operation.

The quality of fraud detection data metrics is the key, according to Peter, to having an effective fraud management approach.

What metrics are key here?

Here are a few areas he cited:

Financials and fraud:

• What are the losses as a percentage of total transactions and in total £’s lost?
• Where and how did they occur?
• What was the cost of repudiations and chargebacks?

 Detection:

• Levels of false positives and false negatives
• Impact on customer satisfaction
• Value levels for fraud triggers to occur

Operations:

• The Service Level Agreements between processors, issuers and acquirers
• The cost to process and time to process fraud analytics
• Resources required versus levels of efficiency and effectiveness

Customer Experience

• Overall customer satisfaction levels
• Level of complaints about service due to fraud blocks
• Impact upon actual customer engagement re account switches or other actions

Peter listed many more covering business impact, law enforcement, autopsy, projections and the change agenda set as a result, but it demonstrates that fraud analytics is a critical area in business activity monitoring for any bank, processor or institution.

After all, you end up with a dashboard of metrics in real-time that trigger events and actions based upon breaking different alert levels.

If detection levels are not working well enough as a percentage of total fraud, or if too many customers are being blocked from processing real transactions (false positives), then the company can act and act fast.

It is that business agility to act upon fraud analytics that is key to banks and processors.

Then you get into the realisation that this is not just a single institution acting against fraud, but multifaceted layers of fraud at each level:  from Visa’s capability to identify suspect transactions in real-time; to the regional and domestic processors ability to do this; to the real-time analytics of the bank issuers and acquirers.  Equally, the cost of this multi-layered protection is one major reason for justifying some of the interchange fees incurred in the process.

We didn’t get into the interchange implications, but my feeling is that too often the regulators and politicians really do not understand this complex process of real-time dashboard in a multi-layered approach that are all there to protect the consumer and the merchant.

Without such multi-layered security, who is liable for the losses?

Well it’s not the cardholder, bank or processor more often than not, but the merchant and, considering this is an industry that grew up in the days of purely domestic commerce using paper trails, the card processing industry isn’t doing a bad job of keeping up with today’s cybercriminals.

How can I say that?

Because the average figures for fraud appear to be monitored around just that level I mentioned earlier: 0.04 basis points of total transactions.

That’s acceptable for now because it’s one of the lowest levels ever traced in the payments processing arena.

Meantime, the lowest levels of fraud are where Chip & PIN is used, closely followed by 3D Secure.  The highest levels of fraud are not Cardholder Not Present (CNP) but mag stripe fraud.

In fact magnetic stripe card fraud is running at about twice the level of CNP and beats Chip & PIN fraud by a factor of almost 40:1.

All very interesting and educational.

And the part that made me the most surprised was the ending, where Peter referred to the latest fraud scams and said that one of the most common is where someone is telephone out of the blue by their local police.

The police politely inform the person that one of their local shops, a jeweller for example, is trading in stolen goods but they have not got the evidence to prove it. Would the householder mind going to that jewellers tomorrow and buying a Rolex for £15,000 so that they can check if it’s stolen and bring the case to court?

Amazingly, many people are so gullible that they actually do this. They go to the jeweller at an agreed time, buy a Rolex with their card, walk out and give it to the person who claims to be from the police who thanks them, bags the evidence and disappears.

Not a fraud by the way, just an poor sucker who got hustled.

What is the time by the way?  Oh no!