Payment Expert caught up with Sune Gabelgård, Head of Digital Fraud, Intelligence & Research, Nets, as he detailed how he believes combating fraud will evolve in the year ahead, as well as why the role of data will be crucial.
Payment Expert: Firstly, can you tell us more about how you feel fighting fraud will evolve and how important it is the industry adapts to this evolution in 2020?
Sune Gabelgård: As consumers increasingly live and spend in the digital world, criminals are following. Digital crime today is highly organised. Digital skimming, for example, is now being packaged and sold as a service on the dark web, enabling criminals to commit advanced types of fraud with little specialist knowledge.
One problem with the current landscape is that regulations like Strong Customer Authentication (SCA) do not stop payment fraud; they simply encourage it to migrate between departments and regions. In reality, criminals will react to the EU legislation by changing their modus operandi. In the long term, they will develop new, more advanced tactics that will enable them to resume targeting European consumers and merchants once more.
In my role at Nets, we were seeing criminals preparing for and testing how they will commit fraud in a post-PSD2 world, using shell companies and sophisticated social engineering, as early as January 2018.
It is crucial that the banking and payments industries adapt and take a proactive approach to fraud prevention, as the total value of fraudulent transactions annually has now reached €1.8 billion, according to the latest European Central Bank (ECB) report.
Payment Expert: How pivotal do you believe the correct utilisation of data will be in the battle against fraud?
Sune Gabelgård: Fundamental. When it comes to fraud prevention, data underpins everything.
Fraudsters use the same services that are used by genuine card holders when committing fraud, for a simple reason: if an ecommerce merchant was used solely for fraudulent transactions, it would be identified and shut down very quickly.
To evaluate whether a transaction is fraudulent or not at the most accurate rate possible, financial institutions need access to the entire ISO standard for all previous transactions, including sender and recipient identifiers, a timestamp, transaction amount, currency, card type, input method and merchant category code (MCC) – just as a starting point.
In addition to the basic information on historic transactions, it is also essential to know whether any of these transactions were fraudulent or not, to enable comparison with the transaction in question.
It would be easy to prevent fraud if there were some straightforward pieces of evidence (or ‘features’, as they are called in the machine learning community) that separated fraudulent transactions from legitimate ones. Unfortunately, that is not the case – leaving fraud prevention teams with the challenge of finding multiple features.
Payment Expert: What can financial institutions do to gain a greater understanding of how fraudsters adapt to new legislation?
Sune Gabelgård: They can recognise the cyclical nature of fraud prevention. Instead of playing catch up with fraudsters, it’s time for financial institutions to get ahead of the curve by focusing their efforts upstream in the value chain.
The most effective way for banks to do this will be to analyse the data available to them using cutting edge machine learning processes and algorithms, and acting on the insights created in real time.
The good news for issuing banks and payment processors is that, once they do adopt a new approach, they are starting at an advantage. They hold vast amounts of data on billions of payment card transactions, from sender and recipient identifiers to MCC, card type, input method and more. All of this data can be extracted for analysis and leveraged in the fight against fraud.
Payment Expert: Do you anticipate the enhancement in verification technology and security methods this year?
Sune Gabelgård: I feel confident that the collection of data over the past few years – this year more than ever – will be used to ensure a frictionless customer experience.
Financial institutions have always collected data about their customers; now it is time to start utilising this data for non-commercial initiatives like supporting and securing the customer journey. This approach is crucial for financial institutions to create customer stickiness, face the competitive landscape and rival new players entering the world of open banking.
Data leads me to the next anticipation, in the past the approach to combating financial crimes has been chasing known modus operandi and establishing feedback loops. This year we will see verification and security methods starting to include anomaly detection, based on a very granular understanding of the individual’s normal behaviour.
This approach will be fuelled by all the hard and expensive learnings from projects including machine learning, neural networks, supervised and unsupervised machine learning and all other elements that fall under the umbrella term of artificial intelligence.
For financial institutions and service providers like Nets, who are successfully increasing the detection rates and reducing the number of successful fraud cases, 2020 will bring a new exciting challenge in also bringing down the number of false positives to create an even better customer experience.
Payment Expert: Why will investment in data and AI become increasingly imperative for the sector in the battle against fraud?
Sune Gabelgård: AI’s importance is growing because humans cannot compete with computers when it comes to data interrogation. This is why AI holds so much potential – it presents an opportunity to analyse and act on patterns too complex for the human brain to even identify.
The modus operandi for traditional fraud prevention decision engines has been for humans to create rules in the ‘If X and Y, then Z’ format. The decision engine has two possible courses of action if a payment is flagged – either it declines the transaction, or it allows it but raises an alert to a team of monitoring agents, who manually review the data and take appropriate action.
This does work, but requires hundreds of rules to be effective. It is also highly labour intensive, and therefore costly, to create and maintain these rules, balance fraud prevention with the number of false positives, and maintain a stable stream of alerts for the agents to review. Another challenge facing traditional rule-based systems is that a transaction that almost triggers several rules, but does not actually trigger any, will not be flagged by the system.
Further complicating fraud prevention efforts is the increased use of multiple different third-party providers for payment solutions by ecommerce merchants. If just one of those third-party providers is compromised, then subsequently only a subset of payment cards used at that merchant will be compromised. Worse yet, there might not be any data available to the transaction processor that can differentiate between compromised and non-compromised payment cards.
This makes traditional fraud prevention tactics, such as preventively blocking cards suspected to be compromised, undesirable, as too many cardholders will be affected – many of whose card details will not have been compromised at all. This is an area of significant concern for merchants in particular, as 26% of cardholders have reduced their patronage of a merchant following a false decline, and 32% stopped shopping with the merchant entirely.
The only alternative to the traditional approach that addresses all the challenges above, including dramatically reducing false declines, is artificial intelligence – specifically, the use of decision trees.