We live in a time of great convenience for many customers and businesses: according to PWC, a possible 20 per cent of online transactions in the UK took place on mobile devices in 2018. But while double-clicking our iPhone’s Home button is a quick and effortless way to pay for our morning coffee, the consequences of this convenience are disproportionately serious.
Simply put, digital payments are the reason behind rising fraud rates. The more transactions we carry out online, the more data we make available for criminals. In turn, this can fund organised crime as serious as terrorism, drug trafficking and people smuggling.
The EU is stepping up its data protection regulations, with the introduction of GDPR in 2018 and PSD2 this year. In this article, we not only do some jargon-busting on these acronyms, but also explore how these regulations might adversely affect the ecommerce ecosystem by helping criminals carry out their digital dark deeds. In this new regulatory environment, it’s essential that business leaders educate themselves so that they can do all that is possible to protect their customers and companies.
GDPR and PSD2: new legislative defences against fraud in the EU
GDPR was brought in across the EU in 2018 to place control over personal data back into the hands of consumers. Among other clauses, GDPR ensures they can request to see any data that firms have on them and demand it be deleted, known as the ‘right to be forgotten’.
On top of GDPR, PSD2 will come into effect in the EU in September 2019 as a response to the digitalisation of the European economy and the growing number of online-only platforms offering consumers financial services. The idea behind PSD2 is to simultaneously improve security and encourage competition in the fintech ecosystem – such as by obliging banks to open up their APIs (application programming interfaces) to third-party payment providers. Digital banks and app-based payment services are going to flourish more than they do now as a result.
In theory, this is a step in the right direction and a piece of legislation fit for the modern world. However, GDPR and PSD2 could open up many companies to the risk of global fraud – and make it harder for them to fight it.
The case against: legislative loopholes and missed marks
Today’s online payment ecosystem is highly complex – and so while created in the name of healthy (and secure) competition, some of this regulatory protection might not work in businesses’ favour.
One fraud risk associated with GDPR is that criminals can request that their data is deleted from online businesses, then turn to other ones with all of their history removed. With a blank slate, fraudsters can more easily beat fraud detection, which often relies on previous history to identify criminals. What’s more, GDPR places restraints on data sharing, which hampers businesses’ ability to share data on fraud with each other. As a result, it is more difficult to warn competitors against fraud attacks.
Lastly, GDPR and PSD2 are both EU-only. Companies must be wary of transactions coming from outside Europe – as data stolen elsewhere could still be used for fraud within the EU.
Machine learning and human intuition can close the gaps
Fraud protection in this digital payment landscape was never going to be an easy task. As more services become digitalised and fraud becomes more sophisticated, solutions have to evolve to keep pace. Your firm needs to be able to go beyond the obvious, to spot and flag patterns across disparate data points which, together, may point to fraudulent behaviour. Only with this level of sophistication is it possible to identify criminals who, post-GDPR, can repeatedly wipe their slates clean and move their scams elsewhere. Global firms, meanwhile, need solutions of their own which comply with regulations such as GDPR and PSD2 but go further – such as by mounting an additional defence against fraud coming from outside the EU.
Sophisticated fraud defences require human expertise to spot hidden patterns while deploying machine learning to crunch through swathes of data. Machine learning alone could mark fraudulent transactions as safe, if they seem to come from existing or previous customers which may have had their data stolen. That’s why human intuition is also required. But as the number of online payments grows exponentially, machine learning must be brought in to deal with the pure scale of transactions that modern businesses have to cope with.
As payment services are increasingly digitised, it is easier and more common than ever to use FS platforms without even interacting with another human being. This is a gift to convenience-loving customers – but also to the fraudsters. Only by combining machine learning with human intuition is it possible to spot and flag criminal behavioural markers on a vast scale. This is, by far, the best way to comply with these new regulations – and much more importantly, to protect both your company and your customers in equal measure.
Rafael Lourenco, Executive Vice President, ClearSale