The importance of global standards for fintech is founded in creating a trusted and safe space for transacting in a next generation eCommerce world. Up until now, there have not been any adequate benchmarks for minimum security controls, and this has led to significant abuses by fraudsters – even when it comes to some of the most trusted brands in the fintech world. The balance of customer experience and security is critical in any new product launch, but in many cases chasing user adoption and gaining customer traction have been prioritised by fintechs.
However, given the security gaps that fraudsters continue to exploit, we must redress the balance. What a strong consortium approach could bring is discipline to the ‘wild west’ of fintech: Universally accepted approaches for strong customer authentication, reference data points and core controls to prevent excess fraud or abuse; and minimum standard technologies that should be applied to transaction monitoring to ensure the legitimacy of authorised customers.
Up until now, the standards that have existed to manage an eCommerce merchant against fraud were loose and few. One might argue that 3D Secure, commonly known as Verified by Visa and Mastercard SecureCode was the fixture of the industry, even if it never received widespread adoption or success. This frequently resulted in merchants needing to step up their own fraud operation business units if chargebacks increased beyond management’s tolerance for financial losses. However, this era of minimum investment in controls is rapidly ending. PSD2, the European mandate to increase consumer choice, reduce costs through competition, and bring innovation, integration and harmonisation in the space will inevitably be the standard for eCommerce fraud management in the future.
In 2015, the year that the last G20 country, the United States, adopted the EMV standard, many industry pundits suggested that fraud would continue to expand in the eCommerce space, as this channel lacked controls. Certainly, fraud has continued its growth in the Card Not Present (CNP) format, with many merchants subsequently realising that ever growing fraud rates need to be mitigated by stronger detection and prevention controls. Thus, investment has belatedly followed.
Scratching the surface
PSD2 will bring structure and planning to such investments by instilling a universally accepted standard minimum level of controls that all businesses in fintech must adhere to.
This will inevitably lift the industry to new heights, in terms of sophistication relative to fraud. Merchants will need to include mandatory strong authentication, real-time (automated) transaction decisioning, malware detection, fraud scenario detection logic, behavioral profiling, device level analysis which may include IP and geo-location, response automation and of course, monitoring and reporting. This is a far more comprehensive structure than what is typically associated with merchant fraud prevention today.
So, that is the cost of entry in this space, but it doesn’t scratch the surface if fraud can perpetuate in the channel. Once fraud is sustained at the merchant, above a predetermined threshold level relative to that channel, a switch must occur that creates higher authentication requirements (friction) for customers. These triggers and threshold-based additional control reqirements are specifically designed to prevent fraud from entering the channel, whatever it is (more on channels in a moment).
This might appear to be a burden to businesses who are trying to create a great customer experience while expanding into new markets, but bear with me. Ecommerce fraud continues to grow year-on-year for payment cards. Very few things, beyond elective investments of 3D Secure and the deployment of fraud detection solutions, have stemmed its growth. This has created an environment where a sizable fraud culture has established a foothold, developing a black-market economy to skim merchants for payment card details, and allowing for the scaling of fraudsters schemes to fleece merchants and banks in the card networks. So, the inaction of online retailers to put fraud into check has indirectly contributed to the environment where fraud can expand unchecked, until a mandate to reduce fraud has been enacted, which is exactly what PSD2 is attempting to achieve.
Security AND customer experience
Moving away from payment cards, one of the more interesting elements for PSD2 is that it speaks directly to “credit push” payments. These call to the direct “Faster Payments” networks that are being established globally and will mature further in this post-PSD2 marketplace. The critical factor here is that the aforementioned thresholds will differ relative to the channel, where cards have a higher threshold and enjoy safety net mechanisms for establishing liability in the case of a dispute. However, credit push payments may not have this process for establishing financial liability between merchants and banks, and the thresholds for fraud at a merchant level are somewhat lower – sometimes as much as 50 per cent lower than card-based peer channels.
This is a brilliant way to help support new and more efficient emerging payments channels, maintain them as cleaner alternatives to existing payments that have already have a significant scale of financial crime endemic to the channel, and preventatively implement mechanisms to keep them preferential to both merchants and consumers.
The net result of all of this investment in security is to arrest or potentially even reverse some of the growth of fraud in the eCommerce space, by creating a level playing field for all participants in the market. Setting some minimum standards for security and enforcing compliance via smart and risk-based controls is a model that all countries, especially in non-EU markets should take note of. Fraud has the tendency to absorb any oxygen the room allows it. It therefore makes sense to incorporate many of the controls into a local framework to ensure that fraud does not expand unchecked as it has. What Europe has done with PSD2 is creating the requirements, and other countries should follow suit. Depriving fraudsters of oxygen with these controls will be like removing the punchbowl from the party before it gets out of hand. PSD2 fraud controls thus may in fact just be a reaction to this historical environment, and the EBA is just rightfully taking away the punchbowl at the right moment.
So, as consumers continue to migrate to eCommerce, we can and should enable greater technology to continue to embrace a future that both elevates security and customer experience. PSD2 is a model to do this, and while this will affect the Eurozone initially, we should have every expectation that the mechanisms employed here will trickle out, as global merchants recognise that this is not just best practices for security in one market, it’s good business practice globally. And as this is recognised by consumers, their expectations will begin to align to these merchants’ authentication and fraud controls.