This is a guest blog from Jonathan Williams, an expert in payments, identity and fraud prevention, working for advisory firm Mk2 Consulting. He speaks at many conferences worldwide and has recently addressed audiences at the EuroFinance, EBA Day, the Fraud Conference, and spoken on the security of retail payments at the Federal Reserve’s conference on payments.
In July, the European Banking Authority (EBA) published its guidelines for reporting fraud under the second Payment Services Directive (PSD2). For years, businesses have been advised to use key performance indicators (KPIs) to work out whether they are making progress or whether problems are starting to emerge.
For fraud this holds true at both country and business level: without insight into losses and trends, it is unlikely that prevention measures such as EMV chip and PIN or 3-D Secure would ever have been implemented. Each business can adopt the KPIs that make sense to it, but countries and regions have to obtain their data from many parties, so establishing base rules for what data is collected, and how it is categorised, is critical to confidence in PSD2 fraud reporting.
This is the driver behind the PSD2 requirement to report payment fraud to national bodies and the European Banking Authority. The recent guidelines published in July 2018 take steps to clarify not only what data should be included, but also how reports from payment service providers (PSPs) should be broken down and what figures should be used. These guidelines will be active from 1 January 2019 across the EU and EEA, assuming each national authority agrees. For the first time, this will create a single reporting regime for all payment service providers, including cards, ACH, e-money and money remittance.
The bottom line: Consistency is the paramount goal across all payment service providers.
PSPs will be obliged to report not only how many cases are fraud, and the type of fraud, but also the total financial loss suffered. This has two consequences. First, not all of the data required is currently preserved beyond the point of transaction analysis. Second, the loss as it finally lands on the PSP's own accounts can only be calculated with a delay, and it remains subject to revision if funds are later recovered. Since the guidelines cover every payment product within a PSP, the same definitions and timing will be needed across multiple lines of business.
PSPs that must implement fraud reporting will need to capture data at the same point in the transaction flow and in the same way for every product, and then be able to synthesise a single view across their portfolios. Using common tools both to assess risk and to capture transaction data is a simple approach and certainly helps with the consistency required, but it is important not to re-engineer working systems, nor to change outputs that other processes already rely upon.
PSD2 also requires fraud loss statistics from those PSPs that plan to use the Transaction Risk Analysis (TRA) exemption from strong customer authentication. Much of the raw data is the same, but the loss figures for TRA are calculated differently and over a different timescale. A PSP that feeds one set of figures into both reports risks over-reporting its fraud losses, which is in no party's interest.
Ultimately, consistent fraud data will help everyone to benchmark payment operations against industry averages and on a divisional basis. To trust these statistics, and the insights derived from them, consistency is essential. Where a PSP decides to locate this reporting is its own decision, but much of the data required is transactional and therefore lives in running production systems. The vital question is: can the industry deliver the consistency requested without undermining the stability of the payments system?
For more information about the EBA Fraud Reporting Guidelines and the actions that PSPs need to take, read the FICO white paper ‘Is PSD2 Fraud Reporting a Benefit or Another Burden?’