PSD2 and Transaction Risk Analysis: Why It's Important to You

European politicians have not failed to notice that levels of fraud have been increasing despite industry initiatives to stop its growth. The second Payment Services Directive (PSD2) comes into force in January 2018 and places the accountability firmly on Payment Service Providers (PSPs) for unauthorised or fraudulent payments, especially online. PSPs are now obliged to confirm their customer’s identity robustly, both when paying and managing their accounts. But these measures threaten to put barriers in the way of the frictionless journey that customers want. How can PSPs balance ease of use with security?


© 2017 Fair Isaac Corporation. All rights reserved.

EXECUTIVE BRIEF

Payment Service Providers are now even more responsible for authenticating their customers

It’s easy to get caught up in the details of PSD2, whether it’s rules on surcharging or liability for unauthorised payments. PSD2 is designed to make payments within, into and from the European Union (EU) more efficient and reliable, and so the main goals are to:

• Extend the scope of the first directive to non-EU currencies and payments starting off or ending up outside the EU
• Treat all electronic payments in a similar manner, whether made by payment card or remote banking
• Strengthen payment systems against fraud by authenticating customers more reliably
• Allow payment accounts to be used by new service providers

The European Commission drafted a new version from scratch, which was approved in December 2015 but lacked clarity on some technical details. To fill in these blanks, the European Banking Authority (EBA) was tasked with laying out specific technical rules in Regulatory Technical Standards (RTS), including indemnity, governance, security and authorisation. These RTS are then approved by the European Commission; at the point of publication there is still some debate between these two European bodies on some of the details, despite the deadline for compliance expected to be January 2018.

Payment Services Directive 2:

• Extends geographical and currency scope of PSD1
• Gives access to payment accounts to third parties
• Strengthens payment systems against financial crime
• Mandates Strong Customer Authentication
• Makes Payment Service Providers liable for unauthorised payments

One RTS focused on a definition of Strong Customer Authentication (SCA), including when and how a PSP must ensure it is their customer making a payment or request for account management.

Strong Customer Authentication — helping you prove it’s you, again

SCA is technically a process and an obligation for a PSP, say a card issuer or bank, to confirm that a person claiming to be their customer matches the individual who opened the account, and enrolled or was issued security credentials. Furthermore, because PSD2 treats humans and organisations alike, authentication may be with a representative of an organisation. Under the definition, SCA must use two of three different factors:

• Knowledge — something the payment services user (PSU) and PSP both know, a shared secret such as a password or set of personal information.
• Possession — a proof of ownership of a device that can be associated uniquely with the payer, such as a security token or mobile phone.
• Inherence — something physical about a PSU, such as a biometric measurement or behavioural model.

One likely outcome is that this change will increase how biometric technologies are used in our financial lives and move them beyond the current small trials to mass adoption.

SCA is required in three circumstances, subject to specific exemptions; when a PSU:

• Initiates an electronic payment, such as a card payment or remote banking transaction.
• Accesses their account online, such as an online banking login.
• Remotely requests an action for which there is a risk of payment fraud or other abuse, such as changing their address over the phone.

With many customers preferring to use the internet or phone to access their service providers, this covers a great many interactions related to payments. To illustrate this, a payment made by a UK-issued card to a merchant in the United States with a US acquirer will come under PSD2 and will require the UK-based card issuer to strongly authenticate their customer. So it’s not just EU transactions this will affect. The main implications are:

• Transactions may become more complicated and onerous for customers
• Merchants will no longer be accountable for identifying cardholders
• PSPs must be able to authenticate their customers securely

While security has been an increasing concern, PSD2 creates a new framework and set of obligations on PSPs, which will impact almost every electronic payment to some degree. PSPs are consequently looking to see how they can most effectively comply whilst minimizing the impact on their customers.

Avoiding the hurdle of Strong Customer Authentication

Customers, PSPs and merchants prefer to have streamlined, efficient processes, but authentication can cause obstacles to that objective. It is only the PSP that controls where it is used. In certain circumstances such as low-value, high-volume or time-critical payments, the PSP is exempted from SCA: for some types of transactions, such as ticketing, contactless and parking payments. SCA exemptions can also extend to those PSPs who manage rates of fraud loss down to low levels.

In the rules, the situations where a PSP is not obliged to use SCA include when the customer is:

• Making a contactless payment at point of sale
• Accessing their payment account data again (subject to time limit)
• Paying for transport and parking
• Making a low-value payment
• Paying a “trusted beneficiary”
• Making a recurring transaction for the same amount
• Moving money to another of their account(s) at the same PSP
• Making a low-risk, remote payment and the PSP has low levels of fraud loss

Many of these have clearly defined and restricted usage, but in the final case, the PSP has a degree of control for remote transactions, if they perform Transaction Risk Analysis (TRA).

Timeline for PSD2

• Jan 2015: PSD2 passed
• Oct 2017 (estimated): EBA approve Regulatory Technical Standard
• Jan 2018: PSD2 in effect in all EU member states
• Apr 2018 (estimated): Strong Customer Authentication mandatory

PSD2 requires, as a minimum, that every PSP must monitor every transaction for signs of fraud, including at least:

• Lists of compromised or stolen authentication elements
• Amount of each payment transaction
• Known fraud scenarios
• Signs of malware infection

All PSPs must ensure their decisioning systems are recording and assessing against these criteria. Additionally, PSPs who use TRA must also, as a minimum:

• Calculate a risk score based on the transaction monitoring factors above
• Identify any abnormal spending or behavioural pattern from the payer
• Look for unusual information about the payer’s device/software
• Check for malware within the authentication procedure
• Look out for known fraud scenarios
• Check for abnormal locations for the payer
• Verify whether the payee is in a high-risk location

Any of these that indicate fraud should therefore require either secure authentication or the transaction to be rejected or declined. The implication is that PSPs must do more analysis of the transaction data and create and evolve more adaptive and adaptable models to better fight fraud. Being adaptable will give PSPs an edge in how they deal with their customers and result in not only reduced fraud, but increased loyalty and share of wallet.

The goal is that by deploying these checks, PSPs will be able to manage their fraud rates to keep beneath the reference levels — set by the EBA — for the remote payment mechanism they are providing. By doing this, the PSPs will be able to accept the payment instruction without further checks and, consequently, customer friction. While the Reference Fraud Rates set by the EBA are roughly in line with current fraud rates — the limit for transactions under €100 is 0.13% or 13 basis points — some PSPs will need to more closely manage their acceptance, authenticate and decline criteria.

Finally, any PSP using these exemptions must inform their national competent authority that they are doing so and report their fraud rates, immediately notifying if the rate goes higher than the lowest level.

Transaction Risk Analysis and reporting

While much of the RTS is clear and concise, the current draft is still unclear on some of the details such as reporting the outcome of using this exemption. The EBA has recently published a consultation designed to clear up some of the inconsistencies and queries. The minimum requirement is reporting detailed loss rates by exemption every 90 days. These statistics must be broken down across the whole of the different payment types, currently remote card payments and remote credit transfers, including where no exemption is used.

While it is possible to comply by producing statistics every 90 days, no PSP will want to find out, on the day the statistics are delivered, that their fraud rates have risen above the reference rate they have been targeting. Being able to know the trends in fraud rates on a daily basis will allow PSPs to tune authentication policies and the TRA procedure itself to meet the targets. Furthermore, if a PSP does report that its fraud rates have gone above the lowest reference fraud rate (0.13% for remote card payments, 0.015% for remote credit transfers) it will no longer be able to use TRA until those rates come down and stay down for 90 days. In this period, customers will be required to strongly authenticate their payment transactions, resulting in increased customer friction and a likely increase in customers using other payment providers.

Reference Fraud Rate (% by value of total transactions that are fraudulent over the previous 90 days):

Transaction value (up to)   Remote card-based payments   Credit transfers
€500                        Below 0.01%                  Below 0.005%
€250                        0.01–0.06%                   0.005–0.01%
€100                        0.06–0.13%                   0.01–0.015%
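The reference-rate mechanics above (the trailing 90-day fraud rate by value, the tiered exemption thresholds, and the loss of TRA while the rate sits above the lowest reference rate) together with the minimum TRA indicators listed earlier, worked through in Python as an added example. This is not FICO's code nor any PSP's production logic. The transaction records, the boolean indicator flags, the routing of the compromised-credential and malware signals to "decline" rather than SCA, and the treatment of a rate exactly on a band edge as inside that band are all assumptions made for the example.

```python
"""PSD2 Transaction Risk Analysis (TRA) exemption helper: added example, not
FICO's code or any PSP's production logic.  It applies the brief's Reference
Fraud Rate table (fraudulent share, by value, of all transactions of a payment
type over the previous 90 days).  Sample data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

WINDOW_DAYS = 90

# (max exemptible transaction value in EUR, upper edge of its fraud-rate band)
# per payment type, from the brief's table.  Treating a rate that sits exactly
# on a band edge as inside that band is an assumption.
REFERENCE_FRAUD_RATES = {
    "remote_card":     [(500, 0.0001), (250, 0.0006), (100, 0.0013)],
    "credit_transfer": [(500, 0.00005), (250, 0.0001), (100, 0.00015)],
}

# The minimum TRA indicators the brief lists; each is a boolean flag here.
TRA_INDICATORS = (
    "compromised_credential", "abnormal_spending", "unusual_device",
    "malware_detected", "known_fraud_scenario", "abnormal_payer_location",
    "high_risk_payee_location",
)


@dataclass(frozen=True)
class Txn:
    when: date
    kind: str            # "remote_card" or "credit_transfer"
    amount: float        # EUR
    fraud: bool = False  # later confirmed as fraudulent


def fraud_rate(history, kind, as_of):
    """Fraud rate by value over the 90 days ending on as_of (inclusive)."""
    start = as_of - timedelta(days=WINDOW_DAYS - 1)
    total = fraudulent = 0.0
    for t in history:
        if t.kind == kind and start <= t.when <= as_of:
            total += t.amount
            fraudulent += t.amount if t.fraud else 0.0
    return fraudulent / total if total else 0.0


def exemption_limit(rate, kind):
    """Largest value the PSP may exempt from SCA, or 0 when the rate is above
    the lowest reference rate (0.13% for cards, 0.015% for credit transfers)."""
    for limit, band_max in REFERENCE_FRAUD_RATES[kind]:
        if rate <= band_max:
            return limit
    return 0


def tra_available(history, kind, as_of):
    """TRA is usable only once the trailing rate has stayed at or below the
    lowest reference rate on every one of the last 90 days."""
    lowest_ref = REFERENCE_FRAUD_RATES[kind][-1][1]
    return all(fraud_rate(history, kind, as_of - timedelta(days=back)) <= lowest_ref
               for back in range(WINDOW_DAYS))


def decide(txn, indicators, history, as_of):
    """Return 'exempt', 'sca' or 'decline' for one remote transaction.
    Any positive indicator rules out the exemption (the brief: such a payment
    needs secure authentication or rejection).  Declining on the two hard
    signals and asking for SCA on the rest is this example's choice."""
    unknown = set(indicators) - set(TRA_INDICATORS)
    if unknown:
        raise ValueError(f"unknown TRA indicator(s): {sorted(unknown)}")
    if indicators.get("compromised_credential") or indicators.get("malware_detected"):
        return "decline"
    if any(indicators.get(name) for name in TRA_INDICATORS):
        return "sca"
    if not tra_available(history, txn.kind, as_of):
        return "sca"  # exemption suspended; every remote payment gets SCA
    limit = exemption_limit(fraud_rate(history, txn.kind, as_of), txn.kind)
    return "exempt" if txn.amount <= limit else "sca"


# Constructed history as of 30 Apr 2018.  Cards: EUR 99,950 clean + EUR 50
# fraud = 0.05%, inside the EUR 250 band.  Credit transfers: EUR 99,980 clean
# + EUR 20 fraud = 0.02%, above the 0.015% lowest reference rate.
AS_OF = date(2018, 4, 30)
HISTORY = [
    Txn(date(2018, 2, 15), "remote_card", 49_975.0),
    Txn(date(2018, 3, 15), "remote_card", 49_975.0),
    Txn(date(2018, 4, 10), "remote_card", 50.0, fraud=True),
    Txn(date(2018, 3, 1), "credit_transfer", 49_990.0),
    Txn(date(2018, 4, 1), "credit_transfer", 49_990.0),
    Txn(date(2018, 4, 12), "credit_transfer", 20.0, fraud=True),
]


def exemption_report(history=HISTORY, as_of=AS_OF):
    """Daily view per payment type: rate, exemptible limit, TRA usable."""
    out = {}
    for kind in REFERENCE_FRAUD_RATES:
        rate = fraud_rate(history, kind, as_of)
        out[kind] = {"rate": rate, "limit_eur": exemption_limit(rate, kind),
                     "tra_available": tra_available(history, kind, as_of)}
    return out
```

Running `exemption_report()` on the constructed data gives cards a 0.05% rate, a €250 exemption ceiling and TRA available, while credit transfers sit at 0.02%, above the 0.015% floor, so `decide()` sends every credit transfer to SCA until the trailing rate has been back under the floor for a full 90 days. The daily `tra_available` check is what lets a PSP see a breach coming rather than discovering it on the 90-day reporting date.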
About FICO and PSD2

As you adapt to PSD2, we can support you with our unique three pillar approach. With FICO, your fraud operations will be ready for PSD2 and supported into the future.

PREPARE with expert advisors

• Get advice you can trust from informed and confident advisors.
• Understand in detail why fraud is happening in your accounts.
• Reduce fraud to the best possible levels for your operations, with specific and detailed information about what you need to do.
• Understand when and how you can balance Transaction Risk Analysis with Strong Customer Authentication to deliver the best results for you.

PROTECT with a proven fraud detection solution

• Be confident in your solution. FICO® Falcon® Fraud Manager already protects 70% of UK cards from fraud.
• Detect and manage fraud in mass volumes and in near real time. Our customers can process 9,000 transactions per second.
• Improve accuracy of fraud detection with better access to relevant data. We can incorporate data from multiple sources and help you to share fraud data through our consortium.
• Detect more fraud faster with expertly built fraud models designed for PSPs.
• Protect customer relationships with better communications that manage the fraud process with your customers, keeping them informed and safe from fraud.

ADAPT and future-proof with machine learning

• Adapt quickly to emerging threats and the new data landscape with our proven machine learning capabilities.
• Reduce the need to manually write and change fraud models. Our machine learning capabilities will adapt them on the fly — and they’re designed specifically for your industry.
• Be confident your solution won’t date — our machine learning pedigree started 25 years ago and today we’re innovating more than ever. We have 42 fraud-related AI patents awarded or pending in just the past five years.

A continuously evolving fraud landscape

Whilst we know many of the mechanisms that financial criminals use, this is likely to change radically after SCA becomes mandatory. Experience has shown that most fraudsters are lazy; they look for the easiest compromise and adapt their techniques to take advantage of weaknesses. By strengthening the link between the PSP and their customer using strong authentication, it is likely that fraudsters will look at other methods, or if that is unsuccessful, other geographies. In essence, that is the political goal: raise the bar of fraud prevention to reduce or move fraud outside the European Union completely. No one can state with any certainty what the fraud environment will look like after SCA comes in; however, PSPs must develop systems that can make the best fraud management decisions based on the information at hand.

There are four key things to consider:

• Capturing and preserving data to feed into automated analysis
• Building adaptive models to identify fraudulent and fraud-free payments
• Identifying unusual cases for further investigation and categorisation
• Creating monitoring, reporting and governance processes to proactively take action

Simplistically, a PSP’s entire fraud policy could be viewed as a dial that controls the prevention and detection mechanisms as fraud rates rise and fall; without the information on which way to turn the dial, PSPs will run the risk of either losing customers and revenue or losing money to fraudsters.

FICO and Falcon are trademarks or registered trademarks of Fair Isaac Corporation in the United States and in other countries. Other product and company names herein may be trademarks of their respective owners. © 2017 Fair Isaac Corporation. All rights reserved. 4448EX_QE 08/17 PDF

FOR MORE INFORMATION: www.fico.com, www.fico.com/blogs
NORTH AMERICA: +1 888 342 6336, info@fico.com
LATIN AMERICA & CARIBBEAN: +55 11 5189 8267, LAC_info@fico.com
EUROPE, MIDDLE EAST & AFRICA: +44 (0) 207 940 8718, emeainfo@fico.com
ASIA PACIFIC: +65 6422 7700, infoasia@fico.com
