Australia Post, NAB launch new identity security venture

Australia Post has confirmed it has quietly been pulling together a new digital identity and fraud protection business with the National Australia Bank as regulatory pressure continues to mount on banks and payment schemes to reduce surging online fraud.

Known as TrustCheck, it is understood the new corporate-seeded start-up will be launched as a commercial joint venture between its two big backers.

It is not related to the identically named Unisys cyber analytics service.

The revelation of the new play comes after a conspicuous year-long quiet period surrounding the previously heavily promoted DigitaliD product, the progress of which has been unclear since the departure of former Australia Post chief executive Ahmed Fahour in 2017.

Until then, Australia Post had strongly marketed its foray into identity and trusted services through its DigitaliD credential and later a tie-up with transaction services and eCommerce and fintech aggregator AlphaPaymentsCloud.

Then in June 2018, Australia Post’s highly regarded transformation and tech chief, Andrew Walduck left the organisation and was replaced by former Deutsche Post executive Ingo Bohlken as head of product and innovation.

The official line now from Australia Post’s Melbourne HQ is that “TrustCheck is complementary to the DigitaliD service” which the government-owned corporation says is still proceeding.

“We continue to grow our Digital iD service through external organisations and its use across Australia Post services, with close to a million users using the service each year,” a spokesperson for Australia Post told iTnews.

“TrustCheck is focused on finding new ways to reduce identity fraud for businesses and retailers online.”

Questions over what space TrustCheck will occupy started swirling around the financial services sector late last week after Banking Day clocked a job ad circulating for an “Innovation Business Owner” that offered “a rare opportunity to operate in a start-up environment with the full support of both Australia Post and NAB.”

The specifics of the role, a 12 month fixed term contract now closed, include the ability to “drive funding pathways to obtain the investment required for the TrustCheck business to achieve positive cashflow” and to “lead the ongoing strategy for TrustCheck to enter the market and scale.

While there are plenty of commercial counter identity fraud solutions in market, the most acute pressure now being applied to banks by regulators is for card-not-present (CNP) fraud that are essentially online transactions made with stolen credit card and scheme debit card (Mastercard, Visa, American Express).

The Reserve Bank of Australia has repeatedly warned it is unhappy with CNP fraud losses which have ballooned to just under $500 million a year.

In proportional terms, online fraud on all cards now accounts for 85 percent of local card fraud volume and is up from 78 percent in 2016, up sharply compared to the previous five years that all sat below 80 percent according to official statistics from AusPayNet.

Australian banks that issue cards also routinely sheet back online fraud losses to merchants, a position shopkeepers feel is particularly unfair given the big clip institutions extract for processing payments.

One option available to regulators would be to ban banks from passing through online fraud losses, thereby increasing pressure on them to clean-up their own backyards. (Consumers, in the main, are indemnified from online card fraud.)

While the RBA has been a strong advocate of digital identity credentials to drive down ballooning online fraud losses, the central bank last year opted to give the payments industry a last chance to clean-up its act through AusPayNet’s CNP Fraud Mitigation Framework.

The framework, developed in consultation with the payments industry, is essentially a set of best practices for banks and payments gateways that draw on measures similar to those rolled out in Europe through the PSD2 mandate.

In Australia, US based credit card and payment schemes have heavily resisted the entry of regulators into the payments security space, arguing they are best placed to defend their own global networks with a variety of risk-based authentication methods.