An ambitious bid to curb Australia’s $478 million-a-year online card fraud bill slugs banks that fail to clean up their act with heavy financial penalties under a tough new enforcement regime that will take effect in less than a week.
The controversial crackdown, which has been resisted by major card schemes and retail banks, is contained in new rules from the Australian Payments Network (AusPayNet) and finally sets minimum loss thresholds and intervention trigger points for both merchants and institutions.
AusPayNet is the payments industry’s self-regulatory body which sets standards and rules for participants that range from banks to payments processors and gateways.
Dubbed the Card Not Present (CNP) Fraud Mitigation Framework, the new rules require mandatory quarterly reporting from 15th July and contain thresholds that banks and merchants must remain under.
While the penalty unit amounts are not in the public domain, similar scheme rule regimes enforced by credit card brands typically range in the millions.
“Breaches of these thresholds will trigger obligations for Merchants or Issuers to take action. Repeated breaches over a period of time could ultimately result in financial penalties for Issuers or Merchants’ Acquirers,” AusPayNet said in an industry advisory.
“The initial Issuer Fraud Threshold is set to 15 [basis points or 0.15 percent],” AusPayNet said, adding that the issuer bank rate “is calculated using the value of fraudulent, settled, online CNP transactions that were sent to an Issuer for authentication, each quarter.”
For merchants there is a 20bps breach trigger threshold that is backed up by a dollar limit of $50,000 in online fraud per quarter.
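To make the threshold arithmetic concrete, here is an added example (not AusPayNet's code, and not part of the original article) that aggregates a constructed set of settled online CNP transactions per quarter and checks the 15bps issuer trigger and the 20bps plus $50,000 merchant trigger. Two things are assumptions rather than statements from the advisory: the rate's denominator is taken to be the total settled online CNP value for the same party and quarter, and the merchant dollar limit is treated as a second condition that must also be exceeded (so a low-volume merchant hit by one bad order is not flagged on rate alone). The record layout, party names and amounts are invented for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Trigger points as stated in the AusPayNet advisory quoted above.
ISSUER_THRESHOLD_BPS = 15        # issuer fraud-rate trigger
MERCHANT_THRESHOLD_BPS = 20      # merchant fraud-rate trigger
MERCHANT_THRESHOLD_AUD = 50_000  # merchant fraud-value ceiling per quarter


@dataclass(frozen=True)
class CnpTransaction:
    """One online card-not-present transaction (constructed record layout, an assumption)."""
    quarter: str        # reporting quarter, e.g. "2019Q3"
    issuer: str         # cardholder's bank
    merchant: str
    amount_aud: float
    settled: bool       # only settled transactions count towards the rate
    fraudulent: bool    # later reported as fraud (chargeback / fraud report)


def fraud_rate_bps(fraud_value: float, total_value: float) -> float:
    """Fraud rate in basis points: fraudulent settled value over total settled value.
    The denominator is an assumption; the advisory only names the numerator."""
    if total_value <= 0:
        return 0.0
    return fraud_value / total_value * 10_000


def quarterly_totals(txns, party_field):
    """Sum settled value and fraudulent settled value per (quarter, party)."""
    totals = defaultdict(lambda: {"total": 0.0, "fraud": 0.0})
    for t in txns:
        if not t.settled:           # unsettled transactions are excluded
            continue
        bucket = totals[(t.quarter, getattr(t, party_field))]
        bucket["total"] += t.amount_aud
        if t.fraudulent:
            bucket["fraud"] += t.amount_aud
    return totals


def issuer_breaches(txns):
    """Issuers whose quarterly fraud rate exceeds the 15bps trigger."""
    result = {}
    for (quarter, issuer), v in quarterly_totals(txns, "issuer").items():
        bps = fraud_rate_bps(v["fraud"], v["total"])
        result[(quarter, issuer)] = {"bps": round(bps, 2), "breach": bps > ISSUER_THRESHOLD_BPS}
    return result


def merchant_breaches(txns):
    """Merchants over 20bps AND over $50,000 of fraud in the quarter (both required: assumption)."""
    result = {}
    for (quarter, merchant), v in quarterly_totals(txns, "merchant").items():
        bps = fraud_rate_bps(v["fraud"], v["total"])
        breach = bps > MERCHANT_THRESHOLD_BPS and v["fraud"] > MERCHANT_THRESHOLD_AUD
        result[(quarter, merchant)] = {"bps": round(bps, 2), "fraud_aud": v["fraud"], "breach": breach}
    return result


def consecutive_breaches(breach_map, party, quarters):
    """Length of the current run of breaching quarters for one party; the advisory ties
    penalties to repeated breaches over time, so this is the figure an issuer or acquirer would watch."""
    run = 0
    for q in quarters:
        entry = breach_map.get((q, party))
        run = run + 1 if entry and entry["breach"] else 0
    return run


# Constructed sample data (not real figures).
SAMPLE = [
    CnpTransaction("2019Q3", "BankA", "ShopX", 940_000.0, True, False),
    CnpTransaction("2019Q3", "BankA", "ShopX", 60_000.0, True, True),    # large fraud on a big merchant
    CnpTransaction("2019Q3", "BankB", "ShopY", 9_900.0, True, False),
    CnpTransaction("2019Q3", "BankB", "ShopY", 100.0, True, True),       # high rate, tiny dollar value
    CnpTransaction("2019Q3", "BankB", "ShopZ", 990_000.0, True, False),
    CnpTransaction("2019Q3", "BankB", "ShopZ", 5_000.0, False, True),    # unsettled: ignored
    CnpTransaction("2019Q4", "BankA", "ShopX", 980_000.0, True, False),
    CnpTransaction("2019Q4", "BankA", "ShopX", 20_000.0, True, True),    # over 20bps but under $50,000
]

if __name__ == "__main__":
    quarters = ["2019Q3", "2019Q4"]
    print("issuers:", issuer_breaches(SAMPLE))
    print("merchants:", merchant_breaches(SAMPLE))
    print("BankA run:", consecutive_breaches(issuer_breaches(SAMPLE), "BankA", quarters))
    print("ShopX run:", consecutive_breaches(merchant_breaches(SAMPLE), "ShopX", quarters))
```

In the sample, BankA breaches the issuer trigger in both quarters, while ShopX breaches the merchant trigger only in the first: in the second its rate is still well over 20bps but its fraud value is under the $50,000 ceiling, which is exactly the case the dollar limit is there to handle. ShopY shows the converse, a 100bps rate on trivial volume that never reaches the dollar limit.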
The $50,000 fraud ceiling for merchants is certain to trigger deep unease among some online retailers which are persistently targeted by carders intent on burning through stashes on stolen card details before countermeasures like tokenisation hit.
As with most fraud and theft, criminals tend to buy popular products that are readily saleable on secondary markets, with consumer electronics, designer goods and luxury items the favourites.
A major decision AusPayNet has yet to make is how to split fraudulent credit card transactions from so-called ‘scheme debit’ purchases that use credit card payment rails to access consumer bank accounts.
Scheme debit fraud figures, which are absorbed into broader online credit card fraud reporting, are not currently separated out or made public because of persistent resistance from Mastercard and Visa.
AusPayNet is clearly hoping that there will be a compliance effect that will dent fraud before it has to resort to financial sanctions.
Aside from the fines regime, the cutting edge of the fraud control overhaul is the application of Risk Based Analysis to transactions to build a risk profile, with authentication requirements then applied according to that profile.
In practical terms that means transactions deemed riskier will now require, at minimum, a second factor and/or a biometric measure to pass muster at the checkout.
Known as Strong Customer Authentication (SCA), the approach is similar to Europe’s PSD2 regime, which has many ecommerce providers worried about payment and conversion failures at the checkout.
The strength of European consumer protections has irritated US-based merchants and payments providers because they compel major investments in technology to make them work.
Conversely, the attitude of many European regulators is that they have little incentive to green-light looser US electronic fraud protections.
AusPayNet has tried to find some middle ground on that front, it appears. Its analysis says that while “both endorse SCA as best practice to authenticate transactions”, “there are key differences.”
“While PSD2 mandates SCA for all transactions and considers certain exceptions, the Framework only requires SCA for those merchants and issuers whose fraud rate is consistently in breach of agreed thresholds,” AusPayNet says.
Which essentially sends the signal that while banks might not like the clean-up, it could be a lot worse.
The new framework follows persistent agitation by the Reserve Bank of Australia for banks to get their act together on the online fraud front, or face remedial action from the government.
AusPayNet’s voluntary rehab scheme is regarded as the litmus test of whether the payments industry is capable of voluntary reform.
In regulatory circles there is a growing view that the ability of banks to pass through their online fraud losses to merchants creates a perverse incentive because there is effectively no penalty cost for payments security failure.
With online losses now at $478 million a year, copping it from the industry self-regulator will be a significantly lesser evil for banks than soaking up the losses themselves.
Whether the new regime works is another matter entirely.