The body mandated to track online payment fraud levels across Australian banks and card schemes, AusPayNet, has revealed key reforms intended to arrest ballooning losses have been finalised and will bite by July this year.
The reforms come as key stakeholders attempt to avert more regulatory intervention from the Reserve Bank of Australia (RBA), which has put the sector on notice it has run out of patience.
The problem is so bad even the Governor of the RBA, Philip Lowe, has been carded, with the head of the central bank making the revelation at AusPayNet's annual forum late last year.
AusPayNet on Monday revealed it had appointed Andy White as its new chief executive, as the self-regulatory body prepares to push its new fraud control regime across institutions, operators and merchants ahead of formal adoption.
White replaces Leila Fourie, who leaves at the end of February.
The new counter-fraud regime has been years in the making and, when adopted, will reset and liberalise the tools and techniques available to online merchants to counter fraud.
It also draws a line under the loathed card scheme hegemony of clunky and expensive solutions like 3D Secure and various PCI-DSS fixes that previously fell foul of regulators.
In 2016 the Australian Competition and Consumer Commission (ACCC) rejected a bid by the then Australian Payments Clearing Association (now AusPayNet) to mandate merchant adoption of the 3D Secure system, which was pushed hard by international schemes, particularly Visa.
Since then, the Productivity Commission has called for banks and credit card schemes to be stripped of payments self-regulation powers.
A key reason for the ACCC’s rejection was that the move would have cost businesses close to $400 million, kept out rival solutions, maintained merchant liability for growing losses and set up a compliance cash cow for global payments giants.
Now, with the RBA still frustrated over escalating losses, AusPayNet is betting a more collaborative and inclusive approach will push down online fraud losses.
A major element of the new counter-fraud regime, officially dubbed the “CNP Fraud Mitigation Framework”, is that it will conspicuously try to include merchant IT systems in helping to develop and implement solutions that are effective as opposed to just compliant.
Large numbers of merchants and their industry groups, like the Australian Retailers Association, have for the last decade been vocal critics of international card schemes’ various technical efforts to reduce online card fraud because of their limited effect and high costs.
A major frustration has been that sometimes card scheme compliance mandates are more expensive to implement than the fraud they prevent, a factor that irritates banks selling merchant acquiring services.
Adding to the often strained relations, banks in Australia are still allowed to pass online fraud losses back through to merchants as opposed to absorbing those losses – a liability regime many believe removes the incentive for banks and card schemes to develop effective countermeasures.
With card-not-present (online) fraud now tipping the scales at more than $475 million per year, banks and card schemes have desperately been trying to avoid getting stuck with those losses in the event regulators like the Reserve Bank of Australia or Australian Securities and Investments Commission move to change where liability falls.
Parts of the law enforcement community are known to be deeply ambivalent about continuing to allow banks to pass through online card fraud losses to merchants as the economy continues to digitise, especially given the known links between for-profit hackers and cyber espionage operations.
AusPayNet’s latest big push to make a dent in online fraud numbers is also regarded by many as the payments industry’s last chance to avoid regulatory intervention by arresting and reversing growth in fraud losses.
“Card-not-present (CNP) fraud now represents almost 85 percent of all card fraud, on Australian cards, and costs the e-commerce industry close to half a billion dollars each year,” AusPayNet said in a bulletin to members.
“We have been working with our Members, merchants, the RBA, gateways and payment service providers to define an approach to reduce the level of CNP fraud in Australia. In 2018, we managed a successful industry consultation that has resulted in this framework.
“In addition to reducing online card fraud, the framework is also designed to build consumer trust and support continued growth in e-commerce.”
The mechanics of the framework are understood to include the ability of merchants to put their own preferred local solutions into the mix, for example popular gateways like Fat Zebra and Merchant Warrior.
In a strong indication of how clunky many payment security standards have become, Fat Zebra sells itself as a way to “Avoid PCI-DSS requirements while still retaining your brand.”
The new framework also contains new fraud reporting thresholds across industry based on fraud volume and value metrics that are aimed at quicker neutralisation of vulnerabilities, though the specifics of the thresholds are yet to be made public.
The prospect of merchants shedding financial liability for online fraud losses without direct regulatory intervention at this stage still appears unlikely.
It is understood the hope behind the new CNP Fraud Mitigation Framework is that losses will be sufficiently neutralised to appease both merchants and the RBA.
Come July, banks will need to show rapid progress in arresting fraud volumes for that to happen.
AusPayNet CEO Andy White has a big job ahead of him.