The odds of a regulatory intervention to arrest ballooning online payment fraud rates have shortened markedly after another embarrassing spike in online payment fraud in Australia.
The official aggregated figure for online payments fraud on all Australian cards has hit a whopping $476 million for the 2017 calendar year, surging from $418.1 million in 2016.
The numbers are based on disclosures by banks and credit card schemes to self-regulatory body the Australian Payments Network (AusPayNet).
In proportional terms, online fraud on all cards now accounts for 85 percent of local card fraud volume and is up from 78 percent in 2016, up sharply compared to the previous five years that all sat below 80 percent.
The concerted leap in online fraud is certain to worry regulators like the Australian Securities and Investments Commission and the Reserve Bank of Australia, the latter of which has been making strong calls for the use of digital identity credentials I n online transactions.
The numbers also reveal that when it comes to payments fraud in Australia, online scams aren’t the hot new trend – they’re almost the only vector.
The news is even worse for specific payment product (card) types.
Online fraud using credit and scheme debit cards (the ones that let you pay from a bank account using a card branded mastercard or Visa) now accounts for almost all payments fraud in Australia.
“In 2017, online fraud totalled $476.3 million, representing 87.5percent of all fraud on scheme cards. This compares to 75 percent in 2012,” AusPayNet reported.
Officially dubbed ‘card not present fraud’ (CNP) thanks to a pre-internet throwback classification term the criminal endeavour of ripping off cards ballooned 13.9 percent while almost all other fraud types declined – though cheque fraud bounced like a dead cat off a low to terminal base.
The combined figure for scheme payments fraud on cards issued in Australia that was committed both here and overseas came in at $544 million. Disturbingly overseas fraud is bigger than local fraud for that category, coming in at $278.1 million for 2017, a reasonable drop from $293.8 in 2016.
However total scheme payments fraud perpetrated in Australia soared to $266 million in 2017, soaring from $217.2 in 2016.
There are also still two big unknowns in the payments fraud data.
The first is where liability falls. The liability question is huge because for card not present fraud, losses were often sheeted back to merchants – that means there could be a massive liability shift happening as digital payments become the default.
Put more simply, banks and card schemes could be wriggling off the hook in terms absorbing online payments fraud losses, a situation that removes financial incentive for them to improve transaction security or technical remedies.
Although consumers are essentially covered under the so-called zero-liability bargain, it’s the degree to which merchants are being stung that will worry ASIC and the RBA.
However the second big unknown is how much money defrauded is flowing out of bank accounts via scheme debit products (debit cards branded mastercard and Visa) that are lumped in with credit card transactions.
That difference especially matters in the context of real time payments because it is essentially cash fraud rather than credit fraud.
Resentment is also close to boiling point within business groups and merchants that banks and schemes are still allowed to pass through losses to retailers despite the fact they use transactional facilities supplied as a service.
Card fraud was barely tolerable to merchants prior to mainstream online migration, but the default position of passing back card-not-present is now unlikely to escape regulatory attention whoever
In volume terms fraud rates in Australia are sitting at around 7.5 cents per $100. They are lower in the UK which sits around 7 pence per every £100 transacted.
AusPayNet announced the start of an industry consultation on a new framework to accelerate the fight against online card fraud as the figures were released.
Measures suggested include "targets for card issuers to reduce CNP fraud across their card base" along with "merchants who record fraud above an agreed industry benchmark being required to use multi-factor authentication, except for exempt (low-risk) transactions."
The Productivity Commission's review of Australian financial system released this month recommended a shake-up of the codification liability around online payments, a move that was bookended by a call to abolish card interchange fees.