Banks need to feel the financial sting from surging online payments fraud to stop them from simply dumping hundreds of millions of dollars in losses onto merchant victims, Australia’s peak digital commerce body has warned.
Speaking following the release of Australia’s latest payment fraud statistics on Wednesday, the head of the National Online Retailers Association (NORA) Paul Greenberg said financial institutions need a reason to change their current stance where his members absorb the bulk of losses.
The latest payment fraud statistics make for grim reading, with online fraud having leapt to $476 million in the 2017 calendar year, a spike of 14 percent. Online payments fraud is now a whopping 85 percent of all payments fraud in Australia.
Compiled by self-regulatory body the Australian Payments Network, the release of the fraud number was accompanied by the launch of a new Card Not Present (CNP) Fraud Mitigation Framework it hopes will make a dent in online losses by recalibrating rules around how transactions are accepted.
The new measures include so far unspecified reduction targets for card issuers (banks and credit card schemes) – but there is also a bid to have “merchants who record fraud above an agreed industry benchmark being required to use multi-factor authentication, except for exempt (low-risk) transactions.”
Shopkeepers aren’t opposing a tightening of the rules, but they are mightily sick of picking up the tab for ballooning losses.
“Online retailers are the forgotten victims of CNP fraud. The consumer is essentially protected, as they should be. But all roads in the chargeback framework lead to the merchant. Our pure plays have really been struggling with it,” Greenberg told iTnews.
NORA isn’t opposing the new fraud countermeasures, but wants responsibility to be more equally shared instead of merchants just having to “cop it on the nose.”
Part of the problem for online retailers is that institutions involved in payments card issuing and acquiring were “all care no responsibility” and that many of NORA’s smaller members were “really hurting from CNP” fraud, Greenberg said.
The ability for banks to pass through online payments fraud losses dates back to dotcom era regulations when internet purchases were a novelty rather than the norm.
While new multi-factor requirements were “not a bad thing”, Greenberg cautioned that merchants already had strong financial incentives to prevent fraud because they picked up the tab.
If they didn’t actively manage fraud, merchants simply went broke, he added.
“Everyone should have skin in the game, that is the way to cure [fraud],” Greenberg said, adding that NORA had previously called for a “Camp David” style summit to thrash out a workable compromise.
Despite the ongoing liability tussle, Greenberg said he still held “great faith” in AusPayNet and its leadership to “make things happen” in terms of industry self-reform to stave off regulatory intervention.
But he cautioned patience on the regulatory side was unlikely to be unlimited, estimating if there was not a tangible change in 12 months the argument for someone to step in will be far stronger.
Greenberg said that while there was always a chance that a new technology solution could quickly fix CNP fraud, current numbers didn’t indicate technology was having a reductive effect.
Click and brick
The executive director of the Australian Retailers Association, Russell Zimmerman told iTnews that while his group had been working with AusPayNet around introducing a second level of authentication for vulnerable online transactions, what wasn’t wanted was “cart abandonment”.
There were also equity and competition factors to be taken into account in how mandate would be applied.
Zimmerman said it should not be the case that one retailer that competed against another selling the same products gained a clear advantage because of unequal application of a two factor mandate.
“Our position has always been that, if it is going to be mandated, it should be across industries – so if its department stores, then all department stores should be allowed to do it,” Zimmerman said.
Merchants who had already hardened their systems shouldn’t be penalised “if they already have very strong protocols in position.”
We think that this is the right way to be going but we have to have discussions with industry. I’m pleased to see that is occurring.”
The move by AusPayNet to flag the two-factor mandate follows strong noises made by the Reserve Bank of Australia’s Payments System board in February around CNP fraud in February 2018.
Note from that meeting spelled out a clear expectation that a “clear and effective strategy that balances the interests of all stakeholders, including merchants” would be developed by AusPayNet and “finalised within the next six months and implemented soon after that.”
The clock to achieve a reduction in CNP fraud growth before the stick comes out is now officially ticking.