When the banking Royal Commission final report drops shortly after this piece hits the web, there will be acres of copy about greed, governance failures and a corporate culture in financial services that has arguably resulted in regulatory capture.
There will be buckets of blame tipped from great heights, the predictable ‘swift and comprehensive response’ from the federal government and a great collective atonement for the multiplicity of sins uncovered.
As the late Northern Irish comedian Dave Allen once beautifully put it, there will be "a great wailing and gnashing of teeth."
Yet for all of the high drama on the witness stand and heart-wrenching case studies with damning revelations, at iTnews we’re betting one of the prize rocks of banks behaving badly will be left unturned, if only for reasons of expediency and limited resourcing:
That rock is what's really happening in Australia with online credit card fraud and who really pays.
The short answer is not the banks – and in 2019, in an economy where most payments have been digitised, or soon will be, that just shouldn’t pass regulatory muster and will once again be left to the Reserve Bank of Australia to try and clean up.
The situation as it currently stands looks like this:
Merchants (shops or businesses who sell stuff online) buy payment processing services from banks or authorised payments processors.
Banks, in conjunction with big card schemes Mastercard and Visa, issue consumers with credit cards or debit cards (that ride on the same rails as credit).
Along the way, thanks to historically clunky and difficult security, card numbers get stolen, cloned, compromised and are used to make fraudulent transactions.
And then, after paying the bank for a payment facility that is supposed to be able to weed out a compromised card, fraudulent transactions are put through with the cost of the loss passed through to the merchant rather than absorbed by a bank or a card scheme.
Put simply, as a business you pay a bank for a service to keep your funds and transactions secure, you get ripped off because they have dud security and you have to foot the bill.
It’s not hard to see what’s wrong with the picture.
It’s not a new problem either, which, along with the fact that banks and card schemes go out of their way to make it as hard to understand as possible, is one of the reasons it’s easy to miss.
At the moment, online card fraud in Australia, dubbed ‘card not present fraud’, racks up close to $500 million a year in losses. It's a big bill and it's getting better.
Consumers are indemnified, so banks instead sheet the losses back to the businesses who got robbed. And they do it with the full blessing of the card schemes who make billions each year taking a clip out of the transactions.
Ever seen a credit card scheme come out and say banks should cop the loss and indemnify merchants? Me neither.
Aside from the headline fraud volumes – which will be understated because not all merchants will bother reporting the losses because they know they are unlikely to ever see the money – it’s impossible to get a reliable figure on what, if anything, the banks are copping rather than passing through.
The reason banks are allowed to do this pea and cup trick is largely historical rather than malevolent. In the early days of the web, and we’re talking the turn of the millennium, most online transactions were risky. Think pills, risqué content and poker.
Online credit card transactions were essentially treated like mail order transactions: if the merchant had dodgy customers, they could wear the risk.
Two decades later and the same regulatory code applies, even though the economy has flipped from bricks and mortar ‘card present’ to online ‘card not present’. It’s Amazon, it’s Qantas, it’s most things you buy. The economy flipped but the rules didn't.
Now, because payment card security is hard, complex and sometimes eye-wateringly dull, it successfully resists change that should have happened 10 years ago. And it’s completely opaque.
Had there been time, Royal Commissioner Kenneth Hayne would have done well to put on the stand some of the thousands of businesses dudded by a bank payments service that let a bad card number go through.
It would go something like this:
Counsel Assisting: “You believed that because you paid the bank a monthly fee and a proportion of the transaction, the payments made to you would be legitimate and not counterfeit.”
Shopkeeper: “Yes, in the same way that they guarantee over the counter transactions.”
Counsel Assisting: “So you applied to get the money back and what happened?”
Shopkeeper: “They just refused and then said I had to upgrade my payment terminal at an extra cost.”
Counsel Assisting: “Did you ask if that would indemnify you?”
Shopkeeper: “Yes, they said it would depend on the circumstances.”
The real problem for the community is that when regulators continue to allow banks to pass through losses to merchants it removes the incentive for them to fix the problem. It's not their problem.
Because merchants are at the mercy of banks, an abusive cycle takes hold where fraud losses are systemically obfuscated and buried by foisting them on those who can’t fight back.
With the exception of mortgages, many of the atrocities the Banking Royal Commission uncovered were not core banking: insurance, wealth management, fees for no service etc.
Payments and everyday card transactions are at the very core of banking.
The decision not to probe card fraud is a significant omission and a key opportunity for positive systemic reform for the public good lost.
And it will make the RBA’s job of lancing the boil and cleaning up the mess that much harder.
In the interim, systemic trust will continue to be eroded, one bad transaction at a time.