CREDIT CARD FRAUD Tony Kowalewski, Bluerock Consulting Ever wondered why UK credit card losses are higher than those of Europe? Sure, credit card usage is very high in the UK but that's not the reason. Neither is the impression that UK fraudsters are better at it - actually they aren't. Average basis point losses (bps) is the standard measure against which all issuers compare performance, but is merely performing better than the average place you want to be? Some domestic issuers have extremely good fraud defences. More importantly however, some don't and are in fact downright poor. The worst culprits have the effect of pulling up the average. And this is one reason why the UK average bps losses are so much higher than in Europe. So why are some card issuers so poor at preventing fraud? It is of course a fact that once credit cards became popular in the USA, the UK led the way in Europe in adopting what was then a new payment method. Over time, the systems used by those card issuers have become comparatively old and inflexible, meaning that trying to adopt new methodologies can become expensive and painful. Trying to integrate the new fraud prevention tools that are available with ageing heritage systems is sometimes far from plain sailing. Additionally, if the card issuer is part of a larger retail banking group, it has to compete for investment with other parts of that group. Sounds familiar? In Europe, (and especially Eastern Europe) clunky old legacy systems simply didn't exist and so new issuers there started life with a virtual blank piece of paper upon which to design leading edge processes based on the latest available, state of the art systems. So there's one reason why some UK issuers simply don't measure up to their European counterparts. A little too simple actually. Read on. Systems issues are all too often blamed for poor performance, not just in relation to fraud management but for all kinds of risk issues from poor operational risk controls all the way through to the coffee machine being out of action. It's just too easy to blame a lack of investment in systems for the ills of card issuers with poor loss records. What it really boils down to is lack of appreciation at the very top of the potential payback that can be brought about by employing a dynamic, pro-active fraud strategy based upon a well researched cost/benefit argument. To begin to persuade the executives with responsibility for the purse-strings, you have to do some homework first. But before you can even begin to think about creating a proactive fraud strategy, what about the risk appetite of the organisation? The balance between fraud prevention and customer satisfaction is a fine one. Be too aggressive and your best customers (and don't forget of course, they are the overwhelming majority) may walk to your competitors. Too passive and you become targeted by the organised fraud rings that can decimate profit performance, literally overnight. And so defining risk appetite becomes the cornerstone of the issuer's fraud risk strategy. You need to know how much money your organisation is prepared to lose to fraud, understanding not just the direct impact on profitability but the indirect impacts too. Do you have such a strategy? So once you have defined your risk appetite, you can then go away and design a strategy that involves the use of a mix of tools. I will talk about systemic controls later but to rush out and buy the latest gismos at this point would be foolhardy. But quite how do you determine what controls need to be improved? The answer is - risk analysis. Both Mastercard and VISA conduct risk review/audits on their members. If you are really unlucky, they are imposed upon you simply as a function of the fact your bps losses are so bad! All too often, organisations view these reviews as an obstacle to be overcome and to be dispensed with as quickly as possible. Wrong answer!! Those organisations with a proactive approach to risk management actively invite the schemes to perform such reviews regularly. By laying their souls bare to such scrutiny, they are saying "how can we improve still further?" These are the issuers whose bps losses are amongst the best and are nowhere near the average UK losses. These reviews, as well as your own risk assessments can help to identify exactly where your investment should be. And they needn't all be system related. Many procedural issues can be identified too, that when compared with best practice represents a threat to profitability. A good example might be the challenge process used when cardholders dispute spend. The strength of this challenge is directly related to fraud losses. No system changes € just good old common sense. Relying on scheme audits alone though, is not to be recommended € the availability of their risk management audit teams is often limited. Don't be afraid to use consultants with proven track records in this field. Internal fraud too is - whether we like it or not - a serious contributory factor to overall losses. It is reckoned that 60% of all declared credit card fraud losses are attributable to staff dishonesty. Sounds over the top? Ask those organisations whose contact centres have been infiltrated by fraud gangs. Once again, systemic control solutions are not the whole answer. You don't need a system to remove the use of e-mail from non-essential users or to ban the use of mobile phones in operational areas. Yes, systems help but they are not the be all and end all. In a similar vein, if you outsource any part of your card business are your partners trusted? And by that I mean have you devised a trust model against which you can formally grant (or otherwise!) trusted partner status? If not then think on and think Basel II as another good reason why you should. It may save a small fortune in preventative measures if they are formally recognised as organisations with effective risk controls. (Last month in The Buerock Review, Tim West wrote an article warning of the dangers of ignoring Basel II any longer € log onto our website to download a copy if you didn't receive a copy). And so to system based fraud controls. Falcon from Fair, Isaac is the undisputed king of the transaction fraud detection world. Used in real time mode it can actually prevent fraud losses by declining transactions at point of sale. Back up an implementation of Falcon with some top-notch optimisation modelling by Fair, Isaac and potentially, you have an excellent foundation on which to build. Bolt Adpetra's "Just In Time" solution to Falcon and you have the capability to confirm spend on many thousands of suspect transactions without the need to employ dozens of extra fraud investigators. The power of Falcon's neural network based solution with a powerful outbound dialler/IVR system in the shape of Just In-Time is a very powerful combination, as ably demonstrated by several U.S. card issuers. Application fraud is one way in which fraudsters may change their habits when Chip & PIN is rolled out. Some of them may decide to concentrate their efforts on obtaining a "real" card instead of counterfeiting one (or many!). Those organisations that don't use fraud scorecards such as those developed recently by Jaywing or Experian's Detect software are in very real danger of having their fingers burned. In the same way that the Radio Times isn't the only listings magazine available, there are several other clever software options available in the market of course! But I can just hear you say "Yes but my steam driven systems just won't interface with these things". Are you sure? Interface technology has improved beyond all recognition in recent years and you may be pleasantly surprised by just what is possible. And of course, you will be right to say "ah, but that's not cheap". But then again, the cost of fraud isn't cheap either. I have heard it said that there is no crystal ball available to predict where fraud losses are going to come from. That may be true - but only partially so. Some organisations have set their maths PhDs to work on modelling the data they get from systems such as Falcon. What they've succeeded in doing is develop models that won't necessarily prevent fraud from occurring in the first place but what they can do is to identify quickly when a fraud attack is happening and prevent it from getting any bigger. To achieve this kind of capability requires an attitude to risk at the very top that is truly pro-active, (as opposed to the traditional approach which is reactive) and supports innovation. For some, this may be too large a leap of faith compared with the capability they have today. But some have already gone down this route and - it works! There is only one way of avoiding fraud losses completely and that is - don't issue any cards. Simple eh? Not much profit to be made there though. So in summary, what do you need to do to move away from being an average performer? € Conduct a full scale detailed risk analysis of your card operation. € Follow that up with an assessment by an independent consultant to validate your findings or ask them to do it for you. € Determine your organisation's fraud risk appetite. € Create a fraud strategy and again € get it validated by an outside source. € Research the availability and potential of systemic solutions. € Complete a cost/benefit analysis of the potential solutions that will mitigate the risks already identified. € Obtain top-level support internally that will support the investment costs of your change programme. € Then do it! Counterfeit Card Fraud Losses on UK-issued Cards.