20 October 2017
Niall Hogan


Niall Hogan - Touchtech


Transaction Fraud Systems and Analysis

A community for discussion of transaction fraud systems and analytical techniques for bank card and financial services organisations.

EBA Sets Tough Rules On Online Payments Fraud

01 March 2017

The final PSD2 draft regulatory technical standards (RTS) issued by the European Banking Authority last week clearly set out the very limited circumstances in which risk-based assessments may be used in authenticating online transactions. The standards are much more stringent than many had hoped after EBA Chairman Andrea Enria revealed in a speech in London that "transaction risk analysis" would be permitted.

What the final draft RTS sets out in Chapter 3 and elsewhere is that banks may run risk-based authentication so long as fraud remains below certain defined levels for five set payment and transfer value bands. Online payments below €30 will certainly not be subject to strong customer authentication while payments over €500 certainly will. Payments between these amounts (at different bands of up to €100 and €250) have been assigned set fraud thresholds. This will create 10 different risk profiles across cards and credit transfers that will have to be managed by banks.

Banks which breach the stated fraud levels will be forced to turn off exemptions and strongly authenticate all transactions until the institution is deemed to have come back into compliance. The final draft RTS sets out a quarter-by-quarter mechanism for analysing fraud rates and reprimanding banks that exceed them.

Overall, the RTS set out that banks will no longer decide themselves what their tolerance is for customer payments fraud. Under the new standards, banks are being told what acceptable rates of fraud look like and that if they breach these rates, they will be forced to adopt strong customer authentication for all transactions until their fraud record comes down below the acceptable threshold.

A major, but often overlooked, implication of PSD2 is that the prevalence of risk-based solutions on the Issuer side will increase issuing banks’ fraud liability by as much as 10 times. Completely frictionless authentication on the Issuer domain makes it likely that the majority of merchants who currently disable 3-D Secure to avoid shopping cart abandonment will begin to enable it.

Because fraud liability is shifted to the issuing bank when a merchant enables 3-D Secure, and because as few as 1 in 10 merchants currently enable this protocol, banks’ liability for online retail fraud will be effectively multiplied by 10 when the remaining 90% of merchants follow suit.

The existence of risk-based solutions on the Issuer domain makes merchant-domain authentication next to obsolete, since merchants have no downside in terms of fraud liability or user experience in passing the burden to the bank. Since fraud liability requires an increased capital requirement (an already pressing challenge for banks), the question must be asked if now is really the time for banks to choose low friction, risk-based solutions over the more robust Strong Customer Authentication which the EBA has clearly outlined and continues to view as the standard rather than an exception.

Perhaps this is why the EBA has been so stringent in setting tough standards for online payments and defining clear negative consequences for failing to meet the new fraud thresholds.
