In September last year – the ECB produced its first report on Card Fraud since 2015. It is unusual to see a public report that covers all of Europe and there are some interesting viewpoints to be taken from it. And despite the gap in production (and that
it relates to data up to 2016 only), it's very clear that Payment Card Fraud is still very much on the increase.
Within the statistics, one in particular caught my eye – the number of cards in every 1000 cards issued that had seen fraud. Within the SEPA region, in 2013 there were 11 cards that saw fraud in every 1000 cards issued; in 2016 that has doubled. And some
countries have seen larger increases than that in percentage terms.
For example, Ireland saw 17 cards with fraud on every 1,000 cards issued in 2013, and by 2016 this had increased to 47 cards per 1,000 cards, an increase of 176%. Other mature card markets, like the UK and France have seen similarly large increases – but
the smaller markets like Finland, Portugal, Romania have seen even larger increases in terms of percentage values (Finland saw 5 cards per 1,000 seeing fraud in 2013 compared to 18 in 2018, while Portugal saw 2 cards per 1,000 in 2013 compared to 15 in 2018).
So what is behind the increase – and why has it happened? Looking deeper into the historical statistics, CNP is unsurprising still the biggest driver; if you look at European fraud statistics for the last 10-15 years, CNP fraud levels have probably risen
year on year in that period. Given the popularity of internet based purchases this is not necessarily a surprise, however, across the region the volume of fraud (in terms of the number of Transactions) in 2016 was significantly higher than the preceding years,
driven by CNP and POS fraud on cards issued within the SEPA. Indeed, Portugal was the only country not to report an increase on CNP fraud, but rather an increase in POS Transaction Fraud. However, the value of Fraud lost across the SEPA region has decreased.
So what is now the market trend for card fraud – is it that we are now seeing focused fraud attempts, perhaps at a lower value but an increased volume? Or is it purely the increase in online transactions – including mobile and browser based transactions?
Using other sources of Data – in particular the annual fraud statistics from the UK Finance organisation – we can see that the level of e-commerce fraud during the same period as the ECB reports backs up the increase of e-commerce fraud – in the UK at least.
From 2012 to 2016 the annual growth in e-commerce card fraud has been anywhere between 15% and 36% year on year; from £140m (€160m) in 2012, to £310m (€355m) in 2016. Only in 2017 has the growth rate been flat for ecommerce fraud – virtually identical to 2016
at £310m (€355m). To further support this – the Banque Observatoire in France have seen an increase in e-commerce payment card fraud; from €109m in 2012 to €146m in 2016.
The increase in additional digital payment channels plays a part in this – in that payments and purchases are made via internet browser, mobile browser and app. Factor in that organised crime and fraudsters will vary their techniques to attempt to stay at
least one step ahead of the fraud prevention teams at cards issuers and merchant acquirers – either through pure account takeover, continuous payment authority scams, test transactions etc.
This means that there is a need for Payment Institutions to use multiple techniques to prevent fraud; for example
- Machine Learning and Behaviour Analytics to identify unknown or exceptional behaviour on accounts/portfolios that has not been picked up by specific rules
- Rules to target known threats and behaviours that could indicate fraudulent activity
- A combination of the above techniques to create a hybrid monitoring solution
By applying multiple techniques and strategies, payment institutions are then able to focus on their false positive rates to reduce the level of impact to their customers through misidentification of potential fraud and the temporary stops or holds placed
on cards. If those institutions can also be reactive enough to change those strategies as threats changes – then there is a much better opportunity to reduce fraud levels, by being as flexible as the fraud perpetrators to counter their actions.