At the UK Card Association autumn reception, which was rather splendidly held on the walkway over Tower Bridge, giving an excellent view of the city of London by night, forum friend Melanie Johnson, the Chair of the Association, gave a super talk about pickpockets and prostitutes and there was much good cheer. Melanie used to be a politician but she's really nice and it was a pleasure to see her again. In her talk she mentioned that the industry has had some success in reducing card fraud, but I feel that she missed the opportunity to celebrate a tremendous milestone in the evolution of our card payments industry. So let me do it for her…
I couldn't resist raising a glass of the champagne so liberally supplied and making to a toast to our friends across the water. Yes, the UK is no longer the card fraud capital of the continent. France has overtaken us and, as the chart below shows, while there's a really big drop off to the number three position, we should be pleased to be number two for a change.
In France, overall fraud losses have risen by two-thirds in the last five years, with the highest lost-and-stolen fraud levels in Europe. Although fraud is rising in the UK (up 14% last year and up even faster in the first half of 2013) it is still below its historic high.
The number of frauds against plastic card accounts (e.g. credit or store cards) rose by 19% in first half of 2013 compared with the last six months of 2012. Frauds targeting loan products (personal unsecured loans and payday loans) also increased markedly over the same period.
Despite our sterling efforts (sic), it is Russia that has the fastest card fraud growth rate. Overall, card-not-present fraud is booming everywhere, but the UK issuers have spent a lot of money on fraud detection, as evidenced by the phone calls I get from my issuers from time to time. I get robocalls from my bank asking me to confirm transactions (some of which, if I recall, were chip and PIN transactions), a chap from an issuer asking me if I used my card for something or other online which I couldn't remember but turned out to be a shareware licence fee (which, as I recall, was a chip and PIN transaction) and a message asking me to call Amex to see if I'd used my card in Detroit car wash (I hadn't, and my new Amex card arrived yesterday).
You can see how, from the card industry point of view, things aren't too bad. According to the UKCA's annual report for 2013, fraud on UK-issued cards is a touch over six basis points (a decade ago it was over 13 basis points) so the investment in chip and PIN has worked. But this is a narrow analysis. Yes, chip and PIN has made some impact on card-present fraud (although criminals are coming up with ever more sophisticated scams to get hold of cards and PINs), and yes, significant industry investment in various types of fraud prevention and detect systems has stopped card-not-present fraud from zooming off the scale, but this has been at the expense of other stakeholders. The costs have been transferred to merchants and consumers and law enforcement.
If we were keeping a lid on fraud, then all of these costs (e.g., PCI-DSS costs) could be justified and (perhaps shared more fairly) sustained. But they are not. Fraud is going up and the cost of fraud is going up too. LexisNexis reckon that every dollar in fraud loses merchants almost three dollars in total costs. When we as industry add up the total costs of fraud, the costs of fraud prevention and the associated costs that fall on others (e.g., the cost of handling chargebacks) then the picture is not so rosy. Chargebacks are a particularly interesting case: I mentioned before that the most interesting panel that I attended at the CNP Expo this year was the one about chargebacks. I suppose like a lot of people in the payment space I don't spend too much time thinking about the retailers' issues with chargeback management, but these costs are high.
Results of the LexisNexis Fourth Annual True Cost of Fraud Study drive home this point. Conducted by Javelin Strategy & Research, the study calculates the overall cost of chargebacks for merchandise, as well as fees and interest paid to financial institutions and processors to replace and redistribute lost or stolen merchandise. In 2012, that cost worked out to $2.70 for every $1.00 in fraudulent transactions, up from $2.30 in 2011, and that doesn't count costs associated with lost business.
The costs are not distributed evenly, as you might imagine.
Merchants hardest hit by card fraud are those with mobile, e-commerce and international transactions, the LexisNexis report revealed. In 2012, mobile merchants paid $2.83 for every $1.00 lost, compared to just $2.00 in 2011.
At that expert panel on Best Practices for Chargeback Management, I learned a lot about the nature of these costs. For example, I learned that criminal fraud using stolen credit card information is the most visible source of chargebacks for merchants, and the most prevalent kind of fraud. Jim Rice, director of market planning for LexisNexis, said during the session some two-thirds of a US merchant’s fraudulent transactions, on average, originate from professional fraudsters using stolen credit-card information. It is just too easy to steal card data and then go and use it. But there's a growing problem for merchants in "friendly fraud", where a cardholder or accomplice makes a card-not-present purchase, receives the goods and then calls the card issuer or merchant and claims he never received it. Rice noted that friendly fraud accounts for a fifth of all fraudulent transactions and that it is more costly to merchants than traditional criminal fraud because it is more expensive to investigate. Jim also pointed out that sometimes chargebacks are not the result of nefarious actions on the part of outsiders at all but stem from the operational processes of the retailers themselves. In fact, an otherwise healthy merchant can expect more than a fifth of their chargebacks to be caused by business process failures.
I think that latter problem is going to get worse. It happened to me a while back when I saw a charge I didn't recognise on my card statement and called up to put it into dispute. It subsequently turned out to be a perfectly valid charge, but it was for a transaction in Spain (where I had been) that was acquired through a French parent company leading to a reference that meant nothing to me. While I was puzzling over the charge ("What is this? I didn't go to France last month") and pointlessly clicking on the online statement for more information (there wasn't any – my issuer knew no more about it than I did). Hopefully, when we get working digital wallets, this problem will go away because my wallet will link the charge and the receipt for me.
In the last two decades we've stuck some band-aids on cards and shoehorned them into new channels while avoiding fundamental changes to the legacy infrastructure. It's time for change. We need to start work on post-internet infrastructure that reduces the costs of fraud and shares those costs fairly across the stakeholders in proportion to the risks that they are prepared to take. Some retailers might prefer a high risk, low cost option (rather like they do in Germany) whereas other might prefer a lower risk but higher cost option. I might mention this idea to a few people at the Merchants & Payments Conference in London in October. Consult Hyperion are one of the sponsors for this excellent event (I've had a heads up on the delegate lists and I'm really happy to see so many merchants coming along – it signals to me that payments have become interesting to them again) and I'm looking forward to chatting to John Lewis, IKEA, Carrefour, Aurora, Waitrose and others to find out what they want from the next-generation payment products. See you there.