The Independent Community Bankers Association asked 400 community banks a year ago about the most significant challenges they face in their signature debit card programs. Overwhelminglyu00e2u20ac”with a 70% responseu00e2u20ac”they pointed to mitigating fraud.
Fraud has always been a bigger problem for signature versus PIN-based debit cards.
The more forms of authentication, the greater the security, and having two of three formsu00e2u20ac”something you know, something you have, or something you areu00e2u20ac”constitutes extremely strong security. Signature debit cards rely on only one form of authentification.
They are similar to credit cards in that the mere presence of the card is considered a type of authentication. The required signature is intended to give an added measure of security, but generally fails to do so. Thatu00e2u20acu2122s because merchants usually neglect to check if the signature on a sales slip matches the one on the back of the card, and besides eyeballing it, they donu00e2u20acu2122t really have the means for ensuring a match. Plus, their motivation is fairly low since merchants donu00e2u20acu2122t have liability for a transaction as long as a financial institution authorizes it.
PIN-based debit cards, meanwhile, constitute two forms of authenticationu00e2u20ac”something a person has (their card) and something they know (their personal identification number). So itu00e2u20acu2122s not surprising that far less fraud occurs with PIN-based debit cards. According to 2005 research conducted by Dove Consulting, the loss rate for signature debit is about 15 times greater than that for PIN debit, both in transactions and sales volume. On average, issuers lose $1.15 per card a year to signature debit fraud versus only $.04 per card a year to PIN debit. That amounts to $193 million in signature debit fraud losses in 2004 compared to only $8 million for PIN debit.
As bad as that sounds, those numbers still do not compare to other types of fraud. ATM losses in 2004, according to the Dove report, totaled $345 million. And check fraud takes the cake. In the latest numbers available from the American Bankers Association, which examines deposit account fraud, check fraud losses hit $677 million in 2003.
Despite that high figure, checks have the advantage of longevity and consumersu00e2u20acu2122 attachment to them. But debit cards, with their shorter track record, are at risk of being marginalized by consumers who fear they are not to be trusted.
u00e2u20acu0153Itu00e2u20acu2122s a consumer confidence issue,u00e2u20ac says Dan Kramer, senior vice president of marketing and merchant services at the electronic funds transfer network, Shazam. The mass media has been playing up the fraud pitfalls of debit cards, he says, a factor that helped spur Shazam to seek out technology to help its 1,600 community bank members cope with the problem.
Signature debit card fraud is Shazamu00e2u20acu2122s real culprit. The network, which has 5.8 million cards on the street, has experienced a double-digit increase in the number of signature debit fraud attempts in the last three years, Kramer says, while PIN-based fraud remains negligible.
Shazam has just begun implementing neural networking software from Minneapolis, Minneapolis-based Fair Isaac that will analyze every card transaction and offer a prediction on the likelihood of its being fraudulent. The Falcon Fraud Manager system works by pooling transaction data from all its customers to develop the predictive scores. Individual institutions then set their own rules to determine which scores should trigger follow-up investigations on particular transactions.
In investigating its options, Shazam did not find many providers beyond Fair Isaac, aside from some that were much smaller or foreign-owned, Kramer says. u00e2u20acu0153Falcon is it,u00e2u20ac he says. u00e2u20acu0153Theyu00e2u20acu2122ve been in the market a long time.u00e2u20ac
The Falcon system augments the fraud detection systems Shazam already has in place, including such things as expiration date checking and address verifications, and it incorporates all these elements to its analyses. u00e2u20acu0153Falcon marries all these services for us,u00e2u20ac Kramer explains. u00e2u20acu0153Now weu00e2u20acu2122ve got not just one linebacker, weu00e2u20acu2122ve got three.u00e2u20ac
Fraud management is becoming increasingly important as debit card usage rises. The Dove study found that 73% of checking accounts can now be accessed by a debit card, with best-in-class issuers averaging a 91% penetration rate. Active cardholders execute 15.6 point-of-sale transactions a month, 10.6 of which are signature-based and five of which are PIN-based. From May 2004 to May 2005, transaction volume increased for PIN debit transactions by 34% and for signature debit by 30%, the study found, and healthy growth is expected to continue. Issuers projected transaction growth of 22% for PIN and 18% for signature debit in 2006.
The fraud that accompanies all this growth does not attack all institutions equally. Star Networks Inc., a unit of First Data that provides debit card processing services to more than 5,700 financial institutions, has found widely varying rates of fraud at different institutions. Signature debit fraud rates run as high as 11 basis points (based on purchase volumes) to less than one point, depending on the institution, according to Beth Lynn, Star Networku00e2u20acu2122s senior vice president. PIN debit fraud rates range from six points to one-tenth of a point, she says.
The dramatic differences point to a need for institutions to analyze the type of fraud they are dealing with. u00e2u20acu0153If a financial institution has higher-than-average fraud losses, thereu00e2u20acu2122s usually one particular type of fraud theyu00e2u20acu2122re being hit with,u00e2u20ac Lynn says. For example, if the volume of international ATM transactions is unusually heavy, the bank likely is a victim of phishing, a scam in which customers are duped into giving their card information to fraudsters posing online as legitimate service providers. With that knowledge, the fraud can be stopped almost immediately through some simple controls.
But the number one problem institutions have in tackling fraud is the ability to analyze their transaction data to uncover the type of fraud theyu00e2u20acu2122re dealing with, Lynn says. Part of the problem is the siloed nature of payments. ATM card processing may be handled by a different system or vendor than signature debit processing, for example. Plus, institutions often do not have historical transaction data that would let them analyze what has changed and by how much. u00e2u20acu0153The biggest challenge is analyzing and understanding whatu00e2u20acu2122s going on, and picking what you want to attack first,u00e2u20ac Lynn says.
Community banks, most of which hire outsourcers to handle their card processing, are likely to rely on them for fraud detection services as well. But fighting debit card fraud takes a commitment beyond just signing up for a monitoring service.
Once a potentially fraudulent transaction is detected, a certain amount of follow-up is required. Cardholders must be contacted to verify whether fishy transactions are legitimate or not, and cards that have been compromised must be blocked.
And there is no time off. Fraud needs to be monitored and dealt with 24 hours a day, seven days a week, says Mike Urban, fraud technology operations director at Fair Isaac. u00e2u20acu0153Fraud can occur at any time from any part of the world,u00e2u20ac he says, adding, u00e2u20acu0153Criminals are more apt to attack on the weekend.u00e2u20ac
Fair Isaac and the regional networks that offer its Falcon software do not offer any guarantees that fraud will be eliminated. Urban says a plain-vanilla installation should result in a 25% to 30% reduction in fraud. Kramer says he expects Shazamu00e2u20acu2122s implementation of Falcon to prevent about 50% of its fraud cases.
Much depends on the rules that individual institutions adopt regarding questionable transactions, Lynn says. A conservative institution, for example, might set a low bar to determine which transactions should be investigated. While a lot of fraud would be caught, some number of those would turn out to be legitimate transactions, thus potentially causing some customer dissatisfaction, she notes. u00e2u20acu0153Falcon detects the majority of fraud cases,u00e2u20ac Lynn says. u00e2u20acu0153Whether it can stop fraud depends on how the financial institution sets up the rules.u00e2u20ac
While signature debit is the current cause of concern, experts foresee the day when PIN debit will be more of an issue for community banks. Criminals are eagerly exploiting the opportunity phishing has opened up to obtain PINs. In 2005, phishing far surpassed any other type of PIN fraud, Urban says. With a stolen PIN and a counterfeit card criminals can hit an ATM and achieve the ultimate goalu00e2u20ac”cash. u00e2u20acu0153By doing the extra work to get the PIN, they have the opportunity to get something much more valuable,u00e2u20ac Urban says.
To date, most phishers have targeted large banks because they are assured a higher number of hits. u00e2u20acu0153The bad news for community banks is that in the last year, every large financial institution we do business with has implemented a neural scoring system,u00e2u20ac Lynn says. u00e2u20acu0153As with any kind of fraud the criminals will start looking for weaker links, so community banks will become more of a target.u00e2u20ac