Over the last few months I have been investigating and writing about consumer initiated fraud. I have been defining the issue, giving recent examples of the issue, providing data about the issue and demonstrating that it is a known issue and has been for quite some time.
Along with providing to you a solid foundation of understanding regarding the issue of consumer initiated fraud, I am going to propose some ideas on ways to actually tackle the issues that exist.
If the card associations and regulators can tout setting chargeback ratios and penalties for those merchants and acquirers who exceed those thresholds as successful in combatting fraud, then the same structure should work on the issuing banks.
To sum up my previous conclusions, consumers lie and steal at a rate that easily surpasses the restrictions for fraud placed on merchant accounts, online transactions suffer from a lack of systems that can guarantee the identity of the person entering the transaction information, online purchasing is targeted by fraudsters with computer programs to find and use card numbers and finally, merchants, the most impacted party, must bear responsibility for addressing this fraud as there is no incentive for anyone else in the chain of the transaction to take corrective action.
Issue 1: Online transactions suffer from a lack of systems that can guarantee the identity of the person entering the transaction information.
The ideal solution is that a system is developed which positively identifies the consumer and provides the proof that the consumer does, in fact, have the authorization to use that payment method. This is a very tall order, especially for an online transaction. There are companies in the marketplace which attempt to address this issue by performing some check on the consumer’s system, or take a snapshot of their credit card, running pieces of the data through databases, but none of these checks guarantee that the consumer is who they say they are or have the right to use that payment instrument.
Further, this is an additional cost to the merchant and there is no guarantee that this will result in a legitimate consumer. The only tool out there is provided by the card associations through their Verified by Visa and MasterCard SecureCode that provided the consumer jumps through all these hoops and eventually successfully transacts with the merchant, the merchant is off the hook for the consumer claiming the transaction was unauthorized. Any way you look at these solutions, it is the merchant again who is being forced to forgo sales in hopes that they are eliminating the bad transactions and not the good ones.
I think the relevant question here is, Does it make sense to have a chargeback ratio that is the same for all merchants and transaction types? At a minimum, a utility company, a mortgage company or even a property management company should be held to a much stricter set of rules then an ecommerce merchant. The first solution is to provide a different ratio standard for e-commerce merchants. This is not challenging to implement because ACH has a WEB designation on their transactions and the card associations have a Merchant Classification Code that designates the merchant type resulting in the classification already being clear.
Issue 2: Consumers lie and steal at a rate that easily surpasses the restrictions for fraud placed on merchant accounts, It is unrealistic to think that consumers will stop lying and stealing, especially when there is no real consequence for so doing. There is only the reward of getting something for nothing and their money back.
I believe that there are two actions that can take place to assist with this issue.
First, the majority of consumers simply want their money back and they do not want to call the merchant because that is like lying directly to someone’s face … which, for the most part, is still taboo. But if there were a return reason code that was not considered merchant fraud but more along the lines of buyer’s remorse or account misuse then everyone would be happier as the consumer would get their money back in the first call, the issuing bank keeps their consumer happy, the card associations still wave their “secure network” flag and the merchant wouldn’t have to bear the additional negative consequences that a chargeback creates. Keep in mind that the merchant still bears the financial implications of each negative sale on their business.
The second action has to be that every time there is a transaction that is returned as unauthorized or fraud, the consumer’s payment account has to be terminated and they have to get a new one. How perfectly suitable is that solution? If you really did have an unauthorized transaction on your account, then you and your bank should be very keen to shut down that exposure. The consumer incurs the additional headache of updating any automatic or stored billing options they have with others, and the waiting period for the new cards and checks but their account was compromised … isn’t closing the account and opening a new one the responsible thing to do? If someone stole their house keys, I bet they would change their locks, even if they knew the culprit. Issuing new accounts also costs the issuing bank money as they have the administration and the physical costs associated with account setup! Further, those nasty merchants and fraudsters would not have the new account information so the consumer’s and bank’s money and reputation are all safe and sound.
Issue 3: Online purchasing is targeted by fraudsters with computer programs to find and use card numbers.
This is a real problem for everyone who owns a business, a payment instrument, or the banks themselves. There is a lot of private enterprise out there creating great technology to address this issue and help merchants discover that a consumer is potentially fraudulent but as the systems get smarter so do the fraudsters and it is their business to crack the code to continue making money. As a result, this has to be a joint effort with the banks as it is only the banks that actually know if the account number is valid, if the name (or other data) on the transaction matches the account owner and if there are funds in the account.
The only realistic action is to have a different standard set for chargeback and unauthorized transactions on ecommerce merchants as described earlier.
Issue 4: Merchants must bear the responsibility for addressing this fraud as there is no incentive for anyone else in the chain of the transaction to take corrective action.
It is time for the regulators and card associations to return some balance to the networks. If the card associations and regulators can tout setting chargeback ratios and penalties for those merchants and acquirers who exceed those thresholds as successful in combatting fraud, then the same structure should work on the issuing banks. It is my belief that the consumer’s banks should also have to stay under a given ratio of chargebacks or unauthorized transactions that they initiate. After all, it is the issuing bank that takes the call from their consumer and processes the complaint that leads to a chargeback.
To support this concept, I analyzed a year’s worth of return data for ACH transactions. I grouped the return data into three groups: NSF, Invalids and Unauthorized. I then calculated the ratio of each banks returns to see the split of the three groups against their own returns. You would hypothesize that the ratios would be similar across the majority of banks. What I found was enlightening. The biggest banks in the nation generated twice as many unauthorized transactions compared to the average of all the banks.
One can postulate that those banks are getting their consumers off the phone, as quickly as possible, as happy as possible. There is a cost to customer support and those banks are motivated to keep those costs down. There were two notable exceptions though. The first was the bank that also was the originating bank. This bank had a balanced view of the situation because it would be their merchant they would be penalizing from their consumer as they are both banks in this scenario and thus responsible to the regulators for what they, as a merchant account provider, generate into the network.
The other exception was a large credit union where it was apparent that they took the time to know their consumers and caught true fraud as it happened and due to the personal relationship, consumers were less likely to lie to them regarding transactions.
Every solution which I have proposed would be easy to implement, would help address the problem and would not create too much of a burden on any one entity. However, I doubt that any of these items will ever be implemented. The reason is quite simple: there has been no merchant group to date that has banded together to stand up and say, enough is enough. There is no access to information for an individual merchant to really understand how big a problem this is, so as a result e-commerce merchants devise ways to be able to operate within the gray area of the rules so that they can mitigate the results of the all-too-unbalanced power of the issuing bank and its consumer. Quite frankly, who can blame them.
L3 Payments, along with other providers, is dedicated to providing merchants with the tools and knowledge to successfully operate within the current environment as well as provide a reasonable, experienced voice at industry groups and to the regulators to help maintain some sensibleness in the payments networks. In this continued effort, I welcome your stories, experiences and findings.
Melody L is chief operating officer for L3 Payments.