Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
December 7, 2015
Inquiring Minds Want to Know More about Card Fraud
As I described in an earlier post, while doing research on expanding card fraud data collection in the Fed's upcoming 2016 triennial payments study, I came across a gap in publicly available detailed fraud data for the United States compared to what is available in other countries. Fortunately, prospective survey instruments accompanying the Federal Reserve Payments Study posted in the Federal Register for the upcoming study promise to remedy the problem. In particular, the Networks, Processors and Issuers Payments Surveys lists the following fraud classifications; I've included capsule descriptions for each.
- Lost card: Fraudulent payments result from the use of a lost card.
- Stolen card: Fraudulent payments result from the use of a stolen card.
- Card issued but not received: Fraudulent payments result from use of an intercepted new or replacement card in transit to a card holder.
- Fraudulent application: Fraudulent payments result from a new card that is issued based on a falsified or stolen identity.
- Counterfeit card: Fraud is perpetrated at the point of sale by someone using an altered or cloned card based on card account details fraudulently obtained.
- Fraudulent use of account number: Fraud is perpetrated remotely (that is, via phone, mail, or Internet) using card account details fraudulently obtained.
- Other (including account takeover): All other fraud not covered above. In particular, "other" covers a form of identity theft whereby an unauthorized party gains access to and use of an existing card account.
The last triennial payments study (2013) used a bifurcated classification, distinguishing only card-present and card-not-present fraud across various card payment types. If in its place we used a more detailed classification system, it could offer a richer understanding about whether fraud was perpetrated by gaining possession of an existing card, through a data breach, or through identity theft.
But even this level of specificity may not be enough. If we were to use only the detailed classifications I provide above to map card-present and card-not-present fraud data, we still might assume that card-present fraud encompasses all fraud except for fraudulent use of account number. So by extension, what is excluded must represent card-not-present fraud, right?
But we should not be so hasty in making such assumptions.
The rub is that how each fraudulent payment is classified can depend on the case management system the issuing bank uses. For example, suppose that the skimming of a card results in the rightful card holder reporting 10 fraudulent payments. Two payments are made at the point of sale and the other eight payments are made online. Using the definitions above, some case management systems would treat all of the payments as counterfeit card while other systems may flag two as counterfeit card and the others as fraudulent use of account number. Flagging all 10 of the payments as counterfeit card would lead to overstating the number of overall card-present fraud payments at the expense of understating card-not-present fraud. Without additional detail on where the payments were initiated, we would be uncertain about the shares of card-present and card-not-present fraud.
So given the tradeoffs and trying to anticipate fraud reporting needs in the future, would it not be better to retain and possibly improve existing measurements of fraud while offering other complementary measurements to fill in the gaps? Making this more concrete, I proffer that we should be interested in the distribution of how the card or card information was obtained using the categories above as well as how the fraud was perpetrated by card entry mode and card verification methods. Being specific on the latter, we could report on fraud based on chip versus nonchip cards, point-of-sale payment versus remote payment, signature versus PIN authentication methods, and so forth. In fact, a closer review of the updated survey instruments for 2016 reveals that both survey approaches are in fact what is used.
What suggestions do you have for classifying card fraud data? All comers are encouraged to respond to the Federal Register Notice.
By Steven Cordray, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
- Will Payments Be Getting REAL?
- Financial Solutions for the Younger Generation
- Encouraging Password Hygiene
- Should We Throw in the Towel When It Comes to Data Breach Prevention?
- Looking for Partners in Safer Payments
- The Range of Un-Friendly Fraud
- Payments Webinar October 10: Cash in the 21st Century
- "Insuring" Ransomware Will Continue to Flourish
- Designing Disclosures to Be Read
- Is There a Generation Gap in Cash Use?
- November 2019
- October 2019
- September 2019
- August 2019
- July 2019
- June 2019
- May 2019
- April 2019
- March 2019
- February 2019
- account takeovers
- ATM fraud
- bank supervision
- banking regulations
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- credit cards
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- financial technology
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- online retail
- Payment Services Directive
- payments fraud
- payments innovation
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- skills gap
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workforce development
- workplace fraud