Is My Bank Alone in the Fraud Fight?
By Kathy Keneborus
BJ’s Wholesaler was the first of many merchant breaches (early 2004) involving debit card information. The Maine Association of Community Banks and the Maine Bankers Association, along with representatives from other New England banking trade associations, joined together to establish the New England Debit Card Task Force (NEDCTF). The Massachusetts Bankers Association has provided leadership to the committee and has arranged regular meetings of the task force. The goal of the task force is to investigate issues surrounding debit card fraud and to assist New England banks in fighting back against debit card fraud. Over the past eight months, the task force has met with security experts, law enforcement officials, representatives of the various debit card processing firms, and representatives from Visa and MasterCard. Two national associations, American Bankers Association and America’s Community Bankers, have been active participants in the task force.
The need to provide “quality” debit card fraud loss training for banks is a key action step identified by the task force. The multi-layer debit card processing approach, utilized by many financial institutions, can cause educational inconsistencies and communication breakdowns for the issuing bank. The task force has hired an industry expert (former high level MasterCard security employee), to develop a comprehensive “best practices” manual that will assist issuing banks in making the critical decisions associated with debit card fraud. NEDCTF will release the “best practices” manual as soon as it is complete. Several of the issues to be covered in the NEDCTF manual include when to block and reissue cards and when to monitor accounts and highlight available debit card fraud technology including neural network technology and rules-based systems.
Neural network technology systems are programmed with large amounts of historical data (normally 13 months). These systems are complex and take time to “learn” the difference between normal cardholder transaction and criminal activity. Once these systems have been trained, they score each authorization. The higher the score, the greater probability the account is fraud. Neural networks will understand fraud patterns and will quickly detect patterns of behavior. Staff will then follow up with the true cardholder to confirm if the transaction was fraud or legitimate.
Unlike a neural network system, which learns and automatically scores transactions based upon certain criteria, a rules-based system applies logical rules to limit risk. These rules must be created and implemented manually by the security and risk management expert. The rules can be simple ideas such as setting any international transaction over X amount of dollars to be declined, or programming a combination of factors. A combination factor example would be, an unattended gas station transaction followed within 30 minutes by a jewelry transaction (high risk, high dollar transaction) and the jewelry transaction would be automatically declined. Declining the jewelry transaction would be the result of a combination factor review. Historically, criminals will test an account number (gas station transaction) and once approved will then attempt to make a large purchase (jewelry) with fraudulent card. The downside to rules-based systems is that they are only as good as the rules that are written and often are wrong or incomplete. Well-trained employees will make their models much more effective and efficient. Staff must closely monitor the number of false positive rates in these models. Too many false leads should facilitate rules-tweaking or modification.
Does your third-party processor offer card-monitoring technology? Interviews with various third-party debit card processing firms highlighted the multiple levels of services offered by these firms. Risk mitigation programs differ substantially from processor to processor, so it is important to make sure you have the right processing contract to meet the fraud prevention and servicing needs of your bank. The increases in debit card fraud alerts and losses may warrant a new look at the products offered by your third-party processor.
The NEDCTF has come up with several key issues and potential solutions that the task force would like to see addressed by the two major card associations. Here is a partial list of the key issues identified by NEDCTF:
1. Would like to see a shift of liability responsibility in account data compromise cases like the BJ’s Wholesaler case. Why should issuing banks have to assume the losses when a merchant violates standard processing rules?
2. Require merchants to transmit track 1 data to the issuing bank. track 1 data transmission will allow issuers to compare the cardholder name in track 1 to the master file name stored in the issuer’s host system. This will help to combat some of the “skimmed” counterfeit losses incurred by issuing banks.
3. To allow the direct concurrent account compromise notification to all MasterCard and Visa issuers including principal members, affiliate and agent banks and processors regardless of membership status with Visa or MasterCard. Many small- and medium-sized issuers do not receive timely notifications regarding security breaches. Better communication would lead to quicker blocking of potential fraud accounts and less fraud losses.
4. Make sure all compromised account notification to the issuer includes the severity of the security breach and the name of the merchant who compromised the information. Having the “full story” in a compromised situation will assist the issuing bank in making a determination on what to do with a “proposed compromised” card.
5. Shorten the time frame where issuers receive reimbursement for monitoring accounts and card reissues for compromised accounts. In addition, issuers need to have more time to file compromised account data cases. Issuers are unfairly bearing the brunt of costs associated with merchant/acquirer security breaches.
The Secret Service has stated that organized crime is involved in a large percentage of the debit card fraud committed in the United States and there appears to be no end to the ongoing attempts by criminals to get compromised card information. The New England Debit Card Task Force is committed to helping our banks and their customers fight back against debit card fraud.
Your bank is not alone in the fight against debit card fraud! Kathy Keneborus, Maine Association of Community Banks and Mark Walker, Maine Bankers Association are the Maine representatives on the New England Debit Card Task Force. Please feel free to contact Kathy Keneborus at (207) 791-8406 or Mark Walker at (207) 622-6131 with any questions you might have regarding the work of the NEDCTF.