We were privileged to host a roundtable at St John in Clerkenwell with some of the leading names in UK (and global) ecommerce. We had Argos, ASOS, Deliveroo, JDSports, Lego, and Waitrose in attendance who, between them, represent over a billion yearly transactions - all of which need to be assessed for fraud - a daunting task. The discussion, as always with our roundtables, was under the Chatham House Rule allowing for free and open conversation.
Fraud evolution: more widespread and more sophisticated
The conversation began with some observations on the nature of fraud in the last 12 months - read more about this here. I suggested that perhaps the nature of fraud was not changing particularly but that there was simply much more of it. I was wrong. The participants all agreed that not only was there more fraud but also that the fraudulent attacks were more sophisticated. Better, easier-to-use tools were increasingly becoming available to fraudsters. The bots used in brute force and other attacks were becoming harder to spot. The challenge for fraud teams therefore was not simply one of scale but also one of knowledge. Recognising and developing tactics to deflect fraud was a growing challenge.
Aligned with the technology, the demographics of fraud was also shifting. First party fraud - where someone decides to charge back something they bought - was growing. This was at least partly and maybe mostly because of the ease with which the crime can be committed. Banks are making it so easy to instigate a chargeback that is it almost tempting people into having a try. Third party fraud is also growing. The stigma of using compromised details is diminishing so the crime is spreading into new demographics. Clearly there is a long road ahead to defeating this crime.
Most of the table felt that a low to zero tolerance level was required by merchants themselves towards people who attempted either. For instance, someone tries multiple cards that fail and then uses his or her own legitimate card as a last resort to purchase goods. This order should still be declined and the the user blocked even though it is technically legitimate since the user has shown a clear propensity to defraud.
The changing nature and complexity of the fraud threat is a clear challenge for the analyst teams. It was brought up that expecting one person to be able analyse all the data of any order in a timely way is not sensible when there are machines that can process the data in milliseconds. There was general consensus that simply growing teams to meet a growing threat only made sense if the tools they used got smarter too.
GDPR and PSD2: next year’s favourite acronyms
The conversation turned to the twin challenges of GDPR and PSD2. For GDPR there was a feeling that the legitimate use exemption for fraud detection was in theory a good thing. However, people were less sure about how it would stand up to test cases. There was a general fear of GDPR becoming the next PPI industry with thousands of time-wasting cases brought forward by unscrupulous firms. Most of the people at the table felt their data compliance teams were preparing as well as they could for the new legislation however.
The picture for PSD2 was less clear. It was expressed that many parts of the legislations had yet to be decided, so trying to plan for compliance was a little like trying to catch smoke. Many of the elements made sense and indeed if well-implemented could have great benefits in combating fraud. But the law of unintended consequences could mean opening up a whole new vector to fraud.
The meal broke up with an intention on all sides to continue the conversations. The sharing of new approaches, especially with regard to making more of the data we have available seemed a sensible route to explore. In general the immediate feedback was that it is always time well spent to hear from fellow practitioners and understand the shared threat being faced.
We host these events regularly, usually in central London. If you think you could benefit from joining please contact me at gerry dot carr at ravelin dot com.