The discussion (under the Chatham House Rule) got off to a lively start. It was immediately proposed that the future of the fraud team is to be seen as a revenue generator or an acceptance enabler in the business, and to move away from being seen as a transaction blocker.
Some companies were further down that road than others. This was partly a consequence of the maturity of the business. The immediate priority is to stop losses from fraud. Once those are under control, attention can be switched to optimisation.
Customer journey optimisation and tuna tartare
The optimisation discussion was largely (and correctly) focused on friction, or the lack of it, in the customer journey. When asked how much fraud was the acceptable price of a friction-free journey, the amusing consensus was ‘zero’. Realistically, there was agreement that the acceptable fraud rate will vary widely by sector and by market, and that sometimes a higher fraud rate is the cost of growth or of staying competitive. Too much friction might reduce fraud but also lose customers to a friction-free alternative.
The role of the fraud vendor and PSP in this was revealing. Ideally we have no impact on the customer journey - in fact there was strong consensus that control of that experience lies squarely with the merchant. Our role is to consume the data and provide predictions and actions, invisible to the user. One strong request from everyone there was that the fraud vendor and/or PSP provide trending information about fraud seen across a portfolio of clients. There was also a suggestion that, although it is not a simple task, this data be shared between merchants in some format. Something to pursue.
Strong Customer Authentication, Exemptions, 3DS2.0 and duck breast
After the main course, Martin Sweeney, CEO at Ravelin, shared some thoughts on Strong Customer Authentication (SCA) and 3DSecure 2.0, both topics on which he has penned articles. Maurits Dekker, CCO of Buckaroo, also expressed his wish that we start to talk about the coming regulation as an opportunity and not a threat. In reaction, the table were hungry for certainty. Here again, the role of the PSP and fraud vendor is to work with the merchant to navigate the choppy waters.
Those that get the collaboration right between acquirer, merchant, and issuer have a significant opportunity to gain a competitive advantage starting next September. The role now is to arm ourselves with facts. Subscribing to the Ravelin newsletter is a useful way to do this. The table also highly recommended reading the actual regulation and amendments if you have not done so already.
Account Takeover and macaroons
The lunch ended with some discussion around ATO and account security in general. It’s fair to say there is a long road ahead in this area, especially around consumer education. Many ATO attacks are unsophisticated credential stuffing attempts that rely on poor personal security choices by the customer. There is genuine uncertainty about the role of the merchant here. Does a merchant want to raise the spectre of security when someone is in ‘buying’ mode? Is the consumer going to think the security weakness is the merchant’s and not theirs?
It’s going to take some brave choices and clever technology to help move this topic forward.
A final word of thanks to the staff at the Dylan Hotel in Amsterdam and a reminder of an open invitation to any merchants who would like to join us at a future event.