Voice of the Industry

How the CNP Fraud Mitigation Framework differs from PSD2: insights from Australia

Friday 22 November 2019 08:42 CET | Author Anda Kania | Voice of the industry

Fraud Prevention and Online Authentication Report 2019/2020

Andy White, the CEO of Australian Payments Network, describes the way CNP Mitigation Framework, an AusPayNet initiative, differs from Europe’s PSD2, yet having the same goal: to secure transactions.


Fraud Prevention and Online Authentication Report 2019/2020

While Europe has been implementing PSD2, Australian Payments Network (AusPayNet) has been working with the Australian ecommerce industry over the last 18 months to design a framework to reduce card-not-present (CNP) fraud. Australia’s industry CNP Mitigation Framework took effect on 1 July 2019.

How does PSD2 compare to the work we have been doing as an industry in Australia?

In developing the CNP Mitigation Framework, we leveraged global standards and best practice from other jurisdictions, including work being done on PSD2. Of particular interest were the recommendations agreed at the European Payment Institutions Federation (EPIF) workshop held in Brussels on May 2019. Jointly supported by Ecommerce Europe, EuroCommerce, Visa, and EPIF, these were:

  1. a phased implementation; 
  2. consider the consumer journey and ensure this remains as smooth as possible;  
  3. Strong Customer Authentication (SCA) needs to be communicated and implemented in a harmonised way;  
  4. consistent application of the exemption regime;  
  5. the SCA rules need to be delivered with an effective communication strategy;  
  6. regulators and industry should assess and monitor the readiness of the infrastructure to comply with SCA.

Australia’s CNP Mitigation Framework

As a result of consultation and collaboration with the ecommerce industry, these recommendations had already been incorporated into the CNP Fraud Mitigation Framework during the drafting process in mid-2018. The Framework parallels PSD2, in that both endorse SCA as a best practice to authenticate transactions.

However, there are some key differences:

1. While PSD2 mandates SCA for all transactions and considers certain exceptions, AusPayNet’s Framework only requires SCA for those merchants and issuers whose fraud rate is consistently in breach of agreed thresholds. Participants with fraud rates under the defined thresholds are not required to take additional steps to identify and reduce fraud, and there are exceptions for low-risk transactions, such as recurring payments, trusted customers, and wallet transactions.

2. The Framework’s thresholds were collaboratively set to ensure a targeted approach to minimising fraud whilst minimising the impact on smaller merchants. As a result, SCA is only required for:

  • merchants operating for two consecutive quarters above fraud thresholds of AUD 50,000 in fraud losses per quarter and a fraud-to-sales ratio of 0.2%; 
  • issuers operating above a fraud-to-purchases ratio of 0.15%.

 

Combining this approach with a comprehensive communications strategy and phased lead times for implementation, the Framework provides a clear runway to readiness for the wider payments community for reducing CNP fraud. This ameliorates the issues currently being witnessed in Europe in terms of readiness, which have resulted in calls for implementation to be delayed.

CNP fraud on Australian cards

Fraud Prevention and Online Authentication Report 2019/2020

On 7 August 2019, a month after the Framework took effect, we released new card fraud data covering the year 2018. The data shows a decline in the rate of fraud on Australian cards for the first time since reporting became public in 2006. In 2018, the rate dropped from 75.0 cents to 72.8 cents per AUD 1,000 of card spending.

Fraud Prevention and Online Authentication Report 2019/2020

Card payments grew by 5.4%, reaching a total value of AUD 789 billion, whereas card fraud increased by 2.3% to AUD 574 million; in 2017, both had increased by 5%.

CNP fraud – on both domestic and overseas transactions – accounted for 84.9% of all card fraud, steady on 2017. But the rate of increase is declining; CNP fraud increased by 2.4% in 2018 compared to 13.9% in 2017.

Moreover, domestically, the overall growth of ecommerce transactions (27%) outstripped the growth of CNP fraud (13.4%). These figures suggest that industry work on the Framework over the last 18 months has helped create awareness of protecting against CNP fraud.

Adopting the CNP Fraud Mitigation Framework

While we are seeing an encouraging trend in CNP fraud, the overall numbers are still large. Reducing the space for fraudsters to operate is an industry priority, and the Framework is a major step in further stimulating the uptake of CNP fraud countermeasures across the ecommerce community.

To support the adoption of the Framework, AusPayNet is working with the industry on a phased implementation. Issuers and acquirers are required to provide quarterly reports to AusPayNet outlining their Fraud Rates and Fraud Threshold breaches. The first reports, covering Q2 (April to June 2019) were submitted on 15 July, with Q3 reports (July to September 2019) due on 15 October 2019. We are also tracking the overall volume of ecommerce transactions to ensure growth in the channel continues. The Framework is enforced through inclusion in AusPayNet’s Issuers and Acquirers Community code set (rules).

As an industry, we need to continue to collaborate and be vigilant in adopting digital security measures. Further effort is required to respond to changing trends in fraud and we need to continue to adopt best practice. The Framework goes a long way in providing a unified approach to shrinking CNP fraud in the Australian market.

This editorial was first published in the The Fraud Prevention and Online Authentication Report 2019/2020, which depicts valuable insights into fraud detection, risk management, data intelligence and machine learning, and ways to tackle into where is fraud heading to after PSD2’s Strong Customer Authentication.

About Andy White

Andy White is the CEO of Australian Payments Network. Prior to AusPayNet he worked at ASX, LCH.Clearnet and the Bank of England. Andy is also a Member of the Advisory Committee to Australia’s Data Standards Body, a Member of the Board of Advisors to the Payment Card Industry Security Standards Council, and Deputy Chair of Emerging Payments Association Asia. 

About Australian Payments Network

AusPayNet is the self-regulatory body for payments. We enable competition and innovation, promote efficiency, and control and manage risk to deliver improvements for all users of the payments system. As the industry association, AusPayNet brings together 130 diverse organisations including Australia’s leading financial institutions, major retailers, payment system operators and technology providers. Our role includes managing core systems for cards, cash, cheques, direct entry and high-value payments.

 


Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: CNP fraud, PSD2, AusPayNet, SCA
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: Australia
This article is part of category

Securing Transactions