Voice of the Industry

Navigating the contradictions of frictionless online journeys

Wednesday 7 June 2023 12:03 CET | Editor: Raluca Ochiana | Voice of the industry

Han Sahin, Co-Founder and CEO at ThreatFabric shares his perspective on navigating the contradictions of frictionless online journeys in an age of fraud reimbursement.

 

I. Introduction  

A. The increasing focus on frictionless online journeys

In recent years, we have been asked by online payment teams to enable so-called frictionless online journeys. The implementation of this request means removing screens, adding additional consent steps, and even reducing fraud design principles such as What You See Is What You Sign (WYSIWYS) on a separate trusted device. After spending time in the UK with the PSR and anti-fraud community members, we have observed a lack of discussion on this controversial topic. However, we believe that attaining a balance is achievable through collaborative efforts, as this heightened focus on frictionless journeys is now not only affecting fraud and risk managers. It appears that we, as fraud protection vendors, are now parroting an ‘everything must be frictionless’ strategy by enabling so-called frictionless fraud controls. By doing so, we are tipping the scale in favour of convenience over security for customers. Even after consulting advisors, regulators believe it is acceptable to enable authentication controls that are weak by design to ensure an easy user experience as a top priority.

PSD2 regulations have shown that SMS-based One Time Passwords or Second App Authenticators are considered a second Strong Customer Authentication (SCA) MFA-factor. However, there are many exploits in the wild (by malware and SIM swapping) introducing a false sense of security. It is in our best interest to question if we have gone too far by blindly parroting our digital teams’ needs for fast onboarding, instant payments, and minimal user interaction while performing transactions. Is there even a way back when PSD3 dictates more consent on critical actions?  

II. The tension between convenience and security

A. Risks associated with frictionless experiences

Establishing permanent solutions to prevent online fraud is a challenging task. Complex fraud controls require accountability in an age of new reimbursement rules. Now in 2023, the fraud protection industry can solve very complex problems such as APP fraud where the victim is coached to execute a malicious payment. However, these new protection technologies require strong interaction with input fields, complex navigation, and even new consent screens to alert a victim that a fraudster could be coaching them to take critical actions. Banks and financial institutions, therefore, struggle with teaching users how to avoid fraud whilst delivering an enjoyable and seamless customer experience.

B. Customer consent and in-journey accountability

Fraud regulations for in-journey accountability consist of measures and policies defined to protect a customer's journey from various angles against fraud and economic crime. This approach seeks to determine which parties (banks, customers, third-party service providers) should be held accountable for security lapses that lead to fraud incidents during different steps of the customer's banking journey. A longer user journey may be necessary, as it takes time to model the digital behaviour of a potential victim and to fall back to normal payments (from instant payments) when strong fraud indicators are present.

Although a customer journey with additional touchpoints may appear inconvenient and distracting from performing the task at hand, these measures ultimately serve to protect against fraud and unauthorised transactions. As the industry adapts to new reimbursement rules, complex fraud controls are necessary to maintain accountability and protect both institutions and customers.



Will your customers feel more secure if they never have to show their key or prove their identity?

III. Key fraud controls and their impact on user experience 

A. Ensuring Secure Experience (SX) in customer payment journeys

The future of online banking will consist of a rat race between banks over which of them provide reimbursement based on proper authentication and fraud controls. Having a good Secure Experience (SX) serves as a strong USP for any payment team. It emphasises the protection of sensitive user information and the prevention of unauthorised transactions. This consists of robust authentication methods, encryption, real-time fraud monitoring, and adherence to industry standards and regulations. Effectively minimising the risk of fraud and data breaches allows payment teams to build trust with customers, differentiate from competitors, and encourage long-term loyalty.

B. Adding required in-journey steps

We advocate for interdepartmental discussions within organisations to address the inclusion of consent screens, the addition of steps between critical actions, and the necessity of requesting interaction with input fields. For example, fraud technology currently exists that can create supposed in-journey adaptive trust decisions. 

Low-risk users who show no fraud indicators can have certain steps removed from their online sessions (less friction, not frictionless), whereas high-risk users require more consent and interaction. Although these strategies are not widely adopted today, we still believe there is hope, reinforced by new regulations surrounding fraud such as APP fraud in the UK, which will require payment organisations to rethink their strategy moving forward. Ideally, this will result in a balanced world of less friction, rather than a completely frictionless one that simply parrots the requirements of payment departments as dictated by fast onboarding numbers. The bigger underlying problem is working in strong silos, and the related organisational governance parroting important decisions that impact the ability to prove fraud.

V. Conclusion

A. Emphasising the importance of finding the right balance 

In conclusion, fraud regulations and enforcing in-journey accountability are a step in the right direction to protect against fraud and economic crime. While frictionless payment methods are desirable, they need to be balanced with accountability to ensure a strong foundation before moving towards reimbursement. To achieve greater security, the industry should adopt stricter regulations when opening accounts and create accountability by introducing more friction in the journey flow, such as asking for consent and confirmation. Regulators should also consider implementing more stringent oversight and enforcement measures. Payment teams could benefit from creating fraud fusion centres that include equal shareholders to move away from silos. Ultimately, the industry needs to ensure that the feeling of security is prioritised and that the cost of fraud is reduced by implementing strong fraud regulations.   

 

This editorial was initially published in the Financial Crime and Fraud Report 2023 which dives into the captivating world of fraud management, digital onboarding, and financial crime in the financial services industry.

 

About Han Sahin

Han Sahin is the CEO and Founder of ThreatFabric, and the previous owner of Securify (2012-2021). With more than 16 years of cyber fraud experience on both sides of the table, Sahin’s vision is to empower banks and financial institutions to combat payment fraud using innovative fraud detection solutions.  

 

  

About ThreatFabric

ThreatFabric utilises web and mobile threat intelligence to offer advanced online fraud detection solutions for the financial industry. Their cutting-edge technologies, such as behavioural analytics, device fingerprinting, and adaptive fraud indicators provide businesses with real-time fraud prevention and detection to ensure safe online experiences. 

