How Issuers Can Get Real-Time Risk Scoring Right

Visa will stop supporting 3-D Secure 1.0.2 and related technology effective October 15, 2022. The goal is to make risk more manageable and deliver a consistent user experience for credit card users. This means issuers must implement real-time risk scoring capabilities to address new liability realities. Here’s everything issuers need to know about getting real-time risk scoring right.

Fighting Financial Services ‘Free Riders’

As the old saying goes, “you’re only as strong as your weakest link.” This same principle holds true in financial services for issuing financial institutions (FIs) that are too lax in their risk-scoring capabilities.

Let’s say you have a group of five FIs. One of the five has implemented weaker risk-scoring capabilities than its peers. While the four other banks are better-prepared to prevent financial crime, they are still impacted by the fifth bank’s under-investment. Criminals, after all, behave like water in a dam. If even one crack appears, they will be drawn to it. This means the bank that under-invested – the free rider – sees higher losses than its peers. They also cause overall losses in the industry to rise. Put simply, criminals and fraudsters target the organizations with the weakest defenses. That makes these FIs the weakest link in the financial services’ chain that can cause losses for the broader industry. 

The bank with inadequate defenses will inevitably see a greater share of financial losses across the industry as fraudsters target this organization. As criminals see value and reap profits from their efforts, fraudsters will continue their attacks which affects all banks – even the ones who stepped up their risk-scoring capabilities. These attacks mean increased IT costs, greater regulatory scrutiny, more expensive operations, and compromise the user experience.

In other words, these holdouts are placing an undue burden on other FIs who have made the right investments in stopping financial crime. Unless all FIs up their risk-scoring capabilities at the same time, they will not fix the financial crime problem. Instead they will just move air around the balloon.

4 Pillars of Strong Real-Time Risk Scoring 

Banks and financial institutions now face pressure to implement real-time risk scoring solutions to comply with Visa’s requirement. To be effective, issuing banks must be able to perform a risk assessment based on four key criteria.

• Transaction details: This applies to information returned in the transaction authorization, such as the merchant, payment type, and amount.
• Customer information: Risk scoring models should also look at the customer’s transaction history for red flags (e.g., the customer making a payment from a country they’ve never traveled to before). 
• Merchant’s historical risk: Look at whether there is a strong appetite among fraudsters to use the merchant or if the merchant is enabling a high-risk activity (e.g., illegal transactions, unsecured website).
• Payment cards: Consider the payment card being used in a transaction. Make sure they aren’t on any known lists of compromised cards and if it is good in the context of the consumer or merchant.

Key Risk Scoring Challenges

A key mistake that many issuing FIs make is to define “normal” behaviors across their entire customer base. This is often done in the name of enabling faster payments. But defining static “normal” behaviors in the name of speed for an entire customer base can easily backfire. 

This is especially true as customers’ behaviors shift over time. For example, think back to the early days of the COVID pandemic as many customers embraced digital banking solutions for the first time. Many banks saw  a large number of false positives as their old definition of “normal” quickly became outdated. 

Today’s customers have grown accustomed to getting what they want in real time. If they go to a merchant looking to buy headphones, for example, they will present a credit card and expect the transaction to go smoothly. However, if the transaction is declined they may try another card to complete the purchase. The customer may walk away with an unpleasant view of the merchant. But they are more likely to view their payment card negatively if similar experiences keep happening when they use it. This reflects poorly on the payment card issuer.

These false positives are a moment of truth for issuing organizations and their customers. If they have a good experience, they’ll see their payment card (and the issuer behind it) favorably. If not, it ruins the entire customer relationship forcing FIs to rebuild trust with the customer.

3 Steps to Get Real-Time Risk Scoring Right

1. Understand Your Customers’ Data to Make Better Decisions

Better decisions are preferable to quicker decisions. If issuers rely on a set of rules and data, fraudsters will simply change their behavior to navigate around existing fraud prevention controls. Issuers must use artificial intelligence (AI) and machine learning models to quickly analyze customer, merchant, and industry data to understand the context behind a transaction. For example, let’s say a customer suddenly sends money to a new recipient, logs using an unfamiliar device, or handles their device differently. Issuers can look at how these different behaviors fit with the customer’s usual patterns. 

Understanding how each party normally behaves makes it easier to identify unusual patterns and stop fraud before it can happen. Always remember to emphasize the context behind a transaction over the speed of a transaction. 

2. Don’t Use a 1-Size-Fits-All Approach to Risk Scoring

Issuers do not have a choice over whether they can implement 3-D Secure. But issuers do have control over how their risk scoring strategies will apply to card present and card-not present (CNP) transactions for eCommerce. They must also segment eCommerce payments into 3-D Secure and non-3-D Secure transactions. 

Issuers must also remember that not all fraud losses are the same. If a merchant has not implemented 3-D Secure, issuers may be tempted to pass the chargeback loss back to the merchant. However, this can translate into a bad user experience for the customer as well as the merchant. Meanwhile, fraudsters will view the issuing organization as weak and may step up their attacks. Instead, issuers should think about accepting a fraud loss in order to protect their reputations and protect their customers’ experiences. By focusing on net fraud losses, issuers risk missing the customer’s context and the wider cost of fraud – even for those who can be charged back.

3. Emphasize 24/7 Customer Service

Today’s customers operate on a 24/7 basis. For issuers, this means they must have a customer service operation that can support customers on a 24/7/365 basis. Issuers must invest in staff that can respond to customer requests in a timely manner and deliver fraud specialist expertise on demand. Most importantly, they must be able to deliver a strong customer experience at any time of day. Customer demand now dictates the needs of issuers’ operations teams. 

Bank staff require simple processes and quality training on how to properly label and categorize fraud correctly. Proper labeling is critical to helping with customer conversations and to improve ongoing fraud prevention strategies. This is a critical step in the risk scoring feedback loop that enables issuers to make better decisions in real time.

Investing in real-time risk scoring now means issuing organizations can make more informed decisions based on reliable data and context. It also means the end of the free ride for institutions that haven’t made the same investment.

If you are looking for a fraud solution that provides strong digital trust, we’d like to help you. Schedule a demo with us today to see how our experts and our technology can help establish digital trust for you and your customers.