Will the EBA’s New Risk-Based Approach Achieve its Goal?

Ziv Cohen

CEO at Paygilant

Ziv has over 18 years of experience in the cybersecurity and fraud arena, with more than a decade spent driving sales strategy and execution for innovative startups as well as established Fortune 500 companies. He is responsible for Paygilant's strategy and execution and brings vast experience and a strong background in the international security market. Prior to joining Paygilant, Ziv managed Trusteer's (acquired by IBM) financial fraud and advanced threats enterprise protection solutions, where he established and grew EMEA sales from zero to multi-million revenue. In addition, Ziv managed RSA (EMC) FraudAction business operations, where he was responsible for delivering anti-fraud services to hundreds of financial customers globally.

07.06.2017 02:00 pm

As we speedily approach 2018, the deadline looms for countries in the EU to implement the EBA’s PSD2 strong customer authentication requirements. Banks, payment providers and merchants are in a heated discussion on which proposals will help or hinder their business.

The EBA has recognized that indiscriminate authentication negatively impacts the user experience as well as the adoption rate of mobile wallets. In response, it has recommended a risk-based approach to authentication and has eliminated the necessity for strong customer authentication for payments up to €30. Payments between €30 and €500 will be subject to meeting fraud thresholds set by the EBA. This will create different risk profiles that will need to be managed by the issuers.

While we applaud the EBA’s new recommendations, we feel that there still remains more to be done.

Banks still struggle to gain better visibility to combat mobile payment fraud.

Strong customer authentication has been applied by banks for many years and is part of most online banking security controls. Despite these controls, we have seen that fraudsters still succeed in cashing out. Mobile payments offer weaker security controls: passwords, PIN codes and even biometric authentication can be more easily circumvented, while most devices lack even basic defenses such as antivirus and a firewall. Fraudsters always seek the weakest link to infiltrate, and mobile payments have become the next in line. As a result, mobile wallet fraud is on the rise.

The problem is that current mobile payment controls still do not give banks the visibility they desperately need. In other words, they still do not know whether the payment device is actually tied to the consumer using it for that particular transaction. Was the device stolen and is it now being used by a fraudster? Did the fraudster succeed in onboarding with the customer's stolen identity? Or did the customer simply take their mobile device abroad and decide to splurge on luxury items in Europe? Currently, banks struggle to differentiate between these scenarios with their existing fraud detection systems, and instead rely on cumbersome and costly operations (call centers, OTP, KBA) to contact the consumer directly and validate the transaction.

What banks need is the ability to detect fraud on the mobile device itself, in the pre-transaction phase. With better visibility into the user's payment activity through in-depth behavioral mapping, they can accurately identify fraudulent attempts and trigger authentication only for those suspicious, risky transactions. This is a big improvement over current legacy systems, which create friction and produce a high number of false positives in their fraud detection.

A robust risk-based authentication is still mandatory for all transaction amounts.

As a leading payment provider, PayPal also recognizes banks' lack of visibility. Its recommendation to the EBA argues that factors beyond the value of a transaction, such as the type of device used and the user's usual pattern of behavior, also carry risk and should be included in the EBA's assessment. The risk presented by the value of the transaction can be mitigated using technologies that analyze all of the information the user provides.

On-device fraud detection is based on acquiring behavioral data from multichannel sources, whether it be mobile, plastic card, web or the device itself. This approach to mobile-based fraud detection combines individual spending activity with advanced machine learning to differentiate between fraudulent purchases and legitimate transactions.

This frees banks from constant worry about whether or not they are meeting the fraud thresholds the EBA requires of them.

Banks must learn to bridge the ever-widening gap between security and adoption.

Mobile wallet payment adoption is growing at a frantic pace. With more than 450 million users paying with their mobile devices today, Gartner has projected $720 billion in annual global mobile payment transactions by 2017. According to Droplabs, a leading mobile payments and e-commerce strategy and advisory firm, mobile payment fraud is currently over six times that of card fraud, a figure expected to rise significantly as mobile payments increase.

In response to the rise in mobile wallets and PSD2, disruptive banks will need to become early adopters of API-enabled payment systems that allow third-party providers to initiate payments from customer accounts. Mitigating the new risk this approach introduces requires effective on-device security controls against the increasing threat of mobile payment fraud.

A New Mobile Payment Security Horizon Lies Ahead

Banks already use risk-based systems today, and PSD2 will not push them out of the mobile payment playing field. That is a relief to banks, retailers and consumers alike, but no single authority alone can stop fraud. It must be a multi-layer approach, and the industry has learned its lesson from its experience in the web banking channel, where fraudsters' man-in-the-browser (MITB) attacks succeeded in bypassing security solutions that included strong customer authentication.

Banks should decide whether this time they choose to be better prepared in the mobile payments arena.

The article originally appeared at: Let's talk payments
