As seen in The Paypers

By Julie Fergerson

Recently, Ethoca’s Chief Marketing and Product Officer, Keith Briscoe wrote in-depth about the many faces of friendly fraud. In his article, he explained how damaging this problem is for merchants, issuers and customers alike – describing its costly impact on sales, customer experience and more. Unfortunately, thanks to a series of new rules and regulations, the fight against friendly fraud may have become a lot harder.

The regulations in question are the General Data Protection Regulation (GDPR) and the second Payment Services Directive (PSD2). And, though they’re meant to improve things in the long term, in the short term they may create new opportunities for criminals to leverage for their own benefit – not just in the European Union, but worldwide. Another part of this overall regulatory backdrop is card scheme changes to chargeback processing rules, including Visa Claims Resolution.

General Data Protection Regulation: abusing the right to erasure

The GDPR comes into effect on May 25, 2018. It’s designed to give EU citizens more control over their personal data and better control on how it’s used in the online and digital environment. It applies not only across all EU countries, but to all organizations processing the data of EU subjects – and it could very well impact your ability to fight friendly fraud.

One of the key elements of GDPR is the “right to erasure” (aka the “right to be forgotten”). Although an important step forward for privacy rights, there is the potential for this to be abused by criminals for their own means.

Let’s take a look at one potential mis-use case for the right to erasure – in this case ‘friendly fraud’ or a falsely disputed transaction:

1. A cardholder places an order with a merchant.
2. They receive the goods, as promised.
3. The cardholder calls the merchant and requests erasure of personal data.
4. Once their personal data is erased, they initiate a chargeback on the transaction claiming they don’t recognize it.
5. Because the merchant does not have all the compelling evidence they need, they lose the representment and are forced to accept the chargeback.
6. Emboldened, the friendly fraudster repeats this process at other merchant sites.

In this scenario, the merchant no longer has the data necessary to prove that the customer purchased and received the goods – making friendly fraud defence considerably harder.

PSD2: new dispute environment?

PSD2 was created by the EU to spur innovation in the payments industry by increasing competition and harmonizing consumer protection and the rights and obligations for payment providers and users.

Advocates of PSD2 hope real-time bank transfers and expanded banking services through ubiquitous API connections (aka Open Banking), along with SCA (Strong Consumer Authentication) will increase overall competitiveness and help take more fraud out of the ecosystem. However, this new system – just like the current one – will require a mechanism to balance the interests of all parties involved and to ensure the right party is taking liability for the transaction (the raison d'être for chargebacks today).

The dispute/chargeback processes for the new landscape/players are still in the works. In the case of friendly fraud, the regulations don’t yet fully envision what will happen when cardholders falsely dispute a two-factor authenticated transaction. That’s because new regulations often have a series of unintended ripple effects. In this case, the cardholder protection dimensions of the original PSD may not be in perfect harmony with the new changes being introduced as part of PSD2.

While the regulations do envision the dispute process for transactions initiated via a PISP on behalf of the cardholder, the actual mechanics have not yet been fully fleshed out. New dispute scenarios are bound to emerge, and fraudsters will continue to adapt to this new environment, like spurring an increase in ATO (Account Takeover).

Visa Claims Resolution: goodbye reason code 75 – possible increase in friendly fraud losses?

Visa Claims Resolution (VCR) is the new global dispute resolution process launched in April 2018. It was created to reduce timelines and improve the chargeback process. It involves a number of major changes including the consolidation of 22 chargeback reason codes into four dispute groups, the switch from a litigation to a liability model for certain chargeback types (fraud and authorization) and – most relevant for friendly fraud – the retiring of chargeback reason code 75, “Transaction not Recognized”.

Friendly fraud is often caused by customer confusion. Maybe the descriptor isn’t clear, maybe a family member bought something online without the cardholder’s knowledge. Regardless, now whenever a cardholder calls into question a transaction they don’t recognize, it’s likely these dispute types will move into the category of fraud.

What’s the impact of this for merchants? This is still being fully determined, but what we do know is that under the new VCR rules, fraud falls into the “Allocation” (aka liability) workflow. This means that whether it’s friendly or not, liability is immediately assigned to them. Not only will merchants have to provide compelling evidence up front to dispute a chargeback, they will have less time to do it – 30 days instead of 45.

In short, it will become increasingly important to manage the representment process with increased efficiency and have easy access to properly formatted and presented compelling evidence. If not fully prepared, merchants may find that their losses on benign friendly fraud transactions could increase.

Defence needs to be multi-pronged

Anyone already familiar with friendly fraud knows how hard it is to detect, and how frustrating it is to fight. Thankfully, even with the increase in volumes anticipated from of the aforementioned rules and regulations, there are solutions that can help.

The ideal solution proactively stops disputes before they become chargebacks – putting a stop to friendly fraud before it escalates. Through merchant-issuer collaboration, detailed merchant information can be made available to cardholders and issuers in real time. Issuers can pull this information up and present it to the cardholder when they call in or – even better – the cardholder can view this detailed information online or from their banking app, helping them recognize their transaction and eliminating the need to call in at all. This eliminates friendly fraud caused by purchase confusion and retrains cardholders – reducing the likelihood of attempts to ‘game’ the system for personal gain.

If cardholders continue to dispute a transaction, despite being given detailed merchant information, merchants and issuers need a way to reduce costs and avoid the chargeback process altogether. This can be accomplished through direct-from source issuer alerts that warn merchants of impending chargebacks so that they can proactively provide a refund. All parties are now saved from the painful chargeback experience and the damage caused by friendly fraud is reduced.

Finally, merchants who have the necessary compelling evidence, and would prefer to contest the chargeback in the hopes of recovering the revenue lost to friendly fraud, should leverage an automated representment solution that helps them get their money back quickly and efficiently – especially in light of the new time frames imposed by chargeback rule changes.

Want to learn more?

There is a lot to unpack from these new rules and regulations, and their impact on friendly fraud is but one piece of the puzzle. To learn more, I suggest you invest an hour and check out the following webinar that takes a deeper dive into these issues and outlines how they can affect your business.