Congress, banking regulators and the payments industry have spent the past six months debating the strengths and weaknesses within the payments infrastructure (see Retail Breaches: Congress Wants Answers).
The catalyst for the debate is the explosion of card fraud linked to retail and payments processing breaches. But while point-of-sale network breaches that have compromised Target Corp., Sally Beauty, P.F. Chang's China Bistro and others are a concern, so are upticks in skimming attacks and ATM cash-out schemes that have defrauded banks and cardholders.
Now, the Federal Reserve Bank System, in its just-released 2013 Payments Study, is shedding light on emerging fraud trends related specifically to payments. This is the first time the Fed study has addressed fraud related to payments, and what it confirms is that card fraud is banking institutions' greatest pain point.
The majority of fraud reported by U.S. banks in 2012 resulted from unauthorized card transactions, not ACH, wire and check. And while the study does not specifically call out whether those fraudulent card transactions were linked to a retailer or payments-processing breach, the findings illustrate the growing challenge card issuers face when it comes to preventing card fraud, experts say.
According to the study, in 2012, 13.7 million fraudulent transactions involved credit cards, totaling $2.3 billion; 14.9 million involved debit or prepaid cards, totaling $1.5 billion; and 1.3 million, totaling $300 million, were categorized as fraudulent ATM withdrawals.
Setting a Baseline for Fraud
Industry experts say the new fraud data in the study, even though it's based on a 2012 survey of more than 1,300 U.S. banking institutions, payments processors and independent card issuers, will prove valuable to banks because it helps to highlight emerging fraud trends. But some say they hope future reports provide more details about the actual losses banking institutions suffered because of fraud linked to those payments -- not just the total value of the fraudulent transactions themselves.
Still, the data will provide the industry with a valuable baseline about payments fraud, giving banking institutions insights into areas where they need to improve fraud detection.
"Our payments study provides a helpful groundwork regarding ongoing payment trends," says Jim McKee, senior vice president of the Federal Reserve Bank of Atlanta, and one of key contributors to the study.
Questions about third-party fraud were added to the survey for the latest report because the industry expressed an interest in having more definitive data about payments fraud, he adds. Now in its fifth iteration, the Fed has been gathering data for its triennial Payments Study since 2000.
Third-party fraud, according to the Fed, results from any payments transaction that is conducted by someone other than the authorized user of the account or from a payment card that is used for a fraudulent transaction.
Comparison of Card Fraud to ACH and Check Fraud
SOURCE: Federal Reserve Bank
Card Fraud on Rise
In 2012, unauthorized credit, debit and prepaid card transactions represented 92 percent of the total number of unauthorized transactions identified by banking institutions. Those totals exclude cards that are issued by retailers for in-store shopping and prepaid cards issued for governmental benefits, the Fed notes.
The value of card-present fraud, which relates to transactions and purchases made at the physical point-of-sale, totaled $2.4 billion. By comparison, the value of card-not-present fraud, which is based on transactions conducted over the phone or online, totaled only $1.6 billion.
But while the overall value of fraudulent CNP transactions was lower, the number of the fraudulent CNP transactions reported by the industry was three times greater than those reported for card-present fraud.
The CNP fraud rate for credit cards accounted for the highest fraud rate among all types of unauthorized third-party card transactions measured in the study.
Addressing Industry Worries
Tom Wills, a payments fraud expert and director of payments consultancy Ontrack Advisory, says the level of detail provided in the Fed's study about third-party fraud is definitely of value to bankers.
"It will help them determine what kind of resources to allocate for security and fraud programs," Wills says. "Different types of fraud indicate different types of countermeasures. For example, countermeasures for account-takeover fraud are different from those for online card fraud. Granular, quality data about fraud on a public level has historically been hard to come by, so I expect that bankers will welcome this additional insight."
But financial fraud expert Shirley Inscoe, an analyst with the consultancy Aite, says she hopes subsequent reports include more details about fraud losses.
"This is great data; but it's unfortunate the Fed did not also gather the same information concerning fraud losses," she says. "That would be a subset of the numbers reported and would also help quantify how good of a job FIs [financial institutions] are doing, overall, with their fraud-prevention efforts."
McKee says institutions were asked to only provide information about the unauthorized third-party transactions they processed, not fraud they may have suspected or believed could be related to a retail breach.
Thus, first-party fraud that may result from the opening of fraudulent accounts or identity theft is not included in the results, nor is data about fraud linked to breaches.
McKee says future reports could include more fraud data, depending on industry feedback.