F
IRST
-P
ARTY
C
REDIT
C
ARD
F
RAUD
:
T
RENDS
,
A
NALYTICS
,
AND
P
REVENTION
S
TRATEGIES
David Fish
Senior Analyst; Fraud, Risk & Analytics Advisory Service [email protected]
2
© 2012 Mercator Advisory Group, Inc.
Table of Contents
Executive Summary Introduction
The Credit Card Fraud and Risk Landscape
Credit Card Fraud Trends: Where’s First-Party Fraud?
First-Party Fraud Is Difficult to Identify
U.S. Charge-offs and Delinquencies Stabilizing
Sometimes Desperate People Do Desperate Things
U.S. Credit Scores Improving (Sort of)
First-Party Fraud Is a Large Percentage of Bad Debt
Identification Strategies, Tools, and Analytics for Combating First-Party Fraud First-Party Fraud Targets More than Credit
Identification of Mules, Command and Control, and Collusive Merchants
Analytics: From Bureaus to Big Data
Vendor Profile: NICE Actimize
Vendor Profile: Palantir Technologies
Vendor Profile: Transaction Network Services
Conclusions
Classification of First-Party Fraud vs. Bad Debt The Need for More Transparent Reporting
Privacy Issues Concerning Use of Big Data and Other External Sources for Fraud Control
Copyright Notice
Figures and Tables
Table 1: Selected Payment Card Fraud Statistics, 2010–2011
Figure 1: Card Fraud in the United Kingdom, 2001–2011
Figure 2: Credit Card Fraud in France, 2003–2010
Figure 3: Credit and Charge Card Fraud in Australia, 2006–2011
Figure 4: U.S. Quarterly Credit Card Delinquencies and Charge-offs, and Net Employment Change, 2006–2011
Figure 5: FICO Score Distribution in the U.S., 2005–2011
Figure 6: Change in FICO Score Tier and Segment Population from 2005 to 2011
Figure 7: Card Issuer Charge-offs and Fraud Losses in the U.S. by Reason/Type, 2011E Figure 8: Customer Data Sources of a U.K. Credit Bureau
4
© 2012 Mercator Advisory Group, Inc.
Introduction
First-party fraud, in which borrowers apply for and use credit with no intent of paying off their loans, takes several different forms. Activities in this category are true name fraud, “bust-out” and “never-pay” fraud, false identity application fraud, and first payment default (or strategic default) fraud. Each of these types of fraud has long been difficult for credit card issuers to identify as intentional acts of theft, so most lenders end up writing off first-party fraud as bad debt. In first-party fraud there is no consumer victim, as there is in the better known third-party card fraud. Because proving intent to commit fraud in instances of bad debt is difficult and cases have to be ironclad to justify the expense of pursuing them legally, first-party fraudsters are often allowed to escape prosecution. The issuer’s (also expensive) alternative is to send charged-off fraud accounts to collections with little hope of recovery.
First-party fraud got a lot of attention in the United States during the recent recession as banks’ identification of first-party fraud activity expanded beyond the criminal element that has always sought to exploit the vulnerability of the banking system. As desperation set in for many borrowers—and as card issuers took sometimes draconian measures to mitigate default risk—otherwise good customers who were left with depleted financial resources and few options for necessary purchases took to intentionally charging cards without knowing if and how they’d be able to pay back what they borrowed. Much of this activity was in fact classified as first-party fraud, not as bad debt, partly because of card issuers’ overreaction to the deteriorating economic climate and partly because the industry was ramping up efforts to correctly classify bad debt associated with malicious intent as first-party fraud. The payment card industry and its vendors continue to intensify efforts to combat first-party fraud as the criminal underworld exploits, continually and with increasing sophistication, vulnerabilities in the banking and credit card system. Building a strong case that demonstrates a first-party fraudster’s intent requires establishing a pattern of behavior that reveals it, but the best risk management policy is to cut off a fraudster’s opportunity to steal in the first place. Card issuers have incorporated fraud prevention technologies in account origination, in the transaction process, and in account review processes to identify fraud rings and fraudulent activity, weed out bad accounts, and respond with greater insight to cases of potential first-party fraud.
While statistics indicate that first-party fraud is quite small compared to other reported forms of card fraud, this is largely because it is grossly underreported. In reality, first-party card fraud in the U.S. is more extensive than other forms of card fraud combined, and the market has shown some signs that an increase in first-party fraud could be imminent. The measures that some banks have taken to identify first-party fraud have improved and as issuers expand their business after a period of sharp contraction, we expect that the associated widening of credit availability will attract first-party fraudsters with newfound aplomb.
First-party fraud, in spite of recent attention by commentators and vendors, is still not widely understood. Banks that are aware of the distinction between a bad debt “collections issue” and a case of criminal activity hopefully have tuned their solutions properly and implemented all the necessary modules to accurately identify and treat first-party fraud.
This Mercator Advisory Group research report examines first-party fraud by first looking at current market statistics on credit card fraud from a number of industry participants and national reporting bodies. The report then presents data on credit quality in the United States and describes the environment that fosters first-party fraud. The report describes a few of the strategies, as well as vendor solutions and analytical tools, for managing first-party fraud and explores some of the broader market implications associated with first-party fraud and banks’ tactics when dealing with it.
The Credit Card Fraud and Risk Landscape
Credit Card Fraud Trends: Where’s First-Party Fraud?
The statistics published by several groups around the world that track payment cards include some useful
breakdowns of fraud volumes by fraud type, but none identify the transaction or value volumes of first-party fraud specifically. In fact, when first-party fraud is represented by statistical data about card fraud in general, it is always comingled with other kinds of fraud, such as application fraud (which can be either third-party or first-party fraud), account takeover, or activity merely labeled “other.” The vast majority is hidden in charge-off statistics. In Table 1 and the following charts, the statistics cited should be taken to represent third-party card fraud by and large. Table 1: Selected Payment Card Fraud Statistics, 2010–2011
6
© 2012 Mercator Advisory Group, Inc.
Source: Compiled by Mercator Advisory Group
Fraud risk managers look to statistics that speak to their space, tracking and consuming both charge-off and fraud data, but it is likely that records about first-party fraud that are available to them consist of what their individual institution has on its books. Thus, wider market trends about first-party fraud are difficult to assess without more transparent reporting. Since first-party fraud involves no victims other than the lender, these statistics are likely not included in the data regarding other types of card fraud because of the limited impact on the industry at large. Statistics that are readily available (see Table 1) are spotty at best, even about card fraud in total, but enough can be gleaned from extant data to provide at least a high-level picture of card fraud in certain markets and what those market statistics might tell us about card fraud globally.
Data regarding current fraud figures in North America provided by payment gateway provider (and Visa subsidiary) CyberSource show losses associated with fraud committed against e-commerce merchants. Fraud losses for 2011 reported by CyberSource showed an uptick from the prior year in both the total dollars lost to fraud (up $700 million) and the overall rate of fraud (10 basis points more). Very little of the fraud losses absorbed by merchants for online, card-not-present (CNP) transactions can be labeled first-party fraud. This is because card issuers technically hold liability for first-party fraud, though some issuers do try to recover their losses on CNP transactions by improperly submitting chargebacks against those sales. ServiRed, the Spanish ATM card scheme, payment gateway, and Visa and MasterCard franchisor for issuers and merchant acquirers, reports statistics on fraud in Spain in its annual report. The most recent report (for 2010) indicates that Spanish card issuers lost a total of €205.2 million, but no breakdown by fraud type is available.
Figure 1: Card Fraud in the United Kingdom, 2001–2011 Country or Region
(Sample) Reporting Body Year
Total Fraud (Millions)
Fraud Loss Rate (Basis Points) North America (Merchants) CyberSource 2011 $3,400* (USD) 100
Spain (Issuers) ServiRed 2010
Domestic acquirers €5.8 0.9
Foreign acquirers €199.4 30.8
U.K. (Issuers) The UK Payments Administration, Ltd. 2011 £341.0 6.1
France Observatory for Payment Cards Security (OPCS) 2010
French issuers €269.3 5.7
French acquirers €263.0 5.5
Australia (Issuers) Australian Payments Clearing Association (APCA) 2011 $220.7†
Source: The UK Payments Administration Ltd.
The UK Payments Administration Ltd. (UKPA), a trade association, reports fraud statistics biannually. Fraud in the United Kingdom (Figure 1) declined from 14 BPS in 2007 to 12 BPS in 2008 to just over 6 BPS in 2011. The reduction has been attributed to the continued success of EMV chip-and-PIN cards as a means to control card-present fraud in the U.K., which dropped 34 percent in the first half of 2011 from the same period in the prior year. The total lost by U.K. issuers of credit and debit cards declined to just over £341 million from nearly £610 million in 2008, when card fraud in the country and affecting its banks peaked. Mercator Advisory Group anticipates that fraud rates will continue to fall as the issuance of EMV chip-and-PIN cards in the U.K. reaches full deployment. To the extent that first-party fraud is represented in the UKPA’s statistics, it is contained in the fraudulent application category. The majority of application fraud is perpetrated with stolen identities, but we are aware that some instances of app fraud involving synthetic identities have been processed as fraud losses and not bad debt. The Observatory for Payment Card Security (OPCS) reports French card fraud statistics (Figure 2), which are inclusive of all fraudulent payments and withdrawals. The total fraud in 2010 was €368.9 million on cards issued in France. The issuer and acquirer breakdown represented in Table 1, then, does include some fraud attributable to instances of foreign cards being used at merchants and ATMs with French acquirers.
£0 £100 £200 £300 £400 £500 £600 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 Millions
Card Not Present Lost/Stolen Counterfeit Fraud App/Acct Takeover Mail Nonreceipt
8
© 2012 Mercator Advisory Group, Inc.
Copyright Notice
External publication terms for Mercator Advisory Group information and data: Any Mercator Advisory Group information that is to be used in advertising, press releases, or promotional materials requires prior written approval from the appropriate Mercator Advisory Group research director. A draft of the proposed document should accompany any such request. Mercator Advisory Group reserves the right to deny approval of external usage for any reason.
Copyright 2012, Mercator Advisory Group, Inc. Reproduction without written permission is completely forbidden.
Thank you for reading Mercator Advisory Group’s sample report.
Highlights of this report include:
Definition and sizing of first-party credit card fraud in the U.S. market
The likely effect of easing credit policies (in future economic recovery) on first-party fraud The steps processors and institutions will need to adopt to lower their risk of exposure Industry wide steps needed to combat first-party fraud
Profiles of three vendors of fraud and risk management solutions indicating the direction of the industry's countermeasure strategies
This report is 33 pages long and has nine exhibits.
Companies mentioned in this report include: ACI, CyberSource, Detica NetReveal, Early
Warning Services, Equifax, Experian, FICO, Intuit, MasterCard, NICE Actimize, Opera Solutions, Palantir Technologies, PayPal, Square, Transaction Network Services, and Visa.
Members of Mercator Advisory Group's Fraud, Risk & Analytics Advisory
Servicehave access to this report as well as the upcoming research for the year ahead,
presentations, analyst access and other membership benefits. Please visit us online
atwww.mercatoradvisorygroup.com.
For more information and media inquiries, please call Mercator Advisory Group's main line:
(781) 419-1700, send E-mail to [email protected].
For free industry news, opinions, research, company information and more visit us
atwww.PaymentsJournal.com.
About Mercator Advisory Group
Mercator Advisory Group is the leading, independent research and advisory services firm exclusively focused on the payments and banking industries. We deliver pragmatic and timely research and advice designed to help our clients uncover the most lucrative opportunities to maximize revenue growth and contain costs. Our clients range from the world's largest payment issuers, acquirers, processors, merchants and associations to leading technology providers and investors. Mercator Advisory Group is also the publisher of the online payments and banking news and information portal PaymentsJournal.com.