How do banks afford to absorb the costs associated with credit card fraud?
— To only “absorb” part of all the costs related to fraud, e.g., through insurance, banks prevent and manage the risk of fraud as efficiently as possible.
We review the multi-layered approach used by issuing banks (“issuers”) to prevent the risk of credit card fraud—and thus the volume of fraud they absorb—and discuss their strategies to manage fraud and reduce their liabilities.
To help reduce the likelihood of fraud, banks may authenticate card holders through two factors (3DSecure). The first factor is the card number and CVC, and the second is the phone number or email address linked to the card holder, which are used to receive authentication codes.
Banks can also limit the maximum amount a card can be charged within a given period (e.g., a week or a month) and the regions (e.g., national or international) from which charges can come using private banking contracts or client-defined rules. These limits help reduce the likelihood of fraud.
Another layer of prevention for banks involves detection algorithms that can identify live transactions that are at risk for payment fraud. If these algorithms detect a risky transaction, alerts are triggered. These alerts may notify the bank or the client. At that point, there are three options. The transaction may be:
- denied directly, e.g., if it hits a blacklist;
- verified by the client or the bank if mechanisms exist to validate payments; or
- accepted by default if the client does not respond within a specified period after the alert.
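The layers described above (period limits, region rules, blacklist, and the three alert outcomes) can be sketched as follows. This is an added example, not code from any bank or from the author. It assumes that a breached limit or region rule is what marks a transaction as risky, and the names `screen`, `resolve_alert`, `RESPONSE_WINDOW`, and all sample data are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    card: str
    merchant: str
    amount: float
    region: str            # "national" or "international"
    when: datetime

@dataclass
class CardRules:
    period: timedelta      # e.g. a week or a month
    max_per_period: float  # spending cap inside that period
    allowed_regions: frozenset

BLACKLIST = {"merchant-blocked-01"}       # constructed entry
RESPONSE_WINDOW = timedelta(minutes=10)   # assumed reply deadline

def screen(txn, rules, history):
    """Return 'deny', 'alert' or 'accept' for a live transaction."""
    if txn.merchant in BLACKLIST:
        return "deny"                      # blacklist hit: denied directly
    start = txn.when - rules.period
    spent = sum(t.amount for t in history
                if t.card == txn.card and start < t.when <= txn.when)
    over_cap = spent + txn.amount > rules.max_per_period
    bad_region = txn.region not in rules.allowed_regions
    return "alert" if (over_cap or bad_region) else "accept"

def resolve_alert(alert_time, reply=None, reply_time=None):
    """reply: True = client confirms, False = client rejects, None = silence."""
    late = reply_time is None or reply_time - alert_time > RESPONSE_WINDOW
    if reply is None or late:
        return "accept"                    # default-accept (fail-open) on timeout
    return "accept" if reply else "deny"

# Constructed sample data
RULES = CardRules(timedelta(days=7), 1000.0, frozenset({"national"}))
HISTORY = [
    Txn("c1", "grocer", 400.0, "national", datetime(2024, 1, 2, 9, 0)),
    Txn("c1", "fuel", 300.0, "national", datetime(2024, 1, 5, 18, 0)),
]

def demo(merchant, amount, region, when):
    return screen(Txn("c1", merchant, amount, region, when), RULES, HISTORY)
```

The rolling window means an old charge stops counting against the cap once it falls outside the period, and a reply that arrives after the deadline is treated the same as no reply.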
Efficiently managing fraud
First, issuers must know exactly what their liabilities are for each fraud subtype. Depending on those liabilities, they may transfer the loss to the acquiring side, e.g., if the transaction is not 3DSecure-enabled, or to their clients, e.g., if the client failed to rapidly discover the fraudulent charge and to notify their bank. In both cases, because the issuer knows what its liabilities are, it does not “absorb” the losses.
Second, issuers may implement internal mechanisms to speed up the detection and escalation of fraud. This matters because efficient escalation prevents the repeated occurrence of fraudulent transactions of the same type, which in turn reduces the overall risk and the likelihood that the issuer will have to “absorb” additional losses.
Finally, the issuers’ last line of defense is still insurance. By definition, issuers have a strong financial incentive to reduce their reliance on insurance because the price of premiums depends on the risk level.
In conclusion, we laid out how issuers absorb the costs of credit card fraud, i.e., by preventing and managing the risk as efficiently as possible. The last layer of defense for an issuer remains its insurance.
I hope this information helps. As usual, feel free to reach out with questions or comments.