Card-Not-Present (CNP) Fraud Mitigation Framework
The banking industry has commenced the execution phase of this framework, which aims to tackle the most prevalent type of card fraud.
Long gone are the days when a cardholder could only make a purchase at point of sale with their physical card. The ongoing advances in payment capability previously paved the way for consumers to make online Card-Not-Present (CNP) transactions, but has now gone even further by enabling these CNP transactions to be initiated from a mobile wallet with fingerprint authentication.
Nevertheless, the fundamental transaction that underpins these digital advances is the CNP transaction, which is gaining momentum as one of the most popular ways Australians like to transact. The CNP transaction growth rate has increased from 14% in 2017 to 27% in 2018*, which may be partially accounted for with the increase of mobile in-app payment opportunities (where a consumer uses a retail app and selects a card stored in their mobile wallet to make the purchase). More avenues for CNP transactions means more opportunities for card compromise and fraud spending.
CNP Fraud Mitigation Framework
Earlier in the year, Indue advised its clients of the significant industry-wide initiative to combat the increasing CNP transaction fraud. Championed and led by the Australian Payments Network (AusPayNet), the CNP Fraud Mitigation Framework aims to target the most prevalent form of fraud in the card payments space.
According to AusPayNet’s ‘Australian Payment Card Fraud 2019’ report, although the rate of CNP fraud growth has decreased since previous years, CNP fraud still accounts for 85% of all card fraud on Australian cards.
The collective industry acknowledged the need to address this fraud concern by establishing this industry-wide framework.
CNP Mitigation Framework in Action
The CNP Mitigation Framework took effect in 1 July 2019 after a long collaboration and consultation process to define the minimum standards that both card Issuers and Merchants need to meet as a means to reduce the rates of CNP fraud. These standards provided industry-agreed fraud thresholds that Issuers and Merchants were to report against. Failing to meet these thresholds would require them to implement additional security measures or be subjected to penalties. “Breaches of these thresholds will trigger obligations for Merchants and Issuers to take action. Repeated breaches over a period of time could ultimately result in financial penalties for Issuers or Merchants’ Acquirers,” AusPayNet said in an industry release.
Watch and See
In July 2019, Indue consolidated the required statistical data on behalf of our financial crimes clients and submitted the relevant reporting to AusPayNet. Indue has since continued to submit monthly reporting to AusPayNet according to the CNP Fraud Mitigation Framework requirements. As this new reporting becomes embedded in the operation and maintenance of the card payments ecosystem, AusPayNet and indeed the entire industry will get a glimpse into whether this new framework is making inroads into the chief objective of curtailing the growth of CNP fraud. Coupled with the 3DS 2.0 mandate issued by both Visa and MasterCard, this reporting and accountability should have an impact on fraud numbers. It will be an interesting space to watch over the next two to four years.
*Source: Reserve Bank of Australia
AusPayNet’s Australian Payment Card Fraud 2019 report
Indue’s March 2019 CNP Fraud Mitigation Framework article