The bank’s risks related to fraud of EMV technologies

To determine the impact of fraudulent transactions in the bank’s PS (payment system) on the bank’s business, the following risks must be assessed:
* financial. Fraudulent transactions most often result in financial losses for the bank or its customers. In the latter case, the risk of losing the client if they stop trusting the services provided by the bank must also be taken into account;
* reputational. The bank’s reputation may be damaged if the services it provides are (or seem) unsafe and the protective measures taken are ineffective. The bank’s standing in countering fraud, as seen by the media, other banks, the international payment systems (IPS), law enforcement agencies and even fraudsters, must be taken into account;
* business continuity. Fraudulent transactions in the bank’s acquiring network may lead to a temporary interruption of business at merchants (TSP) with a high level of fraud, including as a result of IPS sanctions. On the issuing side, the bank risks losing customers who, because of fraud or because of strict restrictions on bank card transactions, may refuse the bank’s services altogether.

Collecting statistics is a necessary process for risk assessment

A necessary precondition for starting risk management work in the bank’s PS is the collection of initial statistics on information security incidents that have occurred and on the effectiveness of the measures currently applied. In general, the collection of statistical data should be a continuous, ongoing process.
The values listed below must be calculated in order to assess the risks and the effectiveness of the measures taken.
Issuing
1. Annual and quarterly financial losses from issuing fraud: total, per card, per transaction, per unit of transaction currency, by type of fraud, by region.
2. The number of fraudulent transactions: total, by product type, by region.
3. The average balance on card accounts: total, by product type.
4. Statistical profiles of cardholders.
5. Statistics on the use of the card management service via mobile phone: SMS notification of transactions and management of limits and card status.
6. Statistical processing of fraudulent transactions.
Acquiring
1. Annual and quarterly financial losses from fraud: total, per terminal, per transaction, per unit of transaction currency, by merchant (TSP) category, by region.
2. The number of fraudulent transactions: total, by merchant category, by region.
3. Turnover in the acquiring network: total, by merchant category, by region.
4. Statistical profiles of merchants.
5. Statistical processing of fraudulent transactions.

Risk assessment

Mandatory requirements of the IPS
The bank, as a member of the IPS, is obliged to carry out a defined set of fraud control procedures. Failure to comply with the established requirements leads to fines, damage to the bank’s reputation and, in the worst case, revocation of the IPS member’s license.
VISA defines the following violations for which sanctions are provided:
1. Exceeding the fraud level at a merchant. A merchant is included in the Global Merchant Chargeback Monitoring Program if any of its points of sale reaches or exceeds all of the following monthly limits for international transactions:
* 200 protests (chargebacks);
* 200 transactions;
* a protested-transaction rate of 2%.
After entering the program, the acquirer pays $100 for each protested transaction at each point of sale of the merchant that entered the program. VISA may raise the fine to $200 if no remedial measures are taken.
2. Non-compliance of the issuer with the risk monitoring requirements. An issuer that does not comply with the monitoring rules defined in section 2.7 of the VISA Operating Rules for the CEMEA region pays a fine at the end of each financial quarter; the amount depends on the transaction volume and varies from $6,000 to $25,000.
3. Non-compliance of the acquirer with the risk monitoring requirements. An acquirer that does not comply with the monitoring rules defined in section 2.6 of the VISA Operating Rules for the CEMEA region pays a fine at the end of each financial quarter; the amount depends on the transaction volume and varies from $6,000 to $25,000.
4. Exceeding the fraud level by the acquirer. This category includes acquirers whose quarterly fraud losses exceed $50,000 and whose fraud rate is higher than 0.35% (fraudulent cash disbursement transactions, fraud on non-received cards and cards issued on fake applications are not taken into account). During the first four quarters the fine is $5,000; for the fifth, sixth and seventh quarters it is $50,000; after that the CEMEA Committee considers revoking the acquiring license.
5. Violation of the rules for processing e-commerce transactions. If a merchant carries out e-commerce transactions by receiving data over the Internet but does not correctly fill in the fields specific to e-commerce transactions (the electronic commerce indicator), the merchant enters the program and the acquirer begins to receive written notifications from Visa about the need to process e-commerce transactions correctly.
After four months the acquirer is fined $5,000, after five months $10,000, and after six months $25,000.
6. Violation of the rules for processing online gambling transactions. Visa prohibits the inappropriate use of credit vouchers to pay out winnings, and the use of the following field values in transactions of a merchant providing an online gambling service: Merchant Category Code (MCC) 7995, POS condition code 59. In the first case the acquirer is fined $50 per credit above 5% of the established threshold. In the second case the fine is $25,000 for the first six months; during the following six months the matter is reviewed and operations may be suspended; after thirteen months, revocation of the license is considered.
7. Violation of Visa brand protection restrictions. If a merchant participates in the distribution of child pornography via the Internet, Visa applies sanctions to the acquirer if it does not stop the merchant’s operations within the set time. The sanction is a fine of $50,000 or $250,000, a ban on concluding new contracts with online merchants, the mandatory termination of all existing e-commerce contracts, or revocation of the license.
8. Cross-border acquiring. For violation by the acquirer of clause 4.11 of the VISA Operating Rules for the CEMEA region, a fine of $1,000 per transaction is charged.
9. Non-participation in the CEMEA Fraud Information Service (CFIS) program. The CFIS service was created in 2004 to exchange information on fraud and countermeasures for risk management. If a VISA member does not participate in this program, the fine is $1,000 for the first six months and $5,000 thereafter.
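The two threshold-based Visa programs above (item 1, the Global Merchant Chargeback Monitoring Program, and item 4, the acquirer fraud level) are the kind of check an acquirer’s risk team should run over its own statistics every month and quarter, before Visa does. The following Python example is added here and is not code from the original text or from Visa; it aggregates constructed international transactions per merchant and month, applies the three monthly limits jointly (all three must be reached), and computes the fine schedule from the numbers stated on the page. The `IntlTxn` record, the merchant identifiers, the use of sales volume as the denominator of the acquirer fraud rate, and the meaning of `quarters_in_program` are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class IntlTxn:
    """One international transaction at a merchant (constructed record)."""
    merchant_id: str
    month: str          # calendar month, "YYYY-MM"
    charged_back: bool  # True if the issuer protested (charged back) the transaction


# Monthly limits of the Global Merchant Chargeback Monitoring Program as stated in the text.
GMCMP_MIN_CHARGEBACKS = 200
GMCMP_MIN_TRANSACTIONS = 200
GMCMP_MIN_RATIO = 0.02
FINE_PER_CHARGEBACK_USD = 100             # once in the program
FINE_PER_CHARGEBACK_NO_REMEDY_USD = 200   # if no remedial measures are taken

# Acquirer fraud level thresholds (item 4) as stated in the text.
ACQ_MIN_QUARTERLY_LOSSES_USD = 50_000
ACQ_MIN_FRAUD_RATE = 0.0035               # 0.35%


def monthly_counts(txns: Iterable[IntlTxn]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """(merchant, month) -> (transactions, chargebacks)."""
    counts = defaultdict(lambda: [0, 0])
    for t in txns:
        c = counts[(t.merchant_id, t.month)]
        c[0] += 1
        c[1] += int(t.charged_back)
    return {k: (v[0], v[1]) for k, v in counts.items()}


def in_gmcmp(transactions: int, chargebacks: int) -> bool:
    """All three monthly limits must be reached or exceeded, not just one."""
    ratio = chargebacks / transactions if transactions else 0.0
    return (transactions >= GMCMP_MIN_TRANSACTIONS
            and chargebacks >= GMCMP_MIN_CHARGEBACKS
            and ratio >= GMCMP_MIN_RATIO)


def gmcmp_fines(txns: Iterable[IntlTxn], remedial_measures_taken: bool = True) -> Dict[Tuple[str, str], int]:
    """Fine per (merchant, month) for every merchant-month that falls into the program."""
    per_cb = FINE_PER_CHARGEBACK_USD if remedial_measures_taken else FINE_PER_CHARGEBACK_NO_REMEDY_USD
    return {key: cb * per_cb for key, (n, cb) in monthly_counts(txns).items() if in_gmcmp(n, cb)}


def acquirer_fraud_rate(fraud_losses_usd: float, sales_volume_usd: float) -> float:
    # Assumption: the fraud rate is fraud losses divided by sales volume for the quarter.
    return fraud_losses_usd / sales_volume_usd


def acquirer_fraud_fine(fraud_losses_usd: float, sales_volume_usd: float,
                        quarters_in_program: int) -> Optional[int]:
    """Quarterly fine for an acquirer exceeding the fraud level; None means the
    CEMEA Committee reviews license revocation. fraud_losses_usd must already
    exclude fraudulent cash disbursements, non-received cards and fake-application
    fraud, as the text requires (the caller filters those out)."""
    exceeds = (fraud_losses_usd > ACQ_MIN_QUARTERLY_LOSSES_USD
               and acquirer_fraud_rate(fraud_losses_usd, sales_volume_usd) > ACQ_MIN_FRAUD_RATE)
    if not exceeds:
        return 0
    if quarters_in_program <= 4:
        return 5_000
    if quarters_in_program <= 7:
        return 50_000
    return None


def sample_transactions() -> list:
    """Constructed data for three merchants in one month."""
    txns = [IntlTxn("M1", "2024-01", i < 210) for i in range(300)]      # 70% charged back
    txns += [IntlTxn("M2", "2024-01", i < 150) for i in range(10_000)]  # 1.5%, below the count limit
    txns += [IntlTxn("M3", "2024-01", i < 250) for i in range(5_000)]   # 5%, all limits met
    return txns


if __name__ == "__main__":
    for (merchant, month), fine in sorted(gmcmp_fines(sample_transactions()).items()):
        print(f"{merchant} {month}: in program, fine ${fine:,}")
    print("acquirer Q2 fine:", acquirer_fraud_fine(60_000, 10_000_000, 2))
```

Running this on the constructed data puts M1 and M3 into the program and leaves M2 out, because M2’s 150 chargebacks stay under the 200 limit despite its volume; the same joint-condition logic applies to the real monthly statistics from the “Acquiring” list above.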
MasterCard defines the following violations for which sanctions are provided.
1. Non-compliance with SAFE reporting standards. MasterCard, at its discretion, conducts an additional RAMP review (cost $15,000); starting from the second identified discrepancy it charges a fine of $15,000 quarterly, and after the third case the matter may additionally be referred to the MasterCard Audit Committee.
2. Failure to report to the SAFE system transactions protested due to fraud with certain codes. For each transaction that the issuer protested due to fraud with codes 4837, 4840, 4847 or 4862 and did not report to the SAFE system, a fine of $1,000 is charged.
3. Non-compliance with fraud loss management standards. After a scheduled RAMP review, the bank receives a written report with the requirements that must be met within the established time frame to achieve compliance with the fraud management security requirements. If the MasterCard member does not take the prescribed actions, the following sanctions may follow:
* suspension of the right to insure losses from card counterfeiting;
* fines (USD (EUR) 25,000, 50,000, 75,000 and 100,000 per month for the first, second, third and subsequent quarters of non-compliance);
* revocation of the MasterCard member’s license; despite the possibility of appealing to MasterCard, the final decision will remain unchanged.
It follows from these IPS requirements that the bank must take measures to comply with at least these minimum requirements; otherwise financial sanctions, reputational damage and, in the worst case, business interruption (license revocation) may follow.

Financial risk assessment

1. Assessment of the number of customers who neglect the rules for safe use of a bank card:
* assessment of the number of customers who keep the PIN code together with the card;
* assessment of the number of holders who have not set limits on card transactions.
2. Assessment of the effectiveness of the SMS card management service. The assessment requires analysing data on customers’ use of the service, taking into account:
* the number of customers who do not use all of the service’s card management features (for example, based on customer statements about fraudulent transactions for which they received notifications but could not send a command to block the card; the types of commands customers use to manage restrictions on their cards can also be analysed);
* a comparison of two time intervals: the mean time between successive fraudulent transactions (when card details, magnetic stripe data or the PIN have been compromised) and the response time of a customer connected to the service (sending an SMS control command, calling the bank).
3. Assessment of the financial risk for a cardholder or group of cardholders, taking into account:
* account balance and account limits (cash withdrawal, purchases at merchants, total limit for all transactions);
* connection to the SMS card management service and how effectively it is used;
* compliance with the requirements for safe use of the card;
* statistical profile.

Example

The cardholder has not set limits on operations on the card and has not connected to the SMS card management service. In this case, to estimate the amount of financial loss S resulting from theft of the card (fraud type “lost and stolen cards”), the following calculation is performed:
S = Account balance × Probability of card theft × Probability that the PIN code is kept together with the card.
The probability of card theft can be calculated from statistical processing of information on stolen bank cards.
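The example above covers one holder with no limits and no SMS service. The Python code below is an added example, not part of the original text, that applies the same formula S = balance × P(theft) × P(PIN kept with card) across a constructed portfolio so that the riskiest holders can be ranked for the limit-setting and SMS-service measures listed under “Financial risk assessment”. It goes one step beyond the text’s case: for holders who have set a total limit, exposure is capped at min(balance, limit), which is an assumption of this example. The `Holder` record, the stolen-card counts and the 20% PIN-with-card share are constructed values.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Holder:
    holder_id: str                 # constructed identifier
    balance: float                 # current card account balance
    total_limit: Optional[float]   # total limit for all card operations; None if the holder set none


def theft_probability(cards_stolen_per_year: int, cards_in_circulation: int) -> float:
    """P(theft) estimated from the bank's own statistics on stolen cards
    (the 'statistical processing of fraudulent transactions' the text calls for)."""
    if cards_in_circulation <= 0:
        raise ValueError("cards_in_circulation must be positive")
    return cards_stolen_per_year / cards_in_circulation


def expected_loss(holder: Holder, p_theft: float, p_pin_with_card: float) -> float:
    """S = exposure x P(theft) x P(PIN kept with the card).
    Exposure is the full balance when no limit is set (the case in the text).
    When a total limit is set, exposure is capped at min(balance, limit);
    this cap is an assumption of this example, not a formula from the text."""
    if holder.total_limit is None:
        exposure = holder.balance
    else:
        exposure = min(holder.balance, holder.total_limit)
    return exposure * p_theft * p_pin_with_card


def portfolio_expected_loss(holders: Iterable[Holder], p_theft: float, p_pin_with_card: float) -> float:
    """Sum of expected losses over a group of cardholders."""
    return sum(expected_loss(h, p_theft, p_pin_with_card) for h in holders)


def riskiest_holders(holders: Iterable[Holder], p_theft: float, p_pin_with_card: float,
                     top_n: int = 3) -> List[str]:
    """Holders ranked by expected loss, highest first, to prioritise
    limit-setting and SMS-service enrolment campaigns."""
    ranked = sorted(holders, key=lambda h: expected_loss(h, p_theft, p_pin_with_card), reverse=True)
    return [h.holder_id for h in ranked[:top_n]]


def sample_holders() -> List[Holder]:
    """Constructed portfolio; balances and limits are illustrative only."""
    return [
        Holder("h1", 50_000.0, None),       # the text's case: no limit
        Holder("h2", 50_000.0, 10_000.0),   # same balance, but a total limit is set
        Holder("h3", 200_000.0, None),
        Holder("h4", 5_000.0, None),
    ]


if __name__ == "__main__":
    p_theft = theft_probability(1_200, 400_000)  # constructed: 1,200 stolen cards per 400,000 in circulation
    p_pin = 0.2                                  # constructed: 20% of holders keep the PIN with the card
    for h in sample_holders():
        print(h.holder_id, round(expected_loss(h, p_theft, p_pin), 2))
    print("portfolio:", round(portfolio_expected_loss(sample_holders(), p_theft, p_pin), 2))
    print("riskiest:", riskiest_holders(sample_holders(), p_theft, p_pin))
```

With the constructed inputs, h1 and h2 have the same balance, but h2’s limit cuts its expected loss to a fifth of h1’s, which is the quantitative argument for the “holders who have not set limits” assessment above.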

Assessment of reputational risk

1. Assessment of the number of customers who consider the bank’s PS services unsafe. This assessment will require a study involving the resources of the bank’s business units.
2. Assessment of the number of customers who refused the bank’s PS services due to insufficient security. This assessment will require analytical work involving the resources of the bank’s business units.
3. Assessment of the impact of successful interaction with law enforcement agencies on the facts of fraud on the reputation of the bank. This assessment will require a study involving the resources of the bank’s divisions that ensure interaction with law enforcement agencies and the media.
4. Assessment of the bank’s reputation in countering fraud as perceived by other banks and the IPS.

Risk handling

Risk treatment includes taking measures to eliminate, reduce, transfer or accept the risk.
1. Compliance with mandatory requirements. The bank should be guided by the mandatory requirements and recommendations of the IPS, international and Russian standards, and the regulatory documents of the Bank of Russia on ensuring the information security of the PS.
2. Risk insurance. The practice of transferring PS risks to insurance companies is becoming increasingly widespread in Russia. The available insurance options should be considered and used in conjunction with the other measures taken.
3. Dispute (claim) handling. High-quality dispute handling reduces the share of fraud that ends up as losses of the bank, its customers or insurance companies.
4. Monitoring. Timely detection of fraud and the adoption of adequate and effective measures based on the PS monitoring system should be the risk management tool in the PS.
Setting the task of monitoring transactions
A powerful solution to the problem of fraud is the introduction of a system for monitoring bank card transactions, which allows analyzing all transactions, identifying suspicious ones from the point of view of fraud and taking prompt actions to minimize risks.
Fraud with bank cards leads to financial losses and a decrease in customer confidence in this banking product, so it is important to realize the relevance of counteraction measures and develop a comprehensive approach to solving the problem to minimize risks. Early detection of fraud and the adoption of adequate and effective measures are necessary conditions for ensuring the security of the bank card payment system and should be carried out within the framework of risk management measures in the bank.
Monitoring of bank card transactions should provide an analysis of all authorization and clearing operations on bank cards in the PS and decision-making on transactions suspicious from the point of view of fraud in order to minimize risks.

Classification of transaction monitoring systems

By response time, monitoring systems are divided into the following classes:
1. Online. Such systems work in real time and can influence the result of the authorization of the operation.
2. Pseudo-online. Operations are analysed in real time, but it is impossible to interfere with the authorization process. A decision can be made only after a suspicious (fraudulent) transaction has completed.
3. Offline. Special reports are generated periodically (daily, weekly, etc.), and decisions are made on the basis of their analysis.
By type of decision-making:
1. Automatic. The decision on the operation is made by the system automatically, without human intervention.
2. Automated. The system provides an authorized employee with the information needed to decide on the transaction.
By the amount of information used in the analysis:
1. Systems that use only the data of the transaction itself. Only the transaction parameters are taken into account: the amount, the merchant’s name, the merchant category, the country, etc.
2. Systems that also use the history of operations on the card or point of sale. The analysis uses the history of past transactions on the card or at the point of sale.
3. Systems using behavioural models of cardholders and merchants. The system builds and/or uses behavioural models of cardholders and merchants; a transaction is analysed against the existing model, and the operation is considered suspicious when behaviour deviates from the model.
By the mathematical apparatus used for analysis:
1. Systems based on simple logical checks. Logical checks are the comparison operations >, <, =, ≠.
2. Systems using statistical methods: descriptive statistics, correlation analysis and regression analysis.
3. Systems using Data Mining methods (without neural networks). The Data Mining methods used in transaction analysis may include classification and forecasting, cluster analysis and association rule search.
4. Systems based on neural networks. Operations are analysed by adaptive schemes built on neural networks, which also makes it possible to identify previously unknown types of fraud. These systems are expensive and require significant resources for configuration (training of the neural network).
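To make the classification concrete, the Python example below (added here; not code from the original text or from any monitoring product) combines two of the classes just listed in one scoring path: simple logical checks on the transaction’s own fields (class 1 of the mathematical apparatus, using only the transaction’s data) and a behavioural profile built from the card’s history (class 3 by information used), with the outcome expressed as the automatic/automated split: a hard rule hit is declined automatically, while profile deviations are handed to an analyst for review. The `Txn` record, the blocked-MCC list, the z-score limit, the sample history and the country code “ZZ” are constructed assumptions.

```python
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    card: str       # card token (constructed identifier, never the raw PAN)
    amount: float   # in the cardholder's account currency
    mcc: str        # merchant category code
    country: str    # country of the point of sale
    hour: int       # local hour of the transaction, 0..23


# Class 1: simple logical checks (>, <, =, !=) on the transaction's own fields.
# These are constructed issuer policy values, not rules of any payment system.
BLOCKED_MCC = {"7995"}          # categories this issuer does not allow for its products
MAX_SINGLE_AMOUNT = 100_000.0   # hard per-transaction ceiling


def simple_checks(t: Txn) -> List[str]:
    reasons = []
    if t.amount > MAX_SINGLE_AMOUNT:
        reasons.append(f"amount {t.amount:.2f} exceeds ceiling {MAX_SINGLE_AMOUNT:.2f}")
    if t.mcc in BLOCKED_MCC:
        reasons.append(f"MCC {t.mcc} is blocked for this product")
    if not 0 <= t.hour <= 23:
        reasons.append(f"invalid hour {t.hour}")
    return reasons


# Class 3: a behavioural model of the cardholder built from transaction history.
def build_profile(history: List[Txn]) -> Dict:
    amounts = [h.amount for h in history]
    hours = [h.hour for h in history]
    return {
        "mean": statistics.mean(amounts),
        "stdev": statistics.pstdev(amounts),
        "countries": {h.country for h in history},
        "mccs": {h.mcc for h in history},
        "hour_range": (min(hours), max(hours)),
    }


def profile_deviations(t: Txn, profile: Dict, z_limit: float = 3.0) -> List[str]:
    """Each deviation from the model is one reason; none means the model is matched."""
    reasons = []
    stdev = profile["stdev"] or 1.0          # avoid division by zero on a flat history
    z = (t.amount - profile["mean"]) / stdev
    if z > z_limit:
        reasons.append(f"amount z-score {z:.1f} above {z_limit}")
    if t.country not in profile["countries"]:
        reasons.append(f"first transaction in country {t.country}")
    if t.mcc not in profile["mccs"]:
        reasons.append(f"first transaction in MCC {t.mcc}")
    lo, hi = profile["hour_range"]
    if not lo <= t.hour <= hi:
        reasons.append(f"hour {t.hour} outside usual window {lo}-{hi}")
    return reasons


def assess(t: Txn, history: List[Txn], min_history: int = 5) -> Tuple[str, List[str]]:
    """'decline' = automatic decision on a hard rule; 'review' = automated decision,
    an analyst gets the reasons; 'allow' otherwise. A thin history yields no model."""
    hard = simple_checks(t)
    if hard:
        return "decline", hard
    if len(history) < min_history:
        return "allow", []
    soft = profile_deviations(t, build_profile(history))
    if len(soft) >= 2:
        return "review", soft
    return "allow", soft


def sample_history() -> List[Txn]:
    """Constructed history: everyday purchases in one country during the day."""
    amounts = [1200, 1450, 980, 1600, 1300, 1150, 1700, 1400]
    mccs = ["5411", "5812", "5411", "5411", "5812", "5411", "5812", "5411"]
    hours = [9, 12, 13, 18, 19, 10, 20, 14]
    return [Txn("tok-1", float(a), m, "RU", h) for a, m, h in zip(amounts, mccs, hours)]


if __name__ == "__main__":
    hist = sample_history()
    for t in (Txn("tok-1", 1300.0, "5411", "RU", 12),
              Txn("tok-1", 45_000.0, "5732", "ZZ", 3),
              Txn("tok-1", 500.0, "7995", "RU", 12)):
        print(assess(t, hist))
```

The split between `simple_checks` and `profile_deviations` mirrors the two ends of the cost scale in the classification: the logical checks run with no state at all and are safe to enforce online, while the profile needs history and is better routed to the pseudo-online, automated path where an employee confirms the decision.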

According to the type of transactions analyzed, they are divided into two classes.

1. Emission.
2. Acquiring.
The transaction monitoring system is a risk management tool associated with fraudulent bank card transactions and should be an integral part of an integrated approach to ensuring the security of the bank’s bank card payment system.
The choice of a monitoring system should be based on an analysis of existing risks. The system should be manageable and effective in order to minimize financial losses of the bank and cardholders, customer dissatisfaction and increase confidence in the bank.
Mandatory criteria for monitoring by international payment systems
The international payment systems VISA and MasterCard have formulated a number of criteria for mandatory monitoring of transactions by acquirers and issuers. Failure to comply with the mandatory monitoring requirements entails sanctions and fines from the IPS.
Monitoring of transactions by the acquirer
Transaction data is analysed for each point of sale serviced by the acquirer, separately for financial (clearing) transactions and for authorization transactions. Activity is assessed using data for all the IPS with which the acquirer works.
Monitoring of authorization transactions
The acquirer should monitor all authorization requests, both successful and unsuccessful (Table 1). During monitoring, the following data should be analysed:
* transaction amount;
* number of transactions;
* authorization response code;
* card number;
* time and date of the transaction;
* card acceptance parameters.
Monitoring of clearing transactions
The acquirer must monitor the following types of transactions (Table 2):
* authorization requests and responses;
* purchases;
* credit and refund operations;
* cash withdrawals;
* protested (charged-back) operations with their reason codes.

Monitoring of operations by the issuer

Monitoring allows issuing banks to trace attempted fraudulent transactions on bank cards and to take measures to reduce risks (Table 3).
According to MasterCard’s requirements, an acquirer must take additional measures to control fraud losses if its fraud rate in basis points is 2 times higher than the MasterCard average and its annual losses exceed $200,000.
MasterCard also recommends monitoring the following events and parameters:
* attacks using generated card numbers;
* negative results of CVC1 and CVC2 checks;
* operations on expired cards;
* transactions with incorrect card numbers;
* CAT (cardholder-activated terminal) transactions;
* transactions at possible points of compromise;
* credit operations and authorization reversals initiated by a point of sale;
* lists of unused cards.
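Several of the acquirer authorization-monitoring fields above (response code, card number, time, per-terminal counts) and the MasterCard-recommended events (generated card numbers, expired cards, incorrect card numbers) can be checked from an ordinary authorization log. The Python example below is added here and is not code from the original text or from either payment system: it parses a few constructed log lines, computes per-terminal decline statistics, flags card numbers that fail the Luhn check (“incorrect card numbers”), and flags terminals where many distinct declined PANs share one 12-digit prefix, the pattern left by attacks with generated card numbers. The log line format, the terminal identifiers, the PANs (public test numbers plus constructed ones), the four-PAN threshold and the 50% decline-ratio threshold are assumptions; the response codes 00, 05, 14 and 54 are the ISO 8583 values for approved, do not honor, invalid card number and expired card.

```python
import re
from collections import defaultdict
from typing import Dict, List

APPROVED = "00"
INVALID_CARD_NUMBER = "14"
EXPIRED_CARD = "54"

# Constructed authorization log. T002 shows five declined PANs from one prefix in
# seconds; T003 shows an invalid card number and an expired card.
SAMPLE_LOG = """
2024-03-01T10:00:01 term=T001 pan=4111111111111111 resp=00 amount=1500.00
2024-03-01T10:00:09 term=T001 pan=5500000000000004 resp=00 amount=820.00
2024-03-01T10:01:02 term=T002 pan=4000123456789017 resp=05 amount=99.00
2024-03-01T10:01:05 term=T002 pan=4000123456789025 resp=05 amount=99.00
2024-03-01T10:01:08 term=T002 pan=4000123456789033 resp=14 amount=99.00
2024-03-01T10:01:11 term=T002 pan=4000123456789041 resp=05 amount=99.00
2024-03-01T10:01:14 term=T002 pan=4000123456789058 resp=14 amount=99.00
2024-03-01T10:02:30 term=T003 pan=4111111111111112 resp=14 amount=500.00
2024-03-01T10:03:00 term=T003 pan=5555555555554444 resp=54 amount=3000.00
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) term=(?P<term>\S+) pan=(?P<pan>\d+) resp=(?P<resp>\d{2}) amount=(?P<amount>[\d.]+)$"
)


def parse_log(text: str) -> List[Dict]:
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["amount"] = float(rec["amount"])
            records.append(rec)
    return records


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only BIN and last four digits in anything a person reads."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def terminal_stats(records: List[Dict]) -> Dict[str, Dict]:
    stats = defaultdict(lambda: {"attempts": 0, "declines": 0, "expired": 0, "invalid_pan": 0})
    for r in records:
        s = stats[r["term"]]
        s["attempts"] += 1
        s["declines"] += r["resp"] != APPROVED
        s["expired"] += r["resp"] == EXPIRED_CARD
        s["invalid_pan"] += r["resp"] == INVALID_CARD_NUMBER
    for s in stats.values():
        s["decline_ratio"] = s["declines"] / s["attempts"]
    return dict(stats)


def luhn_failures(records: List[Dict]) -> List[str]:
    """Card numbers that cannot be real PANs, whatever the issuer answered."""
    return sorted({r["pan"] for r in records if not luhn_valid(r["pan"])})


def enumeration_suspects(records: List[Dict], min_distinct_pans: int = 4) -> List[str]:
    """Terminals with many distinct declined PANs sharing one 12-digit prefix
    (constructed heuristic for attacks with generated card numbers)."""
    seen = defaultdict(set)
    for r in records:
        if r["resp"] != APPROVED:
            seen[(r["term"], r["pan"][:12])].add(r["pan"])
    return sorted({term for (term, _), pans in seen.items() if len(pans) >= min_distinct_pans})


def high_decline_terminals(records: List[Dict], min_attempts: int = 5, max_ratio: float = 0.5) -> List[str]:
    return sorted(t for t, s in terminal_stats(records).items()
                  if s["attempts"] >= min_attempts and s["decline_ratio"] > max_ratio)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for term, s in sorted(terminal_stats(recs).items()):
        print(term, s)
    print("Luhn failures:", [mask_pan(p) for p in luhn_failures(recs)])
    print("enumeration suspects:", enumeration_suspects(recs))
    print("high-decline terminals:", high_decline_terminals(recs))
```

The `min_attempts` floor matters: T003 has a 100% decline ratio on two attempts, which is noise, while T002’s five declines in twelve seconds from one prefix are the signal; output always goes through `mask_pan` so the monitoring report itself does not become a store of card numbers.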