Every day, fraud analysts across the U.S. are stretched razor thin attempting to curtail the ever-growing fight against fraud. The current methods of common point of purchase (CPP) analysis are labor-intensive and time-consuming, that are done in-house via a manual process.
When a bank’s fraud analyst receives the standard Compromised Account Management System (CAMS) alerts regarding suspicious activity, its often too delayed to be impactful. In order to protect their cardholders, analysts are left with two options: scramble to put new fraud rules in place without disturbing their cardholders, or re-issue the entire portfolio.
Potentially disrupt your cardholders’ transactions by implementing new rules and they may use a different card in their wallet. Re-issue the card entirely and the affected cardholder may place their new card in the metaphorical bottom of their wallet, never to be used again. At a recent fraud summit in Chicago, it was noted that 20 percent of all reissued cards are never reactivated once received in the mail.
After a data breach occurs, financial institutions are often the last to find out what has really happened. Late in 2014, a major retailer experienced a data breach where a portion of its stores were experiencing higher levels of fraudulent activity. A few months later, the breach was nearly nationwide and garnering media attention from all over. But when was the CAMS alert for this breach sent out to the majority of financial institutions? Over a month later.
Despite both internal and external research being conducted by banks and credit unions, there has not been a consensus regarding which method has the most benefits without disrupting cardholders. Even with the CAMS alerts that often arrive too late to have a significant impact in reducing fraud, they are not a good indicator of which cards financial institutions should re-issue.
In the case of the Target data breach, 8.12 percent of banks’ cards were compromised in the breach. While the banks surveyed in this American Bankers Association report ended up re-issuing roughly the same amount of cards, less than 1 percent of cards actually went fraudulent at the time of re-issuance.
For those 8.12 percent of compromised cards in the Target data breach, only 2-3 percent of those would eventually go fraudulent. What this means for banks is that this reactive approach to re-issuing payment cards is costing banks and credit unions a ton of money. Not just from the fraud losses directly related to a data breach, but the costs associated with setting up call centers for customer service, the delays in getting new payment cards due to the sheer amount of requests, and the financial losses from reduced card spending or failure to re-activate the replacement payment card.
Estimated costs associated with reissuing payment cards ranges anywhere from $3 to $25. According to an American Bankers Association survey, it costs on average $11 for community and regional banks with under $1 billion in assets to create and mail a new debit card to an affected cardholder.
These analysts at community banks and credit unions are struggling to keep their heads above water, looking for better information to protect their financial institution and the customers they serve. Now take the $11 average cost for reissuing a debit card and apply that to the 8.08 percent of cards reissued in the Target breach. Financially, these community banks and credit unions cannot continue this reactive approach of reissuing cards in large batches. But does the cost of not reissuing cards in this manner outweigh the current status quo?
Financial institutions of all sizes currently employ some form fraud monitoring to help spot suspicious activity using traditional breach prevention software. If an analyst spots suspicious activity involving one of their cardholders, they can flag the card associated with that account, triggering additional security measures to ensure that future transactions are legitimate. These can be directly related to geographic distance, average spending habits and much more.
Financial institutions must decide if the expected costs associated with fraud on a compromised card will outweigh the cost of re-issuance for a card that has not yet experienced fraud. In the American Bankers Association Target Breach Impact Survey, respondents indicated that the average loss per fraudulently used debit card was $311 and credit card losses were even higher with an average loss per credit card of $530. Banks and credit unions can’t wait until the first signs of fraudulent activity occurs or they will be severely impacted by fraud losses that are not able to be kept in check.
The current card re-issuance methods that financial institutions and their analysts utilize are not strategic and writing effective rules without disturbing cardholders is difficult. Based on the information available from a variety of sources, reissuing cards liberally after a data breach occurs appears to be much more costly than waiting for suspicious activity to occur before reissuing.
In a perfect world, fraud rules would be implemented that would prevent fraudulent activity while also not disturbing their cardholders’ spending habits. However, we know that when these fraud rules miss a fraudulent transaction or flag a legitimate transaction, the financial institution and their cardholder pays the price. Fraud analysts need access to better information, in a more automated fashion to help scale their talents and protect us as cardholders.
See how Rippleshot’s fraud analytics and data breach detection software allows analysts and financial institutions can re-issue compromised cards smarter, write better rules and support their current fraud strategies while also recommending unique actions based on Rippleshot’s experience. Download Rippleshot Sonar's Regional Bank Use Case.