Securing the Digital World

The Value of Transaction Risk Analysis for Consumer Authentication

Sep 02, 2016 | by Nathan Close |

The recent consultation paper set forth by the European Banking Association (EBA) surrounding the call for comments on the regulatory technical requirements for strong customer authentication under PSD2 has created a buzz. In particular, while the EBA recognizes the "merit" of transaction risk analysis, it has called into question the ability to allow it "as a specific exemption" for the strong customer authentication requirements. This is based on the EBA's problem of technically defining what transaction risk analysis is, and how transaction risk analysis works within the framework of fair competition between the banks and third party payment and account information service providers.

This is quite remarkable and leads me to believe that perhaps there is a misconception about what transaction risk analysis really means. While I can't speak for other vendors, I can say that RSA has been perfecting risk-based authentication and "transaction risk analysis" for over a decade. The merits are evident in the fact that 15 of the Top 20 global banks have adopted RSA's risk-based authentication technology for their fraud detection platform to protect consumer and business payments and transactions across both the Web and mobile channels. In addition, the Top 20 U.S. banks currently use risk-based authentication to meet the transaction risk analysis requirements set forth by the US-based FFIEC Guidance.

It is important to note that risk-based authentication is almost always deployed as part of a layered fraud prevention strategy. The risk analysis serves as the decision engine to determine whether the transaction is low-risk and can continue without interruption to the consumer or whether too many flags have been raised and the transaction must be challenged. This decisioning process is accomplished by RSA measuring over 100 fraud indicators and predictors gathered from a specific event such as the associated IP address, the device, the location where the transaction originated, and the payment details.

Depending on how an organization wants to challenge its users, a number of step-up authentication methods can be used for further identify validation including out-of-band phone/SMS, biometrics, or mobile app transaction signing.

The overall flexibility of a risk-based authentication platform is part of what makes it so appealing to many organizations within the financial industry. It offers a simple risk scoring model which allows them to set their own custom policies to align with the business. The combined risk- and rules-based approach also allows organizations to adjust their risk policy on the fly in case of extenuating events. For example, an outbreak of phishing or malware attacks targeting users in a specific region might call for a temporary modification of policy. This is critical to help organizations quickly address emerging fraud threats.

Even more important than the benefits to the organization is the greater benefit to the end user - transparency. Risk could be virtually eliminated if every transaction was challenged. But then user adoption would never take off, innovation would be restricted, and it would defeat the entire purpose of moving services to digital channels.

Simply put, user experience trumps everything. Just ask issuers and merchants within the 3D Secure ecosystem who, led by EMVCo, got together early last year to define a new standard for authenticating card-not-present transactions. The existing protocol came with many challenges, most notably low user adoption, despite having been in existence for more than ten years. Requiring customers to enter additional credentials at every purchase led to high abandonment rates, thus many merchants opted out.

Moving forward in developing the new standards, EMVCo noted, "To ensure longevity, the payments industry recognised the need for an updated approach incorporating risk based elements." EMVCo also acknowledged the importance of user experience stating, "This will promote consumer familiarity, convenience and security."

If this isn't enough evidence to demonstrate the power of transaction risk analysis provided by risk-based authentication, let's just look at the numbers. RSA customers can identify significant volumes of fraud with minimal interference. By challenging only 3% of transactions, RSA's Risk Engine achieves an average 91 - 92% fraud detection rate across both Web and mobile transactions, boasting genuine to fraud ratios around 2:1.

While the EBA is looking to transform the payments industry and encourage fair competition, some of the exemptions set forth in the draft Regulatory Technical Standards directly impact innovation and user convenience. For example, requiring a challenge for electronic payment transactions that exceed €10 (such as paying your utility bill every month) is hardly conducive to an optimal user experience. Eliminating the need to challenge these types of high volume, low-risk transactions are exactly what transaction risk analysis and risk-based authentication is designed to do - and more importantly, what consumers demand in this new era of innovative digital banking.

If you would like to respond to the paper there is a public hearing on this topic on Sept 23rd and you can submit feedback until Oct 12th.

What do you think? Tweet us at @RSAFraud.