Fraud-control executives and researchers predicted card-not-present fraud would boom when the U.S. converted to EMV chip cards a few years ago, and, sure enough, it did. But if the experiences of other countries that adopted EMV before the U.S. are any guide, Americans can take relief in that CNP fraud losses will ease—but new threats related to real-time payments are emerging.
That’s the word in a recent working paper from the Federal Reserve Bank of Atlanta titled “The Future of U.S. Fraud in a Post-EMV Environment.” In it, Doug King, a payments risk expert at the Atlanta Fed, updates fraud trends in the United Kingdom, France, and Australia, three countries whose payment losses the bank studied in 2012.
The good news for Americans is that while card-not-present fraud rose sharply in all three countries after their conversions from magnetic-stripe to EMV chip payment cards, they’ve begun to decline in the U.K. and France.
“Data clearly show that when countries such as the United Kingdom, France, and Australia migrated to EMV chip cards, CNP fraud rose—in some instances, dramatically,” King writes in a Monday blog post about the report. “And where the data are available, we can see that the fraud rate for CNP transactions also initially rose. But over the last several years something interesting has happened. Both absolute CNP fraud and CNP fraud rates are declining in some of the countries.”
In the U.K., CNP fraud losses grew 80% from 2010 to 2017. They peaked at £432.3 million in 2016 before finally falling 5% to £409.4 million in 2017. Similarly, CNP fraud on cards from French issuers boomed from 87% from 2010 to 2016 before dropping 10% in 2017.
Although CNP fraud is still rising in Australia, King suggests that better anti-CNP-fraud tools are being deployed in many countries, and that’s benefiting issuers and merchants in both the U.S. and abroad. But now, what Americans call business email compromise or email account compromise—a type of fraud called authorized push payment in other countries—is coming to the fore. In these types of fraud, a person often posing as a ranking executive at a company or other trustworthy individual persuades a lower-level employee or a consumer to send a payment to a fraudster’s account.
In the U.K., “losses from this type of fraud were £236.0 million in 2017, which represented nearly 25% of all payment fraud reported in the country,” says the new report, citing data from UK Finance.
Expect to see more email-related push-payment fraud as more countries, including the U.S., adopt real-time payment systems. “Authorized push payment (APP) fraud, which is a form of credit-push fraud, is a growing problem,” says King’s blog post. “In the United Kingdom, the real-time payment system is being used extensively to carry out this type of fraud. Just as other countries didn’t have many tools to fight CNP fraud in early EMV chip adoptions, we don’t have all the tools yet to mitigate APP fraud.”