Chris Jones, Managing Director, PSE Consulting
There is growing interest in the acquirer and merchant community in the Transaction Risk Analysis (TRA) exemption for Strong Customer Authentication (SCA). The opportunity to exclude transactions up to €500 from SCA and place the merchant back in control of consumers’ check-out process is understandably attractive. What remains unclear, however, is whether issuers will accept these opt-out requests. Here we argue that TRA should be regarded by issuers as acquirers providing a positive waved signal, not a desperate request for help…
Despite the many areas of uncertainty regarding the implementation of SCA, almost everyone agrees that consumers are likely to experience an increased number of authentication challenges as they shop online from September 2019 onwards. While this increased authentication volume is expected to drive down fraud levels across the EU payments industry, it has created significant concerns for eCommerce merchants. They are worried that increased friction at the point of purchase will drive up basket drop-out and many feel that they are bearing the brunt of the payments industry’s fraud problems.
Today most merchants have a choice whether to use authentication tools such as 3DS. This choice will disappear in September once the SCA mandates come into force. However, many large merchants currently choose not to use 3DS, in order to create a smoother check-out and minimise basket drop-outs. Merchants take this approach despite the fraud risks and the liability shift they bear, strongly illustrating the importance attached to controlling the check-out experience.
In order to mitigate some of these concerns the European Union legislator created a range of exemptions to SCA within the Regulatory and Technical Standards. The role of the low value and recurring exemptions is relatively well understood and follows standard custom and practice within the cards world. White listing (trusted beneficiaries) remains a mercurial opt-out, which many industry participants believe may be an important part of the payment industry’s future but is unlikely to be a major opportunity to reduce shopping friction during 2019. This is because many issuers are struggling to meet the mandatory SCA requirements, and see white listing as a nice to have in the short term.
However, none of these exemptions is the subject of this blog… The area of focus here is the TRA exemption, and its impact on the signalling for and allocation of risk within the payment ecosystem.
TRA allows the merchant’s acquirer to exempt certain transactions from SCA in exchange for the acquirer taking on the risk of fraud. Acquirers are expected to assess transaction risk and decide if they wish to take on the liability for fraud. If acquirers do not want the liability, they can leave the risk with the issuer by enabling an authentication step-up, or by using one of the other exemptions. Acquirers will make this assessment using real time fraud tools and whatever additional information they have on the customer at the time.
If the acquirer wishes to take on the fraud risk, they will need to present a transaction to an issuer with the associated TRA flag (currently being developed by the card schemes). The issuer is always the final arbiter of an authentication decision and can always request a step-up or decline. It seems likely that the most efficient way of presenting the TRA flag for an issuer decision will be at the point of authentication (i.e. via 3DS) rather than authorisation, as this should reduce transaction latency. If the issuer accepts the acquirer exemption, the transaction will be authorised without the associated authentication, the acquirer will take on liability, and bear the costs of any fraud.
Our question is: Are issuers likely to accept TRA exemptions applied by acquirers for SCA opt-outs, and should issuers see TRA flagged transactions as higher or lower risk than other comparable transactions?
Our hypothesis is that issuers should be more disposed to accept, and not to decline, TRA flagged transactions because:
- Acquirers will only use the TRA flag if they believe that there is a relatively low risk of fraud. In some cases, acquirers/merchants may have better cardholder information than that held by issuers. If acquirers/merchants believe the transaction to be fraudulent, they have the option to use other opt-outs, or allow a transaction to be stepped up, passing the fraud risk to the issuer. This pushes risk out of the TRA exemption and onto other opt-outs or transactions with no opt-out requested.
- If the TRA flag is applied, and the transaction does turn out to be fraudulent, then issuers do not bear the costs of fraud anyway, so why not accept the request?
- There may be concerns that fraud of any kind could drive up issuers’ fraud reference rates, even if they are not liable, reducing their opportunity to use TRA. Given that fraud rates are expected to drop, and some National Competent Authorities are considering splitting issuing/acquiring fraud reporting by liability[1], this should be less of an issue.
- It is possible for issuers to validate acquirer TRA risk levels over time as fraud emerges within the chargeback window. More advanced issuers are likely to implement feedback loops to test that TRA exemption requests deliver lower risk transactions in reality. This allows for more granular decision-making on an acquirer by acquirer basis, rewarding those who deliver low risk transactions with even fewer step-ups.
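The feedback loop in the last point can be sketched as follows. This is an added example, not code from the author or from any card scheme: the acquirer names and transactions are constructed, the chargeback window and minimum-history threshold are assumptions, and using the RTS reference fraud rates as the per-acquirer benchmark is also an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# RTS reference fraud rates for remote card payments: (max amount EUR, rate)
REFERENCE_RATES = [(100, 0.0013), (250, 0.0006), (500, 0.0001)]
CHARGEBACK_WINDOW = timedelta(days=120)  # assumption: varies by scheme
MIN_MATURED_VALUE = 50_000.0             # assumption: EUR of history needed

@dataclass
class Txn:
    acquirer: str
    amount: float
    day: date
    tra_flag: bool
    fraud: bool  # fraud later reported, e.g. via chargeback

def tra_fraud_rate(history, acquirer, today):
    """Fraud rate by value over the acquirer's matured TRA-flagged transactions."""
    # Only transactions past the chargeback window count; newer ones may
    # still turn out fraudulent and would bias the rate downwards.
    matured = [t for t in history if t.acquirer == acquirer and t.tra_flag
               and today - t.day >= CHARGEBACK_WINDOW]
    total = sum(t.amount for t in matured)
    if total < MIN_MATURED_VALUE:
        return None  # too little evidence to judge this acquirer
    return sum(t.amount for t in matured if t.fraud) / total

def decide(history, acquirer, amount, today):
    """Return 'accept' or 'step_up' for an incoming TRA-flagged transaction."""
    band = next((r for limit, r in REFERENCE_RATES if amount <= limit), None)
    if band is None:
        return "step_up"  # above EUR 500 the TRA exemption does not apply
    rate = tra_fraud_rate(history, acquirer, today)
    if rate is None:
        return "accept"  # assumption: follows the article's default hypothesis
    return "accept" if rate <= band else "step_up"

def sample_history(today):
    """Constructed data: ACQ_A has 1 fraud in 1000 old transactions, ACQ_B has 20."""
    old = today - timedelta(days=200)
    hist = [Txn("ACQ_A", 200.0, old, True, i == 0) for i in range(1000)]
    hist += [Txn("ACQ_B", 200.0, old, True, i < 20) for i in range(1000)]
    # Recent ACQ_A fraud, still inside the chargeback window: not yet counted.
    hist += [Txn("ACQ_A", 200.0, today - timedelta(days=5), True, True)]
    return hist

if __name__ == "__main__":
    today = date(2019, 12, 1)
    hist = sample_history(today)
    for acq, amt in [("ACQ_A", 80), ("ACQ_A", 200), ("ACQ_B", 80), ("ACQ_C", 80)]:
        print(acq, amt, decide(hist, acq, amt, today))
```

With this data the same acquirer is accepted for a low-value transaction but stepped up in a higher amount band, which is the acquirer-by-acquirer granularity the point describes.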
The implication of this approach is that issuers should see TRA flagged transactions as a low (arguably zero) risk signal from their acquiring counterparts and should thus be highly inclined to accept the exemption applied by the acquirer.
We will just have to wait until Q4 2019 to see whether this hypothesis turns out to be true. It remains unclear at this stage how many issuers will be able to support their own TRA opt-outs or will even look for the relevant scheme TRA flags within incoming transactions.
[1] For example, the UK FCA is considering such an approach; see https://www.fca.org.uk/publication/policy/ps18-24.pdf page 20: “If more than one PSP is involved in processing a transaction (as is the case with card payments), a given PSP’s fraud rate should be calculated based on both the unauthorised transactions for which that PSP has borne liability and transactions involving manipulation of the payer which have not been prevented by that PSP.” This is also stated in the EBA Opinion on the implementation of the RTS, June 2018 para 46.