Submissions – Payments System Applications for Authorisation in Relation to 3D Secure
65 Martin Place
Sydney NSW 2000
GPO Box 3947
Sydney NSW 2001
T: +61 2 9551 8700
F: +61 2 9551 8024
richardsa@rba.gov.au
www.rba.gov.au
26 February 2016
Adjudication Branch
Australian Competition & Consumer Commission
GPO Box 3131
Canberra ACT 2601
By Email – adjudication@accc.gov.au
Dear Sir/Madam
A91525 and A91526 – Australian Payments Clearing Association Limited – Submission
Thank you for the opportunity to comment on the Australian Payments Clearing Association's (APCA) applications for authorisation to coordinate mandatory use of 3D Secure in Australia for certain online transactions.
The Bank welcomes industry efforts to reduce fraudulent use of payment methods and supports in principle APCA's applications for authorisation, subject to the proposed initiative not being detrimental to competition between card schemes.
Coordinated industry action is likely to provide the quickest path to reducing card-not-present (CNP) fraud losses which have increased significantly over the past decade. On top of the lost value of goods/services fraudulently obtained – which is typically borne by the merchant – cardholders, merchants and financial institutions are likely to incur significant aggregate resource costs when investigating and resolving CNP fraud cases.
However the Bank sees some possibility for the initiative to competitively disadvantage some payment schemes and believes that the ACCC should consider this impact when determining whether the public benefit of the proposed conduct will outweigh any public detriment.
If final authorisation is subsequently not granted, the Bank believes that the market would be able to return to its pre- interim authorisation state given the nature of the planning activities and the relatively short likely timeframe between a draft and final determination.
Trends in card payments fraud in Australia
According to data published by APCA, total losses from fraudulent debit, credit and charge card transactions on cards issued and/or acquired in Australia amounted to $465 million in 2014/15, up by 17 per cent from the previous financial year.
Card-not-present (CNP) fraud
Fraudulent CNP transactions accounted for around 80 per cent of total losses ($370 million in 2014/15). Of this, domestic CNP transactions (transactions on cards issued and acquired in Australia), which are the focus of the proposed industry initiative, accounted for $118 million in 2014/15.[1] Domestic CNP fraud has risen over the past decade (Graph 1); the Bank estimates that the rate of fraud for these transactions has also increased to be approximately $1.20 per $ 1 000 transacted in 2014/15, up from $0.94 in the previous financial year.
The remaining two-thirds of CNP fraud losses (or $252 million) relate to outbound and inbound international transactions. Outbound fraud (where an Australian card is used fraudulently overseas) in particular has grown rapidly in recent years to account for over $200 million in losses in 2014/15. As discussed below, one of the benefits of the proposed industry initiative may also be to help reduce fraud related to international transactions.
Card-present fraud
In contrast to CNP fraud, according to APCA data, card-present (CP) fraud on international scheme cards (Visa, MasterCard, American Express, Diners Club, JCB) has fallen in recent years, reflecting the introduction of more secure arrangements by the industry. The composition of CP fraud has changed, with losses associated with counterfeiting falling following the introduction of chip technology. In contrast, fraudsters have migrated to less-advanced types of fraud, with an increase in losses associated with cards being stolen and intercepted (Graph 2). In 2014, the industry's PINwise initiative was implemented relatively smoothly and made it more difficult for criminals to steal/intercept cards and use them in a card-present environment by forging the cardholder's signature.
While the rates of fraud for eftpos and ATM transactions remain relatively low compared with the rates for international scheme card purchases, counterfeiting activity has not declined by the same extent (Graph 3). The industry is working to upgrade eftpos cards and Australian ATMs from magnetic stripe to chip technology, which is expected to help reduce this type of fraud.
Likely benefits and costs of coordinated implementation of 3D Secure
Overcoming short-term first-mover disadvantages
An industry approach is likely to overcome the coordination problems that have held back voluntary, independent adoption of approaches like 3D Secure.
The experience to date is that online merchants have been reluctant to adopt 3D Secure voluntarily. Merchants have been concerned that, by adding frictions to the payments process, 3D Secure could drive their customers to competitors' websites where the payments process is simpler (even though they might each be better off if they collectively decided to adopt the system). Because cardholders are generally insulated from the impact of fraud by chargeback rights and zero liability arrangements, they can be expected to value convenience over the risk faced mainly by others. The initiative's proposed sequencing ensures that merchants of a similar nature will be required to introduce 3D Secure at the same time, removing one of the obstacles to the adoption of more secure arrangements.
If a coordinated approach does not occur, voluntary adoption of 3D Secure is likely to take significantly longer to achieve a critical mass and may never do so. As noted above, the costs of delayed implementation of more secure arrangements not only include losses of principal amounts, but also the costs borne by the various parties in investigating and resolving fraud cases.
Schemes also currently face similar incentives. If schemes were to implement 3D Secure mandates separately, it is likely that costs would be somewhat lower for the second mover, as some costs (such as those associated with initially enrolling merchants in 3D Secure) would be avoided, and they would have the benefit of learning from the experience of the first-mover. This could lead schemes to delay implementation of 3D Secure to ‘free ride’ off the first mover. A coordinated approach would remove these disincentives.
Consistent consumer experience and education
The voluntary arrangements that have occurred up to now have made the task of educating consumers about the benefits and steps involved for more secure online purchases relatively difficult. Similar to the PINwise initiative in 2014, a coordinated approach to the roll-out of 3D Secure is likely to make the task of educating consumers more straightforward, although the staged nature of merchant enrolment might introduce a little complexity. A joint communications strategy is likely to reach a greater audience, and be more effective, than if individual banks or schemes carried out separate activities.
Lower adjustment costs
A coordinated approach will make the adjustment process less burdensome for merchants, acquirers and gateways compared with a situation where they adopt/promote 3D Secure independently. In particular, the coordinated approach means that merchants may only need to make technical changes to their online systems once. In the absence of a coordinated response, and in the event that individual schemes introduced mandatory 3D Secure separately, it is likely that a merchant would have to incorporate different schemes' changes at different times, multiplying the efforts required to be ready for 3D Secure.
Nevertheless, the joint implementation of mandatory 3D Secure will still result in large aggregate adjustment costs for cardholders, merchants and financial institutions. While these costs are likely to be significant in aggregate (for instance, considering the number of online merchants in Australia having to update their websites), these one-off costs should be outweighed by the ongoing benefits from the more secure arrangements (and notably, a liability shift will remove merchants' liability for fraud where 3D Secure is in place). While the Bank supports the initiative, it is conscious that the industry will need to plan carefully to avoid disruption for online merchants and consumers. Online merchants need to be made aware of the changes well in advance of deadlines so they have time to plan and make the necessary changes. The process of educating consumers and in some cases financial institutions gathering additional information such as mobile phone numbers is also a large undertaking, at a time when the industry is actively working on other innovations such as the New Payments Platform.
Assisting to reduce domestic and international fraud
While the proposed industry initiative focuses on the mandatory enrolment of domestic cards and domestic merchants, it is possible that the initiative could have broader benefits.
To the extent that foreign cardholders in some jurisdictions are enrolled in 3D Secure, the mandatory adoption by Australian merchants could help reduce inbound international CNP fraud (which accounted for $48 million in losses in 2014/15). Likewise, the mandatory enrolment of Australian cardholders could help reduce outbound international fraud to the extent that there is some overseas adoption of 3D Secure by foreign merchants. Australian financial institutions will have a greater ability to stop some of this fraud before it occurs, by challenging the payer to enter their password if a transaction appears suspicious.
Potential detrimental effects on competition
Potential effects on competition between schemes
While the Bank strongly supports efforts to reduce CNP fraud, it notes that this initiative relies on proprietary technology owned by one of the parties to the proposed initiative. It is important that such an industry initiative does not competitively disadvantage some payment schemes relative to the others. In this context it is worth noting that card schemes operating in Australia may feel compelled to participate, given widespread participation by other industry players and the likelihood that consumers will view any card scheme that is not part of the initiative as less secure. In order for the initiative to be competitively neutral, it would need to provide access on reasonable terms and not inhibit the replication of current card functionality; for example the ability for both schemes on a card issued with dual-network functionality to utilise 3D Secure for that card.
The Bank would be happy to discuss any of these matters further with the Commission.
Yours sincerely
Tony Richards
Head of Payments Policy Department
Endnote
The proposed initiative only focuses on certain online CNP transactions. For instance, fraudulent mail- and telephone order transactions, which are included in APCA's CNP fraud data, are not within scope of the initiative. [1]