Discussing Multi-Factor Authentication

A couple of weeks ago, NACHA’s Electronic Check Council hosted a Forum entitled, “Moving Beyond Well-Trodden Paths: New Maps for Combating Risk and Fraud”. In this Forum, several industry experts discussed a wide variety of risk and fraud topics related to payments.

I was honored to open the forum with a session that subsequent presenters could build upon. In my session, “After You’ve Authenticated the Customer: Transaction Monitoring”, the audience and I discussed the need for layered security on all payment systems. Financial institutions have learned that multi-factor authentication is no silver bullet, nor are systems which validate where the hardware transactions are originating from, monitoring IP addresses, etc. In order to better protect themselves and their customers, it is becoming increasingly important to proactively monitor transactions to detect suspicious activity in real time.

For card transactions, real time equates to sub-second response times with the accompanying high operational costs, potential customer inconvenience of denying valid charges, and taking a loss on the first (and perhaps second and third) fraudulent transaction. Effective card prevention can be done in near real time as well, but that will not enable the first fraudulent transaction to be stopped real time either. Each institution must perform their own cost benefit analysis to determine which monitoring is right for them. Fortunately, many other payment systems allow adequate time after the initiation of the transaction to successfully prevent fraud. Examples include ACH and wire payments. In both of these systems, once the transaction is created, there is a window of time (while the transaction is being processed operationally) during which transactions can be monitored. As long as the suspicious transactions are detected during this processing window, the financial institution can take manual or automated steps to ensure the transaction is legitimate before releasing it to the payment system. Since the originating institution is liable for the transactions it originates, and it is very difficult (and sometimes impossible) to retrieve funds once released, fraud prevention must be conducted real time during processing.

Transaction monitoring can take many forms, ranging from very simple, rules-based monitoring to very complex analytical methods. Regardless of the method used, interdiction of transactions before funds are released is the key to successful fraud prevention. We all know it is much easier to prevent fraud than to recover funds after fraud has occurred. Some payment vehicles, such as checks, allow much more time for successful fraud detection. In many cases, banks have several hours to detect check fraud, and real time is not an issue. Taking advantage of the time allowed is wise because real time fraud prevention is more costly than batch methods (in most cases). However, even with checks, there are times that real time is critical, such as at the teller line or at the ATM if cash back from deposits is allowed.

When determining how to best prevent fraud, institutions must consider both internal (such as those for outgoing Check Returns) and external (such as Federal Reserve) deadlines. Real-time detection should be employed where necessary to ensure timely rejection of transactions.

As a result of monitoring transactions from all delivery channels, cross-channel fraud detection is enabled. This is a huge benefit of transaction monitoring, if done properly. It allows fraud analysts to see the complete picture with regards to a customer or account, and detect suspicious events that would otherwise result in losses.

NACHA’s Risk and Fraud Forum contained a wealth of information with regards to all payment systems. Kudos to Nancy Grant for putting together such a fine agenda! 

Make a Comment

* = Required

* Name:

* Email:

Website:

* Comment:

*

Fill in the code shown on the left