Skip to main content

In Fighting Fraud, Reducing Losses is Only Half the Battle

Author Svetla Pavlova

Many financial institution fraud management teams make minimizing fraud their primary objective. That means success could be defined as beating issuers’ average fraud loss rate of 5.3 basis points (bps), as reported in the 2024 PULSE® Debit Issuer Study.

PULSE believes a better approach is to monitor not only fraud losses but also the cardholder experience, as measured by authorization rates, and work to achieve an optimal balance of these metrics.

Fraud losses are just one factor

Debit has remained the most popular payment method, even as digital payments have grown. Issuers now must assess the legitimacy of debit transactions across a broader array of channels. PINs are the most reliable test, but most debit transactions today are not PIN-authenticated. To decide whether to authorize a transaction, issuers use data embedded in the transaction message or assess whether the transaction matches the cardholder’s behavioral profile.

The fraud profiles of debit transactions also have changed. According to the 2024 Debit Issuer Study, card-present transactions without a PIN had a gross fraud loss rate almost twice that of PIN transactions in 2023 (9.2 bps versus 4.9 bps). However, due to greater chargeback rights, issuers’ net loss rates were comparatively similar between these transactions (4.0 bps for signature or no cardholder verification versus 3.4 bps for PIN). Card-not-present (CNP) transactions had much higher gross fraud loss rates (41.6 bps), offset by an 80% issuer recovery rate.

Bar graph shows that fraud claims are far greater for card-not-present transactions (41.6 bps) than card-present signature or PIN transactions (9.2 bps and 4.9 bps, respectively). Issuer recovery rates are also much higher (80% for CNP vs. 56% and 32% for signature and PIN). (Source: 2024 PULSE Debit Issuer Study)

Across all debit transactions, issuers incur average net fraud losses of 5.3 bps. This equates to an average loss of 2.5¢ per transaction.

If an issuer can achieve a net debit fraud loss rate of 3 or 4 bps, does this mean the institution is more effective than their peers? Not necessarily, because declining legitimate transactions also has a cost.

If an issuer tasks its fraud management team with minimizing losses, the easiest approach is to simply deny more potentially fraudulent transactions. The loss rate will almost certainly decline, but so will total transactions and interchange income. Taken to an extreme, an issuer that declines all attempted transactions would have zero fraud. Clearly, a more nuanced approach is needed.

“We continually monitor false-positive ratios, fraud losses, authorization rates, and other metrics to help our clients identify opportunities to modify fraud rules and strategies in service of optimizing their performance.”

Russell Brown, PULSE Senior Manager of Fraud Operations and Strategy

A more complete fraud framework

Minimizing fraud losses is certainly important, but it cannot be an issuer’s sole focus. Leading issuers judge their net fraud loss rate in relation to their overall transaction approval rate.

On average, issuers approved 92.3% of attempted debit transactions in 2023. Of the 7.7% of transactions they denied, the most common reason was insufficient funds. There are many other reasons: the card has expired, the cardholder entered an incorrect PIN, the cumulative value of purchases that day exceed the cardholder’s daily spending limit, the cardholder entered an incorrect address or CVV information, etc.

Issuers deny 1.4% of attempted debit transactions for suspected fraud. In some cases they are correct, and blocking the transaction avoided a loss. In other cases, they are incorrect, and these “false positives” inconvenience account holders.

The goal is to strike the optimal balance between fraud losses that impact the issuer and declined transactions that impact cardholders. The illustration below shows how financial institutions performed along these two dimensions in 2023.

Conventional wisdom is that financial institutions must choose between a high authorization rate, with associated high fraud losses, and low fraud losses, with an associated low authorization rate. Yet, as the diagram above shows, 35% of issuers manage to excel on both fronts simultaneously. These financial institutions are cognizant of the fraud loss/cardholder experience dynamic and actively work to deliver on both fronts.

“This is why PULSE uses historical data to analyze the impact of fraud strategies and prioritizes balancing the customer experience with mitigating fraud losses,” said Russell Brown, PULSE Senior Manager of Fraud Operations and Strategy. “We continually monitor false-positive ratios, fraud losses, authorization rates, and other metrics to help our clients identify opportunities to modify fraud rules and strategies in service of optimizing their performance.”

Driving better performance

Best-in-class issuers (those in the upper-right quadrant of the matrix) employ a multi-pronged approach to deliver the best outcome for their institution and their cardholders. Broadly, the strategy has three components.

1. Issuers employ a range of tools to distinguish between suspected fraud and valid purchases.

These tools include utilizing network fraud scores, leveraging processor fraud models, and using two-way SMS with account holders to verify charges. Scoring should be dynamic across multiple dimensions: Certain merchant categories are higher risk than others, and shorter-tenured cardholders are subject to greater scrutiny. Also, fraud models should be applied to all transactions to avoid coverage gaps. A common such gap is CNP transactions routed over single-message networks.

2. Leading issuers hire and develop top talent for their fraud-prevention function.

Tools and models are only effective if calibrated correctly. It is the people who test and deploy rules who capture the full spectrum of potential risk vectors. This is also true when an issuer relies on its processor’s fraud team. Debit fraud often has a common point of compromise, such as a data breach or skimming device. As a result, engaging with counterparts at other institutions can be helpful in staying up to date on developments.

3. Top-performing institutions monitor the performance of their fraud rules and adjust accordingly.

The nature of fraud is constantly shifting. As soon as financial institutions block one type of fraudulent activity, fraudsters will identify and exploit another vulnerability. In this environment, the weakest link in the chain is the issuer with the loosest defenses. These institutions will be the most exposed. It is therefore critical to continually monitor the performance of your fraud rules, retiring ineffective strategies and testing newer parameters to achieve the target authorization rate/fraud loss ratio.

While the battle against fraud will never be won, financial institutions can still emerge as winners by correctly framing the tradeoffs associated with fraud prevention.

To learn more about how PULSE DebitProtect® can help your institution fight fraud, or to strategize about ways to improve your fraud performance, contact your Account Executive or a PULSE debit expert.