June 14, 2016
One of the most talked about subjects in sessions, hallways and over cocktails at the recent CNP Expo in Orlando, Fla., was false positives. Discussion centered primarily on how to measure and prevent negative impacts on legitimate customers from companies just trying their best to prevent fraud. Several CNP merchants offered best practices to help industry professionals with similar pain points.
In the last few years, the focus of fraud managers has shifted. More advanced fraud prevention systems have left many companies feeling confident they are preventing more fraud. They wonder, however, how many legitimate customers are being wrongfully declined by those systems. Over the years, the behavior of fraudsters has evolved to look more legitimate. At the same time, there always will be real customers using their own cards for orders that appear risky. Some fraud orders successfully get past review while some legitimate sales are held for several hours or canceled all together. Beyond the loss of the immediate sale, this also can impact customer retention. Customers that have an order delayed or canceled by the merchant due to suspicion of fraud may never return to that site. As one speaker stated at the CNP Expo: “When you cancel a good order, you are essentially referring that customer to your competitor.”
Identifying the Impact of False Positives on Your Business
The biggest challenge presented by false positives is [hide for=”!logged”] identifying them. Fraud orders that are not canceled typically end up as chargebacks, closing the feedback loop on the order and allowing a merchant to learn from the loss. False positives, however, may never be uncovered. Even if a customer contacts the merchant to inquire about the cancelation and is willing to prove his legitimacy, not all companies alert the fraud department of this contact. Best practices some merchants have put in to place to better identify and measure the impact of false positives on their business include:
- Work with customer service to route calls to a member of the fraud team either at the time of the call or flag and follow up with the cardholder later. There should be a way for the customer service representative to identify that the order was canceled by the fraud team. The representative, however, should be trained to not disclose this: It’s better PR optics and it protects against social engineering attempts by a fraudster learning how to prevent a future order from being canceled. Having a generic phrase that the representative can use has been helpful to other merchants, such as “there seems to be an issue with the billing details of your order that requires a little more information.”
- Be able to pull a report that identifies customers whose orders were canceled as a result of fraud but who placed a second order within the next week that was not canceled due to a suspicion of fraud. Have a senior member of the fraud team review both orders and either cancel the second order if it was also fraud, or add the customer to a white list and track the volume to determine the false positive rate.
- Have a process in place that requires a second set of eyes or an additional fraud system to review all canceled orders for a set period of time to determine if they were truly fraud or were marked in error. Some merchants have even dedicated an analyst to call every customer with a canceled order to determine if it was truly fraud or simply appeared suspicious. While time consuming and dependent on order cancelation volume, determining if the phone number even works and posing as a customer service representative trying to improve the order process can determine if a high volume of orders are being canceled in error. Other merchants use a fraud vendor that guarantees to cover chargeback costs on fraudulent orders it approves to screen all orders that would typically be canceled, allowing them to be less conservative and surer that the orders they are canceling are indeed fraudulent.
Not all legitimate customers that had an order canceled in error will contact customer service or place a second order, nor can most companies review all canceled orders to assess the risk. Some companies have established a multiplier, based on customer service industry figures, that determines how many instances each call to customer service represents. This multiplier can also be used in determining the number of false positives a fraud department may be causing when canceling orders.
Create a Strategy to Reduce False Positives
Once a ratio of false positives to sales is determined, the question becomes “how do we reduce the impact?” Knowing that each canceled sale resulted in at least one lost sale to the company can be an important lesson to the fraud team.
Merchant feedback at the 2016 CNP Expo indicated that many enterprise merchants have changed the way they think about risk when assessing rule sets in their current fraud tool, retraining manual review analysts and selecting new fraud tools. One large merchant said it has adopted a 98-2 policy within its fraud team, establishing a goal of not impacting 98 percent of their good customers. Another fraud manager told manual review analysts to look at the identifying aspects of an order to convince them why the order is bad, as opposed to assuming the order is bad and wanting to be convinced why it is good. Many merchants said that just changing their team’s way of looking at orders has been most helpful in reducing this number. Additional best practices that have been helpful in reducing the negative impact of fraud decisioning on good customers include:
- Actively review current rule sets to look for specific rules that are flagging orders for manual reviews but result in a high percentage of approved orders.
- Review orders that were canceled, but later determined to not be fraudulent. Study the identifiers that concerned the fraud system or analysts. If there are commonalities, retrain the system and analysts to pass future orders with similar traits.
- If your risk threshold and systems permit it, consider having an “accept and watch” capability built in to the fraud review system for orders that are considered risky and would have been canceled, but are not considered “confirmed fraud.” Every month, assign a senior analyst to go back and determine if the orders resulted in a chargeback. Utilize this information to identify if there has been a false positive issue and the identifiers that made them appear risky.
- Evaluate the current tools, systems and processes used to identify fraud to determine if they need to be replaced or if another system could be added to decrease the impact to good customers. Some merchants have found that adding authentication tools such as 3DSecure or user behavior analytics have assisted in further pinpointing fraud while decreasing any negative impact on good customer sales.
Evaluating the impact of fraud decisions on good customers and reducing this impact will increase sales for the company. Once a method of measuring the impact is established, measuring and reporting this rate can be used as a way of demonstrating a fraud team can increase sales, not just cancel them. All merchants who shared their experiences stressed that showing their company how they increased sales was beneficial in communicating the value of their team to cross-functional teams and executive leadership. [/hide]