Fraud plagues all aspects of business online. From ad fraud to data breaches, technology has exposed companies to a variety of new threats. This constantly changing landscape makes it difficult to keep up with the best strategies for protecting yourself.
In response, there have been advances in fraud prevention techniques, legislation, and finance policies over the past few years. Only time will tell how successful these endeavors will ultimately be, but all companies should be aware of what changes are happening and how these changes could affect them.
Bureaucracy may move slowly, but privacy, data, and fraud have been hot topics in politics around the globe. As new laws and court decisions begin to crop up, it’s important to know what changes may be on the horizon in your neck of the woods. These are just a few of the changes that have been made or may be upcoming:
PSD2 (European Union)
The Payment Services Directive 2 (PSD2) includes a requirement for Strong Customer Authentication (SCA). This means that, moving forward, nearly every online transaction in the EU will require two-factor authentication. It also means that any company selling something to EU customers must comply with PSD2 or risk owing fees and penalties to EU countries.
Although this requirement will mostly fall on the shoulders of payment service providers, you should be proactive and talk to your payment providers and fraud prevention companies to learn how these rules will affect your business. Companies that do not operate in the EU may still want to keep an eye on how well this requirement works, as it may become more widely adopted if its implementation goes well in Europe.
Foreign Investment Rules (India)
To combat fraud and help India’s emerging ecommerce market, the Indian government has created laws around the industry. These laws mostly affect larger ecommerce companies, but anyone looking to break into India’s growing market should pay attention to these changes, especially because India is cracking down on foreign companies to try to boost local businesses in the country.
These regulations include limits on how much money can come from outside investors, how much inventory must be stored or made in the country, and even how much of a discount can be offered to customers. If companies fail to comply with these rules, they may be fined or even barred from operating in India altogether.
GDPR/CCPA (European Union/California, USA)
Data breaches have exposed the private data of millions of people around the world, and the sheer amount of information available has made it easier than ever for online fraud to thrive. One way that legislators are pushing back is by enacting new data protection laws.
The General Data Protection Regulation (GDPR) is the first and most extensive law that has been enacted regarding data security. It includes severe penalties for companies that both allow breaches to occur and fail to notify users with compromised data in a timely manner. It will be years before enforcement is fully explored, but any company doing business in the European Union should pay attention to these requirements.
The California Consumer Privacy Act also seeks to regulate how data is held and used. While not as in-depth as the GDPR, it could significantly impact businesses in California. It goes beyond just attempting to fix data breaches and fraud—it also considers individual privacy and how properly collected data can be used. If this law is successful, other states may look to enact similar resolutions.
Breach Notification Laws (USA)
Every state has enacted regulations that require notification about data breaches in a reasonable time frame. Individuals that have been affected (or even are potentially affected) must be notified. In some cases, regulators must also be made aware of the breach. Because each state has separate definitions of what a breach is and who needs to be notified, it can be confusing for companies that have been compromised. Punishments for failure to notify will also differ but can be severe, especially if fraud occurs as a result.
In addition, there are a few federal laws about certain types of breaches. The Health Breach Notification Rule is particularly complicated. The intent of the law is to encourage companies to purge unnecessary data and protect any owned data; however, compliance with all the laws can be confusing.
Companies often adapt to changing threats and new technologies more quickly than governments do. Visa in particular has been pushing the ecommerce payment industry forward in an attempt to reduce fraud.
Visa Chargeback Threshold Change
In 2018, Visa introduced a lowered chargeback threshold for merchants, which then went into effect in 2019. Under these requirements, merchants must keep their chargeback ratio at less than 0.9%, reduced from 1.0% previously. The new threshold limits are an attempt to keep fraud levels low for at-risk merchants. The effects of this change remain to be seen in coming years.
Visa Return Authorization Mandate
Another change introduced by Visa in 2019 is a return authorization mandate. This will alter the process for returns for all retail companies, both digital and brick-and-mortar. With this new mandate, all returns must be processed as immediate transactions in the same way that purchases are. Instead of holding returns and processing them all at once, each individual transaction will need to be approved by Visa. Returns that do not include a return authorization may be subject to chargeback fees.
The goal of this mandate is to reduce friendly fraud that occurs when customers are unable to verify if their return has been processed. These customers will often initiate a chargeback even though their return was correctly handled, which creates unnecessary confusion and more headaches for all parties involved. Under the new system, customers should be able to see return transactions that are pending in the same way that they see purchases. However, this does mean that a return could be declined in some circumstances. This will only happen in rare cases (e.g., in the event of an expired or canceled card), but merchants should keep customers informed of any potential issues to avoid complaints.
Google/Facebook/Social Media Data Policies
The damages caused by data breaches and ad fraud are much harder to measure and assess than other forms of fraud. Yet digital ad fraud is worse than ever and data breaches continue to occur, even to large tech companies. In response, many companies have begun to test new policies and features aimed at these problems.
Facebook has changed the way third-party apps are allowed to collect data. Some social media platforms now offer customers the opportunity to opt out of targeted ads and even data collection. Google now offers refunds (though only partial) if you can prove that ad fraud has negatively affected your campaigns.
Policy changes will likely continue, especially as larger companies try to keep up with new and emerging threats. Though the impact of these changes won’t be known for a long time, they are a step in the right direction.
The Future of Fighting Fraud
The battle against online fraud will likely never be over—but there is some hope on the horizon. As more governments and companies begin to make changes, fraud will become more costly and difficult and it will become easier for individual companies to fight it.
Potential Legislation Changes
Many states and countries are also considering additional legislation to help reduce issues with privacy, ad fraud, ecommerce, and online transactions. While federal legislation is unlikely to happen anytime soon in the US, individual states have been pushing forward with new regulations that affect companies doing business online. Make sure your company is caught up on any new state legislation in areas where you operate.
Additionally, other countries like China have begun introducing new laws around ecommerce and online businesses in an attempt to cut down on fraud and regulate the whole industry. As it gets easier for companies to go global, expect an increase in regulation for all countries. Countries with stronger fraud protections may become the most coveted markets in the future.
Potential Policy Changes
Companies around the world continue to battle the changing landscape of fraud. Some large companies currently have departments dedicated to risk management, and this seems to be a trend that may become common practice. As payment providers, advertisers, and other industries attempt to limit their own risk, every business will need to be flexible and ready to accommodate new fraud prevention techniques. Making your defenses strong from the start is the best way to win your own battle against fraud.