Shared from the 9/15/2021 Financial Review eEdition

Frictionless ways to reduce fraud and risk


From amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act, to the upgrade to 3DS 2.0 online payment authentication, Australian businesses have much to keep track of when it comes to meeting their financial compliance obligations.

A key focus of June’s AML/CTF act amendments is addressing the challenges of abiding by the act in the COVID-19 age. With most customer interactions now taking place remotely, entities subject to the act must still meet their compliance obligations when it comes to customer onboarding.

AML/CTF compliance requires verifying the name, date of birth and address of individuals against multiple government or commercial sources.

To reduce the cost and regulatory burden of fulfilling such obligations, safe harbour provisions now enable one reporting entity to rely on the customer due diligence of another. That third party must be subject to AML/CTF regulation and supervision, carry out regular assessments and have reasonable grounds to believe it is meeting the act’s customer due diligence requirements.

A reporting entity may also rely on the customer identification procedures undertaken by a third-party reporting entity or foreign entity, although there is no safe harbour provision in this situation.

The third party must undertake the customer identification procedures prescribed by the act. The reporting entity must also have reasonable grounds to believe it is appropriate to rely on those procedures regarding the risk of money laundering and terrorism financing.

Many entities that fall under Australia’s AML/CTF act are still under the misconception that they are not required to fully verify identities. They incorrectly believe they are only required to confirm that individuals are not sanctioned individuals or politically exposed persons, says Shaun Thomas, head of partnerships with AML/CTF and KYC provider MemberCheck.

MemberCheck’s technology streamlines client onboarding and helps minimise fraud before the point of transaction. MemberCheck’s parent company Neurocom offers fraud, risk and compliance solutions.

Australian organisations often struggle to undertake the appropriate due diligence on their customers, Thomas says. As customer identification procedures have become more sophisticated, MemberCheck has seen many organisations fined by regulatory bodies for failing to fully meet their obligations.

“For example, an organisation may ask a client to send a photocopy of their passport or driver licence but, under the latest amendments, this alone is not necessarily the correct way to identify them,” he says.

“The organisation must verify that the details on that passport or driver licence match official documents, which requires checking them against the appropriate data sources.”

Australian regulators are yet to follow New Zealand in mandating a biometric component to AML/CTF identity verification, although Thomas expects Australia will adopt this in time. Biometric verification options include photo ID scanning using a smartphone and facial recognition with a passive liveness test.

Meanwhile, Australian merchants and banks are also coming to terms with the changes required for online payment authentication, brought about by the introduction of the second version of the 3-D Secure payment authentication protocol by EMVCo (3DS2).

The 3DS2 protocol is an authentication solution for card-not-present transactions through which the merchant requests the cardholder be authenticated by the financial institution that issued their credit/debit card. By authenticating the cardholder, liability for fraudulent transactions is shifted from the merchant to the card issuer, reducing chargebacks to the merchant.

With 3DS2 comes more frictionless authentication, along with support for mobile apps to deliver a better user experience across devices, says Brett Chapman, product manager with payment authentication solution provider GPayments (also a Neurocom company).

GPayments provides a complete range of integrated authentication products for merchants, payment service providers and card issuers. Based on the 3-D Secure protocol, these products are certified compliant with Visa Secure, Mastercard Identity Check, JCB J/Secure, American Express SafeKey and Discover ProtectBuy.

Under the original 3-D Secure protocol (3DS1), cardholders were challenged every time via SMS as part of the payment process. Advances in risk-based authentication technologies with 3DS2 allow the issuer to collect far more data to assess the risk associated with transactions, often eliminating the need to challenge the cardholder.

“The original 3-D Secure protocol didn’t experience strong uptake in Australia, in part due to the need to challenge the cardholder during every transaction,” Chapman says.

“Doing this frictionlessly behind the scenes with 3DS2 improves the customer experience, not just reducing fraud but also increasing successful transaction rates and reducing incidents such as cart abandonment.”

Merchants relying on the original 3-D Secure protocol must migrate to 3DS2 by October 2022.

“Those using the legacy 3-D Secure systems really need to start planning for this migration now,” Chapman says. “Rather than hosting the solution in their own data centre, there is also the option to access 3DS2 as software-as-a-service.

“However merchants choose to approach it, 3DS2 promises to deliver online shoppers a much safer and smoother shopping experience, without getting in the way at the checkout.”
