The European Banking Authority favours arbitrary box-ticking over data innovation
Nick Wallace, Centre for Data Innovation: The EBA proposal is harmful to the economy
The European Banking Authority (EBA) recently proposed new rules that would require payment card operators to enforce additional security measures, such as passwords or security tokens, for all online transactions over €10.
Aimed at fraud prevention, these proposed rules mean that unless customers add vendors to pre-approved lists held by their card providers – and re-authorise them with the extra security measures every month – “one-click” transactions would become impossible.
This would affect not only online shopping sites like Amazon and Otto, but also services like Uber and Deliveroo that use in-app payments.
While fraud prevention is important, data-driven approaches offer far more sophisticated measures to address this goal. Rather than require card providers to use specific security measures, the EBA should allow banks to choose between different methods that combat fraud without creating unnecessary burdens on consumers – especially because the vast majority of online shopping transactions would be subject to the new rules since, according to Visa, 95% of online transactions in the European Union are over €10.
There are three main issues with these rules:
1. They are unnecessary. Banks and credit card companies have both better tools and the incentive to prevent fraud because they often have to cover the cost of it. This is why most already require additional security steps like the rules proposed for many online transactions. But not all do it every time, because there are other anti-fraud tools that minimise unnecessary hassle for the customer.
2. There are more sophisticated methods for preventing fraud. Many companies are using their ability to analyse massive volumes of data to identify fraudulent activity. For example, banks and card companies often monitor payment activity and gather data from merchants to determine when further checks are appropriate. Ride sharing companies, meanwhile, can analyse data such as location information and transactions details to assess whether a rider is using a stolen credit card.
3. They are inconvenient for consumers. For example, the EBA proposal has an exemption for payments that are of the same amount each time. But this does not lessen the burden for a consumer who consistently uses their bankcard to pay off their credit card each month, where it would be overkill to re-authorise the payment each time, even though the amount varies. A better option might be for companies to use machine learning to identify out of the ordinary transactions, such as using the card for a new online shopping account, a new delivery address, or from a foreign IP address. By using data to recognise patterns, the company can identify when it may be worth having some extra check and save the consumer the hassle of reauthorising the same payment each month.
The proposal is not only needless though; it is also harmful to the economy.
Punching codes into card readers and relaying the codes they produce is time consuming, security tokens get lost, and passwords are often forgotten. Customers are often unable to complete legitimate transactions, or give up because they cannot be bothered with the hassle. This cannot be helped when the possibility of fraud is sufficient to necessitate additional checks, but the proposed rules will reduce legitimate commerce for no reason at all.
Companies whose business it is to handle payments are better placed than regulators with limited experience in product design to decide the trade-off between security and ease of use – because it is profitable for these firms to maximise both.
The measures would seriously undermine many app-based services, like Uber and Deliveroo: how many customers will want to type out passwords or codes when they are trying to get a ride home on a cold night after a few drinks? Fingerprint scanners or facial recognition may suffice for those with phones that support these features, but that still leaves out many others. Of course, many governments have sought to protect the taxi industry by restricting or even banning Uber, so there will be some who will welcome this pernicious detail.
Payment cards, mobile, and other electronic transactions are convenient and efficient for both customers and vendors. E-commerce contributes hundreds of billions of euros to the European economy, and the European Commission estimates that the lower prices and wider choice it brings save consumers €11.7 billion per year.
Forcing people to jump through unnecessary hoops will only diminish these benefits, infuriate customers, and hurt businesses.
When it comes to cybersecurity, the banking industry is already well ahead of policymakers. The regulator is pushing a clumsy solution to a problem that is already being addressed by far more sophisticated means. Policymakers should reject the EBA’s proposal.
Nick Wallace, senior policy analyst at data policy think-tank Centre for Data Innovation
