Elevated Acquiring Risk in the EMV Transition
Not all U.S. merchants are going to be ready for chip cards later this year, and that’s going to shift some consumer-fraud risk to acquirers, which have never had to deal with that before.
After years of anticipation, the U.S. market begins its transition to the Europay-MasterCard-Visa (EMV) chip card standard this year, and in October the major payment networks are implementing a liability shift, essentially transferring certain risk to the acceptance side of the business. Though a transitional rather than a permanent issue, this risk transfer is material relative to the risk acquirers face in the ordinary course of business.
In October, for most merchant categories, Visa Inc. and MasterCard Inc. will implement a liability shift in which the least-secure party is liable for certain types of fraud risk in card-present environments. The least-secure party is the acquirer if the card is EMV-capable and the merchant is not. It’s the issuer if the card is not EMV- capable.
There are some nuances differentiating the approach of the two major payment networks, but as a general statement the type of fraud addressed by EMV and included in the liability shift is counterfeit fraud and, in some cases, lost and stolen card fraud.
In the pre-EMV environment, these consumer-fraud risks are clearly issuer risks and not acquirer risks. The EMV liability shift, however, will put acquirers into the consumer-fraud business for the first time in the U.S., at least for card- present merchants.
For 20 years, we have tracked acquiring exposure and loss levels. Exposure is the potential loss an acquirer could generate if a merchant went out of business—losses from subsequent ordinary-course chargebacks, returns, and delayed-delivery chargebacks. Exposure varies widely from acquirer to acquirer but averages 50 to 100 basis points of volume.
Loss levels have hovered around the 1-basis-point level, varying a few tenths of basis points up and down. To be sure, individual acquirers have had much worse losses, but the industry overall has generated both stable and low loss levels.
In the issuing business, however, consumer-fraud losses are in the 8-to-9-basis-point range, depending on card type, according to proprietary First Annapolis research involving a sampling of issuers in late 2014. The proportion of these losses related to counterfeit fraud is a quarter for credit to a half for signature debit, or 2.4 to 4.2 basis points.
Lost-and-stolen fraud is another 6% to 9% of total fraud, and, combined, counterfeit and lost-and-stolen fraud amount to approximately 3.1 basis point for credit and 5 basis points for signature debit.
Not all of this exposure, of course, will manifest as losses and transfer to the acquiring side as a result of the liability shift, but these figures illustrate the heightened exposure that acquirers are about to experience.
As a general statement, it appears as if acquirers as a group are not going to be all that far along in implementing EMV at the point of sale by the time of the liability shift in October. Estimates vary, but most observers are predicting something like 30% to 50% of the terminals will be EMV-ready by the shift.
In many respects, though, terminals are the easiest part of the transition. Integrated solutions (software at the POS) are a different kettle of fish and likely will not be so far along as the terminal base.
In short, for a large swath of the merchant market, acquirers will be exposed for some period of time until their merchants have fully implemented EMV solutions. In Canada, for example, four years after that country’s liability shift, on the order of 85% of the POS is EMV- compliant. These transitions take some time.
Issuers, on the other hand, are moving right along. First Annapolis’s best estimate at the moment is that more than 70% of credit and approximately 30% of signature debit will be EMV-enabled by the time of the liability shift. Issuers will achieve levels approaching 100% of credit and 70% of signature debit by the end of 2016, we project.
So, netting all these factors, on half or more of their merchant base acquirers will be faced with consumer- fraud levels that increase overall acquiring exposure by 5% to 10%, depending on how quickly the issuers act.
Many High-Risk Categories
Not all merchants pose equal risk to acquirers. Certain merchants will be much riskier than others. Some merchants will have a higher-than-average proportion of EMV cards in their tender mix and some will be more vulnerable to consumer fraud than average.
For example, certain types of merchants in certain geographies will have a high proportion of non-US cardholders, who will in turn have a disproportionately high rate of EMV-compliant cards (because non-U.S. issuers are ahead of the U.S. in transitioning their card base to EMV). Hotels and other travel-and-entertainment merchants and merchants in border areas may fall into this category.
Anecdotally, non-U.S. issuers (who have had to eat counterfeit losses for so many years because of the U.S. market’s tardiness in adopting EMV) are generally eager to charge back their eligible fraud losses early and often to U.S. acquirers.
More fundamentally, the merchant market is highly heterogeneous as it relates to consumer-fraud rates. These fraud patterns change from year to year, but there are numerous merchant categories that have counterfeit fraud rates orders of magnitude higher than the average—indeed, five to 10 times the average.
Some of these categories are intuitively apparent—wire transfer and money order, computer stores, electronics stores, hobby and games stores—but some are less obvious—music stores, drugstores and pharmacy, and apparel. On these merchant types, acquiring exposure could be 50% to 100% higher than pre-EMV levels.
By contrast, there are many merchant categories where the counterfeit-fraud rates are orders of magnitude below the average—doctors and dentists, religious organizations, dry cleaners, auto-body shops, and lawn-and-garden shops, for instance.
The key point is that few acquirers have had line of sight into these loss levels because these consumer-fraud losses were not an acquiring risk. That is, they will not be an acquiring risk until the fall of 2015. And it is probably not an exaggeration to say that acquirers originally underwrote something approaching zero percent of merchants considering these consumer-fraud risks.
At the end of the day, however, these consumer-fraud risks, though of a different sort and nature than the risks that acquirers have faced in the past, have conventional solutions. First and foremost, acquirers should transition their merchants to EMV, and perhaps the consumer-fraud risk profile is one of the variables to consider in prioritization decisions.
However, it would be prudent for acquirers also to modify their exposure calculations, and therefore their underwriting standards and collateralization policies, to reflect this new category of risk. It would be prudent to review the existing base of merchants in this light in addition to the flow of new merchants.
Acquirers should also put in place a means to monitor the consumer-fraud levels at merchants and in merchant categories (at the very least by monitoring incoming chargebacks and focusing quickly on merchants impacted adversely by the liability shift), all without over-investing in managing a risk that is transitional in nature.
Marc Abbey is managing partner at First Annapolis Consulting, Annapolis, Md., and is responsible for the firm’s acquiring practice, where Raymond Carter is a principal.
This article was published in Digital Transactions, February 2015.