Removing payment frictions: how to apply for a TRA exemption
By James Dodsworth, Senior Manager, Financial Crime at Thistle Initiatives
In a world of heightened fraud risk, multi-factor authentication has become a potent weapon in the anti-fraud toolkit. But it also adds friction to payment journeys, impairing the customer experience and potentially resulting in lost sales and therefore reduced fees for payment service providers. However, there is a solution that can allow payment service providers (PSPs) to relax security measures on certain low-risk transaction types: TRA exemptions.
What is a TRA exemption?
Since the introduction of the EU’s PSD2 rules, and under the Strong Customer Authentication (SCA) process, PSPs must ensure multi-factor authentication is applied to electronic payments for added security, for instance by requiring customers to enter a password or biometrics such as a thumbprint to complete a transaction. A TRA (transaction risk analysis) exemption allows PSPs to remove that security layer for certain transactions covered by the SCA process. While PSPs need to weigh this exemption against their risk appetite, removing security barriers on low-risk transactions can improve conversion rates by reducing online shopping cart abandonment, which can be quite high when a customer has to go through too many steps to complete a purchase (for instance, they may have forgotten their password and need to reset it, deterring them from continuing with the transaction).
How do the exemptions work?
There are three different levels of exemption PSPs can apply for, dependent on the fraud rate of the product the exemption would be applied to (a debit card, for example).
- Band one: For transactions up to £100 or €100. Fraud rate for the provider’s product must be below 0.13%.
- Band two: For transactions up to £250 or €250. Fraud rate must be below 0.06%.
- Band three: For transactions up to £500 or €500. Fraud rate must be below 0.01%.
PSPs that want to apply for one of these exemption bands therefore must have a good handle on their fraud data and the transactional behaviour of the product they are seeking the exemption for.
What are the requirements PSPs need to secure an exemption?
The first step in applying for a TRA exemption is being able to track and report fraud rates for that particular product on a rolling 90-day basis. This is essential, as the Financial Conduct Authority (FCA) will want to see evidence of those fraud rates and the methodology used to calculate them. There are also six areas where PSPs need to demonstrate they are monitoring transactions for potential fraud risk even when transactions are below the exemption threshold.
- Can you identify any abnormal spending or behavioural patterns of the customer? Is the customer suddenly purchasing a high volume of goods that doesn’t match that customer’s known profile (for example, buying car parts when the customer doesn’t own a car)?
- Can you identify any unusual information about the customer’s device or software access? For instance, are they making the payment from a new device?
- Can you identify any malware infection in any part of the authentication procedure? This is one of the most challenging requirements and will rely on the PSP having robust cybersecurity systems in place.
- Can you identify if there is any known fraud scenario related to the type of transaction? Is there a common scam involving the product the customer is buying?
- Can you identify if the customer is in an abnormal location? Is the customer making the purchase from a country other than where they are normally located, where that location seems unusual from a customer behaviour perspective?
- Can you identify if the customer is located in a high-risk location? Is the customer making the purchase from a country where fraud risk is known to be high?
Aside from demonstrating that these fraud controls are in place, PSPs also need to obtain an independent audit from an auditor with specific fraud and payment expertise, like Thistle Initiatives, who will assess those criteria and determine whether or not the PSP meets the requirements.
How can payments firms maximise their chances of success?
PSPs should approach their independent audits from a holistic fraud control perspective and not just focus on the technical aspects of meeting the exemption threshold requirements. This means working with an auditor that can examine the entirety of a PSP’s fraud framework and governance structures, including its policies and procedures and general approach to financial crime and fraud risk. This will give the FCA a greater level of comfort that granting a TRA exemption will not result in fraud rates increasing.
How challenging is it to secure FCA approval?
Securing a TRA exemption is not something that can be obtained overnight. To apply for an exemption, PSPs must be very well prepared upfront and have a solid understanding of their fraud rates on an ongoing basis. While this is a significant undertaking, it is not an insurmountable challenge—as long as providers have good frameworks, systems and data in place, the exemption can be achieved without negatively impacting fraud rates.
What happens when a TRA exemption is in place?
Once a TRA exemption has been granted, PSPs must continue to monitor transactions and ensure fraud rates remain below the relevant threshold on a rolling 90-day basis. If the fraud rate for that particular product rises above the threshold, the PSP must start applying multi-factor authentication again. This means calculating a product’s fraud rate can’t just be a snapshot from one point in time; it must be an ongoing exercise. This is where PSPs should be looking to invest in powerful data-driven systems that can interrogate transactional behaviour and spending patterns across multiple customers at speed to identify fraud risk.
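The following Python script is an added example, not code from this article or from Thistle Initiatives, that ties together the three exemption bands listed above and the rolling 90-day monitoring described in this section: it computes a product's fraud rate over the window ending on a given day, maps that rate to the highest band the product qualifies for, and decides whether a transaction of a given amount still needs SCA. It assumes a value-based fraud rate (value of confirmed fraudulent transactions divided by value of all transactions in the window) and strict "below" comparisons against the band rates; the `Txn` record, the `SAMPLE_LEDGER` and the `AS_OF` date are constructed for illustration, and the function names are the example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

# TRA exemption bands as given in the article: (transaction value ceiling, reference fraud rate).
# A product qualifies for a band only if its rolling fraud rate is strictly below the reference rate.
BANDS = [
    (Decimal("100"), Decimal("0.0013")),  # band one: 0.13%
    (Decimal("250"), Decimal("0.0006")),  # band two: 0.06%
    (Decimal("500"), Decimal("0.0001")),  # band three: 0.01%
]


@dataclass(frozen=True)
class Txn:
    when: date
    amount: Decimal
    fraudulent: bool  # True once the transaction is confirmed unauthorised or fraudulent


def rolling_fraud_rate(txns, as_of, window_days=90):
    """Fraud rate over the window_days ending on as_of (inclusive).

    Assumption made by this example: the rate is value-based, i.e. the value of
    fraudulent transactions divided by the value of all transactions in the window.
    Returns None when the window contains no transactions.
    """
    start = as_of - timedelta(days=window_days - 1)
    total = Decimal(0)
    fraud = Decimal(0)
    for t in txns:
        if start <= t.when <= as_of:
            total += t.amount
            if t.fraudulent:
                fraud += t.amount
    return fraud / total if total else None


def exemption_ceiling(fraud_rate):
    """Highest band value the product may exempt, or None if it qualifies for no band."""
    if fraud_rate is None:
        return None
    ceiling = None
    for max_value, reference_rate in BANDS:
        if fraud_rate < reference_rate:
            ceiling = max_value
    return ceiling


def sca_required(amount, fraud_rate):
    """True when SCA must still be applied to a transaction of this amount."""
    ceiling = exemption_ceiling(fraud_rate)
    return ceiling is None or amount > ceiling


def monitoring_report(txns, as_of):
    """One day's output of the ongoing check: the current rate and the ceiling it allows.
    A ceiling that drops (or becomes None) from one day to the next is the signal to
    re-apply multi-factor authentication to the affected transactions."""
    rate = rolling_fraud_rate(txns, as_of)
    return {"as_of": as_of, "fraud_rate": rate, "exemption_ceiling": exemption_ceiling(rate)}


# Constructed sample ledger for one product: 1,000 legitimate 100.00 payments spread across
# the 90 days ending 2024-03-31, one 40.00 confirmed fraud inside the window and one 500.00
# confirmed fraud the day before the window opens (which must not count).
AS_OF = date(2024, 3, 31)
WINDOW_START = date(2024, 1, 2)  # 90 days inclusive up to AS_OF
SAMPLE_LEDGER = [
    Txn(WINDOW_START + timedelta(days=i % 90), Decimal("100"), False) for i in range(1000)
] + [
    Txn(date(2024, 2, 14), Decimal("40"), True),
    Txn(date(2023, 12, 31), Decimal("500"), True),
]


if __name__ == "__main__":
    report = monitoring_report(SAMPLE_LEDGER, AS_OF)
    print(report)
    for amt in (Decimal("50"), Decimal("200"), Decimal("300")):
        print(amt, "SCA required" if sca_required(amt, report["fraud_rate"]) else "exempt")
```

On the sample ledger the 90-day rate is roughly 0.04%, which is below the band-two rate but not the band-three rate, so transactions up to 250 can be exempted while a 300 payment still needs SCA. Widening the window so that the out-of-window fraud is counted pushes the rate above every band, which is why the window boundary, and the date on which a fraud is confirmed, must be handled consistently in the PSP's own reporting.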
In addition to ongoing monitoring, PSPs must also submit an annual independent audit to demonstrate compliance to the FCA for as long as the firm wishes the exemption to remain in place.
To learn more about how Thistle Initiatives can help your firm secure a TRA exemption and ensure ongoing compliance, please contact us at 0207 436 0630 or via email at info@thistleinitiatives.co.uk.