CNP Manual Review: Solving the Paradox

manual review cnp card-not-present

Manual review is the paradox in card-not-present (CNP) fraud prevention today. Many in the market are trumpeting the decreased need for manual review amid the implementation of greater automation and machine learning solutions. Meanwhile, a number of companies that sell manual review solutions are expanding their operations and data coverage to include growing e-commerce markets outside North America, particularly in Europe. They are confident that there is room for growth for their products. So which is it? Is the demand from e-commerce sites around the globe for manual transaction review increasing or decreasing? Are the days of manual review solution vendors numbered or are they sitting in a profitable and growing market niche?

Manual review is here to stay

The increasingly sophisticated level of automation in CNP transaction review has supposedly cut down on the percentage of overall transactions reviewed by large merchants in the past decade. According to a 2016 study by Juniper Research, large merchants manually review on average 7% of their total orders, while small merchants reviewed a whopping 42% of all their orders. However, fraud prevention professionals at online merchants and marketplace platforms make it clear that even the most efficient automated review systems still require skilled fraud analysts to conduct the occasional manual review.

Nowadays automation is a big part of the work, and we strive to do less and less manual reviews,” says Fiverr Risk Team Leader Idan Cohen. “We’re here to optimize models and add rules for trends.
The sole purpose of manual review sole within our team is to create feedback for better automation before and after transactions occur.”

As of 2017, the average manual review rate in the top 10 countries with the largest percentage of online merchants still lay between 8 percent and 15 percent, according to a whitepaper by the U.S. Payments Forum. All the top 10 countries covered by the report were either in North America or Europe. Even the U.S. had an average manual review rate of 11% of total orders. Many well-established automated fraud review platform vendors, such as Accertify and Kount, recognize this need by including third-party manual review tools as add-on options for that their platform customers can use.

The increasingly widespread use of data science and machine learning to develop better algorithms for automated transaction has also paradoxically increased the importance of getting manual reviews right. This is because the machine learning models used in fraud prevention almost all rely on supervised learning. This means the machines must be fed accurately labeled training data sorted by human experts to learn what characteristics to look for when identifying fraud among new transactions. If the training data lacks good examples of new fraud trends as determined by human experts, the machine learning model will become less effective over time as fraudsters adapt techniques to bypass it.

Recognition of this problem, led the new generation anti-fraud startup SEON to add a manual review capability to it’s automated fraud platform. The Budapest-based startup soft launched it manual review product last week and has made it available it through their existing demo request process.

“I think automation in fraud prevention is actually putting a larger emphasis on manual reviews than ever before,” says SEON co-founder Bence Jendruszak. “Today, the decision of a fraud manager is not only going to affect the single transaction in question, but it will most likely influence the scoring mechanisms calculated by the machine learning models. Consequently, manual review processes have to be thought through from day one in order to build a sustainable machine learning model for the long term.”

Why so few manual review solutions in Europe?

Today several manual review options exist that work for transactions involving individuals in Europe, such Whitepages Pro, Perseuss’ FACT and SEON. However, until approximately a year ago there were no manual review solutions that were purposefully designed to serve major markets in Continental Europe. Perseuss re-designed its FACT tool in 2017 and only began marketing it to other merchant verticals beyond it’s core group of airline users late last year. Whitepages Pro opened it’s brick-and-mortar first office outside North America in Amsterdam in the beginning of this year. Meanwhile, SEON’s manual review tool is still in its early days and is officially only a week old.

Given the borderless nature of software, this begs the question: Why were manual review tools so focused on the North American market until 2019?

  • The answers from people in the industry boil down to two main points:
    e-commerce was pioneered in the U.S. and the attendant explosion in CNP transactions occurred years ahead of other markets, stoking American innovation in e-commerce fraud solutions.
  • Much of the fraud in e-commerce involves the U.S., whether involving American customers or U.S. based e-merchants. According to a study based on 2014 data, the U.S. accounted for 52% of the fraud attack volume on merchants around the globe.

“The U.S. has a very well established e-commerce ecosystem that created the demand for [manual] review tools quite some time ago,” explains Beth Shulkin, Marketing VP for Whitepages Pro. “Combine this with the fact that the U.S. has the most data availability in the world and an enormous amount of tech companies that are pushing daily life into the digital realm.”

Many fraud analysts in markets in Europe acknowledge that the early development of American e-commerce gave U.S.-based solution vendors first-mover advantage in the global market for fraud prevention solutions. “For Europe-based online marketplaces and merchants it is easier and cheaper to use an existing tool than create a new one and the implementation of existing tools also consumes much less time,” says Mateusz Król, a fraud prevention analyst at G2A.com.

G2A.com claims to be the world’s biggest digital gaming marketplace with over 20 million transactions last year and customers in 170 countries. The company, which was founded in 2013, is headquartered in Hong Kong, but was founded by two Polish entrepreneurs and has its main fraud prevention office in Poland. According to Król, G2A.com currently relies on internally developed tools for transactions involving EU citizens and for non-English speaking markets.

Data collection differences within Europe

Part of the problem of gathering enough identity data for manual review tools to work well outside of North America is the wide variability in the availability and accessibility of this data in different markets. In the EU, privacy legislation on both the EU-level (i.e. GDPR) and on the national level puts more legal limitations on vendors acquiring the personally identifiable information (PII) that powers most manual review solutions. However, the issue goes beyond just privacy regulation and even into differences in national data architecture and accessibility that can vary significantly by geography.

Germany is a good case in point. The country does not keep much personal information about residents in digital form in a centralized database. Personal information like a person’s registered address and property ownership is maintained on the municipal level in the country and often must be accessed in-person and not online.

“Germany is not that digital, we still use pen and paper for a lot of things,” say Matthias Wilson, an intelligence analyst who used to work at one of the German intelligence agencies and now works in the corporate sector..”We are not as advanced as other countries [in this sense] and, therefore, we do not have these databases.”

These limitations not only hurt the accuracy and information value of manual review tools for card-not-present transactions, but also those used in fraud and money laundering investigations done by insurers, banks and others in the corporate sector. Wilson says that in Germany, a car license plate number or what is known as the vehicle identity number (VIN) can only be accessed by law enforcement. In contrast, TransUnion openly sells this information in the U.S. to investigators as part of its TLOxp product.

Some countries in Europe are even stricter regarding data access. According to Wilson, to find information on a person’s registered address in Austria, the requesting person must also be an Austrian citizen. This obviously impedes quick and efficient manual review of address on cross-border transactions, whether card-not-present purchases, money transfers or other types of fraud. It probably also helped discourage the development of manual review tools in the EU market.

“Cross-border companies doing business in multiple geographies do not want to go country-by-country figuring out how to source and leverage quality identity data,” says Whitepage Pro’s Shulkin. Several fraud analysts who work for multinational e-commerce companies agreed with her assessment.

Pan-European manual review options

For now that means that Whitepages Pro and SEON are focusing in the European market largely on data available on the open web, including email, phone number and IP address. Perseuss’s FACT tool, meanwhile, is based on credit card data and enabling frictionless communication between merchants and issuers to review and authorize transactions in real time.

For now these vendors tools are probably the best options European merchants have for using cross-border manual review tools. The market will judge over the next few years if there is a healthy demand for them.

This article was originally published on About-Fraud’s partner website FraudBeat.

Posted by / March 21, 2019
Posted in News
Ronen Shnidman

Ronen Shnidman

Ronen Shnidman is the Managing Editor of about-fraud.com.