On August 22, the Australian Payments Network, Australia’s self-regulatory body established by the payments industry, issued its Australian Payment Card Fraud Report for calendar year 2017. Highlights of the report included the following findings:
- The overall value of card transactions in Australia for 2017 was AU$748,110,632,702, a 5 percent growth over 2016. Paralleling this growth, the value of fraudulent card transactions in Australia for 2017 was AU$561,408,226, a 5 percent growth over 2016.
- For Australian cards, the average value of a fraudulent transaction decreased from AU$188 in 2016 to AU$157 in 2017.
- Related to the global move to EMV card technology, counterfeit/skimming fraud dramatically decreased 47.8 percent, from AU$59.2 million in 2016 to AU$30.9 million in 2017. With regard to all Australian cards used, fraud decreased domestically by 36 percent to AU$16.5 million and internationally by 57 percent to AU$14.4 million.
- Card-not-present (CNP) fraud accounted for 84.5 percent of all card fraud. Online card fraud increased by 13.9 percent, from AU$418.1 million in 2016 to AU$476.3 million in 2017. With regard to Australian cards used, fraud increased domestically by 29 percent to AU$227.5 million and internationally by 3 percent to AU$248.9 million.
- The increase in online fraud is due to three factors: (1) “fraud migrating online as chip technology provides strong protection for face-to-face fraud”; (2) “large scale data breaches, which capture sensitive card data”; and (3) “identity theft, which often includes the theft of sensitive card data.” Online fraud schemes “continue to use a variety of techniques, such as malware and phishing attacks to capture sensitive card data or cardholder passwords, and masking tools to try and bypass the risk-based rules used in fraud analytics products.”
The report also noted that implementation of the Australian payments industry’s framework for reducing CNP fraud is expected to begin in late 2018.
Australian financial institutions will need to pay close attention to the report’s data, particularly regarding CNP fraud and the role of large-scale data breaches, because of new legal obligations under the Privacy Amendment (Notifiable Data Breaches) Act 2017. That law established the Notifiable Data Breaches (NDB) scheme in Australia, which took effect February 22, 2018. Under that scheme, entities with existing personal information security obligations under the Australian Privacy Act 1988 (Privacy Act) (including Australian Government agencies) are required to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm, to include in that notice recommendations about the steps that individuals should take in response to the breach, and to notify the Australian Information Commissioner of eligible data breaches.