One of the fastest growing trends in ecommerce fraud protection is the promise of a guaranteed approval rate for transactions.
In some ways it seems the next logical step in an industry that has been evolving as rapidly as ecommerce itself. Future-focused retailers long ago left behind the world of rules-based fraud detection solutions. Soon after came guaranteed fraud protection, a model that Signifyd pioneered and one that makes merchants whole for approved orders that turn out to be fraudulent.
So why not guarantee a merchant a certain approval rate? As a merchant, it would obviously be highly desirable to know with certainty that a precise percentage of the orders that customers initiate would end with a sale. But it turns out there are pros and cons involved with the fledgling feature.
- Guaranteed approval rates are increasingly the subject of conversation among merchants implementing a modern fraud-protection solution. By definition it sounds like a great idea, but beware of the rule of unintended consequences.
- No question, approval rate is a significant metric to track when determining the success of your fraud-management efforts. But it’s best viewed over the long term: a high number of approvals that includes a significant number of fraudulent orders is not a good thing.
- There are good questions to ask when considering the offer of a guaranteed approval rate. Read on.
“Approval rate” is the gold standard of fraud prevention success metrics. Over the long term, it provides a measure of whether a fraud prevention provider is optimizing revenue for a merchant. More orders out, more revenue in.
The upside to guaranteed approval rates seems obvious. With an approval rate guaranteed, a merchant would have solid revenue predictability.
Approval rate is a long-term success measure for fraud protection
Over the long run, approval rate is a powerful and appropriate way to measure success. Next-generation commerce protection providers, like Signifyd, achieve approval rates of 98% and 99%.
But in the short term, a focus on a high approval rate alone fails to account for fraud attacks and to acknowledge that, when a merchant is under attack, a drop in approval rate is a sign that fraud protection is working. After all, it’s in everyone’s best interest (except the fraudsters’) to decline those fraudulent orders.
A couple of illustrations will help make the point. When a merchant is under fraud attack, a high-quality fraud protection solution recognizes the attack and turns the bad orders away. Naturally, a merchant’s approval rate declines during such events. The more dramatic the attack, the more dramatic the drop in approval rate. (See Day 6.)
But as important as approval rate is as a metric, in the case of a fraud attack it is more important to consider the amount of gross merchandise value (GMV) approved. When a fraud ring attacks a merchant, the overall number of orders increases, often significantly. It stands to reason, however, that the number of good orders stays about the same. That means a merchant that is able to decline the fraudulent orders brought on by the attack, while approving the good orders arriving in the normal course of business, will not experience a decline in revenue. (See Day 6.)
How do you guarantee what you can’t control?
For all its upside, the downside of an approval rate guarantee comes into focus when you start to think about how a guaranteed approval rate would work. The idea immediately raises a question: How do you guarantee what you can’t control?
For instance, what happens in the case of a fraud attack?
Consider a recent automated attack that Signifyd detected and prevented. A fraud ring placed thousands of orders for computer chips in quick succession at a number of merchants in Signifyd’s Commerce Network. Each retailer saw its number of orders increase substantially, while its approval rate dipped. Why? Because an unusually high number of the orders were fraudulent and therefore declined.
In other words, to cite an extreme example, consider a fraud protection provider that guarantees a 99% approval rate. Now imagine in the midst of an attack, 40% of a merchant’s orders are fraudulent. Suddenly, 39% of the orders the merchant ships will result in a chargeback.
Somebody needs to pay those chargebacks and associated fees. And whoever pays, a merchant in that position should worry about its standing with its payment gateways and bank, given the high number of fraudulent orders it accepts. Not to mention its standing with consumers who have to deal with the fraudulent charges on their credit accounts.
One of the key advantages to a machine-learning solution like Signifyd is that it is able to detect and decline the bad orders based on millions of transactions and a feedback loop that is constantly fine-tuning it to sort fraudulent orders from legitimate ones.
Once a merchant has that kind of protection in place with a financial guarantee backing it, they no longer have to worry that static rules and inflexible custom guardrails are causing good orders to be declined. And shipping good orders is where, as they say, the money is.
Back to our example above. Let’s consider the options open to a fraud provider offering a financial guarantee in such a case:
- It can do what it was hired to do and decline the 40% of orders that are fraudulent. Of course that puts its approval rate guarantee in jeopardy.
- It can decline the 40% and get creative with the numbers by counting multiple fraudulent orders made with the same account as just one attempt. Or it can carve out certain fraudulent orders as “obvious fraud” that shouldn’t be applied to the guaranteed approval formula. Such manipulation can easily add 10 percentage points to an approval rate.
- It can let the fraudulent orders through, pay the resulting chargebacks and associated fees and find ways as time goes on to make up the losses at the merchant’s expense. For instance, it might lower approval rates in the future, limiting its exposure, while limiting the merchant’s revenue.
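How the counting choices in the second option change the reported number, as an added example (not Signifyd’s or any provider’s code). The `Order` fields, the `obvious_fraud` label and the sample day are constructed assumptions; the 40% fraud share is taken from the example above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    account: str                 # account that placed the order
    approved: bool               # provider's decision
    obvious_fraud: bool = False  # hypothetical provider-assigned label


def approval_rate(orders, dedupe_declines=False, exclude_obvious=False):
    """Approval rate under a chosen definition of 'declined order'.

    dedupe_declines: all declines from one account count as a single decline.
    exclude_obvious: declines labelled 'obvious fraud' leave the denominator.
    """
    approved = sum(1 for o in orders if o.approved)
    declines = [o for o in orders if not o.approved]
    if exclude_obvious:
        declines = [o for o in declines if not o.obvious_fraud]
    if dedupe_declines:
        declined = len({o.account for o in declines})
    else:
        declined = len(declines)
    total = approved + declined
    return approved / total if total else 0.0


def sample_attack_day():
    """Constructed data: 60 good orders approved, 40 attack orders declined.

    The 40 attack orders come from 8 accounts (5 each); the provider labels
    every order from 4 of those accounts as 'obvious fraud'.
    """
    good = [Order(f"cust-{i}", True) for i in range(60)]
    bad = [Order(f"ring-{i % 8}", False, obvious_fraud=(i % 8 < 4))
           for i in range(40)]
    return good + bad


if __name__ == "__main__":
    day = sample_attack_day()
    for label, kwargs in [
        ("every decline counted", {}),
        ("declines deduplicated by account", {"dedupe_declines": True}),
        ("'obvious fraud' carved out", {"exclude_obvious": True}),
        ("both adjustments", {"dedupe_declines": True, "exclude_obvious": True}),
    ]:
        print(f"{label:34s} {approval_rate(day, **kwargs):6.1%}")
```

The same decisions on the same orders report anywhere from 60% to nearly 94%, which is why the definition of a declined order belongs in the contract and in the reporting tools.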
Five questions to ask when considering an approval rate guarantee
So, yes, the notion of a guaranteed approval rate is a complicated one. Given that’s the case, we’ve come up with questions a merchant should ask the fraud protection providers it’s reviewing when considering a guaranteed approval rate offer.
- What is your incentive for offering me a guaranteed approval rate?
Maybe this is a version of asking, “Isn’t this too good to be true?” But think about it: Is the guarantee being offered because the provider doesn’t think you’ll be hit by a fraud attack? It would be an odd position, given that you wouldn’t need the provider’s solution if you’re not going to see fraud attacks. On the other hand, if a provider actually believes you won’t be attacked, it doesn’t know much about ecommerce fraud. Enlightening information, for sure.
- What happens when a fraudster or fraud ring does attack me? Do you intend to maintain the guaranteed approval rate by approving fraudulent orders?
Sure, you presumably are talking to a provider that provides a liability shift for approved orders. If the provider isn’t providing a liability shift, your conversation should be an incredibly short one. With no skin in the game, an approval rate guarantee is meaningless.
But even with a liability shift, think of what waves of fraudulent orders are going to do to your brand reputation. As important, think of what those waves will do to your ability to function. Banks, payment processors and card issuers all frown upon high fraud rates and will shut down services to those who go too far wrong.
- Explain to me with concrete examples how you maintain the guaranteed approval rate in the face of a fraud attack.
You probably understand by now that it’s not a question of whether you’re going to confront a fraud attack, it’s a question of when and how often you’re going to confront a fraud attack. Knowing that, how do the fraud providers you’re considering explain their business models? How do they make that number when your order mix doesn’t dictate that the guaranteed percentage of orders should be approved? Will they approve bad orders? Will they pay you some penalty for missing the mark? Will they walk away from the contract?
- How do you define a declined order?
It seems simple enough, but we’ve seen guaranteed approval rates that come with caveats. Does every single decline count against the guaranteed approval rate? Or does the provider deduplicate attacks that come from the same account or same attack in the case of bot attacks? Does the provider have a category of fraud attempts that are considered so obvious that they argue they should not count against the guarantee? And if so, how does the provider define “obvious fraud”? Are there controls and transparency around the “obvious fraud” category in the fraud solution’s reporting tools? Be sure you’re crystal clear on what does and doesn’t count as a declined order.
- How did you decide upon the time element you’re using to establish the required approval rate metric?
We’ve seen contracts structured so that if the fraud provider misses the guarantee for six consecutive months, the provider is in breach of contract. What’s to stop a provider from missing the mark five months in a row and then in month six, taking the hit by approving enough fraudulent orders to raise the approval rate to the guaranteed number, thereby staying in compliance with the contract? In essence, the financial hit the provider takes paying the guarantee on each approved order is an investment in keeping the contract.
Again, we think approval rate is a solid metric to gauge the success of fraud protection strategies and solutions. Where it can become a problem is when a provider offering a guaranteed approval rate isn’t talking to you about transparency. If they can’t deliver the good numbers with the bad, without artificial caveats, you’re talking to the wrong provider.