The role of ICT in a credit business: authorisations

November 2007
Raymond Garde from PIC Solutions, South Africa provides some insights

This article details the core functionality and processes that make up an authorisations system. The authorisation system is typically used in a real-time environment to decide whether to accept, decline or refer for additional review, customer purchases or cash advances.

Authorisations - Core Functionality
The main purpose of authorisation functionality is to control debit transactions and ensure that spending is maintained within acceptable limits, at the same time maximising the profitability each customer represents for the organisation. The authorisation system is designed to minimise the decision processing time, ensuring high quality customer service from stores or merchants. Central to this objective is making sure that the appropriate security or risk checks are performed to determine the best possible decision and limit the organisation's exposure to fraudulent transactions and bad debt.

The authorisation system will decline certain groups of customers for policy reasons. Policy reasons vary between organisations, but normally include lost/stolen card situations, bankrupt customers, confirmed frauds, charge-offs and accounts with an unacceptably high level of delinquency. The parameters guiding the application and management of policy rules are set within the authorisation system. In addition, the authorisation system manages security checks to identify potential fraudulent activity, for example, where there is a high transaction velocity. Should this occur, the authorisations system refers the purchase or advance for manual resolution.

With all other types of customer interaction, the authorisation system ensures that the transaction request falls within an acceptable risk level before being approved. Typically, approval is determined by calculating an 'open to buy' amount for each customer. 'Open to buy' is the maximum spend allowed on an account without the transaction being referred or declined. The amount is calculated as the difference between the credit limit and current balance, but also includes any transactions that have been approved since the last balance update (termed 'outstanding authorisations'). Accordingly, the authorisations system must maintain the value of outstanding authorisations each day to prevent a customer making multiple transactions between each balance update.

Many organisations allow some leeway for customers before referring or declining the transaction. These tolerances usually fall into two specific areas:
Over credit limit tolerance - This is an amount above the known credit limit that the customer is allowed to spend to. Tolerance here is variously known as the oversell, cushion, shadow or expansion amount. In advanced authorisation systems, parameters may allow additional expansion of tolerance for traditional high spending periods like Christmas, seasonal sales or annual holidays. 

Acceptable delinquency tolerance - This tolerance is defined according to the level of delinquency up to which a customer is allowed to purchase. This parameter allows for continued customer service in the event of a late payment.

In most cases, the customer is unaware of the tolerances and the tolerance level allowed will vary between institutions. For example, retailers typically allow more lenient tolerances than banking institutions because of the additional revenues generated from the margin on retailing merchandise sold. With the majority of authorisation systems, tolerances are applied as a 'blanket rule' to large groups of customers although variation may occur between specific product types. For example, Gold cardholders usually have higher tolerance levels than Classic cardholders because of higher account status.

Policy Rules
The authorisations system must be able to evaluate many data fields to determine policy groups. The host credit system refers to these policy indicators as status codes, block codes, or VIP status. Examples of data field indicators are: deceased, bankrupt, VIP, or pick up card descriptors. Policy indicators are held at account level and indicate either positive or negative circumstances. The authorisation system evaluates the policy indicators as part of the approve, decline or refer decision. For example, a VIP account would receive more favourable sales treatment whilst a bankrupt account would be declined automatically.

Security/Fraud Rules
Typically, an authorisations system performs a series of security and fraud checks. Where these checks 'fail,' the transaction is normally referred for manual review. Ideally, the authorisation system also allows for the real-time update of all lost and stolen card information to combat the dangers of card fraud and crime. Organisations may discover that there are certain trading times with a higher potential for fraudulent transactions, for example, immediately prior to store closure or late night transactions. If this is the case, the authorisations system should be designed with lower tolerances or automatic referral rules based on time of transaction.

Checks the authorisation system takes into account when attempting to identify potential fraudulent activity include:
Expiry date checks
CVV and CVC checking for bankcard authorisations
Maximum number of PIN attempts
Maximum number of transactions per day/week/month
Maximum single item transaction values
Maximum transaction values per day/week/month

Merchants
Authorisation systems often accept transactions from many different stores or merchants. Merchants usually have customised parameter settings to control authorisations in the event the host system is unavailable (off-line). For 'closed loop' issuers (the acquirer and issuer are the same, as in chain store retailers) a database is created with summary information that can be downloaded to stores for off-line situations or to enhance off-line decisions. Although better than a 'no check' scenario, there is still a danger here that information may be out of date or that recent (same day) authorisations are not accounted for. Merchants normally have pre-defined, or floor limits, to control the volume of transaction 'traffic' to the host system. Transactions below the limit are automatically approved whilst those above the floor limit are routed to the host system for decisioning.

It is common for certain merchants, stores, geographical areas or transaction types to be considered a higher risk. The authorisation system must allow for additional levels of parameterisation to cater for these circumstances with security and risk checks tailored accordingly. As an illustration, jewellery transactions are generally considered considerably higher risk and treated as a policy exception requiring manual intervention.

Reporting and MIS
Authorisation systems can process millions of daily transactions. All transactions must be logged for backup and reporting purposes and typically the transaction log forms the basis for the reports drawn from the system. Report criteria must be easily definable to ensure an appropriate level of detail. Ideally, the risk management team analyses reports to track and measure all authorisation activity and determine the effectiveness of the parameters, as currently defined.

In summary, additional functionality can be present in an authorisation system. However, the key drivers in selecting an authorisations system should be ease of use, rapid decision timeframes and flexible system parameterisation.

Complementary Tools and Technologies
Many credit organisations view account management solutions and systems as an essential part of the account authorisations function. Account management systems provide a flexible, intelligent approach to authorisation decisions and allow the risk management team to refine the strategies applied to individual accounts within a portfolio. Account management systems also enable the risk team to test new strategies on smaller groups of accounts, measure the results, and then apply those strategies to larger groups in event there is a desirable test outcome. (For information on account management refer to 'The Role of ICT in a Credit Business - Account Management')

Increasingly, credit granting organisations use credit bureaux information during the authorisation decision process. Part of this may include use of credit bureaux (CB) scores as an additional criteria, especially where there is a decision on a 'marginal' or higher risk account. The major benefit of CB scores is that they measure the performance of all the customer accounts held at other organisations and so provide a broader, more comprehensive view of the associated risk.

Enhanced fraud prediction software is also available to help identify potentially fraudulent transactions prior to the approve or decline decision. Fraud software typically uses predictive models built on historic data to quickly identify the possibility of fraudulent activity on an account.

Emerging Trends Internet Technology
The growth of Internet technology and reality of extended shopping hours makes it vital to have an authorisations systems that can function 24 hours a day, seven days a week. The Internet gives customers access to shop at any time, in any time zone, and with any currency. Consequently, the authorisation system must have the capability to provide real time responses to customers transacting from a Web-based environment.Smart Cards

Smart cards are becoming more prevalent in the market place. These cards hold an electronic 'purse' of money with available funds accessed directly from the card. The smart card also holds identifying information about the customer, providing additional identification functionality. Presently, the greatest obstacle to widespread adoption of this technology is the high hardware cost. In addition, traditional magnetic stripe readers are unable to read smart card chips and the cost of replacing existing technology to enable this is prohibitive. It is predicted that as the price of smart card reader technology declines, so smart cards will become more widely utilised.

Neural Networking
Neural network technology 'learns' from historic transaction patterns and can be used for identifying and combating fraudulent transactions. Neural networks keep track of the characteristics associated with fraudulent transactions and translate this into a predictive model, which can identify and block transactions with a high probability of fraudulent activity. The main strength of neural technology lies in its ability to build on the past and become increasingly accurate over time.Other Developments

Optical Character Recognition (OCR) equipment and technology is being increasingly used by organisations. With this process, customer service or call centre staff conduct further verification on manual referrals by checking electronically scanned sample signatures against the original docket to confirm customer authentication

Summary
This article provides an overview of the main high-level functionality currently available in credit processing authorisation systems. It details some of the 'checks and balances' typically used in authorisations systems and discusses operational issues facing the credit management professional.

© Banker Middle East 2007