High-risk acquiring often means high rewards for acquirers and payment service providers. However, balancing risk with reward in the e-commerce channel can be fraught with hazards for the unwary. The risks from unscrupulous merchants, consumers and criminals are high. And when the stakes are high, doubling down may not be an option…
ACQUIRER RISK WAS different in the old days. The world seemed smaller, slower and more store-based. There were fewer payment mechanisms and players in the ecosystem. Acquirers were primarily concerned with credit and operational risks.
Merchants selling goods with a high resale value and more likely to be targeted by fraudsters posed a higher credit risk. So did merchants accepting pre-payment or offering ongoing services.
If the merchant’s business failed, they failed to supply the service or introduced excessive issuer fraud into the system, acquirers would bear the potential chargebacks.
“It was sufficient to focus on chargeback risks and content violation, but that has changed. Just as the fraudsters are adapting and scaling their business, the same needs to happen on the side of the vendors and risk departments. They constantly need to evolve.”
Christian Chmiel, CEO, Web Shield.
Higher credit risks equalled higher acquirer chargeback risks, and rates reflected risks. Merchants selling jewellery or consumer electronics, furniture or fitted kitchens for delivery in four-to-six weeks or rolling gym membership tended to pay higher merchant service charges (MSC) than those selling groceries. Quite naturally, risk management practices also reflected the nature of the risks. Acquirers performed credit scoring and site visits. They took collateral, monitored their merchants and their rolling reserves. Then came the internet.
THE INTERNET CHANGED EVERYTHING
Credit and operational risks present in the physical world persist online, but the scale and clock-speed on risk exposure has increased. New risks have appeared, and notions around credit and chargeback risk, which have dominated acquirer risk thinking for decades, have undergone a fundamental re-set.
The internet helps to facilitate more cross-border sales. This trend is set to continue. Research firm Forrester predicts that cross-border business-to-consumer e-commerce will more than double over the next five years to reach $424 billion by 2021. Cross-border sales will also take an increasing share of online commerce, rising from 12 percent in 2015 to 15 percent in 2021. Cross-border expansion is a huge opportunity for any business. However with greater rewards comes greater risks for both merchants and acquirers around the nature of goods and services being sold, as well as how they are sold.
“The fact that you do checks at the entry point is not enough. It is critical to have a very good ongoing monitoring process to spot the changes within the merchant, their website and their ecosystem.”
Daniel Klein, chief operating officer, EverCompliant.
Cross-border transactions have to be legal in the country of both the buyer and the seller. In some cases this is clear-cut: some goods are not lawful to sell. However sometimes goods and services may be legal but subject to age or legal restrictions, for example tobacco or pharmaceutical products. In other cases, goods may be legal but prohibited by the card schemes or platform. How goods are sold is as important as what goods are sold. If a merchant’s sales and marketing practices violate applicable laws in either the country of the buyer and/or the seller, transactions for legal goods and services may become illegal. Examples include making misleading claims or operating pyramid schemes or inertia selling.
The addressable online opportunity is larger and faster. For example, American broadcaster CNBC estimates that the pornography industry is worth $13 billion per year in the US alone, with $3,075 spent on porn every second. E-commerce merchants are open for business 24 hours a day to a global customer base. Legitimate transactions can occur quickly, so can illegitimate ones, which changes not only the potential risk exposure but also the ways it is managed and mitigated.
“Distance selling and cross-border sales pre-date the internet of course, but the e-commerce channel exacerbates some of the acquirer risks,” says John Berns, managing partner, Accourt. “The internet is a quasi-anonymous platform where it is difficult to trace messages back to their original source. There’s no centralised legal authority and enforcing contracts across national borders can be difficult.”
Rates reflect risks for high-risk e-commerce merchants. “It is not unusual to see gambling merchants paying five-to-six percent MSC on average, those in the adult sector around eight percent, and nutraceutical merchants paying 10-12 percent,” says Berns.
GAMING THE SYSTEM
“The high-risk acquiring space has to contend with two additional types of fraud not so prevalent in the payments industry generally. Firstly, ‘friendly fraud’ where the consumer participated in the transaction, but repudiates it via their card issuer who instigates a chargeback. Secondly, there is affiliate fraud,” explains Christian Chmiel, CEO, Web Shield, a cyber risk management company.
Affiliates promote goods or services offered by merchants in exchange for an incentive or commission from the merchant. “Affiliate marketing is the number one way to market in the dating and adult sectors. Instead of spending budget on banner advertising, merchants only pay if an affiliate brings them a client,” says Chmiel. “Affiliates receive a specific link with their affiliate ID and connection to the merchant website. If someone clicks on that link and signs up, the affiliate receives a commission. This can be 30-40 percent of the monthly turnover referred for dating and up to 70-90 percent in the adult sector.”
Rogue affiliates may exploit their merchant clients by buying lists of stolen card details and entering them on their own affiliate pages to earn commissions. Other ways rogue merchants or third parties game the system include creating mirror or shell websites for acquirers to inspect prior to boarding, before switching to undeclared business once they have secured an acquiring contract. They mis-code transactions, hop from acquirer to acquirer before being terminated, or load-balance their riskier transactions between several acquirers at once.
THE DIRTY BUSINESS OF LAUNDERING
For Daniel Klein, chief operating officer at cyber risk firm EverCompliant, there has been a huge shift in online fraud activity from traditional consumer fraud towards merchant-based fraud.
“There has been a proliferation of payment systems. 10-15 years ago credit cards were pretty much the only method of payment used for online shopping. Nowadays many different payment methods can be used to create layers within a complex payment environment,” he says.
“We see today that acquirers and processors are processing anywhere from six percent up to even ten percent more merchants that they are aware of.”
Daniel Klein, chief operating officer, EverCompliant.
It is also quicker and easier to start an online business compared to a brick-and-mortar business. “There are so many platforms where, in just a few clicks and with very limited identifiable information, you can become an online merchant with the ability to process payments,” he continues. “When you combine these trends, it can become very difficult to track the origin and beneficiary of the payment — and what those payments are really for.”
Obtaining payment acceptance for websites offering illegal, restricted or scheme-prohibited content has become much more difficult over the last three years or so, according to Klein. This is due in part to increasing acquirer awareness, the brand protection programmes run by card schemes and other regulatory scrutinies. However, there is still a market — a supply and a demand — for such products and services, hence the shift towards transaction laundering.
“Transaction laundering is when a known, registered merchant knowingly or unknowingly processes transactions on behalf of another business, which is unknown to the acquirer or underwriting entity,” explains Klein.
Transaction laundering exists in the brick-and-mortar world, but the order of magnitude in the online world is arguably greater. “We see acquirers and processors processing anywhere from six percent up to even ten percent more merchants that they are aware of. So, in a merchant portfolio of 100,000, one should expect up to 10,000 unknown merchants transacting through known clients,” says Klein.
Sometimes the merchant may be an unwitting participant in transaction laundering. They may be exploited as a payment acceptance channel by another unscrupulous merchant or affiliate. There is also the problem of collusive consumers. They have participated in a potentially illegal transaction, but have what they wanted and paid for, so will not initiate a chargeback via their issuer. This turns decades of thinking around acquirer credit and chargeback risk on its head. When the biggest risks may not end in a chargeback, how can acquirers and PSPs detect and mitigate them?
The key questions an acquirer asks at the merchant underwriting stage are as valid for high-risk e-commerce merchants as for any other type: who is the merchant, what are they selling, to whom and how? However underwriters can no longer rely on quantitive data from credit reports alone. They must supplement this with qualitative data on a merchant’s business model, their sales and marketing practices, and their ecosystem.
“It’s similar to the anti-money laundering world where banks look at customers, but also at the world associated with that customer — who they do business with, who their directors do business with. Acquirers need to uncover the hidden network connected to the counter-parties.”
Hundreds of millions of websites accept payments and the network of relationships within the merchant ecosystem is complex. The scale of the task exceeds traditional database and analytic techniques. Acquirers and PSPs need to harness Big Data technology to do some of the heavy lifting.
Just as the technology focus is shifting within underwriting organisations, so must the mindset. Acquirers must expand beyond preventing risk at the on-boarding stage to detecting risk throughout the relationship by ongoing monitoring. “The fact that you do checks at the entry point is not enough,” says Klein. “It’s critical to have a very good ongoing monitoring process to spot the changes within the merchant, their website and their ecosystem.”
Finally, it may no longer be enough to be compliant. Organisations must evidence how they achieved compliance. “Processes need to be in place from a compliance point-of-view to be able to answer six months later why you on-boarded the merchant. Were there any violations associated with that merchant? How did you handle those violations? Why did you keep them operating? Under what risk layer? Having clear processes and being able to track how you operate within those processes is becoming something of a necessity within the industry,” concludes Klein.
Not for the first time in business or in payments, the internet changed everything. Acquirer risks changed from the structured, familiar risks around credit and chargebacks to complex, unpredictable risks largely related to cross-border sales. The increased numbers of payment mechanisms and players in the e-commerce ecosystem again add complexity and potential risk.
The nature of the internet itself exacerbates some of the risks posed by unscrupulous merchants, cardholders, third parties or criminals. It is a global platform with no central legal authority, making it difficult to enforce contracts. Merchants can set up shop quickly and relatively inexpensively and change locations just as quickly, making due diligence difficult. E-commerce merchants are open for business 24 hours a day, and legitimate as well as illegitimate transactions can occur quickly, which increases acquirer risk exposure.
Just as the nature, scale and clock-speed of risk exposure has changed, so the ways to manage and mitigate these risks need to change. This involves a technological as well as a cultural or mindset change: from analysis of quantitive data to analysis of qualitative and Big Data, from the merchant in insolation to the merchant ecosystem, from up-front checks to ongoing monitoring, from compliance to ongoing, trackable compliance. High-risk acquiring, irrespective of sales channel, remains a risky business.