With a wave of new regulations coming in from Washington DC, ISOs, merchants and other leading payments providers stand to see an extensive impact on their operations.
These shifts require providers not only to examine the latest fraud detection opportunities in far greater depth, but also to place far greater importance on fraud prevention across the whole industry.
Payments providers in the United States may have had an easier time in recent years than those in the European Union – but that is all set to change, and it’s vital that payment providers are ahead of the game when it comes to regulation and compliance.
“What we're seeing is that the federal regulators in Washington DC have turned their attention to the payments industry. In the past, if a merchant committed fraud, the payments industry could say, ‘We did what we could. It is certainly part of our problem, but it's not our fault’,” explains Scott Talbott, Senior Vice President of Government Affairs at the Electronic Transactions Association (ETA).
“But, over the last couple of years, the federal regulators have taken the tack that they're going after the payments industry, saying, ‘We actually disagree, we think you had a role to play here.’ And they shifted the liability and the legal standard, to where having actual knowledge of the crime or the fraud that was being committed was set at a new standard. This is causing some challenges in the payments industry.”
From the regulatory perspective, despite already being subject to a number of federal and state laws, fintechs face uncertainty as the federal government considers how to regulate a dynamic and innovative industry. The lack of clarity on regulations is also adding pressure on payment providers to manage compliance.
The Consumer Financial Protection Bureau (CFPB) has raised concerns about fintechs, with a particular focus on the payments and lending industries. In 2022, buy-now-pay-later (BNPL) was in the spotlight.
The Federal Trade Commission (FTC) has also scrutinised fintechs and payments companies. The FTC has developed new enforcement approaches and continues to bring actions against payment processors, payment facilitators, and similar companies.
These developments demonstrate that federal regulators in the areas of consumer protection are keenly focused on the fintech industry and its potential impact on consumers, businesses, and the economy.
Regulations, due diligence and preserving consumer trust
One of the biggest questions that payment providers are facing is: Are the majority of companies in this sphere genuinely prepared for the increased liability that's coming into the industry?
“On an everyday basis, payments companies are prepared to deal with the risk of increased liability from the regulators,” Talbott asserts.
“A lot of what we're talking about is just the daily blocking, tackling, underwriting and risk management of merchants of payments processors – something payments companies do very, very well.”
But, Talbott also explains that companies are having to adjust to dealing with this new overhang in lots of different ways – learning from the case laws, settlements, consent orders, fines and penalties.
However, for newer players, Darryl Cumming, Director of Product Management at NMI, argues that this preparedness is not always the case.
“I would say some payment companies are fully prepared – that they're on top of these regulations, they're doing their enhanced due diligence,” says Cumming.
“However, there are a lot of up-and-comers in the industry, and we're seeing more and more software companies transitioning into providing card processing services. A lot of these are very new to underwriting; they're new to ongoing risk review.
“I think a lot of these novices do not have the expertise. They don't have reliable veteran staff on hand, and they're struggling with some of these new regulations and risks that we're seeing.”
So, why is it so important that we talk about this subject now? Well, to take just one example, the FTC recently published a tweet outlining its latest data, which shows that consumer-reported losses to scams are up to US$8.8bn, as of 2022. That's a 30% increase from what we saw in 2021.
“I don't think there's any better time to be talking about this than the here and now,” Cumming asserts.
“This is a topic that is always pertinent and timely, because fraudsters never sleep. As we build a 10-foot wall, they’re building an 11-foot ladder. So we build a 12-foot wall and guess what? There's a 13-foot ladder coming right behind it,” Talbott adds.
“So, this is something that we can never rest on. We are charged with protecting the payments system, and making sure consumers around the globe have confidence in the payments industry, and we do that by fighting fraud. So, it will always be, unfortunately, a timely topic.”
Understanding the recent changes to liability
As well as regulations, reputational risk is also paramount – especially when the emphasis for responsibility is shifting.
So naturally, the big question is, where do the biggest vulnerabilities lie for payment providers?
“I think one area where I see a lot of payment providers in a vulnerable situation is in the automation of ongoing risk protection,” says Cumming.
“It's a critical vulnerability. For merchant businesses and owners within your portfolio, being able to automate as much of the ongoing risk review as possible is essential. It's very time-consuming work. Another major vulnerability is just a lack of audit capabilities.
“Making sure you're able to prove that you're doing this enhanced due diligence; keeping track of the merchants and their ownership structures within your portfolio, and having that documented; and having it to fall back on for regulators are all critical pieces of the puzzle.”
Talbott also warns that – perhaps unexpectedly – one of the greatest risks to payment providers is a merchant who presents themselves as legitimate, but is actually a well-disguised fraudster.
“Probably the greatest risk is a merchant who is hell-bent on committing fraud. They know the system, know how to play the game and how it all works. If they are hell-bent on fraud, they're going to work hard to achieve that fraud,” Talbott explains.
“We have systems to try and deal with this, but those are the areas that require the most effort and are the most dangerous, because they have already earned trust and a reputation.”
NMI’s advice for payment providers
In this ever-evolving field, navigating the regulatory changes and increasing liability is no mean feat.
“The metaphors I like to use are tiles in the mosaic, or trees in the forest. You have to look at all these cases, and try to string them all together,” Talbott explains.
One of the key takeaways here is understanding what the regulators are looking for: the red flags. The lesson to be learned is to pinpoint the things in an application or in a merchant's behaviour that are wrong or don't seem to make sense.
“The easiest one – the one that the regulators usually start with – is, do you have a high chargeback ratio? Is it over 1% for that particular segment of merchants? If you've got a really high chargeback ratio (around 20%) the regulators are going to see it as a red flag,” Talbott advises.
“Now, any one of these in and of itself is not dispositive. But, when you add them all together and create that mosaic, this is where the regulators will hone in.”
The key questions to ask include:
- Do they have a lot of requests for refunds?
- Do they have complaints being filed against them by governments?
- Do they have lawsuits being filed against the merchant?
- Do they see the merchant engaging in activities?
- Are they load balancing?
- Are they delaying chargebacks?
- Are they spreading sales over multiple accounts, in an attempt to obfuscate the fraud that they're trying to commit?
- Do they use a lot of shell companies?
- Do they have a history of settlement actions or enforcement actions with the regulators?
- Are they missing or do they have incomplete or inconsistent info on a regular basis?
Then, it is a case of being careful not to onboard – or continue to keep on board – any merchants who engage in that type of behaviour. In short, if you understand what the red flags are that regulators are looking for, you can keep yourself ahead of the regulations curve.
“At NMI, our focus is very much on helping to automate as many of these initial early warning indicators as possible. We want to help your risk analysts focus on the items that really require their true expertise and attention, after it has been initially flagged,” Cumming outlines.
“The enhanced due diligence process is manual and labour-intensive – there's no way around that. Our mission and our goal is to help automate the easier parts of that, to help your team and your experts focus where their attention is needed. Staying on top of both what the regulatory bodies and what the fraudsters are doing is a full-time job. So, I highly recommend (in addition to documenting your policy) going through those underwriting guidelines, to make sure you have something in place that will help you carry that load.”
Undoubtedly, it’s a complicated, multi-faceted and ever-shifting situation. But, by implementing these measures and remaining diligent, payment providers can successfully keep one step ahead of both regulations and fraudsters alike.
Check that you have understood risk guidelines that cover not just your risk underwriting and initial merchant onboarding decisions, but go all the way through to your risk and fraud monitoring teams. It's critical that everyone is working in lockstep, understands what your policies are, and is able to pivot.
“If you have trouble doing that, or any part of that, seek help from experts such as NMI,” Talbott adds.
“ETA also has its guidelines available for support. Seek all the resources that you can to get yourself comfortable, because the money you spend upfront – and the peace of mind that you will gain from that – are far better than the fines, penalties, and risks that you face down the road.”