Over the past few weeks, we have been focusing heavily on how to identify fraud and how fraud has changed over the years. Those topics, while forming the cornerstone of all risk mitigation efforts, only deal with the first half of the equation: identifying the problem. There is a second, equally important part, i.e. what to do once a problem has been identified. The methods discussed today are not a cookie-cutter approach, in that not all efforts will be applicable to all businesses. However, the principles and thought processes can be applied to all businesses.
Last week, we discussed the two most common risk mitigation strategies available for payment facilitators and marketplaces. This week, we will be discussing the risk mitigation strategies available to merchants.
As with last week, there are 4 vital considerations that must be taken into account when devising a risk mitigation plan. Each method is assessed against these four considerations to show the thought process that should be adopted when deciding on a risk mitigation strategy. The 4 considerations are:
1) Effectiveness - How much of the identified risk will be mitigated as a result of the strategy?
2) Cost - How many good customers will be affected by the strategy?
3) Impact - What will the impact of the strategy be to your customers?
4) Reversibility - If something did go wrong, how easy would it be to reverse the decision?
With those considerations in mind, let us explore the 5 methods that can be used to mitigate risk.
Transaction Blocks is a reactive risk mitigation strategy that relies on the risk management team’s quick action to identify common links in all suspicious or fraudulent transactions. The strategy starts from the merchant having been attacked by fraudsters. The merchant must then be able to find common links between the fraudulent transactions, for example: are the cards issued by the same bank? These common links can range from the issuing bank to the time of the transaction to the email provider, and can often take a risk team a few hours to identify. Once the common links have been identified, the merchant needs to build a rule to block these transactions. This is made considerably easier by the use of a risk engine, as most simplify the rule building process. Regardless of the method, the rule should be able to identify all transactions that fall within the defined parameters and block them, meaning the customer will be informed that the payment attempt has failed and the order has not gone through.
The shortcoming of this risk mitigation strategy is that it relies entirely on the merchant being hit by fraudsters, recognizing the attack and creating a rule to stop the attack from recurring. This means that if the merchant did not recognize the attack, if the rule was not built effectively enough, or if the fraudsters changed even 1 of the elements used to build the rule, the transaction would not be blocked.
1) Effectiveness - This risk mitigation strategy is only as effective as the risk team behind it. Automating this process, while possible, poses significant challenges, such as employing complex machine learning and artificial intelligence, which could make the solution more costly than the fraud it prevents. Even without automation, this process requires high technical ability and a risk engine. Even when all requirements are met, this strategy can only limit a recurrence of fraud and not proactively eliminate it entirely.
2) Cost - Once again, the opportunity cost of this mitigation strategy boils down to the accuracy of the risk team in identifying the common links of fraudulent transactions. For example, a risk team identifies that most of the fraudulent activity involves credit cards from Germany. The rule put in place would block all activity from German cards. In doing so, the merchant has stopped all good German customers from placing orders. Not only does this make completing the transaction more difficult for the customer, but it also results in the merchant losing potential customers. If the risk team identifies more common links, the number of good customers impacted should be reduced.
3) Impact - The key benefit of this strategy is that it impacts customers that are following in the trend of fraudulent transactions. Provided the identification process was done properly, this means that the impact would only be felt by customers with bad intentions, delivering an accurate and concise risk mitigation strategy.
4) Reversibility - Transaction blocks are not reversible, as they require the customer to initiate the transaction. However, most risk engines allow merchants to ‘whitelist’ customers based on a criterion, for example email address. This means that the transaction would be approved regardless of any existing rules, provided the merchant has whitelisted the customer. Granted, this would require a customer to attempt a payment, get rejected, contact the merchant, satisfy the merchant that the customer is not a bad actor and then reattempt the transaction.
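The trade-off between a broad and a narrow block rule can be measured before the rule goes live by replaying it over labelled history. The sketch below is an added example, not code from any particular risk engine; the field names, the sample rows and the `evaluate`/`decide` helpers are all constructed for illustration.

```python
# Constructed sample history, labelled after the fact (not real data).
FIELDS = ("country", "issuer", "email_domain", "email", "fraud")
ROWS = [
    ("DE", "Bank A", "freemail.example", "a1@freemail.example", True),
    ("DE", "Bank A", "freemail.example", "a2@freemail.example", True),
    ("DE", "Bank A", "freemail.example", "a3@freemail.example", True),
    ("DE", "Bank B", "freemail.example", "a4@freemail.example", True),  # one element changed
    ("DE", "Bank A", "corp.example", "g1@corp.example", False),
    ("DE", "Bank C", "freemail.example", "g2@freemail.example", False),
    ("DE", "Bank C", "corp.example", "g3@corp.example", False),
    ("DE", "Bank A", "freemail.example", "g4@freemail.example", False),
    ("FR", "Bank D", "corp.example", "g5@corp.example", False),
    ("CA", "Bank E", "corp.example", "g6@corp.example", False),
]
HISTORY = [dict(zip(FIELDS, r)) for r in ROWS]

BROAD = {"country": "DE"}  # the "block all German cards" rule
NARROW = {"country": "DE", "issuer": "Bank A", "email_domain": "freemail.example"}

def matches(rule, txn):
    """A rule is a set of common links; every field must match to block."""
    return all(txn[field] == value for field, value in rule.items())

def evaluate(rule, history):
    """Effectiveness = fraud the rule would block; cost = good customers blocked."""
    fraud = [t for t in history if t["fraud"]]
    good = [t for t in history if not t["fraud"]]
    return {
        "fraud_blocked": sum(matches(rule, t) for t in fraud),
        "fraud_total": len(fraud),
        "good_blocked": sum(matches(rule, t) for t in good),
        "good_total": len(good),
    }

def decide(txn, rules, whitelist=frozenset()):
    """Whitelisted customers are approved regardless of any existing rule."""
    if txn["email"] in whitelist:
        return "approve"
    return "block" if any(matches(r, txn) for r in rules) else "approve"

if __name__ == "__main__":
    for name, rule in (("broad", BROAD), ("narrow", NARROW)):
        print(name, evaluate(rule, HISTORY))
```

On this sample the broad rule stops every fraudulent payment but also four of six good customers, while the narrow rule affects one good customer and misses the payment where the issuer was changed.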
Limits are not new to payments processing. Most e-wallets have limits in place for activity, such as how much money one can spend until the KYC process has been completed. However, limits as a risk mitigation strategy are a fairly new concept and could prove to be a solution that offers the best protection whilst minimizing the impact on good customers. A limit is, as the name suggests, a threshold that cannot be passed. It can be used as a risk mitigation strategy with the following pre-requisites: the merchant must have a risk engine, and there must be a minimum of 3 months' worth of the merchant’s actual processing data available. If these two pre-requisites are met, a merchant can review their historical processing data to determine the average number of transactions based on almost any criteria they want and use that information to set up a limit.
For example, a merchant reviews 6 months' worth of data and finds that there were only 50 payments where a Canadian credit card was used. The merchant could use that information to set a limit so that in any given month, the first 50 instances of a Canadian credit card being used would be permitted but the 51st attempt onwards would be blocked. This would ensure that the merchant is protected from any unusual surges in the usage of Canadian cards. The same principle could be applied to any given parameter, from credit card location to IP address to time of the transaction to the sales price. This strategy relies on the same principles discussed under the header ‘deviations from the norm’ in an earlier article, i.e. a behaviour change that contradicts the established pattern could be a signal that customers have begun acting with bad intent. Limits can also be adjusted to reflect current patterns, so if our merchant finds that more Canadian customers are attempting to buy products from him, the limit can be adjusted upwards to enable the merchant to maximise his income.
However, this would require a risk engine that is capable of feeding this information to the merchant and a merchant who has the technical ability to create effective limits.
1) Effectiveness - This risk mitigation strategy can be very effective in protecting against attacks using cards stolen en masse. However, this strategy will not be effective in preventing normal, single occurrence fraudulent transactions. Yet to minimize the impact of scaled attacks that cause the most loss to merchants, this strategy can be one of the most effective around.
2) Cost - The number of good customers affected by this strategy should be very low as limits only come into effect when there are spikes in the usual activity. However, in instances where there is an attack, all good customers after the attack will be affected by the limit. Therefore, it is critical for the risk management professional to identify as many common links between fraudulent activity as possible and to create the limit in accordance with those links.
3) Impact - Once again, the impact of this strategy should be minimal as it is only triggered once something goes wrong. Therefore, in a majority of circumstances, this strategy should have no impact on the overall customer experience.
4) Reversibility - Similarly to transaction blocks, limits are not reversible. However, as we discussed, the merchant can just ‘whitelist’ a customer, allowing the transaction to be approved regardless of the limit. The level of difficulty felt by the customer here would be exactly the same as with the transaction block, i.e. they would be unable to complete the purchase until they have been whitelisted.
These mitigation strategies, like all mitigation strategies, require accurate data analysis and calculations of exposure. Each organization has to define its own risk appetite and, based on that, an effective solution can be developed. Dicorm specializes in helping companies develop the framework to decide on their risk appetite and then their risk mitigation strategy. With a host of contacts in the payments world, we can help you choose the right strategy to meet your targets. Contact us now to learn more.
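The Canadian-card limit described above can be expressed as a per-month counter with a whitelist override. This is an added sketch, not code from any particular risk engine; the `MonthlyLimit` class, the field names and the sample transactions are constructed, and it assumes whitelisted payments bypass the limit without consuming it.

```python
from collections import defaultdict
from datetime import date

class MonthlyLimit:
    """Approve the first N matching payments per calendar month, block the rest."""

    def __init__(self, field, value, max_per_month, whitelist=()):
        self.field, self.value = field, value
        self.max_per_month = max_per_month   # can be raised as real demand grows
        self.whitelist = set(whitelist)
        self.used = defaultdict(int)         # (year, month) -> approved count

    def decide(self, txn):
        if txn[self.field] != self.value:
            return "approve"                 # limit does not apply to this payment
        if txn["email"] in self.whitelist:
            return "approve"                 # assumption: bypasses and does not consume the limit
        period = (txn["date"].year, txn["date"].month)
        if self.used[period] >= self.max_per_month:
            return "block"                   # 51st attempt onwards in the article's example
        self.used[period] += 1
        return "approve"

def txn(country, email, day):
    # Constructed sample transaction (not real data).
    return {"card_country": country, "email": email, "date": day}

def simulate():
    limit = MonthlyLimit("card_country", "CA", 50, whitelist={"known@shop.example"})
    march, april = date(2024, 3, 10), date(2024, 4, 1)
    surge = [limit.decide(txn("CA", f"c{i}@mail.example", march)) for i in range(60)]
    result = {
        "march_approved": surge.count("approve"),
        "march_blocked": surge.count("block"),
        "whitelisted": limit.decide(txn("CA", "known@shop.example", march)),
        "other_country": limit.decide(txn("FR", "x@mail.example", march)),
        "next_month": limit.decide(txn("CA", "d@mail.example", april)),
    }
    limit.max_per_month = 70                 # merchant adjusts the limit upwards
    later = [limit.decide(txn("CA", f"e{i}@mail.example", march)) for i in range(25)]
    result["after_raise_approved"] = later.count("approve")
    return result

if __name__ == "__main__":
    print(simulate())
```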