In the payments world, cash payments are almost universally being replaced by online payments. Businesses, Payment Service Providers (PSPs), financial institutions and other players in the digital payments space are all too aware of the constantly hovering shadow of online payment risk management.
Risk management is primarily concerned with the analysis, management and reduction of risk in online payments, from both a regulatory and an operational perspective. In every payments ecosystem, risk management measures are designed and implemented to identify, understand, control and mitigate those risks when they occur.
With digital payments now an accepted way of life, organizations need to understand how to mitigate risks while processing digital payments, particularly now with the added complexity of new fintech players in this already complex terrain.
Payment risk refers to the potential of losses due to a contract default or other payment event such as fraud, security breaches or chargebacks. Companies regularly handling a high volume of online payments are subject to such risks.
The implementation of payment risk management strategies must be carefully balanced to avoid damaging a company's reputation. For example, it's important to correctly assess whether a transaction is actually legitimate, or an act of fraud. An incorrect evaluation either way can cause inconvenience, financial loss and major upheaval in the payment process.
Anyone in payment services knows that detecting suspicious activity and protecting the financial system from the likelihood of criminal misuse is an ongoing process.
In this blog, we'll cover in more detail the ways in which businesses and other institutions in the digital payments and online payments space can mitigate the risks to consumers, as well as their own companies.
When comparing risk appetite with risk tolerance, risk appetite describes the overall level of risk that an organization deems acceptable, whereas risk tolerance describes the acceptable level of variation around that appetite and its risk objectives.
Within risk appetite parameters a business will not accept risks that could potentially result in a significant loss of its revenue base.
With risk tolerance, a business may, for example, decide not to accept risks that would cause revenue from its top 10 customers to diminish by more than 10%.
In the payments ecosystem, the risk landscape is wide and varied, and risk can arise across many digital channels, as every online business is aware. The three key areas are:
Fraud
Chargebacks
Card data security
Every business faces the risk of heavy financial loss due to wrongful or criminal activity, enacted either on their company or their customers. Now that real time payments and faster payments are being accepted globally, more sophisticated ways to carry out scams are emerging.
Additionally, with the increased competition from other market participants and non-traditional payment providers, fraudulent activity in all its forms is no longer confined to a single payment channel.
The risks of fraudulent activity are growing, and as payment channels become more complex and interconnected, every business has to work harder to manage them. Fraud risks occur in three main areas, where cyber-criminals steal either personal property, money, or sensitive information.
Identity Theft – According to recent data, approximately one-third of US citizens have been victims of identity theft at some point in their lives. This is more than double the global average. Identity theft usually means online criminals steal personal information and banking details, and use the information to make purchases.
Friendly Fraud – Also known as chargeback fraud, this refers to a customer making a purchase with a credit or debit card and then disputing the charge with their bank, even when they have no legitimate reason to do so.
Clean Fraud – This is one of the most challenging types of fraud facing an eCommerce business today, because it is one of the most difficult to detect. It refers to a criminal using stolen payment information to make a card purchase that passes through a company's payment protocols and fraud detection systems without being flagged.
A chargeback is sometimes referred to as a payment dispute, and is a reversal of funds by a business after a customer disputes a card transaction with their bank. The FCBA (Fair Credit Billing Act) of 1974 introduced chargebacks as a consumer-protection guarantee against fraudulent charges.
When a customer files a dispute with their card issuer, funds from a transaction or transactions are withheld until the issue is resolved. Chargebacks differ from straight refunds, in that rather than contacting the business for a refund, the customer asks the bank to repay money from the business’s account. After investigating the issue, if the bank feels the cardholder’s request is valid, the merchant must pay the funds back to the client. Chargebacks can incur high costs, and can severely damage the reputation of a business.
Cyber-criminal activity is becoming more sophisticated and protecting the security of personal data is one of the fastest growing risks in the payments business. One of the more vulnerable areas is card financial data that has been collected during the acceptance of card payments.
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard adopted by banks and card schemes to raise the level of security applied to this type of data. It addresses data leak prevention (DLP) and the exposure of credit card details and other sensitive information to the wrong parties, and it governs how credit card databases may be stored.
Malicious attacks against governments, companies, and business customers are increasing. In the 2021 Association of Financial Professionals Payments Fraud and Control Report, sixty-six percent of businesses said their companies experienced fraudulent check activity.
Below: A breakdown of the different types of payment methods experiencing fraud.
The payment market is currently flooded with payment options. Cash transactions are quickly being replaced by cards and contactless systems, mobile wallets and QR-based payment systems.
The future of the payment card industry is likely to be shaped by even faster developing technologies such as the rise of blockchain and artificial intelligence. These developments bring even more risk to the payment table, and will also impact management, marketing and financial planning. Risk management professionals will need to focus on strategies to plan for both short and long-term changes in the industry.
Implementing robust risk management involves proactively assessing threats and planning mitigation measures to minimize risk impact on a business. This can be done by taking the following steps:
It should be part of the risk management process for any business to keep employees up to date with regular training, so that they can readily identify suspicious behavior across all payment technologies. For example, training sessions should teach employees to refuse damaged cards from customers, to confirm the identity of customers, and never to key in card numbers manually.
Unusually large purchases could potentially signify fraudulent activity. A business should scrutinize such transactions closely to determine and confirm the identity of the customer. Another example of unusual activity is a succession of purchases made with one card in a short time period, possibly indicating that someone other than the cardholder has access to the card.
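The two signals described above (an unusually large single purchase, and a burst of purchases on one card in a short window) can be expressed as simple rules run over a transaction feed. The following is an added example written for this article, not IR's code; the transactions, thresholds and window are constructed values, and a real deployment would tune them per merchant and route flags to a review queue rather than auto-declining.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real data): transaction id, card token, timestamp, amount.
SAMPLE_TXNS = [
    {"id": "t1", "card": "tok_A", "ts": "2024-03-01T10:00:00", "amount": 42.50},
    {"id": "t2", "card": "tok_A", "ts": "2024-03-01T10:01:10", "amount": 39.99},
    {"id": "t3", "card": "tok_A", "ts": "2024-03-01T10:02:05", "amount": 55.00},
    {"id": "t4", "card": "tok_A", "ts": "2024-03-01T10:03:30", "amount": 61.25},
    {"id": "t5", "card": "tok_B", "ts": "2024-03-01T11:15:00", "amount": 2999.00},
    {"id": "t6", "card": "tok_C", "ts": "2024-03-01T12:00:00", "amount": 18.00},
]


def flag_unusual(txns, amount_limit=1000.0, window=timedelta(minutes=5), max_in_window=3):
    """Return {txn_id: [reasons]} for transactions that trip either rule.

    Rule 1: a single purchase above amount_limit (unusually large).
    Rule 2: the card has more than max_in_window purchases inside the sliding
            window that ends at this transaction (rapid succession on one card).
    Thresholds here are assumed values for the example, not recommendations.
    """
    flagged = defaultdict(list)
    history = defaultdict(list)  # card token -> timestamps seen so far, oldest first
    for t in sorted(txns, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(t["ts"])
        if t["amount"] > amount_limit:
            flagged[t["id"]].append(f"amount {t['amount']:.2f} exceeds {amount_limit:.2f}")
        seen = history[t["card"]]
        seen.append(ts)
        # Evict timestamps that have aged out of the window before counting.
        while seen and ts - seen[0] > window:
            seen.pop(0)
        if len(seen) > max_in_window:
            flagged[t["id"]].append(f"{len(seen)} purchases on one card within {window}")
    return dict(flagged)


if __name__ == "__main__":
    for txn_id, reasons in flag_unusual(SAMPLE_TXNS).items():
        print(txn_id, "->", "; ".join(reasons))
```

With the sample feed, t4 is flagged for velocity (fourth purchase on tok_A within five minutes) and t5 for amount; the legitimate-looking purchases on tok_A that precede t4 are left alone.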
Another way of mitigating payment risks is for a business to add an additional layer of protection in the form of two-factor authentication, also commonly referred to as 2FA. This helps ensure that those with online accounts are who they claim to be.
Customers are required to enter their username and a password, but instead of immediate access, they need to provide another piece of information to confirm their identity. It could be either:
Something you know, like a secret question, PIN or password
Something you have, such as a credit card, smartphone or token
Something you are, including biometric fingerprint, iris scan or voice identification.
Tokenization was created to secure customers' sensitive data by replacing it with an algorithmically generated number, referred to as a token. A customer's primary account number (PAN) is replaced with a series of randomly generated digits, and this token can be passed securely over the internet or wireless networks to process payments without exposing the actual bank details.
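To make the PAN-to-token substitution concrete, here is a minimal token vault, added as an example for this article and not IR's or any vendor's product code. It assumes a single in-process vault (a real one is a separately secured service), keeps the last four digits for receipt display only, validates the PAN's Luhn check digit before tokenizing, and uses the well-known test number 4111111111111111 rather than any real card.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject mistyped or malformed PANs before they reach the vault (Luhn check digit)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault: the only place the PAN exists. Everything downstream sees the token.

    Tokens are random digits with no mathematical relationship to the PAN, so a
    leaked token database cannot be reversed without the vault's mapping.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        if pan in self._pan_to_token:        # same card always maps to the same token
            return self._pan_to_token[pan]
        while True:
            # 12 random digits + last four of the PAN (kept so receipts can show "**** 1111").
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            if token not in self._token_to_pan and token != pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment processor step that needs the real PAN calls this."""
        return self._token_to_pan[token]


def masked(token: str) -> str:
    """What a receipt or dashboard shows: never the PAN, only the retained last four."""
    return "**** **** **** " + token[-4:]
```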
It goes without saying that security within a payments infrastructure is paramount, otherwise all your payments could be at risk.
Proper risk management within the financial market empowers businesses, banks, financial institutions and PSPs with the necessary tools to identify and mitigate potential risks.
As card transaction volumes and online payments continue to grow, banks, FIs, other financial services organizations and merchants need actionable insights to help make informed business decisions and deliver a seamless, secure purchasing experience.
The IR Transact suite of payment solutions enables real-time access to information on all transactions, turning data into intelligence and allowing you to capture value and data analytics opportunities within complex environments.
IR Transact enables you to monitor card performance across all banking channels, look out for unusual transaction activity, and through analyzing data, gain a deeper understanding of customer behavior and channel profitability.
Payments analytics tools are vital to grow and protect business within every sector of the payments space. IR's solutions can help strengthen any business by providing in-depth payment analytics, insightful reports and clear visibility of your entire payments ecosystem.