Why Merchants’ Biggest Fraud Problem Isn’t The Payments Consumers Make

It’s becoming ever more critical for fraud management and mitigation to be part of emerging technologies such as virtual cards, digital issuing, and buy now, pay later (BNPL) offerings.

And it’s not all about technology — there’s room for humans in the fraud prevention efforts as well, Nathan Wu-Falkenborg, vice president, global strategy and analytics at i2c, told PYMNTS.


He said that the “astonishing amount of pandemic ‘benefits fraud’ ” has highlighted the opportunities for organized criminals to invest more in their chosen activity — namely, taking money from unwitting victims.

The “organized” part of organized crime is apparent in the rise of online marketplaces that let criminals buy files on their victims — with card data included — that allows the bad actors to open financial accounts.

The vulnerabilities — well, they may not be where you think they might lie.

“I don’t really see that criminals are actually compromising the new payment options and solutions that people want and love,” said Wu-Falkenborg. Transaction fraud rates with digital wallets such as Apple Pay and others are, in fact, negligible.

The criminals are attacking us through other conduits, other technologies, at other points of entry. First, they find ways to compromise identity, and then they use payments services to commit fraud under the guise of legitimate transactions.

Companies focused on mitigating fraud, he said, should concentrate on two areas: identity at origination and identity authentication done at the time of the payment transaction.

As he noted, “They’re both related to identity, but when you think about identity [authentication] in transactions, you’re collaborating with the customer and … other stakeholders to confirm the veracity of a transaction.” He pointed to 3DS as an example here, where merchants provide information, the cardholders are engaged and issuers can make risk-based decisions about transactions based on the information being provided by all parties.

Identity verification at account origination must move beyond the traditional methods of know your customer (KYC), he said — which, while compliant with cardholder information programs, are simply not as sufficient as they once were.

“The financial institutions that are using the same old ways of verifying identity … in a new world of digital acquisition and instant provisioning” are vulnerable to attacks, and better verification methods are critical, he said.

The digital age, said Wu-Falkenborg, is proving that the fraud coming through financial services, commerce and other channels is a result of not having a personal relationship with the end customer. Online document verification is expensive but effective. Biometrics help, too.

“Behavioral biometrics can be used to differentiate the patterns of criminals from good applicants,” he said, “and it’s an area that will grow.” The method of making a telephone call to make sure that an applicant is actually intending to open an account is still effective (though, he noted, a bit tongue in cheek, a phone call from a bank in 2021 seems so … yesteryear).

See also: i2c’s McCarthy: Regulations Can Tame Wild West of Financial Services Reliability

Issuers, he said, should adopt configurable fraud rules, which enables them to change their risk management strategy in real time, multiple times a day as needed.

“We are reacting to threats in real time,” with those flexible rules, he said, as issuers are able to configure deeply layered sophisticated rules in combination with scheme rules and third-party scoring systems. With those real-time data available, he said, financial institutions (FIs) can alert, decline, block transactions and even de-link user IDs.

Room for the Human Touch  

But, he noted, humans play a critical role amid all the advanced technologies.

“We really need technology and smart people to effectively manage fraud risk, and balance that customer experience. The machine can’t do it on its own,” he said. He noted that i2c has been making significant investments in risk management technology — and the staff needed to supplement that technology.

“You have got to have the automation, you’ve got to have the technology, but you need the people to make these common sense decisions,” he cautioned. Companies that maintain a human touch and are proactive with their customers should use two-way channels of communication such as transaction verification SMS or push notifications. These capabilities can cement the trust of their users.

“Why wouldn’t you do that? The customers don’t mind,” he said.

You may also like: i2c Expands Visa Partnership For BNPL At POS