Urban legends. They’re scary. And fun. And have just enough plausibility to make you wonder … are they true?
The Hook Man, slaughtering young lovers who haven’t taken sufficient cover. Pop rocks and soda, a deadly combo that felled a child actor (so much for “Life” cereal). Scary clowns with twisty balloons and even twistier minds. All things that go bump in the night.
Businesses have their share of fears and ghosts and goblins, usually involving lost sales and profits or trouble with the law. What better day to discuss the urban legends haunting the payments ecosystem than Halloween?
Beware. These urban legends have truth in them, enough so that companies must take heed before its too late (because, after all, death happens in urban legends with alarming regularity).
In a wide-ranging webinar with PYMNTS’ Karen Webster and Allison Guidette, CEO at G2 Web Services, the focus was on the dangers hidden beneath the veneer of seemingly well-vetted portfolios crafted by both acquirers and financial institutions.
Urban Legend Number One: That Sweet Dog? It’s A Rat — And A Trap!
For starters, hear the one about the sewer rat? No? This urban legend goes along these lines: Vacationing family sees cute abandoned dog, adopts said dog, brings dog home. Then, the house cats start to disappear without a trace. Then, the dog gets sick, and to the vet the dog goes … and, yeah, it’s not a dog. It’s a sewer rat. A relatively cute sewer rat, but a rodent nonetheless, and a vicious one.
There’s a real read across here for payments, as Guidette noted, stating: “In over 12 years of monitoring merchants, G2 has seen literally millions of cases of sewer rats” hidden within portfolios that, from the very beginning, are accumulating ill-gotten gains or eventually grow into bad actors.
Deception abounds, said Guidette, as “high-risk operations impersonate” or launder money through mundane businesses from “wedding dress suppliers to candy stores.” Those storefronts, virtual and otherwise, provide cover for those bad actors and wind up opening new accounts with unwitting banks.
Then, wrongdoers, said Guidette, are only sometimes outed by law enforcement or the press, to the dismay of business owners and banks.
To combat such fraud and unmask such malfeasance, said Guidette, a number of strategies can root out undesirable elements operating within a portfolio.
For starters, merchant category codes, or MCCs, can be a root case of letting the wrong elements into a portfolio. Misclassification under MCC, said Guidette, opens the door to the wrong elements. In one example, a gun dealer had purported to be a hardware store, though, obviously, the “hardware” was not the type most like to see on shelves. “They did also sell hardware, but they sold guns, which was a problem for the sponsoring bank,” said Guidette. In another example, a gambling site said it was a restaurant. Separately, a high interest rate lender claimed to be simply a business services provider. All in, these services and goods were not fully disclosed by the merchants — the very sin of omission that can get sponsoring institutions into trouble down the line, said Guidette, as they contribute to activities and sales that are, in fact, prohibited by card networks and are not allowed by sponsor banks or regulators.
Sometimes, she said, it can be an “honest mistake” in the underwriting process, as the applicant business’ website can be in a language that the underwriter doesn’t read or the application is taken at face value. Otherwise, she said, businesses can skirt the rules at the time of onboarding. Some MCCs are easier (for the less-than-legit business) to get approved than others. And in other cases, said business can latch onto growth over time and dip into illegal businesses later on.
Consistent validation is crucial, then, for acquirers when it comes to MCCs. Interestingly, added Guidette, those businesses correctly designated as high-risk MCCs, ranging from direct marketing to gambling to drug stores, tend to be “monitored much more closely by the bank and by others and, as a result, show fewer surprise violations than merchants that have more neutral classifications, by which I mean those MCCs that often [have classifications] that end in 99,” she said. That type of classification, she continued, should often be reviewed and should possibly be re-classified, more specifically, in the future. Merchants can then reduce risk by setting a better amount of reserves in place as necessary and can also set better discount rates depending on the risk profile tied to the businesses within their portfolios.
Another way for banks to identify sewer rats that might be scurrying about comes from reviews of historical data. Bad actors, usually, once found out, are terminated from other payments systems, an event that can be sussed out by looking at past events. “They don’t go to jail, but in continuing with this theme of Halloween, they reincarnate,” said Guidette. They go to another acquiring institution.
In one example, an application exists for a streaming movie service. Inherently risky, noted Guidette. The site looks reputable “and with nothing on it to warn you of fraud,” she said. “But historical data can reveal several red flags” through services like G2’s, which offer “merchant maps” and also “comfort scores” through finding out, for example, if relationships have been terminated by other acquirers in the past. In addition, taking advantage of information contained in consumer complaints can be a valuable early indicator of fraud, said Guidette, with the invaluable asset of finding out that some businesses have checkered histories.
Guidette also said that constant scanning of media, from worldwide data sources, trade publications and the like, can spot smoke before it turns into fire. “This can give you significant trends that are occurring and give you links to details,” she said. In one case, a merchant monitored by G2 had been linked to a drug cartel; in another, a merchant had been publicly accused of overbilling the United States government.
Urban Legend Number Two: “We’ve Traced The Call. It’s Coming From Inside The House.”
You know this one, no doubt, as it’s been the stuff of movie screams for quite awhile. Babysitter is in the house, gets a call to look in on the kids. Call after menacing call. Then, the kicker comes when the panicked sitter contacts the cops: “The call is coming from inside the house!”
For payments, the implication is clear: You need to monitor what goes on inside your own house. Especially when it comes to transaction laundering. Laundering, said Guidette, typically comes though an unlisted, perhaps illicit, account, which no one will onboard, and thus, firms engaged in laundering look to work behind the scenes, co-opting legitimate businesses at times.
Picture the candy store that is processing payments to a cannabis website, for example, said Guidette. The sites that are indeed “front sites” for the laundering can run the gamut of any number of industries.
But there are other conduits to laundering, such as an inactive site. How about a front site that lists ridiculously high prices for items — such as $500 a bottle for nail polish — that no one has intentions of selling or buying? Alarm bells should ring here, but then again, when the nail polish site is getting onboarded, the pricing is low enough to escape scrutiny.
The industry of choice when it comes to transaction laundering? Drugs. No longer confined to shadows and picking up pills and syringes from pushers, drugs have moved from the street to the internet. G2 has found that its percentage of transaction laundering cases confined to illegal drug buys online has gone from 13 percent two years ago to as much as nearly 60 percent in 2016.
In other examples, said Guidette, some actions, however innocent, must be corrected, such as when two merchants share terminals, a practice that is simply not allowed.
As for bitcoin, the cryptocurrency is no Holy Grail of security, Webster and Guidette agreed. After all, bitcoin has shown up on the “Dark Web” to facilitate transactions across all manner of illicit goods, from drugs to malware to credit card data. Simply put, there is no simple, “single silver bullet solution” when it comes to fighting transaction laundering, said Guidette, who noted that a “defense in depth” solution, across several layers within an organization, is the best way to combat laundering,
Urban Legend Number Three: Has Elvis Left The Building?
You saw Elvis at the supermarket. Someone else saw him pumping gas in Toledo. Maybe, he’s hiding out at a Waffle House.
Unlike Elvis (c’mon, we all wish he were here and wearing blue suede orthopedic shoes at 81 years old), Guidette said that merchants really do want the fraudsters to die — or, at least, incarcerated — and taken out of the payments system.
How can they keep coming back time and again and hiding within the payments system? The traditional payments ecosystem, said Guidette — through the linkage of cardholder, merchant, issuer and acquirer — is built for a brick-and-mortar world, where the technology-driven, online payments system of today is “way more complex.”
There are lots of places for bad actors to hide until companies and regulators catch up with them. Transactions can follow a lot of different paths, said Guidette, with multiple gateways and multiple acquirers. Simply put, bad guys don’t die easily.
One bad actor unmasked by G2 had four concurrent live sites selling spices, innocuously enough, yet were processing transactions for an opiate seller (whose products, perhaps in a tongue-in-cheek manner, were also termed “spice”) and also had four sleeper sites at the ready in case the others were disabled.
“They never lose their windows,” said Guidette of such enterprising fraudsters, “to their consumers and their ill-gotten gains.” And they are doing so by bypassing merchant account registration, said Guidette. An unnerving 25 percent of illicit actors brought down and brought offline return to their activities, undeterred.
As Webster noted, there’s a tradeoff at work: How do you keep the system moving along with minimal friction when getting a merchant account but, at the same time, safeguard the integrity of payments?
“The payments community needs to come together and help stop these rings and get them out of their portfolios,” agreed Guidette, and information is the best medicine — giving clients and merchants access to data that, in turn, can be triaged to make informed risk decisions.
Onboarding practices are among the first and strongest lines of defense, said Guidette, to avoid bringing the wrong people (and their businesses) into the portfolio. “You’ve got to be monitoring your brick-and-mortar clients to make sure that they are not adding eCommerce capabilities of which you are not aware,” cautioned Guidette. “You need to be working with service providers to make sure that they have accurate data on your portfolio … Salespeople can be trained to spot some potential risks of fraud … and validate that there have been no serious complaints lodged against the businesses” in the portfolio.
Scary stuff. But no need to panic if you face the demons head on.