Understanding risk, particularly its sources and how to most effectively manage it, is one of the most fundamentally important topics in payments for those who provide services and those who use them. It is also, according to WePay Co-Founder Rich Aberman and WePay VP of Product Risk, Compliance and Experience John Canfield, one of the most difficult topics to really get a handle on. Joining PYMNTS' Karen Webster for this week’s edition of the Unscripted Podcast, the pair agreed that in the digital age, risk management is such a complex, interconnected and vast topic that payments service providers in some sense need to write an entirely new rule book when to comes to capturing the emerging art of risk management.
“On one level, risk itself has not fundamentally changed in the last few decades,” Aberman explained. “As a merchant service provider you need to verify if the merchant is who they say they are, are they in your acceptable use category, can you support their merchant codes, will they deliver as advertised and do you understand your credit risk exposure. Same as always.”
What has changed extremely rapidly over the last two decades, on the other hand, is the entire digital context in which commerce is unfolding.
Merchant service providers have the same vetting to do as always, but merchants in the modern environment don’t expect a lengthy application and vetting process. They expect a one-page application and to be able to turn on processing capacity like a light switch.
At the same time, Aberman said, merchant services has evolved into a longer-tailed tool.
“We are opening the floodgates to tiny merchants while having less data and time to make a decision. That precipitates the need to have new ways of look at risk management.”
The Expanded World Of Risks
The new world of risk management, Canfield noted, is one one with a wholly new breadth and depth of threats to defend against. There’s payor fraud, the bane of merchants, but also emerging areas like collusion fraud where a fraudster will take advantage of easy onboarding processes to set up a series of shell businesses purely for the purposes of monetizing stolen credit data.
Layered on that, there are issues like reputation risk that get rolled in — when merchants on a platform aren’t fraudulent, but are failing to live up to user experience expectations. And, Aberman noted, overhanging all of that is the risk of account takeover — and risk of a compromised merchant’s login also compromising their data and settlement banking information.
“There is a lot more technical sophistication behind the risks merchant services providers are facing today than they have in the past,” Aberman said.
Which, Canfield notes, requires a different and more integrated risk management perspective going forward. In the past, he noted, firms have had a very hard split between underwriting and risk management, where underwriting would evaluate the credit risk, compliance and know-your-customer (KYC) data to approve a merchant — at which time that merchant would be handed off into the risk management silo.
“To enable a modern onboarding experience, you can’t have that traditional model because you need to be able to continuously evaluate risk,” Canfield explained.
Progressive Onboarding And The Bigger Data Picture
The assumption in the traditional risk model, and what makes it out of date with the time, is an idea that risk is something that can be mostly controlled for in the underwriting process, and that fraud thereafter is something gone wrong after the fact.
That’s not an assumption that one can make in a world of short applications and instant onboarding — particularly of micro-merchants with very little sales data behind them to evaluate. A better model — what Canfield and Aberman refer to as a progressive onboarding model — is one that treats risk management as an ongoing process that starts with the application and continues over the transactional life of the business.
And that model, Canfield said, looks at transactional information, but also at other contextual information about devices and about volume on the platform where the merchants is transacting.
“In essence, one is looking for a single data model that can collect all of this contextual information alongside the payment data so it can progressively evaluate and make improved risk decisions,” Canfield said. “So when a merchant's first transaction comes in, we look at the device information, the invoice data and all the other contextual data we have and say, yes we are good with this transaction. We aren’t deciding, are we good with this merchant forever on every transaction — we’re deciding are we good for this first $500 invoice.”
Capturing The Power Of Context
The ways in which various data sets can be used in context against risk are varied, Canfield said. On a crowdfunding platform, for example, they can get a pretty good idea from the pace, amount and pattern of donations coming in whether they are seeing a legitimate effort, or a fraudster using a shell sight for collusion fraud.
With invoices that come with a massive amount of data included, they can spot all kinds of patterns from what is, and isn’t filled out on the invoice.
“We’ve detected whole fraud schemes based on indicative words that have come in on invoices,” Canfield said, Going forward, he noted, the critical ability for payments services providers — particularly those working to extend that long tail of merchant services to a wider variety of businesses — will be the ability to both collect a diversity of data and find ways to automate the insights gleaned from it.
That, both Aberman and Canfield said, will amount to a technological hurdle to clear, because fraud patterns that are spottable for human eyes can often be hard to turn into data that a machine-learning algorithm can work with. Right now, Aberman noted, there is a hand-off in progress between rules-based risk management systems to machine learning powered systems.
The challenge, he said, is to find ways to quickly turn those signals into variables that can be plugged into machine learning models. And that’s not a small challenge, he noted, because a lot of that data is hard to cash out that way — and the streams of data themselves are getting ever more complex and diverse.
But challenging though it will certainly be, ultimately Aberman believes that it will be a bar that all payment service providers are going to have to clear to really cover risk management and stay in business.
“Distribution channels are evolving and the breadth and occasions for risk are increasing. And that situation mandates an evolution in risk management,” he said. “There are players that will make that evolution and survive — and players who won’t.”