New government regulations in Washington are slated to impact the regulatory environment within the payments industry. According to regulators, new standards would mean that independent sales organizations (ISOs) would be held liable for any fraud committed by merchants on their network.
To avoid unexpected losses (and potential regulatory fines), payments professionals are looking for new ways to detect and prevent fraud early and improve their underwriting and risk management processes.
In a recent webinar, Neil Perry, Managing Editor at BizClik, spoke with Darryl Cumming, Director of Product Management at NMI, and Scott Talbott, Senior Vice President of Government Affairs at the Electronic Transactions Association (ETA), about what payment specialists can do to protect their businesses and prepare for increased liability.
In this blog, we’ve highlighted a portion of their conversation that looks into how regulations in Washington, D.C., can affect the businesses of ISOs, merchants and other payments providers; the latest fraud detection opportunities and product developments; and the critical importance of fraud prevention across the industry.
Neil Perry: To begin, do you think most payment providers are genuinely prepared for the increased liability coming into the industry?
Scott Talbott: In short, the answer is yes, but I want to break my answer into two parts. The first is that on an everyday basis, payments companies are prepared to deal with the risks of regulatory overhang and increased liability from regulators. But what we’re talking about here is what regulators are really focusing on. The federal regulators in DC are focusing more on the payments industry, and that has created a regulatory overhang.
Companies have been working on these issues for a long time and are largely prepared. A lot of what we’re talking about is the underwriting and risk management of merchants, payments and processors; something payments companies do very well. However, companies are adjusting to this new regulatory overhang in different ways. They learn from case laws, settlements, consent orders, fines and penalties. It’s an ever-evolving landscape.
Darryl Cumming: I would say that some payments companies are fully prepared and are on top of these regulations. They’re performing their due diligence and they can prove it. It’s often very manual work, but they’re making investments to make sure they’re on top of things. They’re leading the industry and protecting their businesses. As a general consensus, many larger companies are prepared and ready to handle these changes.
There are a lot of up-and-comers in the industry, though, and we’re seeing more software companies transitioning into providing card processing services. A lot of these companies are very new to underwriting and ongoing risk review. While they might feel that they’re in a position where they’re secure, many of these novice companies don’t have the expertise or veteran staff to be fully prepared. They’re struggling with some of these new regulations and risks.
Perry: Why is it so important that we talk about this subject?
Cumming: I don’t think there’s a better time to be talking about this than the here and now. For example, just a few days ago, the FTC (Federal Trade Commission) published its latest data showing that consumer-reported losses were up to $8.8 billion in 2022. That’s a 30% increase from what we saw in 2021. Now, these are only consumer-reported numbers, so think of how much more is out there not being reported to these authorities. I think it’s imperative that we talk about this.
Talbott: I agree that this topic is always pertinent and timely. Fraudsters never sleep. If we build a 10-foot wall, they build an 11-foot ladder. Just as we work on developing new services to keep things moving forward in the payments space, we also spend the same amount of time fighting fraud. We can never rest because fraudsters never rest. We are charged with protecting the payments industry and making sure consumers around the globe have confidence in it.
Perry: What will these liability changes look like?
Talbott: In the past, if a merchant committed fraud, the payments industry could say, “Well, we did what we could. It’s part of our problem, but it’s not our fault.”
However, over the last couple of years, federal regulators have taken the stance that companies in the payments industry actually do have a role to play in preventing fraud. They have shifted the liability standard, and this is causing some challenges in regard to what payments companies know or should have known. Regulators argue that the payments companies should have seen the red flags and done something.
With that said, the liability changes we’re seeing are financial. There is an increased focus on collecting fines from payments companies on not just the amount of money they earned but on the total amount of fraud that was committed. For instance, when a payment processor onboards a merchant, they collect reserves in advance. Now, federal regulators are seizing those reserves, so payment processors are faced with losing revenue and losing their insurance policy in the form of reserves.
We’re also seeing regulators installing systems to monitor people on-site and to ensure payments companies are in compliance with these changes.
In addition to financial losses, you also have to think about reputational risk. Being accused of committing fraud has risk-averse general counsels running for cover. Reputational risk has broader implications than just a financial fine - you also have to consider legal and headline risks. All of those are on the table.
Perry: Where do you think payment providers are most vulnerable at the moment?
Cumming: One area where I see a lot of payment providers in a vulnerable situation is in regard to the automation of ongoing risk protection. It’s a critical vulnerability for merchant businesses and owners within your portfolio. Being able to automate as much of the ongoing risk review as possible is essential; it’s very time-consuming and manual work.
Another major vulnerability is a lack of auditing capabilities. Making sure that you can prove that you’re doing this enhanced due diligence and keeping track of the merchants and their ownership structures within your portfolio is essential. Having that documented for regulators is a critical piece of the puzzle.
The last thing I’ll add is that it really boils down to a numbers game. Fraudsters are always looking for new ways to stay ahead. I think it’s fair to say most payment providers are doing what they can to protect themselves and reduce these vulnerabilities, but there are still major gaps. Historically, it’s been such a labor-intensive, manual space.
Perry: We’ve talked a lot about challenges and fraudsters. Now, I’d like to discuss how people can navigate these regulatory changes and increased liability. What historic cases stand out to you, and what can everyone learn from them?
Talbott: I like to use the metaphor “tiles in a mosaic” or “trees in the forest.” You have to look at these cases and try to string them all together. We could go into each one, but let me summarize the lessons learned.
The first is what regulators are looking for. These are the red flags and the lessons learned - things that are wrong with the merchant application or behavior that doesn’t make sense. The thing regulators usually start with is if you have a high chargeback ratio. If you’ve got a high chargeback ratio, I’m talking 20%, regulators will see that as a red flag.
Then, do you have a lot of requests for refunds? Do you have complaints being filed by state and local governments against the merchant? Do you have lawsuits being filed against the merchant? Are they spreading sales over multiple accounts to hide themselves and the fraud they’re trying to commit?
When you put all of these things together - that’s what regulators are looking for.
Perry: If you understand these red flags, you almost have to think like the regulator and imagine what they’re looking for. Is that the best way for people to go about this?
Talbott: Absolutely. Thinking like the regulators is important, but also thinking like the criminals. What are they going to do?
As you put more focus on one particular area, thieves will morph into another. You need to take steps, and NMI can help you do that, to implement systems both in onboarding and ongoing monitoring to look for those risks. Companies can do several things to protect themselves, but knowing how regulators think is certainly a big part of it.
Cumming: At Agreement Express and NMI, our focus is on helping to automate as many of these initial early warning indicators as possible. We want to help your risk analysts focus on the items that require their true expertise and attention. A lot of the initial work is staying on top of your portfolio; that’s even called out explicitly in ETA’s own risk underwriting guidelines, which I highly recommend to anyone in the risk underwriting & fraud prevention spaces.
The enhanced due diligence process is manual and labor intensive. There’s no way around that. Our mission (and goal) is to help automate significant amounts of the process, so your team of experts can focus their attention where they’re most needed - the critical decisions that truly require their expertise.
As we’ve learned throughout this webinar, staying on top of what the regulatory bodies are doing and what fraudsters are doing is a full-time job. It’s a difficult thing to stay caught up with. So, I highly recommend, in addition to documenting your policy, going through those underwriting guidelines and making sure you have something in place to help you carry that load.