
Draft 4 - Types of Merchant Fraud For PAs

Merchant fraud poses challenges for payment aggregators (PAs) in India as digital payments increase. There are several forms of merchant fraud including identity theft, fake business operations, bust-out fraud, transaction laundering, and exploiting payments chains. To tackle merchant fraud, PAs must conduct thorough merchant due diligence including Know Your Customer checks, transaction monitoring, and ensuring businesses are legitimate. New technologies like artificial intelligence can help PAs more effectively detect fraud across a merchant's entire portfolio in a holistic way.

Draft 4 (for CF’s Blog) - Types of merchant fraud for PAs and measures to tackle it

Developments in payments technology and fraud have tended to go hand-in-hand in the
past. Payments giant PayPal, which arguably popularised money on the internet, was
reportedly losing more than $1.6 Million every month on fraudulent transactions during
its early days. PayPal has since resolved those fraud issues, but a similar situation is arising
today, with new avenues for fraud opening up with India’s push for digital payments and the
pandemic-induced acceleration of digitisation. The Reserve Bank of India (‘RBI’) reports an
increase in both volume (28%) and value (159%) in reported financial fraud since last year.

Increasing payment fraud even prompted a recent regulatory advisory for industry
initiatives promoting user awareness. Tackling merchant-based payment fraud, however,
requires diligence at other levels as well. Acquirers like banks or payment aggregators
(‘PAs’) bear the risk and responsibility here, being (often) the first to on-board merchants
into the (digital) financial system. This post discusses the nature of the merchant fraud PAs
face and how it can be addressed.

Merchant fraud vs. transaction fraud


Payments fraud can take the form of ‘transaction fraud’, usually at the end-user level,
consisting of unauthorised transactions, false refunds/chargebacks, etc. This often relies on
financial data extracted via phishing, hacking databases, malware/screen-sharing apps,
pagejacking to redirect legitimate traffic, etc. Remedies thus entail, say, security measures at
the end-user level (mandatory AFA, payer authentication via 3-D Secure, tokenisation, SMS
alerts, etc.) or merchant measures (cybersecurity checks, monitoring suspicious customer
activity like multiple orders by the same person using different cards, alerts for scams like
counterfeit product sale, etc.).

Merchant fraud does involve transaction fraud, but can be differentiated by its source. It
often revolves around the merchant’s identity, and resolution methods thus turn from user-level
diligence and security measures to merchant-level monitoring and identity checks.
Broadly, merchant fraud may be intended to dupe individuals (fraudulent
transactions) or the authorities (money laundering, tax evasion, terrorist financing). The
former is challenging given that multiple users can be defrauded simultaneously (unlike general
transaction fraud, which can be a single fraudulent transaction). Mandatory KYC, pre- and
post-on-boarding merchant due diligence and transaction monitoring come together to tackle
this fraud.

Forms of merchant fraud and the checks necessitated


i) Forged KYC documents and identity theft

Forged KYC documents allow fraud like identity theft, which involves assuming a legitimate
business’s identity by forging its key documents. Alternatively, the fraudster can create a
new identity altogether, or claim authorisations, etc., that he doesn’t actually have.
Document authenticity checks, signature matching, beneficial owner checks, etc., done via
API-based verification, eKYC/digital signature mechanisms, etc., are thus key here. Live
photographs, geotagging and the encouragement of AI and face-matching technology in the RBI’s
digital and video KYC processes also aim at an effective digital equivalent of the original
in-person KYC checks.

ii) Faking business operations

This may be an inoperative business posing as operative, say for AML/CFT activities, adopting
a seemingly legitimate front to carry out illegitimate activities on the side, or attempting to
circumvent restrictions on serviceable businesses. PAs, for example, adhere to bank-defined
lists of prohibited (e.g. drugs, hacking, tobacco) and high-risk (e.g. pharmaceuticals, matrimony,
job portals, travel agencies) businesses. Businesses from identified ‘high-risk’ jurisdictions also
cannot be serviced. The fraud here allows a lower risk profile during on-boarding, and
thereby the ability to operate.

Actual site visits, examining balance sheets, credit history, etc., thus help. Domain name
purchase dates, social media activity and customer reviews can also reveal
product legitimacy, possible shell companies, etc. The checks need to be ongoing: for example,
merchant website content monitoring, checking product listings, etc., help track changes to
the front demonstrated during on-boarding. This also includes periodic updates of merchant
risk categorisation and KYC.

iii) Bust-out fraud


Fake business operations can also be aimed at bust-out fraud. This involves a bank
customer applying for and obtaining loan/credit lines, exhausting them and then
abandoning the account without repayment. The fraud is typically characterised by high
chargeback rates. PAs here can be used by fraudsters to create a fake storefront to process
the required illicit payments.

iv) Transaction laundering/ Factoring


Approved merchant accounts can be used for illegitimate transactions, which are then hard
to distinguish from the merchant’s legitimate transactions. Transaction laundering, for
instance, involves fraudsters using an existing merchant’s payment credentials for payments
through unreported/shadow sites without the acquirer/merchant’s knowledge. Factoring
involves the same misuse with the merchant’s collusion, say allowing unapproved
vendors/affiliates, or even the merchant’s own alternate business/subsidiary/branch, to use
its account.

A significant concern is that money laundering becomes scalable this way, without efforts to
fake storefronts, etc. for the credentials. IP whitelisting (limiting domains on which the
credentials can be used), transaction monitoring (anomalies like Merchant Category Code
violations, URL mismatches, transaction/chargeback/refund pattern changes, exceeding
permitted limits, restructuring transactions to fall below reportable thresholds), etc. are key
here.
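
The monitoring anomalies listed above can be written as simple rules over a merchant's transactions. This is an added example, not part of the original post or any PA's system; the merchant profile, field names, thresholds and sample transactions are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed merchant profile: every value here is an illustrative assumption.
PROFILE = {
    "approved_mcc": "5942",                # category approved at on-boarding
    "allowed_domains": {"books.example"},  # domains the credentials may be used on
    "txn_limit": 200_000,                  # permitted per-transaction limit
    "report_threshold": 50_000,            # hypothetical reportable threshold
    "baseline_cb_rate": 0.01,              # merchant's historical chargeback rate
}

def signals(profile, txns, near=0.9, min_split=3, cb_factor=3):
    """Return the set of anomaly labels raised by a merchant's transactions."""
    found = set()
    near_threshold = defaultdict(list)  # (payer, day) -> amounts just under threshold
    chargebacks = 0
    for t in txns:
        host = urlparse(t["origin_url"]).hostname or ""
        if host not in profile["allowed_domains"]:
            found.add("url_mismatch")
        if t["mcc"] != profile["approved_mcc"]:
            found.add("mcc_violation")
        if t["amount"] > profile["txn_limit"]:
            found.add("limit_exceeded")
        limit = profile["report_threshold"]
        if near * limit <= t["amount"] < limit:
            near_threshold[(t["payer"], t["day"])].append(t["amount"])
        chargebacks += t.get("chargeback", False)
    # Restructuring: several same-day payments from one payer, each sitting
    # just below the reportable threshold.
    if any(len(a) >= min_split for a in near_threshold.values()):
        found.add("structuring")
    if txns and chargebacks / len(txns) > cb_factor * profile["baseline_cb_rate"]:
        found.add("chargeback_spike")
    return found

# Constructed sample transactions.
SAMPLE = [
    {"payer": "p1", "day": 1, "amount": 1_200, "mcc": "5942", "origin_url": "https://books.example/cart"},
    {"payer": "p2", "day": 1, "amount": 49_500, "mcc": "5942", "origin_url": "https://shadow-site.example/pay"},
    {"payer": "p2", "day": 1, "amount": 49_000, "mcc": "5942", "origin_url": "https://shadow-site.example/pay"},
    {"payer": "p2", "day": 1, "amount": 48_900, "mcc": "7995", "origin_url": "https://shadow-site.example/pay"},
]

if __name__ == "__main__":
    print(sorted(signals(PROFILE, SAMPLE)))
```

Rules like these only raise candidates for review; the thresholds would need tuning per merchant category and risk tier.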

v) Exploiting payments chain complexities


Payment service providers providing multiple payment services also need to be alert to
misuse of the payments chain's complexity. Take a fraudulent (say) gaming merchant
routing customer funds collected through a PA’s service, for supposed direct payout to
legitimate recipients (the gaming winners, their own commissions). This is instead disbursed
to fraudulent recipients. This, for one, enables money laundering. Second, the customer
funds don’t settle in the merchant’s legitimate bank account, allowing revenue concealment
and hence tax evasion.

vi) Monitoring for corporate fraud and AML/CFT


Some checks can surface corporate fraud or AML/CFT concerns, like verification of
beneficial owners, say investors identified from MCA documents (like shareholding
patterns), against sanction/PEP/international AML/CFT lists. Manipulation or alteration of
financial statements like balance sheets, forged invoices/receipts covering illegitimate
transactions, unusual revenue patterns, etc. are other indicators.

vii) End-merchant fraud


With new merchant categories emerging with innovation, like online gaming, virtual
currencies and related services, various B2B platforms and aggregators, etc., risk levels need
to be assessed separately by PAs. Relevant factors here include whether they are regulated,
their compliance levels and their practices for end-merchant verification (particularly since
these end-merchants gain indirect access to the financial system through the platform). For
example, consider the misuse internationally of crowdfunding and P2P lending platforms for money
laundering, scams with virtual currencies or their misuse for converting illegally obtained
funds, enabling illegal cross-border funds transfers, etc.

Holistic monitoring for effective fraud detection


For effective merchant fraud detection, a PA thus has to aim for holistic monitoring,
covering the merchant’s entire portfolio. Turning to new-age AI/ML-based fraud detection
systems will be essential. Data also holds significant promise as a risk mitigation technique,
and the proposed exemption for such use as a ‘reasonable purpose’ under the
upcoming Indian data protection law is thus welcome.
