Merchant Entity Fraud Management

Developments in payments technology and fraud have tended to go hand in hand. Payments giant PayPal, which arguably popularised money on the internet, was reportedly losing more than $1.6 million every month to fraudulent transactions in its early days. PayPal has since resolved those fraud issues, but a similar situation is arising today, with new avenues for fraud opening up with India’s push for digital payments and the pandemic-induced acceleration of digitisation. The Reserve Bank of India (‘RBI’) reports an increase in both the volume (28%) and value (159%) of reported financial fraud since last year.

Increasing payment fraud even prompted a recent regulatory advisory for industry initiatives promoting user awareness. Tackling merchant-based payment fraud, however, requires diligence at other levels as well. Acquirers like banks or payment aggregators (‘PAs’) bear the risk and responsibility here, being (often) the first to on-board merchants into the (digital) financial system. This piece discusses the nature of merchant fraud PAs face and how it can be addressed.

Merchant fraud vs. transaction fraud

Payments fraud can take the form of ‘transaction fraud’, usually at the end-user level, consisting of unauthorised transactions, false refunds/chargebacks, etc. This often relies on financial data extracted via phishing, hacked databases, malware/screen-sharing apps, pagejacking to redirect legitimate traffic, etc. Remedies thus entail security measures at the end-user level (mandatory AFA, payer authentication via 3-D Secure, tokenisation, SMS alerts, etc.) or merchant-side measures (cybersecurity checks, monitoring suspicious customer activity like multiple orders by the same person using different cards, alerts for scams like counterfeit product sales, etc.).

Merchant fraud also involves fraudulent transactions, but is distinguished by its source. It often revolves around the merchant’s identity, and resolution methods thus shift from user-level diligence and security measures to merchant-level monitoring and identity checks. Broadly, merchant fraud may be intended to dupe individuals (fraudulent transactions) or the authorities (money laundering, tax evasion, terrorist financing). The former is challenging given that multiple users can be defrauded simultaneously (unlike general transaction fraud, which can be a single fraudulent transaction). Mandatory KYC, pre- and post-on-boarding merchant due diligence and transaction monitoring come together to tackle this fraud.

Forms of merchant fraud and the checks necessitated

1.    Forged KYC documents and identity theft: Forged KYC documents enable fraud like identity theft, which involves assuming a legitimate business’s identity by forging its key documents. Alternatively, the fraudster can create a new identity altogether, or claim authorisations, etc., that they don’t actually have. Document authenticity checks, signature matching, beneficial owner checks, etc., done via API-based verification, eKYC/digital signature mechanisms, etc., are thus key here. Live photographs, geotagging and the encouragement of AI and face-matching technology in the RBI’s digital and video KYC processes also aim at an effective digital equivalent of the original in-person KYC checks.

2.    Faking business operations: This may be an inoperative business posing as operative, say as a vehicle for the activities AML/CFT rules target, a seemingly legitimate front adopted to carry out illegitimate activities on the side, or an attempt to circumvent restrictions on serviceable businesses. PAs, for example, adhere to bank-defined lists of prohibited (eg.: drugs, hacking, tobacco) and high-risk (eg.: pharmaceuticals, matrimony, job portals, travel agencies) businesses. Businesses from identified ‘high-risk’ jurisdictions also cannot be serviced. The fraud here secures a lower risk profile during on-boarding, and thereby the ability to operate. Actual site visits, examining balance sheets, credit history, etc., thus help. Domain name purchase dates, social media activity and customer reviews can also reveal product legitimacy, possible shell companies, etc. The checks need to be on-going: for eg., merchant website content monitoring, checking product listings, etc. help track changes to the front demonstrated during on-boarding. This also includes periodic updates of merchant risk categorisation and KYC.

3.    Bust-out fraud: Fake business operations can also be aimed at bust-out fraud. This involves a bank customer applying for and obtaining loans/credit lines, exhausting them and then abandoning the account without repayment. The fraud is typically characterised by high chargeback rates. PAs here can be used by fraudsters to create a fake storefront to process the required illicit payments.

4.    Transaction laundering/factoring: Approved merchant accounts can be used for illegitimate transactions, creating the challenge of distinguishing these from the merchant’s legitimate transactions. Transaction laundering, for instance, involves fraudsters using an existing merchant’s payment credentials for payments through unreported/shadow sites, without the acquirer’s or merchant’s knowledge. Factoring involves the same misuse with the merchant’s collusion, say allowing unapproved vendors/affiliates, or even the merchant’s own alternate business/subsidiary/branch, to use its account. A significant concern is that money laundering becomes scalable this way, without the effort of faking storefronts, etc. to obtain credentials. IP whitelisting (limiting the domains on which the credentials can be used), transaction monitoring (for anomalies like Merchant Category Code violations, URL mismatches, changes in transaction/chargeback/refund patterns, exceeding permitted limits, restructuring transactions to fall below reportable thresholds), etc. are key here.

5.    Exploiting payments chain complexities: Payment service providers offering multiple payment services also need to be alert to misuse of the payments chain’s complexity. Take, say, a fraudulent gaming merchant routing customer funds collected through a PA’s service for supposed direct payout to legitimate recipients (the gaming winners, its own commissions). The funds are instead disbursed to fraudulent recipients. This, for one, enables money laundering. Second, the customer funds don’t settle in the merchant’s legitimate bank account, allowing revenue concealment and hence tax evasion.

6.    Monitoring for corporate fraud and AML/CFT: Some factors can indicate corporate fraud or AML/CFT concerns. Verifying beneficial owners, say investors identified from MCA documents (like shareholding patterns), against sanction/PEP/international AML/CFT lists is one such check. Manipulation/alteration of financial statements like balance sheets, forging invoices/receipts to cover illegitimate transactions, unusual revenue patterns, etc. are other indicators.

7.    End-merchant fraud: With new merchant categories emerging with innovation, like online gaming, virtual currencies and related services, various B2B platforms and aggregators, etc., risk levels need to be assessed separately by PAs. Relevant factors here include whether they are regulated, their compliance levels and their practices for end-merchant verification (particularly since these end-merchants gain indirect access to the financial system through the platform). For example, consider the misuse internationally of crowdfunding and P2P lending platforms for money laundering, scams with virtual currencies or their misuse for converting illegally obtained funds, enabling illegal cross-border fund transfers, etc.

Holistic monitoring for effective fraud detection

A PA thus has to aim for holistic monitoring covering the merchant’s entire portfolio for effective merchant fraud detection. Turning to new-age AI/ML-based fraud detection systems will be essential. Data also holds significant promise as a risk mitigation technique, and the proposed exemption for its use as such as a ‘reasonable purpose’ under the upcoming Indian data protection law is thus welcome.

As a payment aggregator (‘PA’), when we on-board merchants, we need to address certain risks that arise, like fraud, excessive chargebacks, money laundering, tax evasion, etc. For this, regulatory guidelines and applicable laws require us to adopt several precautionary measures, including Know-Your-Customer (‘KYC’) and merchant due diligence procedures. We thus carry out a range of checks on merchants, which start prior to onboarding and continue until the end of the merchant’s relationship with us. The processes discussed may be replicated by financial service entities or any other product that wants to onboard merchants onto its platform, both to comply with regulations and to mitigate risk.

What is KYC?

Regulated financial institutions like banks, PAs, investment companies, etc., conduct KYC whenever a client attempts to open an account or onboard with them (eg.: the KYC process you undertake when opening a bank account). A client may be an individual or a legal entity. The aim is to establish the client’s identity, address and legitimacy via verification of its key documents. In combination with due diligence and other mandated checks, these allow us to, say, identify potential fraudsters and shell companies, detect money laundering, etc. (see the Merchant Entity Fraud Management section above). Often non-regulated entities, like an online marketplace for example, also need to perform a full or partial KYC as a precaution. These steps secure not only ourselves, but also the end-customers and the financial system as a whole.

As PAs we can service a range of businesses: e-commerce marketplaces; financial services like lending, wealth management, credit management, payments, insurance, etc.; edtech; healthtech; digital entertainment and streaming services like video, music and gaming; subscriptions such as those of SaaS companies; hospitality and transportation services like taxi aggregators, hotel booking aggregators, vehicle rentals, etc. The checks we undertake thus vary from business to business, particularly based on the merchant’s legal form and line of business.

Figure 1

The Complete KYC Procedure

The Reserve Bank of India’s (‘RBI’) Master KYC Direction, the RBI PA Guidelines and the Prevention of Money Laundering Act, 2002 (the ‘PMLA’) (among others) together require the following 8-stage process:

Step 1: The KYC document check or CDD process

The first stage is the KYC document check or Customer Due Diligence (‘CDD’) process. It can take one or more of the following forms:

  • Individual KYC: When the merchant is an individual (eg.: a sole proprietor), we carry out a ‘KYC’ process, or CDD for an individual. Broadly, we verify the merchant’s identity via an ‘Officially Valid Document’ or OVD check (identity documents like Aadhaar, passport, driving licence, etc.), individual PAN verification and, if necessary, a current address proof check (utility bills, etc.). We can also ask for more documents to verify the merchant’s financial/business status, say business registration documents.
  • Business KYC: When a business entity is being onboarded by us, we carry out a Business KYC process, or CDD for a business. Here we replace the OVD check with an ‘entity-proof’ check. This again differs based on the merchant’s legal form. For example, if the merchant is a company, we need to verify the certificate of incorporation, memorandum and articles of association, etc. If the merchant is a trust/partnership, on the other hand, we will need the trust/partnership deed, registration certificates, etc. Once we’ve verified the licensing/registration, we need to ascertain that the officer/employee transacting with us on the merchant’s behalf has the authority from the merchant to do so. For this we need the relevant Board resolutions, power of attorney, etc. Next we need the Business PAN, and address proof (GST) if the licensing/registration documents don’t reflect the current address. We also need to conduct ‘beneficial owner’ checks, i.e., we need to verify who has actual ownership/control, like the directors, shareholders, etc., and carry out the ‘KYC’ process separately for them. We also verify numerous other documents for due diligence processes (discussed below).
  • Platform KYC: Lastly, if the merchant’s line of business is a marketplace, the marketplace may itself have on-boarded end-merchants. In turn, it may need to carry out a KYC or verification process for them as well, whether under regulations that apply to it or as an additional diligence measure.

Figure 2

Methods of verifying the documents also vary, from the traditional physical check (original seen and verified, in-person verification) to today’s digital checks like digital document and signature checks (eKYC, DigiLocker, etc.), API-based verification, Digital KYC and Video KYC procedures, which are being introduced to ease the process and replace earlier physical checks. For us as a PA, relaxations are also being brought in to the CDD process, allowing us to rely on the KYC the merchant would already have undergone while opening accounts with its bank. In another welcome move, the RBI has extended the Central KYC Registry to legal entities, introducing a new mode of digital KYC for businesses via a KYC identifier (previously this was only allowed for individuals).

Step 2: Verification against sanction and PEP lists

Next, we need to verify the names of our merchants and their beneficial owners against certain lists, like national and international terrorist lists, or ‘Politically Exposed Persons’ (PEP) lists. If a name matches a sanctions list, we also need to report this to the Financial Intelligence Unit of India (‘FIU-IND’). Along with these, we check numerous other lists, like blacklists/greylists/defaulter lists for companies, directors, etc. issued by banks, the Ministry of Corporate Affairs, the Securities and Exchange Board of India, the Enforcement Directorate, the Office of Foreign Assets Control (U.S.), etc. (for a detailed list please see Appendix II below). These checks aid us in the fight against terrorism and money laundering, and also help us define risk levels for a specific client.

Step 3: Onboarding policies and merchant screening

Next we carry out a background and antecedent check, which takes the form of an initial screening, for which we define an internal merchant Onboarding Policy. Our aim here is to verify the nature, purpose and bona fides of a prospective client’s business. We conduct a range of checks such as licensing/registration checks, credit checks, profit and loss statement checks, balance sheet reviews, etc., based on information we seek directly from the prospective client, together with publicly available information like the merchant’s websites, product listings, end-customer reviews, social media activity, etc., to ascertain business legitimacy. We are also required under law to ascertain whether the merchant is PCI-DSS compliant.

Step 4: Merchant profiling and diligence levels

After these initial checks, we need to classify merchants as low/medium/high risk. The diligence levels and the post-onboarding monitoring we carry out are defined based on this: for example, we need to conduct enhanced due diligence for PEPs, but simplified due diligence for self-help groups. Also, we are prohibited from servicing some businesses altogether (tobacco, hacking, gambling, weapons, etc.), while others are considered high-risk (pharmaceuticals, matrimony, gaming, security brokers, jewellery, etc.), requiring increased monitoring and diligence.

Step 5: Ongoing due diligence

Post onboarding, our due diligence checks will continue to keep track of any changes in merchant behaviour that are a cause for concern. For example, a change in merchant website details or an unexpected listing of high-risk products can indicate fraud. These may also call for reviewing merchant risk profiles and due diligence levels.

Step 6: Transaction monitoring

A crucial post-onboarding check is monitoring merchant transactions to spot possible red flags, such as variations in expected transaction characteristics: expected total transaction volume, average order value, chargeback frequency, etc. For example, if a merchant exceeds the maximum permitted transaction limits, displays an unusual refund pattern, or we receive multiple end-customer complaints, these are causes for concern. Suspicious transactions (say, those which raise money laundering concerns) and transactions exceeding certain thresholds (eg. cash transactions above Rs.10L, cross-border wire transfers above Rs.5L) must be reported to FIU-IND by regulated entities.
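The monitoring rules in this step and in the transaction laundering/factoring discussion above (permitted limits, refund and chargeback patterns, Merchant Category Code and origin-domain mismatches, and sales structured just under a reportable threshold) can be expressed as simple rules over a settlement feed. The following Python is an added example, not part of the original article or of any PA’s actual system; the thresholds, MCC values, domains and transaction rows are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Rule thresholds: hypothetical values chosen for illustration, not regulatory figures.
PER_TXN_LIMIT = 1_500_000.0        # assumed per-transaction cap agreed at on-boarding (Rs.)
REVERSAL_RATIO_MAX = 0.15          # refunds + chargebacks as a share of sale count
REPORTING_THRESHOLD = 1_000_000.0  # assumed reportable amount; sales just under it are suspicious
STRUCTURING_FLOOR = 0.90           # "just under" means within 10% below the threshold
@dataclass
class Txn:
    txn_id: str
    merchant_id: str
    kind: str            # "sale", "refund" or "chargeback"
    amount: float        # rupees
    mcc: str             # Merchant Category Code presented with the transaction
    origin_domain: str   # site on which the payment credentials were used

def monitor(txns: list[Txn], approved_mcc: dict[str, str],
            whitelist: dict[str, set[str]]) -> dict[str, list[str]]:
    # Returns merchant_id -> list of red flags; merchants with no flags are absent.
    flags = defaultdict(list)
    by_merchant = defaultdict(list)
    for t in txns:
        by_merchant[t.merchant_id].append(t)
    for mid, rows in by_merchant.items():
        sales = [t for t in rows if t.kind == "sale"]
        reversals = [t for t in rows if t.kind in ("refund", "chargeback")]
        for t in rows:
            # Laundering/factoring indicators: wrong line of business or non-whitelisted site.
            if t.mcc != approved_mcc.get(mid):
                flags[mid].append(f"{t.txn_id}: MCC {t.mcc} differs from on-boarded MCC")
            if t.origin_domain not in whitelist.get(mid, set()):
                flags[mid].append(f"{t.txn_id}: origin {t.origin_domain} not whitelisted")
            if t.kind == "sale" and t.amount > PER_TXN_LIMIT:
                flags[mid].append(f"{t.txn_id}: amount exceeds permitted limit")
        # Refund/chargeback pattern relative to sales volume.
        if sales and len(reversals) / len(sales) > REVERSAL_RATIO_MAX:
            flags[mid].append("refund/chargeback ratio above tolerance")
        # Three or more sales sitting just below the reportable threshold suggest structuring.
        near = [t for t in sales
                if STRUCTURING_FLOOR * REPORTING_THRESHOLD <= t.amount < REPORTING_THRESHOLD]
        if len(near) >= 3:
            flags[mid].append(f"{len(near)} sales just under reporting threshold (possible structuring)")
    return dict(flags)
# Constructed sample feed (not real data): M001 trips every rule, M002 is clean.
APPROVED_MCC = {"M001": "5999", "M002": "5999"}
WHITELIST = {"M001": {"shop-a.example"}, "M002": {"shop-b.example"}}
SAMPLE_TXNS = [
    Txn("T1", "M001", "sale", 950_000, "5999", "shop-a.example"),
    Txn("T2", "M001", "sale", 980_000, "5999", "shop-a.example"),
    Txn("T3", "M001", "sale", 920_000, "5999", "shop-a.example"),
    Txn("T4", "M001", "sale", 1_600_000, "5999", "shop-a.example"),
    Txn("T5", "M001", "sale", 3_000, "7999", "other-site.example"),
    Txn("T6", "M001", "chargeback", 3_000, "5999", "shop-a.example"),
    Txn("T7", "M002", "sale", 2_000, "5999", "shop-b.example"),
]
```

Calling monitor(SAMPLE_TXNS, APPROVED_MCC, WHITELIST) returns five flags for M001 (limit breach on T4, MCC and origin mismatches on T5, the reversal ratio, and three near-threshold sales) and nothing for M002; in practice the thresholds would come from the merchant’s risk category and agreed limits rather than constants.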

Step 7: Record-keeping and Internal Governance requirements

Next, we keep records of all merchant transactions and identity documents, normally for at least 5 years. These need to be provided to authorities upon request, such as for an investigation. There are also numerous internal governance mandates to ensure effective implementation of these requirements, like dedicated internal committees, internal audits, periodic risk assessments and adequate employee training. A Designated Director and a Principal Officer, who have specific reporting obligations under the PMLA, must also be appointed.

Step 8: Periodic Updates

Lastly, we need to update both merchant risk profiles and KYC periodically. As per law, we must update merchant KYC every 10 (low risk), 8 (medium risk) and 2 (high risk) years. The ongoing due diligence checks also aid us with this.

 

 


List of Abbreviations

1.    AMFI- Association of Mutual Funds in India

2.    AoA- Articles of Association 

3.    BBPS- Bharat Bill Payment System 

4.    BIS- Bureau of Indian Standards

5.    CBI- Central Bureau of Investigation

6.    CBIC- Central Board of Indirect Taxes and Customs

7.    CBSE- Central Board of Secondary Education

8.    CDD- Customer Due Diligence

9.    CIN-