How to Detect and Prevent Transaction Laundering
This interview was originally posted on the goEmerchant Blog
Christian Chmiel is the CEO of Web Shield Ltd., a European company that helps Merchant Acquirers, Payment Services Providers and Banks to improve their due diligence procedures. Furthermore, Web Shield organizes Fraud Protection courses for Underwriters and Risk Managers. Last year’s Best Practice Guide for Underwriters, titled “Fundamentals of Card-not-Present Merchant Acceptance” was received well by professionals throughout the Global Card Payments industry. This year’s edition focuses on the detection and prevention of Transaction Laundering.
Q: Hi Christian, what makes illegal aggregation or transaction laundering so difficult to detect, and in which ways can “risk indicators” help underwriters during the course of their KYC Procedures as part of a Customer Identification Program (CIP)?
Christian: Transaction Laundering is often conducted by experienced fraudsters who know how to attack cardholders, and by cyber-criminals who understand standard investigation techniques. These criminals apply schemes that hardly leave any traces, because they understand how to make a business look legitimate. The underwriter has to review, analyze and verify the merchant’s business, the Ultimate Beneficiary Owner (UBO), consider a variety of risk indicators, etc., in order to obtain a complete understanding of the client and his business prior to on-boarding. In the second edition of my Best Practice Guide for Underwriters, we explain the most common primary and secondary risk indicators and in which ways they affect the risk score of the Merchant Acquirer or Payment Service Provider (PSP).
It is important to understand that transaction laundering doesn’t always implicate the merchant as the fraudulent perpetrator. In some cases, for example during an affiliate transaction laundering attack, the merchant is the ultimate victim of fraud. Knowing and understanding different types of fraud scenarios helps underwriters and investigators during the course of their due diligence procedures. We zoom in on different research methods and provide the reader with in-depth understanding of the various risk indicators and their intrinsic significance.
Q: After defining the primary and secondary risk indicators, you propose strategic steps to develop a balanced investigative risk analysis. Could you elaborate on the differences between primary and secondary risk indicators, and explain why there is more to proper risk management than just identifying risk indicators?
Christian: In Fundamentals of CNP Merchant Acceptance, we classify and distinguish between primary and secondary indicators. Primary risk indicators do not depend on secondary information to be considered as risk. A secondary risk indicator or deductive indicator is drawn from a combination of two or more primary risk indicators. Using this approach requires knowledge on how some risk indicators interact, what these combinations imply and how or if they can be mitigated or controlled. Often, risk indicators have a direct impact on Chargeback-to-Sales ratios and could increase the Acquirers’ vulnerability to penalties and fines. Understanding these risks enables the Acquirer/PSP to impose appropriate controls prior to boarding (or refusing) a merchant.
Q: During one of my previous interviews in this series, Robby Philips of Business Forensics discussed the tendency in the banking sector to move from Process-Driven to Data-Driven due diligence. Do you foresee similar developments in the CNP Card Payments and e-Commerce sector? Please explain.
Christian: Personally, I think that the due diligence processes applied in the CNP Card Payments and the e-Commerce sector are already very much data-driven. Risk managers and underwriters use a lot of databases during the course of their investigation. Historical data often helps us to understand and predict possible future behavior. Nevertheless, as stated before, online fraudsters are constantly changing their techniques, which means that a good combination of process- and data-driven due diligence is crucial. This is exactly why we are hosting a Web Shield Academy that offers hands-on training to improve online investigations, which is especially important for risk professionals in the CNP payments industry.
Q: Christian, congratulations on the second edition of your book. This year’s edition of Web Shield’s ‘Fundamentals of Card-not-Present Merchant Acceptance’ takes CIP yet another step further and explores various investigation strategies, including primary and secondary risk indicators. In which way does this year’s guide differ from last year’s edition?
Christian: Thanks a lot, Shanty! We are really excited about this new edition. We had this idea of writing a best practice guide for underwriters for quite some time and last year we finally managed to publish the first edition. As fraud scenarios are changing and fraudsters adapt their schemes, we see the urgent need for a constant update of the CIP, as part of a company’s risk management strategy. Each year, we publish a new best practice guide for underwriters, which aims to provide a better understanding of risk management and due diligence related issues, offering new investigation tools and deeper insight into (new) fraud scenarios. This new edition further explores risk indicators that underwriters have to take into consideration as part of their investigation. We introduce excellent online resources and analytical tools, and we zoom in on illegal aggregation.
Q: Besides Underwriters in the Merchant Acquiring industry, which target audiences would benefit most from the “tips & tricks” in your best practice guides?
Christian: Our guides are primarily focused on due diligence practices and investigation techniques that are relevant for the Card-not-Present (CNP) Merchant Acquiring sector. Having said this, I think these guides could provide useful insight for all those companies and/or professionals required to mitigate risk, reduce fraud and ensure compliance with rules and regulations. We aim to write these guides for risk professionals who work in the financial services sector, but law enforcers could equally benefit and obtain useful insights from these guides. We really hope that this year’s edition will be received with as much enthusiasm as our last edition. Besides publishing yearly risk management guides, our Web Shield Academy offers risk professionals in-depth fraud detection courses and we host networking conferences* for underwriters, compliance officers and other professionals in the CNP payments business. We will continue our efforts to increase awareness around all aspects of due diligence and fraud prevention.
“Fundamentals of Card-not-Present Merchant Acceptance” can be ordered via Web Shield
*Update: Web Shield’s upcoming RiskConnect is an invitation-only networking conference, specifically for the unsung heroes of the card acquiring space: the risk and compliance professionals, whose job it is to ferret out fraudsters and expose dubious businesses. It will be held in Frankfurt am Main, Germany on the 23rd and the 24th of November, 2017.
Christian Chmiel can be contacted via Web Shield.