Saturday, October 30, 2010

Merchant fraud: a Nasty Little Secret

Over the years we’ve become accustomed to talking about risk from buyers. The paradigm was simple: established and new businesses go to ecommerce to go global, expand reach and sell more conveniently to multiple buyers. Since this is a card-not-present transaction, the retailers are liable for risks of chargebacks and other types of complaints, and they need to protect themselves from fraudulent buyers, flakes and defaults. The barrier to becoming a merchant was pretty high almost everywhere – getting a merchant account required interaction with a bank and documents that at least looked real. The strain in this process meant that becoming a merchant was not a scalable operation for fraudsters who were looking to make a quick gain; buying multiple stolen credit cards and running them through retail websites was much easier. Sure, there were fraudulent sellers on eBay, but that was a rather contained phenomenon. This is not the case anymore.

With the appearance – or should I say reappearance – of marketplace models, merchant/vendor fraud is quickly becoming a very profitable operating model for fraudsters. Companies that enable commerce around tangible goods (Etsy, PayPal, Square), services (AirBnB) or digital goods (Apple and many others) attract many new businesses that wouldn’t have existed otherwise, since they wouldn’t have crossed the barrier to getting a merchant account, for various reasons. While mostly the reason is prohibitive cost (if you’re an iPhone app developer, it’s not cost effective to start a company and build your own capability to acquire payments), to some extent it is also because they sit at, and sometimes well below, the lower bound of credit score and history needed to establish a merchant account. And while these marketplaces and ISOs are doing an amazing job of enabling new commerce activity, they are also very exposed: being an intermediary, they are exposed to disputes and chargebacks, and must support a dispute process that can be very costly – not to mention brand problems if their merchants do not follow good business practices. This, and not consumer fraud and risk, is the growing issue of current ecommerce.

So how do you control the risk from merchants and vendors? Here are three initial thoughts to get you started:

1. Identity: you don’t want to push potential merchants away, but basic identity verification and authentication should be imposed before they can get through the door. Don’t wait until it’s too late – real merchants should be proud of their brand identity and be able to prove it exists, as well as show themselves as individuals. This doesn’t necessarily mean doing a credit pull; it does mean making sure that their address exists, that their name is real, that their credit card works and that their domain hosts a website that looks like more than a template.
2. Velocity: one of the most concerning aspects of the ability to easily establish a merchant/vendor relationship with marketplaces is that returning fraudsters have a ball. Opening an account, making a few sales, not delivering, and then repeating the same thing in a new account is very common. Identifying significant links between accounts and acting on them to prevent a group of fraudsters from scaling is thus one of the most important aspects of merchant fraud prevention.
3. Holds and graduation: while I’m not a big supporter of the escrow/delayed disbursement model, because of the limitation it places on legitimate businesses’ cash flow, it’s obvious that in many cases (especially in cases of delayed fulfillment) you need to be protected. The best advice in this case is to avoid using holds and delayed disbursements as a blanket policy for all new merchants. Limitations should be correlated with risk level – based on transaction velocity, history, authentication level, industry and more. Tying limitations to a defined “graduation” process that in turn provides added benefit for the merchant is my personal favorite, since it brings added value that compensates for the burden of coping with the limitation.
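The account linking described under Velocity can be sketched as a weighted link graph; this is an added example, not code from the original post. The attribute names, weights, threshold, status label and sample accounts are all assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

WEIGHTS = {"bank": 3, "device": 2, "phone": 1, "ip": 1}  # assumed weights
LINK_THRESHOLD = 2  # assumed: one shared phone or IP alone is not significant
FIELDS = ("id", "bank", "device", "phone", "ip", "status")
ROWS = [  # constructed sample accounts
    ("m1", "B1", "D1", "P1", "I1", "closed_non_delivery"),
    ("m2", "B2", "D1", "P2", "I2", "active"),  # same device as m1
    ("m3", "B2", "D3", "P3", "I3", "active"),  # same payout bank as m2
    ("m4", "B4", "D4", "P1", "I4", "active"),  # shares only a phone with m1
    ("m5", "B5", "D5", "P5", "I5", "active"),
    ("m6", "B6", "D6", "P5", "I5", "active"),  # phone + IP shared with m5
]
ACCOUNTS = [dict(zip(FIELDS, row)) for row in ROWS]

def link_scores(accounts):
    """Sum attribute weights for every pair of accounts sharing a value."""
    index = defaultdict(list)
    for acct in accounts:
        for key in WEIGHTS:
            index[(key, acct[key])].append(acct["id"])
    scores = defaultdict(int)
    for (key, _value), ids in index.items():
        for pair in combinations(sorted(ids), 2):
            scores[pair] += WEIGHTS[key]
    return scores

def clusters(accounts):
    """Union-find over pairs whose link score reaches the threshold."""
    parent = {a["id"]: a["id"] for a in accounts}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for (a, b), score in link_scores(accounts).items():
        if score >= LINK_THRESHOLD:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for acct_id in parent:
        groups[find(acct_id)].add(acct_id)
    return list(groups.values())

def accounts_to_review(accounts):
    """Open accounts clustered with an account closed for non-delivery."""
    bad = {a["id"] for a in accounts if a["status"] == "closed_non_delivery"}
    return {m for g in clusters(accounts) if g & bad for m in g - bad}
```

On the sample data, m3 is flagged through m2 even though it shares nothing directly with the closed account, while m4 is not flagged because a single shared phone number falls below the threshold.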

Merchant fraud is a complex issue, but a few simple steps can go a long way toward managing it correctly. The most important thing is thinking these things out before you start course-correcting in the midst of a fraud breakout case – that’s when the worst decisions are made and your legitimate merchant population will suffer greatly.

1 comment:

Mike said...

Point number 3 is a good one. Holds are often too tough on the smaller struggling merchants. Along with "graduating" holds, as you suggest, the hold policy has to be clearly explained up front and in plain and simple terms. Once the merchant understands the policy it'll be easier for him to accept and plan accordingly. When there are nasty surprises, that's when things go bad. Why do so many merchants hate PayPal? It's not because of their holds policies per se, but because holds often appear "suddenly" without prior warning or reason.