This interview was originally posted on the goEmerchant Blog.
Christian Chmiel is CEO of Web Shield, a European company that helps Merchant Acquirers, Payment Services Providers and Banks to improve their due diligence procedures. Furthermore, Web Shield organizes Fraud Protection courses for Underwriters and Risk Managers. Last year’s Best Practice Guide for Underwriters, titled “Fundamentals of Card-not-Present Merchant Acceptance” was received well by professionals throughout the Global Card Payments industry.
Shanty Elena: What makes illegal aggregation or transaction laundering so difficult to detect, and in which ways can looking for certain “risk indicators” help underwriters during the course of their KYC Procedures as part of a Customer Identification Program?
Christian Chmiel: Illegal aggregation is often conducted by experienced fraudsters who know how to attack cardholders, and by cybercriminals who understand standard investigation techniques. These criminals apply schemes that hardly leave any traces, because they understand how to make a business look legitimate. The underwriter has to review, analyze and verify the merchant’s business, the UBO, consider a variety of risk indicators, etc., in order to obtain a complete understanding of the client and his business prior to onboarding. In the second edition of my Best Practice Guide for Underwriters, we explain the most common primary and secondary risk indicators and in which ways they affect the risk score of the Merchant Acquirer or Payment Service Provider (PSP).
It is important to understand that transaction laundering doesn’t always implicate the merchant as the fraudulent perpetrator. In some cases, for example during an affiliate transaction laundering attack, the merchant is the ultimate victim of fraud. Knowing and understanding different types of fraud scenarios helps underwriters and investigators during the course of their due diligence procedures. We zoom in on different research methods and provide the reader with in-depth understanding of the various risk indicators and their intrinsic significance.
Q: After defining the primary and secondary risk indicators, you propose strategic steps to develop a balanced investigative risk analysis. Could you elaborate on the differences between primary and secondary risk indicators, and explain why there is more to proper risk management than just identifying risk indicators?
Christian: In Fundamentals of CNP Merchant Acceptance, we classify and distinguish between primary and secondary indicators. Primary risk indicators do not depend on secondary information to be considered as risk. A secondary risk indicator or deductive indicator is drawn from a combination of two or more primary risk indicators. Using this approach requires knowledge on how some risk indicators interact, what these combinations imply and how or if they can be mitigated or controlled. Often, risk indicators have a direct impact on Chargeback-to-Sales ratios and could increase the Acquirer’s vulnerability to penalties and fines. Understanding these risks enables the Acquirer/PSP to impose appropriate controls and collaterals prior to boarding (or refusing) a merchant.
Q: During my previous Interview in this series, Robby Philips of Business Forensics discussed the tendency in the banking sector to move from Process-Driven to Data-Driven due diligence. Do you foresee similar developments in the CNP Card Payments and e-Commerce sector? Please explain.
Christian: Personally I think that the due diligence process applied in the CNP Card Payments and the e-Commerce sector are already very much data-driven. Risk managers and underwriters use a lot of databases during the course of their investigation. Historical data often helps us to understand and predict possible future behavior. Nevertheless, as stated before, online fraudsters are constantly changing their techniques, which means that a good combination of process- and data-driven due diligence is crucial. This is exactly why we are hosting a Web Shield Academy that offers hands-on training to improve online investigations, which is especially important for risk professionals in the CNP payments industry.
Q: Christian, congratulations with the new edition of your Book, published last winter! This year’s Edition of Web Shield’s ‘Fundamentals of Card-not-Present Merchant Acceptance’ takes CIPs yet another step further and explores various investigation strategies, including primary and secondary risk indicators. In which way does this year’s guide differ from last year’s edition?
Christian: Thanks a lot, Shanty! We are really excited about this new edition. We had this idea of writing a best practice guide for underwriters for quite some time and last year we finally managed to publish the first edition. As fraud scenarios are changing and fraudsters adapt their schemes, we see the urgent need for a constant update of Customer Identification Programs (CIP) as part of a company’s risk management strategy. Each year, we publish a new best practice guide for underwriters, which aims to provide a better understanding of risk management and due diligence related issues, offering new investigation tools and deeper insight into (new) fraud scenarios. This new edition further explores risk indicators that underwriters have to take into consideration as part of their investigation. We introduce excellent online resources and analytical tools, and we zoom in on illegal aggregation.
Q: Besides Underwriters in the Merchant Acquiring industry, which target audiences would benefit most from the “tips & tricks” in your best practice guides?
Christian: Our guides are primary focused on due diligence practices and investigation techniques that are relevant for the Card-not-Present (CNP) Merchant Acquiring sector. Having said this, I think these guides could provide useful insight for all those companies and/or professionals, required to mitigate risk, reduce fraud and ensure compliance to rules and regulations. We aim to write these guides for risk professionals who work in the financial services sector, but law enforcers could equally benefit and obtain useful insights from these guides. We are confident that this years’ edition will be received with as much enthusiasm as our last best practice guide.
Christian Chmiel was interviewed by Shanty Elena van de Sande