Shanty Elena: Christian, you are the co-writer of two books about investigation strategies when mitigating risk associated with CNP merchant acquiring. Web Shield recently published the third edition, titled: “Fundamentals of Card-not-Present Merchant Acceptance: Understanding High-Risk Business”. How would you define high-risk, from the perspective of an underwriter or risk manager in the e-commerce and e-payments business?
Christian Chmiel: ‘High-risk’ in general simply means “involving a greater than usual amount of risk”. The elusive ‘greater amount of risk’ in the particular case of merchant underwriting can be identified in five main areas, at least in our methodology: content/business risk, financial risk, reputational risk, money laundering risk and transaction laundering risk.
A growing number of business types could be considered high-risk. Fortunately, Visa and MasterCard have issued guidance for merchant acquirers and Payment Service Providers, defining which industries or business types should be highly scrutinized. These classification schemes tend to focus on higher brand or reputation risks (e.g. adult entertainment) and high financial risks (e.g. the travel industry and airlines).
Q: In your book you differentiate between ‘Official High-Risk’ and ‘Hidden High-Risk’ Industries. Could you explain this to our readers?
Christian: Official high-risk industries are industries identified as such by MasterCard or Visa. Some examples include tobacco businesses, adult entertainment, drugs and pharmaceutical merchants, skill games, gambling, and more.
As a consequence of the growth of e-commerce, m-commerce and changing (online) business models, the list of high-risk business types is expanding. Therefore we decided to have a closer look at apparently low risk business types, by applying our underwriting methodology. Based on over 5000 on-boarding and transaction laundering investigations conducted by Web Shield between January and June last year, enriched by valuable feedback we received from Web Shield Academy students, we identified ‘hidden’ high-risk business types that are not (yet) officially categorized as ‘high-risk’. Online sales of nutraceuticals, video and music streaming are examples of ‘hidden high-risk’ industries each of which are discussed into great depth in the third edition of our best-practices guide.
In this rapidly growing e-commerce market, card schemes and legislators are constantly challenged to reevaluate risk, based on new data and insights. One example is the Binary industry which we discussed in this recent edition under the chapter ‘hidden-risk’, but which has very recently been ‘upgraded’ to official ‘high-risk’ by MasterCard.
Q: This latest edition explores different deceptive Sales & Marketing tactics and the associated online traffic generation as strong risk indicators, which help underwriters during their risk assessment. Please explain the importance of traffic analysis as part of the investigation.
Christian: Thanks for asking, as this is one of the core points we wanted to raise. As you might know, there are six online sales channels typically used by non-face-to-face merchants: direct traffic, referral traffic, search traffic, social media traffic, e-mail traffic, and display traffic.
Traffic sources and patterns differ, depending on business’ specific sales procedures and marketing tactics. Nevertheless, each industry tends to follow a predictable traffic pattern. Paid video streaming websites, for example, usually attract very high direct traffic (around 60 %) due to returning users, and moderate referral traffic (about 25%). Free video streaming websites often generate nearly equal (ca. 40%) direct and social traffic.
Merchants involved in suspicious business and in deceptive marketing tactics, tend to generate low direct and very high referral traffic. Performing website traffic analysis plays a crucial role in determining whether a merchant acts legitimately or not.
Q: Hidden Risk Industries are particularly challenging to regulators and law enforcement. Why?
Christian: As its name implies, hidden high-risk industries could be hiding risky business behind ‘low risk’ Merchant Category Codes, as this saves them from the acquiring bank’s high scrutiny applied during the on-boarding process of high-risk merchants. Merchants, involved in high-risk business, use camouflage tactics to ‘fly under the radar’ and negotiate favorable (low risk) processing rates. By hiding behind low risk business, they aren’t subjected to the in-depth screening procedures applied to high-risk merchants. We foresee that a growing number of fraudsters will abuse hidden high-risk industries, especially while these business types are not yet on the radar of regulators and law enforcement.
The same phenomenon we are seeing with the cryptocurrency boom, which has led to the rise of varieties of old and new scams, with regulators struggling to keep up. Hidden high-risk industries require enhanced due diligence and immediate regulators’ attention.
Q: Online Gambling is a business type which is highly appealing to money launderers. For what reasons?
Christian: Online gambling usually involves a high volume of transactions and cash flow. At first sight, the perfect setting to disguise money laundering. Gambling is non-tangible, which makes it more complicated to ‘follow the money’ and prove real vs. virtual turnover (which is tax free in many jurisdictions). Online gambling can be abused for two major money laundering schemes: When an illegal transaction occurs, the earnings are laundered by betting them and receiving the payouts as gambling winnings. Alternatively, the criminals are using online gambling as a payment tool for illegal transactions, paying out gambling wins as cash for illegal goods.
While this industry has been problematic in the past, the online gambling market has become much more regulated, partly thanks to the efforts of the card associations. Licensing bodies stepped up their game by requiring strict Know Your Customer (KYC) procedures and providers implemented sophisticated fraud detection technology. As this trend continues, I expect that the money laundering risk associated with online gambling will decrease. Of course, the same optimism doesn’t apply to the business of unregulated gambling providers.
Q: In your 2017 edition, you guided your readers through obscure transaction laundering schemes and discussed investigation strategies to detect and prevent this type of money laundering. In your latest edition you touch this subject in relation with the nutraceutical business. What makes this industry so appealing to transaction launderers?
Christian: Nutraceutical merchant’s applications have proven to be great mules for transaction launderers, especially for those dealers that sell drugs and illegal pharmaceuticals. They use generic billing descriptors which imitate pharmaceutical language, suggesting a professional relationship with the medical and health industry. In order to avoid high chargeback rates, merchants that launder transactions through nutraceuticals adjust and manipulate their billing descriptors to avoid cardholders’ suspicion.
Q: Besides publishing books and organizing events, Web Shield also offers training courses for beginning and experiences underwriters. Where can risk professionals get specific information about these courses and where can they order your books?
Christian: A pretty good start would be our website. We offer all our courses and publications there. I would encourage underwriters, be they rookies or veterans, to participate in our Web Shield Academy, as it is structured around hands-on online investigation of real-life cases and there is something to learn for everyone.
Of course, our books are great guides for participants who attend our courses. Another great way to learn about the state of the industry and meet your peers is RiskConnect, the networking conference for risk and compliance professionals.
Thank you very much for this interview!
Christian Chmiel was interviewed by Shanty Elena van de Sande