What is Merchant Initiated Fraud?

March 2, 2022

What is Merchant Initiated Fraud? In this talk, Claire Scott-Hayes (Fraudio's Head of Product) and João Moura (Fraudio's CEO) discuss what is Merchant Initiated Fraud and the best ways to detect and prevent it:

Interview Transcript

[00:00:07 - Claire Scott-Hayes (CSH)]: All right, so João, tell me about Fraudio's merchant fraud product.

[00:00:17 - João Moura (JM)]: All right, Claire. I will. So our Merchant Initiated Fraud Detection product focuses on... maybe let me start from the problem itself. So traditionally fraudsters, or people involved in in card frauds would acquire cards, one way or the other, you know, either by skimming physical cards or by acquiring cards that were breached somehow either with malware fishing botnets, or by data leaks, and data breaches, and those cards would be would be made available somewhere on the dark web, people would would buy lists of stolen cards, and then would use them in existing businesses.

So to acquire goods or services from existing and legit businesses. This, of course, brings a lot of issues. So if you want to spend money with a credit card, or debit card, online, you need to be careful with arranging a number of things that protects you as an individual, as a fraudster, and prevents you from being caught.

So things like arranging a drop location for physical goods. A place where you can actually send the goods to and pick them up from there without having to give your real life entity or, not sending them to your own place. And this is a nuisance for frauds. Then what they would then do with those physical goods would be to sell them and then because their ultimate goal, of course, is to have cash in their pockets.

Another way is to buy digital goods, such as cash equivalents, gift vouchers, Forex. You know, whatever, counts or can be considered to be a cash equivalent and that's easier, but those businesses tend to be quite strict with whom they let in, because they are in high-risk segments. So let's say industries that are considered by the card schemes as being of high fraud or financial risk.

And so MCC codes like 7995, gambling or other types of digital goods, typically have quite strict scrutiny when it comes to onboarding new customers. So, this makes it difficult for fraudsters to traditionally use stolen credit cards and to be able to successfully put money in their pockets.

So what we've seen lately in the last few years, is that fraudsters realize that high-risk is difficult, so for them to spend money on high-risk merchants, is actually quite difficult, but then the low-risk ones are mostly in the retail and card-present space. So what they've turned to is they now open their own merchant accounts, with PSPs or acquirers and they process cards on their own stores. And this is a lot more effective, of course. So if you have a list of stolen credit cards, and you actually have a merchant account where you can use them, then within days you have the money in your pocket and you can then just go away happily with the money in your pocket.

This implies passing KYC and KYB checks, but these are typically quite easy to pass, if you are opening a business that is in the low-risk segment. So you know you have your corner coffee place, or you have an online store selling T-shirts. These are typically deemed as being low-risk and so the acquirers, especially the ones that specialize in the low-risk segments, and small SMBs or small and medium businesses, they want to onboard fast and they want the ability to enroll a lot of customers and so they want to have simple KYC and KYB processes. And this makes fraudsters’ lives very easy when it comes to opening up a merchant account and then just start processing cards with that merchant account.

So that's exactly what our Merchants Initiated Fraud Detection product is made for: detecting these fraudulent merchants, the ones that open an account and then start processing cards that are not theirs. So they process cards in their own store.

[00:07:21 - CSH]: Maybe I could ask you a couple of questions about that because the reason why these customers become merchants is because the space is quite competitive. They want to be able to onboard people quickly or else they're going to go to someone else, so it's their compromise of getting the business versus providing that oversight on the process. Maybe the next question is what size Acquirers / PSP would benefit from this product, to gain that oversight over this onboarding merchants and how quickly does this happen?

[00:08:31 - JM]: So the simple question, or the simple answer, is that any sized acquirer can benefit from this. But especially the ones that will benefit the most from this product are the ones that operate in the low-risk segments.

And the reason for that is, as I said before, it is a competitive business and they will want to be able to onboard customers very rapidly. Sometimes acquirers allow their customers to start processing transactions on the same day. And the next day they will have a terminal, a point of sales terminal, at home, and they will be able to start processing point-of-sales transactions from that terminal the day after.

So this is really crucial for business. If you think about it from a merchants perspective, you want this to be as hassle free as possible and as frictionless as possible and you want to be able to start accepting payments as quickly as possible. From an acquirer's perspective, you also want to be able to onboard businesses as quickly as possible.

The flip side of course, is that you need to be able to have controls in place that mitigate your risk. And when I say mitigate your risk, I really don't mean that risk can be completely prevented or dissipated. You need to come up with a strategy that makes sense from an onboarding perspective. You want flexible onboarding procedures that aren't too difficult to meet and pass and don't take too long, but at the same time you want to be sufficiently in control.

But what you really want is to be able to then check the merchants behavior, in real-time. And when they start processing sometimes the KYC or KYB process is very complex and time-consuming. And the merchant is able to pass it, a fraudulent merchant is able to pass it. And then the moment they start processing there are no controls, and only when the chargebacks start coming through, will the acquirer actually see that they are fraudulent and this is exactly what we want to be able to avoid.

So this is a double bounce effect, right? You have issues with onboarding, it takes too long, too difficult. And then you have no controls after that. If, and when, fraudulent merchants have access to merchant accounts, then they will start processing transactions, and the chargebacks will come through, and after a few weeks, by then, the money is in their accounts, they're long gone. And this is very bad because it prevented this acquirer or this PSP from acquiring new business, and from onboarding legit businesses quickly enough - so they lost business to their competitors - and at the same time, they are losing loads of money from fraudulent merchants or to fraudulent merchants.

[00:13:00 - CSH]: Okay. So, what types of behavior of these suspicious merchants is Fraudio’s Merchant Fraud Prevention tool picking up?

[00:13:13 - JM]: We look at the sequences of transactions, and we compare those sequences of transactions to other similar merchants, or merchants in the same segment - and we consider the segment to be a combination of an MCC code, the merchant country and the channel, the transaction channel. So an example would be 7995 Gambling, in Cyprus, E-commerce.

This of course is a very specific segment in one that's very different, from say, babies, clothes, Retail, point-of-sales, in the Netherlands. So, we will look for merchants that are similar to a given merchant - so merchants within the same segment - and then we'll look for what is normal in that segment. So, what is the normal amount of transactions with a given card per day, or per week, per month, whatever, what is the average ticket value? How many cards will you see being registered from the same person? And then sequences of failed transactions. That's a very useful pattern.

If we detect that a transaction of, for instance, 500 euros, that was rejected, and then right after that, there was a transaction of 300 Euros also rejected, then chances are that if there's another transaction coming through after that, chances are that this is some form of card abuse.

And if you see that repeatedly for this merchant then the merchant is either under attack from a fraudster, or the merchant itself is involved in the fraud. And then, what matters is the ratio of how frequent these patterns are, and how diluted they are in good traffic, in seemingly good traffic.

What we see is that in practice, about 3% of merchant accounts being opened in the low-risk segments, end up being fraudulent merchants. And what we see is that they are typically very specialized merchants. So merchant accounts that are opened with almost the only intention of committing fraud, credit card fraud.

And so this becomes very evident after just a few transactions, and we're able to close them and to shut them down very very soon after they start processing transactions.

[00:17:10 - CSH]: Okay, just going back to your talking about the segments and comparing new merchants behavior against other merchants in its segment, or comparable merchants, I'm a new acquirer, I've just integrated with Fraudio, you don't really have a lot of information from me about my merchants, how are you getting this comparison? Where are you getting this data from to make this comparison?

[00:17:41 - JM]: So we receive data in real time, transaction data from our customers, but we also need to receive information about the merchants themselves. Information that was gathered during the KYB and KYC process. What we call meta-information, metadata, about the merchant.

Then also, information about fraud flags, chargebacks, etc, that's also very valuable, but for this product, again what we really try to do is to shut down a merchant, or to enable the acquirer to shut down a merchant before the chargebacks start coming through. So we rely mostly upon information about the merchant and transaction information in real-time.

[00:18:45 - CSH]: Integration with Fraudio's Merchant Fraud product involves sending out live transaction streams, from the acquirer. Also having given Fraudio the merchant's metadata, there's an understanding of the KYC processes, and then from that point Fraudio's can detect in real-time and send alerts about merchants that are suspicious. So tell me a little bit about the alerts that Fraudio sends, and how often they send them.

[00:19:27 - JM]: Right. So it depends on our customers' needs. We can send alerts twice a day, once a day, once a week. It really depends on the rate at which our customers are onboarding new customers.

And so, our reports contain alerts, and each alert refers to a merchant. So one merchant ID and then it contains one color code for the severity of the alert. So yellow, red or black.

With black we really want our customer to shut down this merchant immediately. We almost don't make false positives, or don't make false positives at all. Because this connects to the Fraud  Transaction Detection product, or our other product, and when we flag a merchant as being of black fraud risk, then we start walking red flagging every transaction from that merchant immediately.

Then the second level of alert is red. With red, we want the customer to start an investigation, a fraud investigation, as quickly as possible. And then the lower severity alerts are yellow. And with that one, we suggest that our customer asks their customers, so the merchant, for some more information, but it's a little bit more preventative. A little bit more trying to understand and to place the merchant, that specific merchant, in a perhaps in a sub-peer group, so inside a specific segment.

We will see variance, and we'll see merchants that, for instance, process fewer transactions, but higher values, or the other way around and we don't have information about that, and we want our customer to try and obtain more information.

[00:22:24 - CSH]: So there is some knowledge, I guess, on the side of the acquirer / PSP, about these merchants, and some of them may have been processing for a long time, or some may just have a sort of unique business model that might be a little bit obscure. So, how do you start incorporating that sort of business knowledge about the merchants into the Merchant Fraud product.

[00:22:55 - JM]: So actually still about the alerts that we raise, together with each alert also goes an explanation for why we raise that alert. And those explanations help the fraud investigations teams start the investigation.

So we can say during, or within this time range, we saw a lot of transactions that were rejected, an abnormal amount of transactions that were rejected, when compared to the merchants typical behavior, or to the merchants peer group typical behavior. This is one example.

There's other alerts that refer to abnormally high ticket values, to a lot of transactions that our other product, the transaction Fraud detection product, thinks are fraudulent, etc. So we always raise an alert with a very quantitative score and color, but also with an explanation. As to why we raise this alert with this color, and also, ultimately the transactions that led to this alert being raised. This is very useful for fraud investigations teams.

As for how we can incorporate data from our customers' knowledge into this product, there's two ways: during the onboarding phase, they are able to obtain more information about the customer. So they will have different KYB or KYC levels. And then there's also their trust in this merchant. Merchants that they've been processing for a very long time. Merchants that they know very well and trust very well will have different trust levels. And we get those trust levels and we use them in our models. It doesn't mean that we will whitelist certain merchants. We don't do that. And in fact, for our customers, we have detected merchants and we've helped them shut down merchants that were processing transactions for a very long time, which actually went rogue, so to say.

Especially now during the pandemic, a lot of up until then good merchants lost a large part of their revenue streams and so they had to turn to other means in order to make money to make ends meet. And unfortunately they almost succumbed to the financial pressure and started working with criminal groups or themselves went after those stolen credit cards and started processing them. This happened a lot in Europe, but also in Latin America and so it is very useful for us to incorporate prior knowledge that our customers have about their customers but we won't, whitelist or blacklist customers or segments because of that.

[00:27:26  - CSH]: Nice and you're talking about the reports and the color coding. So black is really highly likely to be a fraudulent merchant, and then we have the red levels, and the yellow. There is a lot of good information in there that can be used for a variety of things within their business like you said, they can do more investigations or they can put people on a watch list. And also sometimes there's merchants that are actually being targeted rather than being fraudulent themselves, so these reports actually provide a lot of value

They all show changes and behavior of the merchants that perhaps need to be monitored because, like you're saying, some merchants even though they've been around for a long time, they can change it any moment. So I'm just thinking about, hearing you talk about it, there's obviously a lot of information that Fraudio is going to need to collect from a PSP or acquirer, to make this product work, we're talking about live transactions, we're talking about merchant metadata, so there's this sort of an integration phase to be able to utilize this product. Tell me a little bit about this and what that involves, with the interaction between Fraudio and a PSP.

[00:29:03 - JM]: Sure. There's two ways to do this. If the customer is interested in protecting individual transactions as well, then we will want to start with those. So there's a few steps apart from all the data transfers that we would require. The very first integration step is really to start calling our API.

So in real time they send a transaction to us, and we will return a score. This is in real time, pre-authorization.

Then a second step is to send right after a transaction is processed and authorize or rejected, we want to receive that information. So we want to know whether a transaction was accepted or rejected, for instance, and with the reason called: no funds available, do not honor, blocked by the issuer for suspicion of fraud, whatever we need to receive that information. Because as I said, we put all the individual transactions in sequence. And in context.

Then the third touch point and integrations, is for the customer to start sending us information about chargebacks. So when a chargeback occurs, or when a fraud flag of any sorts is raised about a transaction that was processed and accepted, we want to receive that information.

This gives us three moments of information about a transaction: Pre-authentication and Pre-authorization, and that's when we produce a score for that transaction that allows the customer to block the transaction in real-time or authorize a transaction or do some further investigations or checks, either in real-time, for instance, switch on 3D secure for that transaction, or do some form of manual investigation, call the card holder. And then right after that transaction has been processed; if it has been authorized, we want to receive that notification; if it was rejected, we also want to receive that notification.

That's how we improve our models. Now, off the back of that, this is a continuous stream of information coming to us.

For the merchant initiated fraud detection this gives us information about the transaction stream. There's a second level, a second layer of information that we also need to receive, which is about the merchants being onboarded on a daily basis, on a weekly basis, or I would say up to on a weekly basis. So we want to receive files or API calls with all the data about the new merchants, or a change in the configurations for an existing merchant.

After we have this, we start sending reports that I’ve mentioned with alerts. We start sending them back to the acquirer. Typically what we see is that this process will take up to a few weeks, not more than a few weeks to go through, but value can be added immediately. So, from the very first touch point is completed, we start adding value.

Then if a customer is only interested in the second product, the Merchant Initiated Fraud Detection products, then we can actually skip a few steps. We can skip the pre-authentication and pre-authorization step. A customer can just send us the stream of post-authentication, post-authorization transactions. That customer also needs to send us the chargeback notifications or the fraud label notifications and the merchant level data, and with that we can start sending reports, quite rapidly.

After we have some information about the merchants and the post-authorization information, we have enough to start adding value. We don't need the chargebacks, but again, we learn from the chargebacks, so that's also very valuable information.

[00:35:53 - CSH]: The Merchant Fraud product is like all Fraudio products: the amount of effort that the PSP or acquirer puts into the integration, the more data they can see, the cleaner the data, the more value they're going to get out of it, right? The more often they update us on merchants they're onboarding, the better. And also we can collect some information around what merchants are transferring in and out of wallets, or transferring in and out of their bank accounts associated with the PSP/ Acquirer as well to enrich the data we're using for this process, correct?

[00:36:39 - JM]: Correct. So we want to receive payments' information, but indeed, also every other type of financial flow transactions, that one way or the other move money around. That can be outbound transactions from their merchants' accounts, it can be cash withdrawals from their merchants' accounts, and certain acquirers issue, for instance, cards for their merchants accounts, so they cover both the acquiring side, and the issuing side for their merchants, and that is very rich. It allows us to have a lot of information, not only about how the merchant is collecting payments, but also about their interaction with their merchant accounts.

So, if a merchant processes a string of stolen credit cards, gets them authorized, gets money in their account and immediately goes to the ATM and withdraws cash that’s really suspicious behavior. This is something that we learn from. Past transactions that look like this. But this is something that ideally we want to be able to prevent.

What an acquirer really wants to be able to prevent is that cash-out moment or event. Because if fraud happens, but then the money actually stays in the merchant account, there's still something that can be done about it, right? You can always issue refunds, etc. So there's ways to deal with that. Some damage has been done, but it's not permanent damage. Whereas if the money actually leaves the fraudulent merchants account then only criminal actions can be taken. But then it's a police business.

[00:39:28 - CSH]: So these alerts we see in these color, these color coded alerts, they can come to the customer, to the PSP/acquirer, via an API and they can actually trigger automatic processes. So perhaps a delayed settlement on a merchant account pending investigation, they don't actually have to disrupt this merchant's business initially, but they can protect themselves from, like you're saying, that cash out moment. By just putting sort of a simple automated process while they investigate, perhaps not for all alerts, perhaps just for the red, or red and black alerts, but yeah, it definitely allows that in real time, automated security, for the PSP/acquirer.

[00:40:15 - JM]: Correct. So controlling that disbursement money moment, or the settlement moment, is very important. There's also another way the acquirers have to control their risk, which is to have rolling reserves. To always hold cash, or money, on behalf of their customers and really not to allow their customers to withdraw all the funds that they have in their accounts.

But again, this is a competitive business, especially the low-risk segment is a very competitive business. And what we see is that acquirers really are moving towards same day settlements, no rolling reserves, very easy or simple KYB and KYC onboarding processes. And this makes lives for the fraudsters very easy. So what was there before, what happened before, what was true before, really isn't applicable anymore in a market that's becoming highly commoditized.

So, the acquiring business nowadays, if you're in the high-risk segment, you still can afford to have good checks in place and to have high rolling reserves, to have a settlement in a few days, only after a few days. But if you're in the low-risk segment, you really cannot do it, otherwise you're not competitive. And especially in some countries, in some other countries, you will still see acquirers doing that. But going forward, and this is what we are seeing in the industry, going forward, acquirers really are becoming very permissive, and they have to be very permissive when it comes to their merchants.

[00:42:45 - CSH]: So then the beauty of Fraudio's Merchant Initiated Fraud Detection product is basically in real time, in analyzing these transaction streams combined with other data and metadata from the merchant, we're able to give those real-time, nearly real-time alerts, or depending on the business needs of the customer, to tell them which merchants are suspicious, and for them to take appropriate actions in a timely fashion. That's the key in a timely fashion, right?

[00:43:20 - JM]: Exactly. I mean, detecting a fraudulent merchant is actually very easy. You let the merchant process transactions, after a month, or a couple of months, you start seeing the chargebacks come through, very easy to detect. So, if a merchant has processed 50 transactions and 40 of those were rejected, 10 were authorized, from those eight were charged back, it's pretty evident. The problem is that the money is already long gone. So it's not really about detecting. The problem is, or the difficulty is not detecting a fraudulent merchant. The problem is, on the one hand, avoiding those transactions to happen in the first place., but also, and even more importantly, to detect it early enough so that the disbursement hasn't occurred. Really making it so that the acquirer is protected from a financial perspective.

[00:44:36 - CSH]: It's good. So, we've talked a little bit about, we're mostly talking about merchant fraud here, but we have also touched on transaction fraud. And that is a key aspect to the foundation of the merchant fraud product with customers. How do you feel about customers who just want to use merchant fraud and don't want to use the transaction fraud product? How do you see the value of just having the merchant fraud product as opposed to having both?

[00:42:18 - JM]: So while I think that an acquirer will be able to benefit a lot from having the Merchant Initiated Fraud Detection product, as a standalone product, i really think that the way the two products interoperate make it so that the benefit, or the value is maximized, if a customer is using both. But they are standalone products. So they can be stand alone program products. Because of that, when a customer comes to us and says, "I'm really only interested in the Merchant Initiated Fraud Detection product, because I am in control of my normal transaction fraud ratios", then by all means, we will still be able to add a lot of value.

[00:46:24 - CSH]: Okay, nice. Getting to final questions here: Fraudio uses cutting edge, complicated AI behind the scenes. We make it as simple as possible for our customers, but often people contemplate doing this sort of thing in-house. How do you feel about that consideration?

[00:47:01 - JM]: It's the typical Buy versus Build consideration. If you are in the Payments Industry, your core business is to process payments, ultimately, and to add value to your customer by reducing friction, optimizing costs, etc.

In order to, and I would say that fraud detection, really isn't your core business. However, it does have a big impact on a company's bottom line and even top line. Because of that, to think about doing it in-house, is a legitimate thought, but one that carries some risks with it: you on the one hand, you need to be in control of your data. You need to have a lot of data, good breath of data. You need to have well curated data, you need to have a very strong data science, or data team. And you need a lot of time.

So the investment isn't small. You need, on the one hand, to have really a lot of data already. You need to be in control of your data. You need to have the talent in-house to do it. And I mean, having one data scientist isn't going to do it. It's not enough. You really need a fully dedicated team. And it takes a lot of time, you just need, you need time.

Also, you know by using only your data. you are limiting yourself to the patterns that you've seen before, to the types of fraud that you've been exposed to before. If you grow into a new country that you know nothing of, you will be flying blind. If you expand to a new segment, you will be flying blind.

So there's just really a lot of risk in following a build strategy. And I think that working with a specialist company like Fraudio, or one of our competitors, brings or has the potential to mitigate that risk and to bring value a lot quicker. And more value. The reason for that is pretty simple: we at Fraudio for instance, have already billions of transactions, across the globe, we have seen a lot of fraud. And we, because of the way we develop our models, we put everyone's data together.

So, instead of building models individually for one customer, we map everyone's data to our own internal data schema, and so, we put everyone's data into one very large data table and then we produce models from that table. And this really allows us to leverage very powerful network effects.

We have a lot of transactions from the issuing side. We know a lot of cards very well. A lot of BINs, very well and even the ones that we have allows us to extrapolate to other countries very well and other regions very well.

And then of course my processing transactions from an acquiring perspective, we know merchants very well, in specific countries, in specific regions, and this is the type of data that our customers don't have if trying to build something themselves. They don't have access to as much data and they don't have access to as many resources as we have.

[00:52:07 - CSH]: Nice. Okay, I've got one last question. And in one sentence or maybe a few sentences but under a minute: what do you think is the best thing about Fraudio’s Merchant Initiated Fraud Detection product?

[00:52:25 - JM]: Okay, so it's very simple to use and for acquirers in the low-risk segment, it really allows you to onboard them very rapidly. And knowing the controls we’ve put in place after a customer has started processing transactions, will be very tight. So we allow acquirers to grow quickly. Without being overly concerned about their liability and their financial losses.

[00:53:14 - CSH]: Hey! Awesome!

Hope you've enjoyed our fireside chat conversation between Claire Scott-Hayes and João Moura about what is Merchant Initiated Fraud. See you on our next talk!

About Fraudio

Fraudio is an Amsterdam based scale-up helping companies in the payment ecosystem fight payment fraud and financial crime with its unique ability to build high performing AI and ML models without costly customisation. It is trusted by some of the fastest-growing companies in the world, protecting them from payment fraud, merchant-initiated fraud and money laundering.

Fraudio's founders are from the payments industry and don't believe in black-box solutions. They ensure that end-users are provided with insightful and timely information to control payment fraud and merchant portfolio risk while ensuring the highest level of security and auditability. It's easy to integrate with products that deliver best-in-class fraud detection from day 1, allowing clients to scale their customer bases safely, reducing operational costs and fraud losses while maximising revenue.

Measure results yourself !

How about trying our solution  and experiencing the next generation for yourself?