European Union to Consider Reduced Inter-Regional Card Processing Fees

Kevin Smith, Riskskill: What does the inter-regional interchange fee rate picture look like today and where is it moving to?

The European Commission is the first competition authority to take action against Visa and Mastercard for their excessive inter-regional interchange fees. With its experience and successes in reducing intra-regional interchange fees in Europe, this latest action and its positive impacts have set an interesting precedent. It is great news. The European Commission move addresses both regulator and merchant concerns about the unfair and extreme costs of processing non-European cards.

Since 2015, domestic and intra-regional consumer card interchange rates within Europe have been driven down significantly. Although these fee reductions should have been passed through from merchants to customers, it is not clear how or if this has occurred. Recent Payment Systems Regulator (PSR) attention and its UK industry consultation have shown that the merchant service charge (MSC) also contains many other scheme fees, acquirer fees and margins.

And let’s not forget the myriad of other organisations in the transaction processing flow, providing their services and expecting their fees.

European regulatory attention and merchant concerns should not be a surprise, not when typical consumer card interchange rates within Europe are now at just 0.20% (debit) and 0.30% (credit), whereas they are 1.20% and up to 1.97% for equivalent inter-regional POS transactions in Europe.

Most merchants in Europe have more domestic card payments than other European card payments, with non-EU card payments last of all. On this basis, most European merchants do not experience or notice the impact of accepting cards issued outside of Europe.

However, for many European merchants with lots of international customers, their cost of accepting cards is exaggerated by these disproportionately higher inter-regional interchange fees.

The wide gap between domestic and intra-Europe interchange costs and those for inter-regional transactions makes us ask what the different costs are for processing these transactions, i.e. are there really any greater risks or costs involved with the inter-regional transactions?

Based on the rhetoric used by the European Commission, Visa and Mastercard, strangely, did not fight for the status quo, which quickly led to the agreement of new and reduced fees.

So what does the inter-regional interchange fee rate picture look like today and where is it moving to?

Figure 1: Card Present Transactions acquired in Europe

| Face-to-Face / Card Present Transactions | Inter-regional Interchange Fee – Today | Inter-regional Interchange Fee – Pending |
|---|---|---|
| Visa Consumer Debit | Between 1.10% and 1.97% | 0.20% |
| Visa Consumer Credit | | 0.30% |
| Mastercard Consumer Debit | Between 1.10% and 1.98% | 0.20% |
| Mastercard Consumer Credit | | 0.30% |

Figure 2: Card Not Present Transactions acquired in Europe

| Online / Card Not Present Transactions | Inter-regional Interchange Fee – Today | Inter-regional Interchange Fee – Pending |
|---|---|---|
| Visa Consumer Debit | Between 1.44% and 1.97% | 1.15% |
| Visa Consumer Credit | | 1.50% |
| Mastercard Consumer Debit | Between 1.44% and 1.98% | 1.15% |
| Mastercard Consumer Credit | | 1.50% |

The European Commission argued that this reduction: “will lead to lower prices for European retailers to do business, ultimately to the benefit of all consumers”.

For those merchants with higher card acceptance from outside of Europe, the European Commission believe that the cost savings could be 40%.

The European Commission decision does now raise important further questions about other payment scenarios:

a) Now that the parties have agreed lower inter-regional interchange rates, when will these revised fees come into force?

The European Commission states: “Under the commitments, Mastercard and Visa each undertake to reduce the current level of inter-regional interchange fees to or below the following binding caps, within six months:”

NB: the scheme commitments will apply for five years and six months from the above date.

But when does this six-month period begin?

  1. The date from which the European Commission made the scheme commitments legally binding under EU antitrust rules, or
  2. Is it from the date communicated by each scheme to its respective client issuers and acquirers?
  3. Or as reported by the BBC UK website on 29th April 2019, i.e. on 19th October 2019 for five years.

Scheme updates posted following the European Commission press release confirm that the effective date for the inter-regional interchange alterations is indeed 19th October 2019.

b) What about inter-regional debit and credit cards in mail order and telephone order (MO/TO) in Europe?

The European Commission only refer to online payments. Can we assume that MO/TO transactions, though not specifically mentioned, are included in the European Commission definition of Card Not Present transactions?

Scheme updates posted following the European Commission press release confirm that Card Not Present transactions are all transactions other than card present transactions, so MO/TO transactions are included in the planned fee reduction.

c) A trustee will be appointed by the Commission to monitor the implementation of the commitments. Who will be monitored?

  1. Will they monitor Visa and Mastercard and whether they enforce the fee reductions in line with the agreement?
  2. Or will they monitor individual merchant acquirers and their agents to see if they deploy lower pricing within the agreed timeframe?
  3. Or will they monitor individual merchants to see if the lower costs lead to lower consumer prices?

d) How will EU card issuers justify and defend their continued receipt of higher interchange rates for card usage outside of Europe – i.e. the reverse of this agreement?

Will similar regulatory and merchant pressure outside of Europe lead to reduced interchange fee costs elsewhere and therefore reduced income for European issuers for non-EU based transactions?

As with previous interchange fee rate reductions, we should expect unexpected and unintended consequences.

e) If a South African-issued card accepted in Europe incurs the new lower interchange rate, what does that mean for the same card accepted in Australia or the US?

This is not a matter for the European Commission, but clearly, they will provide essential guidance and advice to other national payments and competition regulators around the globe to challenge Mastercard and Visa further.

International merchants with a presence in Europe and in other regions and countries around the world will increasingly question why they are incurring very different interchange fees across different regions and markets.

Is this the ‘beginning of the end’ for over-inflated and higher global inter-regional and local interchange rates?

f) What about the three-party model?

Inevitably, such schemes will be forced to revisit their merchant pricing to ensure any merchant preference or favour for such brands.

g) Will lower interchange fees mean increases in other card processing fees?

In the UK most noticeably, and across the rest of Europe, we have witnessed that lower interchange rates have been offset by increases in acquirer pricing, such that the positive pricing effect does not pass through to the end customers.

Are we going to see a similar offset of inter-regional interchange fees with poorly explained increases in scheme fees for inter-regional transactions and corresponding acquirer processing fees?

h) What about non-EEA countries? The European Commission press release on 29th April 2019 states that the inter-regional interchange rate reduction will positively impact transactions acquired in EEA countries.

Effective April 2019, Visa no longer treats Israel, Switzerland and Turkey as part of their EEA market definition. This means that transactions into and out of these countries, for example the UK or US, are now treated as international for interchange purposes and scheme fee levels.

i) So what does this mean for commercial cards and any other programmes? These have been excluded from regulatory pressure on interchange reimbursement fee reductions.

Inter-regional commercial card transactions do remain a very small percentage of total card expenditure for many European merchants.

Commercial card interchange rates are typically between 0.20% and 2.10%.

| Small Business, Commercial and Corporate Card Transactions | Inter-regional Interchange Fee – Today |
|---|---|
| Visa Commercial Debit | Between 0.20% + GBP 0.01 (according to Visa Business Immediate Debit) and 2.00% |
| Visa Commercial Credit | |
| Mastercard Commercial Debit | Between 0.20% (according to Mastercard debit Government payments) and 2.10% |
| Mastercard Commercial Credit | |

So how long will it be before commercial debit and credit cards are included in the regulatory challenges to reduce interchange fees?

The changes and this agreement are all great news and positive developments, but the implications and implementation still need to be better understood and defined, and there remain many questions and some big issues therein.

About Kevin Smith

With over 25 years in the payments business, Kevin is a trusted and experienced practitioner and thought leader in payments, technology, issuance, acceptance and acquiring. At Visa, Kevin headed acceptance and acquiring development and was instrumental in changing how Visa viewed payment acceptance, acquiring and retailers in Europe. Kevin also led fraud and compliance management functions at a senior level at Visa. Kevin has worked in retail management for a major UK retailer, and for a major UK high street bank in its retail banking cards and acquiring development business; in senior roles at Switch, the original UK domestic debit card scheme; as well as in Visa Europe and Visa International in the US.

About Riskskill

Riskskill is a leading Europe-based payments and risk management consultancy, with an impressive international track record of helping payments businesses to find and mitigate payments challenges and risks. The firm works with clients to put in place strategies and programmes of work to make payments businesses or functions more profitable, less susceptible to losses, risks and regulatory issues and compliance problems. is a global GARS Reviewer for Visa and a member of AIRFA, the Association of Independent Fraud and Risk Advisors

For further information, please contact: Bill Trueman or Kevin Smith at and

11 Must Know Facts about EMV Chip Cards and Technology

This is an FAQ for the emerging USA market, which is today moving towards EMV: in the USA, EMV is now starting to happen quickly in order to catch up with the rest of the world, where EMV has been implemented over the last 15 years.

1. What is EMV?

EMV is the standard that was created about 15 years ago to increase the security of payments globally and reduce fraud, at the same time as making payments easier for all parties. It was originally conceived by Europay, MasterCard and Visa – hence the name. It was a US company initiative, but was adopted much faster around the rest of the world for a number of reasons.

2. Does EMV work – Is it proven?

It is used almost globally now. The USA market may be a large market in itself, but it is now just a small final part of the global solution left to implement EMV. Overall, EMV has reduced fraud where cards are present at the point of sale to almost $0 and created a safe card processing architecture for all parties. There have been a lot of misreported problems that often stem from articles written 20 years ago, but all the pre-EMV doom-mongering has proven unfounded. EMV has been a global success.

Sadly, the US market is where the fraudsters have moved their operations to, i.e. away from the markets that have implemented EMV, where EMV-based OTC fraud has reduced to almost $0. The compromised cards from, say, the Target and Home Depot data thefts have been little more than useless in EMV environments.

3. Why has the US become one of the last markets to adopt EMV?

The easy answer is to say: ‘we do not know’.

The more complex answer is that there were a series of technical, strategic, legal (Dodd-Frank / Durbin) and operational issues that delayed implementation of EMV. There were also many less relevant reasons that managed to be cited for non-adoption of EMV over the years.

4. What are the main reasons that have held us back in the USA?

The reasons are many, but fall into the following broad categories:

  • The US does not have a national payments ‘card strategy’ direction body. In the rest of the world, implementations have been either directed by a government or national body or have been supported by a strong collection of interested parties who have created the business cases, statistics, and losses for the problem. Similar bodies have driven forward the solutions and project-managed the communications and change management.
  • Many interest groups have examined their own costs of implementing an EMV solution in isolation from the industry as a whole, and based upon assumptions that benefits would not be realised or passed on. The average interchange costs from the schemes for ‘secure transactions’ – which are defined as EMV transactions in an OTC environment – are lower than those for non-secure transactions, which forms a large part of the financial benefits differential for an EMV implementation.
  • Without a strong ‘national’ lobby group, retailer groups in the US have not been able to so readily ‘demand’ softer benefits for an EMV programme such as making the customer journey easier, cheaper, and quicker at the till. Retailer groups have assumed that the costs would fall to them, without benefits.
  • The payments market is fragmented, with so many different parties with their own P&Ls and interests – e.g. card schemes, Issuer banks, Acquirer banks, processors, technology providers and merchants. Some of these groups are stronger and bigger than others, and the best decisions for ALL parties may not have been made.

5. What other reasons have been cited for not implementing EMV?

There are many of these, so it is hard to know where they start and finish, but the main ones seem to be:

  • The cost of card upgrades is perceived as high, whereas costs have fallen exponentially over the last 15 years, and we still see people who quote costs associated with the 1990s. Chips on cards or on SIM cards are now a cheap commodity.
  • The cost for merchants is perceived to be too high, which is a perception that is unfounded. Most merchants upgrade their POS equipment regularly and in doing so, the wise ones will implement chip readers. This technology is relatively cheap and technically much more robust than magnetic stripe readers. In other markets, large retailer groups have demanded PIN implementations because this removes the need to take and store signatures, and puts the card and customer ‘checking’ / security process back into the hands of the card issuers rather than making it part of the duties of a till operator. Experienced PIN users find the ‘signature processes’ both slow and cumbersome. Retailers like PIN because the throughput of customers is faster and documentation storage, production and retrieval are removed.
  • There are legal reasons that prevent adoption in the US. The main reasons seem to be associated with a need for payers to be allowed to select payment methods at the point of sale (often associated with the Durbin Act). EMV standards were amended many years ago to permit such choices at the point of sale in order to accommodate needs for such flexibility within other countries in the world.
  • EMV is only for off-line transactions – A belief persists that EMV is either only for off-line transactions, or mainly for off-line transactions. EMV has security, handshakes and flexibility for all parties in many ways, and it allows for cards to be used in off-line environments securely and safely too, but ONLY if defined by the card issuer as a requirement. Many issuers will not require such functionality, as the world is moving fast to become fully ‘online’. Where customers travel to countries (or indeed regions without ‘on-line’ capability in the US or EU), i.e. where they need to deal with merchants which are away from a telecoms infrastructure, it can be useful for banks to allow customers to spend in such locations that may be off-line. Scheme rules are, however, continuously changing and telecoms are becoming much better than they were 10 years ago.
  • The USA infrastructure is too complex to change: often accentuated by the woes of the numbers of suppliers, gateways and issuers/acquirers within the market. This may well be perceived to be the case, but we also have to bear in mind that the experience globally is of far greater complexity, and that times change as solutions and markets evolve. We must also remember that we moved (globally) from zip-zap machines (knuckle-busters) to magnetic stripe processing, and exactly the same arguments were used then.
  • NFC is not supported in EMV – this is very incorrect. The EMV standard provides ‘the rails’ upon which NFC runs – and removes the insecure NFC that is based around ‘open’ unencrypted magnetic-stripe ‘Tap and Go’ cards that were issued a few years ago in the US. There has been a long-term re-hashed investigative TV reporting on card details being stolen via NFC readers, which is just not possible in an EMV environment. Of late, we have also seen reports that the EMV is vulnerable because of NFC – which again is incorrect and confusing.
  • There are better solutions – if we wait. This is true – There are always better solutions tomorrow, for any market and any solution. However, in payments there is nothing proposed or planned that will work – nor anything that is being designed by any significant body anywhere. The EMV standard was designed 2 decades ago by US companies, agreed to by most of the global card schemes and has been implemented as the global standard almost everywhere. It has also become the global standard and platform for building upon, with amendments adopted to accommodate things such as PCI DSS, greater levels of security, NFC and multiple transaction routings. ApplePay and AndroidPay are technologies that are evolving fast, but they adopt the security that forms part of the EMV standards – rather than replacing them or evolving them.
  • Delays are inevitable now that retailers need to accept Applepay and Googlepay/Androidpay: No. The EMV architecture can be used for these payment types with no need for further POS Terminal changes. The EMV infrastructure is all that is needed and around which these payment methods were designed.
  • Restaurants cannot accept tipping with EMV: Another urban myth, but one that is still quoted widely.

We would be happy to add other interesting entries to this list if you please provide them to us. We know of many others, but those provided above are the main ones that have substance and traction; and where we can see where some of the confusion or misunderstanding might have come from.

6. How will EMV stop frauds associated with the big data compromises like Home Depot?

Generally, with the data hacks / compromises that seem to be common news these days, card details are captured from the records kept at the retailers and these are then used by the fraudsters to create fake cards or use them on the internet. Fraudsters can purchase a magnetic stripe card encoder for less than $10 and go into business making magnetic stripe cards with stolen details. So the card numbers have great resale value on the ‘Dark Market’.

Card details can also be collected from an EMV card, and whilst these cannot be used to re-programme another EMV card, they CAN be encoded onto the magnetic stripe of a counterfeit card. In this case the card issuer will know that this has been done and stop any fraud. If the merchant’s terminal has a chip reader the card will not communicate correctly, and if it is a magnetic stripe card the correct magnetic stripe security details will not be present, as these are not available on the EMV chip. Fraudsters can try to re-programme an EMV card chip, but this is a lot harder and has not successfully been done. Even if it were possible to re-programme an EMV chip card, there are much easier ways to commit card fraud.

So, whilst the EMV Chip will not stop data compromises, the stolen data becomes very much harder to use and almost not worth stealing. Indeed today, whenever data is stolen from anywhere in the world, the fraudsters will sell the data for use in non-EMV environments – which is why the US has the largest fraud losses globally.

7. What happened on October 1st 2015?

Counterfeit Liability Shift for the US market began on this date. From this date, card issuers around the world with EMV Chip cards can recover money from counterfeit transactions in the US (and anywhere else), where their card details have been placed on a counterfeit card and where the transaction is undertaken with a magnetic stripe (usually because they have been stolen or compromised as in Q5 above). Accordingly, the losses go to the merchants / acquirers who do not have EMV Chip processing in place.

See more about this on our 1st October liability page – here, or on our roving reporter’s blog.

8. Why is all of this happening at the last minute and so quickly?

Fundamentally, this is NOT ‘last minute’ at all: plans for EMV have been in place for more than a decade.

President Barack Obama signed an Executive Order requiring that all government departments be EMV implemented/secure, to lead the way.

9. What are the issues around Signature vs. PIN?

Simply, Visa requires Signature under its Chip and Choice program and MasterCard prefers PIN.

10. Why is the USA moving towards a less secure Signature as an authentication of a customer rather than PIN?

We do not have a clue! Maybe the FBI can explain it to you. Maybe not – it will all depend on the time of day when you ask.

11. I have Signature, but I have to use my PIN abroad – What do I do?

IF your Card Issuer has set-up your card for overseas use, then it will work with Signature in the US and PIN overseas. If not, a merchant may accept Signature overseas, so it will still work!

Please contact us on for more details or with any questions that we should add, or with any details that are incorrect – but please do provide supporting details and documents to support further FAQ answers that we can add to this list.

The author, Bill Trueman, is a highly experienced specialist in payments, risk review, fraud prevention and due diligence. Bill is a member of AIRFA, and director of RiskSkill.



Top 7 Due Diligence Procedures in Merger and Acquisition

The buyer is responsible for carrying out a substantial amount of due diligence in a merger and acquisition transaction (M&A transaction). The buyer will want to ensure that it knows all the points related to the agreement and parties before committing to the contract. Some of these points might be:

  • Entities it is buying
  • Issues related to intellectual property
  • Its assumed obligations
  • Problematic contracts
  • Risks associated with litigation
  • Type and range of the liabilities of the target company
  • And many others.

This holds especially in the acquisition of private companies that are not subjected to any kind of scrutiny. It is also true where the buyer has less ability to collect data from publicly available sources. Note that the target company might carry out ‘reverse diligence activities’ if the transaction includes substantial stock to the buyer. This is where you may need due diligence services to properly investigate the company before buying. This is because it has a larger scope.

In this article, you will find a concise summary of the important business due diligence activities associated with a standard M&A transaction (both sides/parties). After reading this post, you will be familiar with the top 20 Due Diligence Procedures in Merger and Acquisition Transaction. Hence, you will be able to plan better and anticipate issues beforehand to ensure the successful consummation of a sale.

  1. Antitrust and Regulatory Issues
  2. Competitive Landscape
  3. Customers/Sales
  4. Disclosure Schedule
  5. Employee/Management Issues
  6. Environmental Issues
  7. Financial Matters
  8. General Corporate Matters
  9. Governmental Regulations, Filings, and Compliance with Laws
  10. Insurance
  11. Litigation
  12. Marketing Arrangements
  13. Material Contracts
  14. Online Data Room
  15. Production-Related Matters
  16. Property
  17. Related Party Transactions
  18. Strategic Fit with Buyer
  19. Tax Matters
  20. Technology/Intellectual Property

  1. Antitrust and Regulatory Issues: Recent years have seen an increase in scrutiny of acquisitions in this field. Buyers are now looking to undertake the below listed activities for assessing the facets of a potential deal such as regulation and antitrust implications:
  • Assessment of the scope to which an anti-trust issue can extend
  • Conclusive understanding of the effect of consolidation trends in an organization on the speed and probability of regulatory / antitrust approval
  • Confirmation of the company’s involvement in preceding inquiries / investigations
  • If the company belongs to a regulated industry, then it is important to obtain approval of the acquisition from a regulator. In this case, one must understand the issues associated with the approval (in terms of pursuing it and acquiring it)
  • In case the buyer is competing with the targeted company, it is imperative to understand the limitations on the level or timing of diligence disclosures and to work around them
  • In case the transaction includes foreign investment issues or national security concerns, then Exon-Florio issues must be considered
  • Issues must be addressed that might include preparation of a Hart-Scott-Rodino filing (that is if the thresholds are being met)
  • And also giving an effective response to “Second Request” from the Federal Trade Commission or Department of Justice.
  2. Competitive Landscape: As a buyer, you must understand the competitive environment in which the prospective business is operating. You can gather information on the following points:
  • Benefits and liabilities of the products as well as technologies in comparison to those of competitors
  • Existing or new technologies that will render the company’s present technology and processes obsolete
  • Main competitors of the company (existing as well as anticipated)
  3. Customers/Sales: As a buyer, you must understand the clientele of the targeted company. This should include the concentration level of major clients and their sales schemes. You may prepare a questionnaire, which should include:
  • Are there any issues or risks related to customer concentration?
  • Are there any issues present with the clientele (present or former customers)?
  • How will the acquisition affect the financial incentives (if any) that are offered to staff? Before this, you should find out whether the sales team is motivated or compensated in any way.
  • Is the current customer base satisfied with the company? For this, you can gather the client’s calls.
  • Is there an existing client backlog?
  • What are the comprehensive terms and policies of sales? Has the company faced returns / refunds or exchanges that can be termed out of the ordinary?
  • What is the standard revenue rate and what are the basic requirements of the working capital?
  • Which customers are rated in the top 10 and what amount of revenue is generated from each client?
  • Will you be able to retain customers after acquisition of the targeted company?
  4. Disclosure Schedule:

Preparation of the disclosure schedule is an important part of an M&A transaction and should be done by the targeted company. It should address all the standard points of a due diligence process. Further, it should identify the exceptions related to warranties and representations in the M&A agreement. Preparation of the disclosure schedule is a time-consuming process as it requires regular revision and update. Hence, its preparation should begin at the initial stage of the Merger and Acquisition Transaction.

The disclosure schedule must cover the following topics:

  • Are the patents (issued + pending) listed and briefed?
  • Are there any disclosures in the said schedule that will prevent the buyer from raising legitimate claims in case some warranty or representation turns out to be false?
  • Does the disclosure schedule list every contract in the targeted online data room? Has their review been done?
  • Does the listing include outstanding capital stocks and warrants?
  • Does any odd agreement exist?
  • Has the analysis of the potential litigation exposure been done?
  • Is the schedule completely in line with the warranties and representations that have been set out in the acquisition agreement?
  • Is there a full-fledged list of material contracts and corrections that also includes dates and counter-parties?
  • Is there any possible issue in the company’s existing contracts that might cause trouble after the merger?
  • Are there any liens on assets? If yes, then what are the procedures for their removal at closing?
  • With the change in the company’s control, will any important contract be affected?

  5. Employee/Management Issues:

It is important for the buyer to understand the issues pertaining to the management and/or employees of the targeted company. These issues might include:

  • Biographical data and the complete chart of management structure
  • Resolved, present and possible labor disputes / stoppages
  • Transactions involving persons of interest such as key employees, directors, and officers. The transactions may include documents, loan agreements and consultation agreements.
  • Listings of compensation paid to persons of interest such as key employees, directors, and officers. This should be collected for the last 3 fiscal years. The listing should be detailed and must include bonuses, salary and non-cash compensation (all listed separately).
  • Data on benefits, pension, retirement schemes, compensation, incentives and profit sharing concerning the employees.
  • If stocks are issued, then you must obtain proof of compliance with IRS Section 409A
  • As an acquisition is possible, you should obtain evidence of compliance with IRS Section 280G (golden parachute) rules
  • Manuals as well as policies of employment in the targeted company
  • Participation of important employees and officers in criminal and civil issues or proceedings
  • Existing, discontinued or future plans related to vacation, loans, relocation help, tuition fees, compensation, educational help, loan guarantees, fringe advantages and others
  • Suitability of the company’s treatment of workers as employees vs independent contractors
  • What are the retention requirements of agreements with important employees, and are these agreements suitable to be retained?
  • What are the acquisition-related costs of layoffs and their consequences?
  6. Environmental Issues

As a buyer, you should assess the potential environmental issues concerning the targeted company. In addition, you must analyze the scope of said issues that might impact your business. A standard environment review is among the Top 20 Due Diligence Procedures in Merger and Acquisition Transaction; it should include the following:

  • Accepted Superfund exposure
  • Contractual bonds / agreements, environmental claims, litigation and investigations
  • Environmental authorizations and licenses
  • Files, notices and/or correspondence concerning the EPA, or local / state regulatory agencies
  • Harmful items used in the company’s work
  • Information about asbestos included in the improvements on the company’s owned premises
  • Investigation records or data acquired from possible sources like neighboring properties or public agencies
  • Reports, data and audits related to the environment for all the properties (owned or leased)
  • Unforeseen liabilities related to the environment or continuing indemnification obligations
  • Whether petroleum products are used anywhere other than in passenger automobiles

  1. Financial Matters

Herein, you should assess and consider the financial metrics including the historical financial statements of the targeted company. Also, you should consider its potential future performance. Various topics that you can cover under financial matters are:

  • What are the effects / results of the financial statements of the last three years on its current performance?
  • Is auditing done? If yes, then what was its frequency?
  • Are the current as well as contingent liabilities covered in the financial statements and allied metrics?
  • What is the trend of business growth or loss?
  • Are the company’s future projections believable and reasonable?
  • How do the company’s projections for a financial year compare with the board-approved ones?
  • Is the standard working capital enough to pursue the business?
  • What is the formula of “working capital”?
  • What are the current commitments of the company regarding its capital?
  • For growth of the business, what additional adjustments are needed and what extra capital expenditures are required?
  • What are the stipulations of assets and liens thereon?
  • What is the status of indebtedness? Is it outstanding or company guaranteed? Further, are its terms defined and, if yes, what are those terms? What is its repayment time?
  • Is there any undesired or suspicious issue related to revenue recognition?
  • What is the status of accounts receivable and related issues?
  • Are the capital budget and operating budget suitable for the company? What are its future plans in terms of its deferring?
  • Have the calculations related to EBITDA been done suitably? This point becomes mandatory if you are buying a debt financing firm.

One can also contact Bill Trueman, a highly experienced specialist in risk review and due diligence, for Due Diligence Investigation Services. Bill is a member of AIRFA, and director of RiskSkill.

How Risk Management Strategies Can Minimise Losses

After reading this post you will get information on the following questions:

what is business risk management?
what is corporate risk?
what is enterprise risk?
what is enterprise risk management framework?
what is enterprise risk management in insurance?
what is enterprise wide risk management?
why enterprise risk management is important?
what is corporate risk management?
what is enterprise risk management?
what is enterprise risk management in banks?
what is financial risk management?
why enterprise risk management is necessary?
why risk management is necessary?
the value of corporate risk management?
the value of enterprise risk management?
benefits of enterprise risk management?
benefits of implementing enterprise risk management?
meaning of risk management
benefits of risk management

Introduction to Risk Management

Risk Management is basically a specified process of identification, examination & determination, evaluation and treatment of loss exposures. The definition of risk management also includes monitoring the financial resources and risk controls, for alleviating the detrimental effects of loss.

The Said Loss Can be an Outcome of:

  • Financial risks like liability judgments and cost of claims
  • Perimeter risks related to political transition or weather variation
  • Operational risks, especially labor strikes
  • Possibility of external fraud (committed by outsiders) or internal fraud (committed by own employees)
  • Strategic risks like reputation loss or changes in management
  • Any new government policies or changes to existing government policies

What is Enterprise Risk?

Enterprise Risk Management (ERM) widens the scope of the standard risk management definition. ERM defines a risk as any factor, visible or unforeseen, which can thwart the company’s endeavor to achieve its objectives. In the case of unforeseen events like accidents, some methods or guidelines can be delineated which can help in anticipating such events.

Remember that a predictable event always causes less risk, as there are always ways to prevent it, minimize its effects, or estimate the loss.

What is Enterprise Wide Risk Management?

Enterprise Risk Management is crucial in allowing companies to pragmatically deal with risks and uncertain situations so that their profitability and brand value is increased. It helps in finding and choosing the alternatives to the situations that are termed as ‘risks’. Enterprise Risk Management is also helpful in ensuring effective compliance with the prescribed regulations and laws.

What is Corporate Risk Management?

Herein, the framework comprises those practices that can optimize the risk taking factor; when the market value as well as book value accounting are relevant but not completely sufficient.

From one corporation to another, risks vary on the basis of numerous factors, important ones being industry, size, multifariousness of the business, and capital’s sources. A specific set of practices which are perfect for one, might not be as beneficial for the other corporation. In line with this, the value of corporate risk management may be more mysterious as compared with that of financial risk management.

Types of ERM Frameworks

1. Casualty Actuarial Society (CAS) Framework

ERM is also defined by the Casualty Actuarial Society (CAS) as the discipline by which a company assesses, controls, exploits, finances and monitors different types of risks from different sources, with the aim of increasing the company’s value in the short term and long term.

Risk Types Examples:

1. Hazard Risk – Property Damage, Liability, Natural
2. Financial Risk – Asset, Currency, Pricing, Liquidity
3. Operational Risk – Client Satisfaction, Integrity, Internal
4. Strategic Risk – Competition, Social trend, Capital availability, Government Policies

2. COSO ERM Framework

In 1994, the COSO Internal Control-Integrated Framework was amended. It has 8 Components and 4 Objectives.

The 8 components are:

1. Control Activities
2. Event Identification
3. Information and Communication
4. Internal Environment
5. Monitoring
6. Objective Setting
7. Risk Assessment
8. Risk Response

4 objectives are:

Financial Reporting

3. RIMS Risk Maturity Model (RMM)

The RMM for ERM is an umbrella framework comprising content and methodology that explain the requirements for sustainable and effective ERM. The model includes 25 competency drivers for 7 attributes which make ERM valuable. These attributes are:

I. Business resiliency and sustainability
II. ERM process management
III. ERM-based approach
IV. Performance management
V. Risk appetite management
VI. Root cause discipline
VII. Uncovering risks

What is Enterprise Risk Management for Banks?

In the banking sector, risk management is in the spotlight, as banks today understand the importance of an Enterprise Risk Management (ERM) program in creating a risk function which will help them keep the known and unknown risks of this sector at bay.

Benefits of Implementing Enterprise Risk Management (ERM)

  1. ERM can be considered as a set of procedures through which banks can effectively deal with varied risks, thereby augmenting the stakeholder’s value.
  2. It allows banks to move ahead towards the “holistic scenario” of their enterprise wide risks.
  3. Through ERM, factors like redundancies and duplicates can be eliminated

Instituting and Implementing Enterprise Risk Management (ERM) for Banks

The landscape of the banking and financial sector has a plethora of risks, which are only increasing with the passage of time. Hence, an ERM program is essential for the entire banking sector.

1st Step: Understand all possible risks and risk factors. Promote the risk culture throughout the entity.

2nd Step: Develop a framework which should be standardized and enterprise-wide. It should include general definitions, assumptions and analytics.

3rd Step: Frame all the risk objectives in perfect alignment to corporate targets, culture and risk appetite.

4th Step: The risk management should be autonomous of the business lines. It means that ERM should be reported directly to the higher management like Board of Directors instead of CEOs and other seniors.

5th Step: Identify all the “Risk Areas and Domains”. This will help in defining the perimeter of “risk management” in the company.

6th Step: Frame all the threats, and vulnerabilities. Create a ‘risk profile’ for every specific risk.

7th Step: Select the strategies which will mitigate the risks and their effects. Also, set up a system which will monitor and manage all the ‘risk profiles’ continuously.

Strategically, there are many benefits of risk management and the ERM is considered as the crucial part of corporate governance framework.

What are the Challenges in Following and Implementing Enterprise Risk Management (ERM)

There are a number of inherent challenges which need to be overcome to implement ERM. The top 4 challenges are:

1. Strong and continuous support from the higher management.
2. Exhaustive and adequate resources, especially in terms of trained experts and cost.
3. Professionals and all-inclusive knowledge of every aspect of risk management.
4. The focus on achieving the target without giving up in the middle.

Example: One of the most difficult steps is to integrate the risk management of credit, operational, market and liquidity risks with the other “financial” risks, as it requires momentous effort, time and cost to improve the fundamental data management.

What are the challenges for Banks in adopting ERM?

Betterment of Efficiency: Attaining optimum efficiencies in every process of risk and control. Improving the unification, coordination and streamlining of various procedures.

Regulatory Challenges: Frequently changing regulatory requirements, rigorous regulatory investigations etc.

Pulling & Retaining Talent: Inadequacy of talent in rising geographies or specialized areas

Some other challenges are:

1. Staying abreast with growth and complexity of the business
2. Handling the issues concerning people and organization according to the demands of new processes and methodology

Who is a Risk Management Specialist?

Risk management specialists are financial managers who are responsible for managing various risk taking activities to keep the business growing steadily along with yielding profits. These specialists have specific training, talent, skills and experience for identifying a set of risks that may lower the cash flow, affecting the revenue of the business.

What does a Risk Management Specialist do?

Their main purpose is to minimize the possible losses or risk for the business they serve. Some of the mentioned losses include cash flow, personnel / employees, or property. Their responsibilities also include identification and dealing with issues which may concern safety or insurance, that could lead to litigation if overlooked.

The work of a Risk Management Specialist can Include:

1. Assessment of areas which can result in a risk; thereafter taking action to minimize or eliminate the found risks.

2. Examining work conditions, filing workers comp claims, reading the guidelines / requirements related to code & legal aspects, surveying clients, looking for situation where liability might occur and discussing workers’ pay, working environment and other factors with the union.

3. Analyzing reports and cash flow data to identify and/or prevent any fraudulent activity.

4. On discovering a risk, the risk specialist should compile all the information to create a streamlined report, which should be clear and info-graphic.

5. Apart from creating reports, the expert should draft plans for reducing, avoiding, or eliminating losses and liabilities within the organization.

6. Their job responsibility also includes enforcement of the drafted plans, which may include assorted schemes related to problematic employees, blueprinting work and safety regulations, and up-scaling various procedures so that they comply with the latest laws and legislation.

Various Job Positions of a Risk Management Specialist:

Credit Risk Management Specialist, Financial Risk Management Specialist, Global Risk Management Specialist, Risk and Insurance Specialist, Risk Management Expert, Risk Management Professional, Risk Specialist.

Requirements / Skills of a Risk Management Specialist:

1. Perfect organization, management and communication skills
2. Analytical, mathematical and critical thinking skills
3. Experienced and seasoned experts
4. Should be able to handle stress of the profile

Example of Enterprise Risk Management (ERM) – The Reserve Bank of Australia

This bank has constituted a risk appetite statement in reference to its primary risks, which includes the main risk appetite statement and a supporting framework for risk management along with guidelines for implementation.

It is essential for a successful ERM process to assure that the risk taken by an organization is remunerated with some proportionate reward. It is also important that the organization is completely and comprehensively aware of all types and levels of risk which it is willing to take on. ERM is now considered a method of integrating risk and control processes that creates a standard blueprint which is helpful in the assessment and monitoring of each kind of risk. A unified model delivers actual benefits in terms of cost, apart from giving the organization a much better overview of risk. With an Enterprise Risk Management process in banks, corporates, financial companies and other businesses, the aim is to make it more robust, so that it supports the entire functioning of the business and minimizes every possible loss.

Author Bill Trueman is a Fraud and Risk Management Specialist providing his risk management consulting services to businesses & organizations worldwide. Currently he is director of RiskSkill and an active member of AIRFA.

Patience Increases Enterprise Fraud Risks in Asia

The Asian culture of patience may inevitably put enterprises at risk of enterprise fraud, warned risk and fraud consultancy Riskskill Managing Director Bill Trueman.

“In terms of fraud, this means that fraudsters will also be less impatient, and feel happy to ‘take their time’ with the fraud to make sure that it is right and for the biggest sum,” he said.

One way to mitigate this is for Asian enterprises to support or drive the business into making sure that IT supports the relevant processes.

“Every new product or programme change should have ‘fraud thinking’ in it as the fraud losses will be high if the deterrents, protections and processes are not planned for up front.”

He stressed that Asian businesses need to be more aware and pre-emptive, and have a longer time-span in their thinking about fraud and fraudsters.

“Asian business will need to take the same precautions as any other business around the world – not least as they will have the similar issues of technology, systems, processes and of course, people too.”

Other tips he offered for strengthening enterprise IT infrastructures are:

  • Focus attention and efforts on the payments and money transmission areas of the business, and in particular the authorisation of payments, and the tendering for business and projects.

“Make sure that all such transactions are dual-controlled. At least two people need to be involved in payments and these people need to be within a hierarchy and graded by the payment sizes.”

  • Use business technology solutions along with strong operational processes and procedures to monitor what the team is doing. Review the monitoring and exceptions 100% of the time and ensure that there is a system and process for dealing with the problems that occur. And lastly as a deterrent, communicate to the team that the monitoring is happening.
  • Retain, keep, store and back-up data and transactions.

“Nothing should be deletable and people should see and know that this is the case – again as a deterrent.”

Bill Trueman (an independent fraud and risk specialist) is director of RiskSkill and member of AIRFA.

This article originally published here.

Fraud Prevention Strategies for Business & Corporates

Strategies for Fraud Prevention in Business & Corporates

Strategies For Defeating The Cheats Within an Organization or Business

How Companies of All Sizes Can Prevent Fraud

Tips to Prevent Employee Theft and Fraud

Ways to Protect Your Business Against Employee Fraud

Strategies for Fraud Prevention in Your Business

How to Prevent Employee Fraud

How to Prevent Corporate Fraud

By Bill Trueman, Fraud & Risk Management Specialist.

With the recent high profile cases of senior fraud and online security managers being caught perpetrating fraudulent activity, there has been a degree of shock across the corporate world, combined with an initial feeling of helplessness. This is the worst thing that can happen in financial and banking organisations where one would expect the very tightest security to prevail. After all, if you can’t trust those executives in the most credible organisations who were specifically recruited to identify and counter fraudulent financial behaviour, then what can you do to ensure that your own organisation does not become a victim? The word victim is used advisedly, as internal fraud is not a victimless crime; rather it impacts in varying degrees on management, staff, shareholders and customers.

Any crime committed by those in a position of trust is far more serious, so the penalties should surely be far higher than normal. This is particularly true with fraud prevention managers that cheat. However, it does seem that once an internal fraudster is caught, any offer to return funds in return for leverage in legal plea bargaining should be disallowed. The ideal must be for companies to find ways to decipher and identify such practices and to eradicate them at ground level.

Still reeling from the shock of the media coverage of the latest betrayals, UKFraud asked its independent corporate fraud prevention SIG (Special Interest Group) to draw up a new set of benchmarks which will help organisations identify the signs that something is awry from ground level up. The SIG also defined and deciphered the most effective strategies for countering these risks. The Corporate Fraud Prevention SIG consists of leading fraud prevention consultants from across a range of industries, coupled with a wide range of fraud industry skill sets. The aim of the SIG is to analyse approaches taken to fraud in the corporate sector and to make recommendations for change at local, national and global levels.

According to the SIG’s research, the most likely signs of wayward behaviour by fraud and security management are relatively easy to spot and yet often overlooked. They include:

  • Fraud Systems that are below par. The fraud systems chosen by an organisation can be unfit for purpose and may not deliver what is required. There is also often an unwillingness, due to the influence of the internal fraudster, to consider competitive fraud technology products that do deliver or that can deliver more quickly. Often, the SIG says, it is easy enough with hindsight to see that a change to effective systems had been deliberately avoided, and typically, career minded employees are reluctant to blow whistles.
  • Erratic, incomplete, late or excuse-laden management and system reporting is a classic sign that line managers are covering something up and, says the SIG, this is just as likely to be the case with those fraudulently managing the security and anti-fraud systems of a company. Normally, further investigation will reveal that ‘lip service’ and increasingly tenuous explanations are given assertively to thwart follow-up activity. When, though, one is dealing with an errant fraud manager, these explanations are more difficult to see through and more than likely to pass the plausibility test. Often the blame for the cause of any suspicion will be thrown onto inadequate IT systems or on the political gaps between corporate silos.
  • Frequent excuses are often based around IT related issues, such as technology compatibility problems between different company systems or even between international systems.
  • Unexplained wealth of managers outside of work. There will be plenty of evidence of the rewards of wrong-doing with fraudsters purchasing luxury housing, wardrobes, holidays, cars and home computing equipment together with other rewards for family and friends which can even extend to private school fees for children.
  • Work place rumours, jokes and tip-offs. These are often dismissed as political jibes but often this is a tell tale sign that something is wrong and that staff are too afraid to ‘blow the whistle’ formally.
  • Frequent use of the ‘privileged rank’ of Security or Anti-Fraud Manager to divert questions or to avoid enquiries from those who might raise suspicion, such as the internal or financial auditors. This also includes the robust use of the ‘we don’t want to compromise security by answering your questions’ excuse.
  • Where fraud specialists know the latest trick, for example how on-line fraud works, the unique symptoms of that particular scam will show up in the company where the internal fraudster is using it themselves.

UKFraud’s Corporate Fraud Prevention SIG believes that ‘maintaining an independent review perspective managed by those with the greatest experience’ is the most effective solution for combating inside jobs by fraud and security management. Amongst the strategies the SIG would recommend are:

  1. A greater emphasis on the use of Non-Executive Directors. This is crucial, says the SIG, as usually Non-Execs are appointed for their experience of skills and operations in other organisations and sectors. They have that ‘other worldly’ eye that is able to cast a different perspective. They should have the ability to review all aspects of a company’s anti-fraud strategy and to ask awkward questions ‘from the top’ as this carries more weight.
  2. Up-to-date reporting must be a core mantra of good company management, with the details of repeated exceptions thoroughly investigated. Organizations should also ensure that reports are not only timely but that they are also complete, real and updated as required. These processes should also then be built into the internal audit schedule for checking. This in turn should feed into the main GRC (Governance Risk and Compliance) systems. In addition, wherever appropriate, organisations should adopt an enterprise-wide approach to technology as this will help with systems issues. Thus, if the technology works well in all other parts of an enterprise, it is highly noticeable if it fails in the management of the fraud department or the control of online and financial systems.
  3. From the ground up, organizations need to establish records both electronically and on paper. This should include specifying where documents are and when they should and should not be stored. One should identify who is in control of these systems, processes and procedures and who has ownership of specific records. Organizations also need to decide who is responsible for checking that these measures are followed. The scanning, and indexing of work needs to be carried out to professional standards and there must be rules to ensure that no-one can intercept/edit documents at an inappropriate stage or in a fraudulent way. It is also important, the SIG believes, to ensure that your storage capacity is controlled properly.
  4. Where acquisitions and mergers are concerned, organizations need to ensure that all documents are available and stored appropriately and securely, especially those that relate to IP protection, IP development records, audit trails and staff contracts. In particular, when acquiring a business, companies must make sure that they have indemnities and penalty clauses built into the acquisition agreements which relate to the availability of data, logs, audit trails and so forth.
  5. An extra fraud prevention ‘task-set’ should be drawn up for auditors and IT auditors whether they are internal or external. This can have a real impact, although sadly most auditors are simply there to either report on financial results or check asset lists and software licence compliance. There are though many specialists that can undertake ‘special’ tailored checks to find frauds within all manner of business systems including: payroll, invoicing or payments. By turning them towards checking the efficacy of the security and fraud systems in place, says the SIG, it is not only a greater deterrent but also a far more certain way of catching wrong doing whilst in flight.
  6. Getting HR more involved. This allows organisations to define responsibilities and handle warnings for non-compliance and to do so at all ranks from the ground level upwards.
  7. Organisations should actively consider the use of external risk consultants who can offer solutions which benefit from an independent viewpoint that resides outside of a company or its politics.
  8. Where doubts exist, organisations should contemplate the use of private investigators to look deeper into the processes used by those who are deemed to be high risk people. These need to be the breed of computer literate investigators with corporate fraud experience.

A leading member of the SIG is Malcolm Gardner. He believes that the situation may be worse than many fear. In his view, “Typically, when fraud or security managers are caught, it is either because they went too far, having become complacent, or where there has been a tip off. This tends to suggest that those who are caught might simply be the tip of the iceberg. With sectors such as the online market, now so very tempting to fraudsters, it can also be tempting for internal cheats too. Corporations need to be sure of their staff and need to put the right systems in place to help the loyal staff who are the ones still working for the good of the company.”

So, to conclude, it is an especially negative situation whenever any fraudster is identified within a business when they are the person who has the responsibility for fraud prevention themselves. It is a complete betrayal. The first step in planning the fight back is finding these people and then managing the problem. The trouble is that many of them are exceptionally well hidden. Whether one can ever be 100% certain that there is no problem internally is probably too much to expect. However, my belief is that if you start to introduce the kind of checks and measures the Corporate Fraud Prevention SIG has outlined, there is every chance that the risk will be minimised or driven away.

Bill Trueman (an independent fraud and risk specialist) is director of RiskSkill and permanent member of AIRFA.

This article originally published here.

RiskSkill Warns That Risks Will Grow Together With The Mobile Payments Sector

The leading UK corporate risk prevention consultancy and analyst Riskskill is warning that the expected rapid growth of the global mobile payments market will create a potential cocktail of different risks that pose new challenges for risk managers and other stakeholders in the sector.

In its latest research, Riskskill studied developments in the mobile payments (M-Commerce) arena, i.e. all types of mobile payment services including mobile money and mobile wallets, which are subject to financial regulation and performed from or by mobile devices.

Riskskill identified where it feels the key areas of risk lie in the sector, including:

1. The scale of sector growth and technology change

With commentators suggesting that the mobile payments sector will reach US $1 trillion in global transactions by 2015, the Riskskill research highlights that many risk professionals are concerned by the sector’s significant rate of growth. In Riskskill’s view, this rapid growth could mean that many proven risk strategies, once thought of as realistic and elastic, could be left out of touch in the medium term and lack the solid infrastructure required to be able to accommodate such growth.

Riskskill recognizes that as a consequence of this growth, one of the greatest challenges to the development of plans and strategies that align organizations within the mobile payments sector is not only the diversity of sources of change but also the sheer speed of technology change be this hardware, software or the technology platforms used.

According to Riskskill, the main ‘mobile payment’ players are now extremely keen to produce the next ‘big thing’ and this is reflected in the significant investment being made. Many feel that Apple with its i-infrastructure and significant market presence has the potential to launch something ground-breaking within iOS7. Other market leading names such as PayPal, Google and Amazon are also likely to have a significant and positive market impact with upcoming developments of their own, as will global and EU based telecom infrastructure owners. The international card schemes too, believes Riskskill, have a positive influence on the development route(s) in the sector, as will many other highly innovative and respected third parties including: iZettle and mpowa.

Riskskill believes that it is the technology organizations that act the most responsibly and altruistically now that will help minimize market risks over time. They are concerned though that in the rush to ‘jump on the bandwagon’, smaller players will adopt solutions that are based upon outmoded foundations and infrastructures. If this happens some regulators and stakeholders could struggle to keep up with the pace of technology change. This could mean that they might be unable to introduce the safeguards, protected environments and fraud prevention methodologies that are required at this early stage of market evolution. Fraud is deemed to be the greatest risk here. The fraudster thrives in such fast-paced environments, especially when there is no history, formality, process standards, anti-risk architecture or common IT foundations. Typically, fraudsters just ‘adapt’ and outsmart their targets.

2. Globalization of mobile payments

Riskskill also points to the rapid spread of mobile payments globally, with the explosive growth of M-Commerce in China, India, Latin America and the Far East. Recent data from the ITU (International Telecommunication Union) reveals that global mobile subscriptions are now reaching 6 billion. In some of these newer territories, the mobile payments sector is compensating for the lack of a physical and sufficiently robust banking structure and therefore proves extremely popular. Consequently, whilst the growth figures are impressive, the rate of growth could call into question whether the existing, and on occasion nascent, regulatory systems and controls are sufficient to cope. Indeed, Riskskill believes that the most worrying aspect of this global spread is whether the technical and security infrastructures are built and based upon the solid foundations required.

3. Consumer communication and information risks

Riskskill believes, in addition, that in the mobile payments sector there is a continuous stream of new financial products that are all seeking to outdo each other in the eyes of providers and consumers. Riskskill is concerned that, alongside other areas of rapid market change, a fast churn of product lifecycles and the sheer variety of product nomenclature might cause consumers to become confused, and thus more vulnerable to fraudsters exploiting their confusion. This will also be compounded by the absence of adequate fraud systems, which will not have been put in place by all the main players at an early stage, as some will only just have kept up with competitive product development.

4. Standards and regulation outpaced?

The impact of such a rapid evolution of technology and financial products could threaten the applicability and implementation of many existing ‘standards’ programs. Other newer standards will need to be evolved, although these too might still struggle to keep up with the rate of change. Riskskill believes that, as there is such a broad range of organizations and bodies from which such standards might come, this in itself could cause confusion for market stakeholders and consumers alike. Once again, the most likely beneficiary of such confusion could well be ‘professional’ fraudsters. The hope is then, says Riskskill, that standards bodies will harmonize with other similar organizations around them, especially those who take a lead.

According to Riskskill there are a number of widely regarded bodies whose intervention could have a major impact in reducing market risk. This includes highly respected organizations such as UK Payments (formerly APACS), the ISO or the European Payments Council, which could potentially, some feel, develop a new SEPA-type regulation for the mobile payment sector. Other widely acclaimed and respected card schemes (such as Visa / MasterCard etc.) might also take a lead as they have a strong commitment to acting responsibly and correctly in the market.

Riskskill believes that if the standards that do emerge could drive the right risk-reduced conditions, it could in turn lead to both an evolution and a revolution in M-commerce practice and risk management. This could then prove to be a facilitator for wider adoption of mobile-based NFC/contactless payments.

Riskskill has also studied whether the effects of the ‘potential standards debacle’ might have a ‘knock-on’ effect upon government regulation too, as there is always the possibility that more interventionist governments might take the opportunity to play a constructive role. The company feels that with the respected EU Cyber Security Directive focusing on setting good foundations with the Network and Information Security standards in individual member states, the current thrust seems potentially a long way from specifically addressing mobile payments.

In the UK, Riskskill questions whether the government is likely to drive innovation in this area, as the risk, payments and fraud skills within the leading departments (Cabinet Office, FED and the National Fraud Bureau) might not be those required to lead direction and strategy in the mobile payment sector.

Riskskill’s CEO Bill Trueman believes that whilst the risk in each of these areas can be incorporated into risk strategies, the combined effects are harder to predict. In his view, “It is easy to plan for many risks individually – however, the wide and varied nature of the risks associated with the changing and rapidly growing mobile payments sector creates a whole array of risks that will challenge even the best of plans and strategies for addressing problems within the mobile payments sector. This is a simply enormous issue to address. Organizations, and indeed many governments, are often now too ‘silo based’ to evolve direction and protection from the attacks in a market that is so rapidly evolving. The ideal solution for leading sector stakeholders should be to drive proper standards through appropriate bodies that will in turn drive both a governmental and a business response globally. It’s a ‘tall order’ and only time will tell if it is possible.” 

Judges Pave Way for Banks in US to Sue Target over 2013 Data Breach

I read with interest the news in Finextra and elsewhere that the banks have been given the go-ahead to sue Target for $30m for the reissue costs associated with the data compromise in 2013. This puzzles me, as I then want to know how the figure of $1200 per card is calculated.

The cost of re-issue will be less than a tenth of that per card. How they can justify that size of loss based upon a reissue alone is not conceivable.

Bank Fraud Charges Against Former President of Rural Bank of Subangdaku Inc.

Another case of bank fraud has surfaced, this time in the Philippines. The Bangko Sentral ng Pilipinas has filed criminal charges against Radaza, the ex-president of the bank, for allegedly taking part in creating fictitious loans amounting to P2.6 billion when she was the president of the defunct Rural Bank of Subangdaku Inc.

Is EMV ‘A Colossal Waste of Time’ for Retailers?
