Top Technology Trends in Payments, Risk and Fraud

fraud and risk management specialist

1. Big-Data – Big-data has become a buzz-word to capture many things, but in finding risks and fraud, the more data that we look at, the better chance we have of finding unusual features and problems that should not be there. The manipulation of data and looking for such anomalies and patterns is getting ever faster and better – and there are generally lots of clues on ways to make better decisions – e.g. merchants looking at their own trading / selling for unusual sales.

2. Sharing Data within the confines of Data Protection laws (In Uk DPA s29) – This might sound complex, but it is not. Data Protection laws vary slightly market to market across Europe, but the principles are the same as they are governed by EU Data Protection law. Organisations cannot share much data between them because of Data Protection laws that protect us as consumers – and quite rightly so. But they can and do share details of fraudsters and confirmed fraud, and without the same constraints, but there are VERY strict rules on how this can be done and what can be shared in order to protect you and me from abuse of this. There are increasingly more people understanding what the rules are and what can be done, which will help stop more cheats. But equally there are many projects that have been going on for a long time that will never work because of the understanding of the restrictions on what can, and what cannot be done.

3. Making greater use of public data / bureau data. More and more, the value and usage of data bureaux data is being expanded, by the development of new products in the market and the need for organisations to use publically available data to better effect. With much better and stronger payments data, voters’’ role and default data (like County Court Judgments etc.), but also more shared databases available and more people using and sharing such information there are many more things that then can be done with the data. Remember, that every time that we get an insurance quote, ask for a loan, request a credit card or a new phone or gas contract, we are leaving ‘footprints’ at the Data Bureaux, that is all making our habits much more accessible.

4.Greater use of Identity and Authentication Data – almost an extension of the data from the Data Bureaux, but with many more people doing things in the market to ‘know the customer’ better electronically and using data. We have almost gone full circle on this – as we evolved from a) Knowing who we were dealing with, b) Letters of introduction and c) “My word is my bond”. uberrimae fidei through to formal identification through d) the submission of passports and utility bills etc., and now to more and more e) electronic pattern analysis identification and crypto-based authentication services. The Electronic identification methods are becoming more refined and using more sources and more data to check that we are kind-of who we say we are, which in a way is a more complex way of knowing the person that we are dealing with (a) and letters of introduction (b). With government initiatives on identity management setting the ‘gold-standard’ of people identifying themselves through approved data identity bureaux, this can only change things for the better in the next 2-3 years.

5. Device identification / fingerprinting. Whenever we are ‘connected’ to the internet, the connectee can see how we are connected – and knows, with some degree of accuracy, what type of device it is that we are connected to and where it is. They have to know to deliver content to us. There are also companies evolving services that are going to become a lot more important who look at the devices that we are using in much more depth to make sure that when we connect to them, they recognise us. This is why, recently, when I tried to pay quite a large bill with my new iPhone, I was asked by the merchant to wait until I was using my normal computer. It realised that I might not be me, because they did not recognise my device. This technology area has a long way to go.

6. Movement away from ‘profiling types of people’ towards ‘knowing individuals’ – this is again a step towards a time in history when one knew exactly who one was dealing with. Insurance companies and loan providers historically have looked at the ‘groups that we fall into’ to predict the type of repayments or claims history that we might exhibit from the post-code / area that we live in, our age, the type of car/house that we have, how long we have been doing something etc.  This of course assumes that we all act the same as our neighbours, people who drive the same type of car/live in the same type house, or geography, or have the same job or family size.; which of course is not usually the case in today’s faster-moving world.  Whether for targeted marketing purposes or more targeted risk assessment and understanding, technology is helping us to be assessed as individuals and increasingly our behaviours are being used to determine what we can purchase and price what we pay for. For instance, insurance companies can price using telematics – devices attached to our car to assess our driving ‘style’ and thereby determine the potential risks involved to the insurance company.

7. Better use of the technology that we already have. The typical example of this today for me is the way that Apple has seen a commercial opportunity to enter the payments sector with ApplePay in the USA. The USA has not yet adopted EMV (CHIPs on payment cards) like the entire rest of the globe, and is losing more fraud than everywhere else, and has an outdated infrastructure that is causing problems for the financial services industry worldwide. The EMV backbone in the UK and across Europe is 15 years old, but the USA infrastructure dates back nearly 50 years. In one announcement, Apple did nothing new, but pulled together EMV, tokenisation (linking payment details at the point of purchase to the real payment credentials stored securely elsewhere and using a standard that exists today, but not widely used), NFC (again a common ‘tap & go’ technology used by millions on the London underground and more increasingly across the UK, but mandated by MasterCard for all payment terminals by 2020 across Europe; fingerprint identification/authorisation on the phone, and less talked about; geolocation technology to determine that the phone is physically where it is supposed to be when making a transaction.  They packaged this with some clever commercial arrangements to get issuer, acquirer, card scheme and merchant buy-in. This ‘sets a standard’ by using existing technology and ‘pulling it all together’ without inventing anything new. Despite the efforts of others, we should see a lot more of this type of using the current technology more in the year to come.

8. CHIP and PIN –  again in the same arena, the use of EMV Chip and enhanced cardholder verification, e.g. PIN, will evolve quickly in the USA to catch up with the rest of the globe. The losses and the stakes are too high for this not to happen. Despite continuing resistance in parts of the US market, with a desire by some people to stick with signature to verify transactions, or no cardholder verification at all; it must change. Signatures, however captured, take longer, are less secure, cannot be electronically checked, put the onus onto sales staff at every store and generally cause more disputes, chargebacks and fraud.  It is also a market acceptance of payment cards is still seen as expensive and with complex rules – so a major reason why Apple and others are invading this ‘space’. The USA strategy must be to move decisively towards EMV CHIP and PIN – and the recent presidential order for the US government to lead the way in this direction must help with this.  There is no denying that migrating to CHIP and PIN usage and acceptance on debit cards is an easier challenge due the familiarity with PIN usage already, but the real issue will be PIN on credit and charge cards amongst others. There was a co-ordinated national (not just industry) engagement in the UK to drive CHIP and PIN success. It is hard to see the national or industry cohesion across the US market today on these issues.  The final ‘doubters’ must however be persuaded to put aside their own commercial interests in favour of the wider community interests, the answer is not signature.

9. Large-Scale thefts of data – not a month, not a week in many cases goes by without us learning that clever IT hacks have caused another major retailer to lose the card details (and much more) of millions of cardholders and customers. Home Depot lost 56million earlier this year, but similar lost data sizes have been seen at TKMaxx, Target, JP Morgan and more recently at Kmart and Staples.  The attacks exploit technical and procedural weaknesses in the management of systems holding sensitive data as well as the POS terminals and systems. The data would not be so valuable or costly to deal with if there was an EMV payments infrastructure (see above). Misuse of card data would be more easily identifiable in an EMV-compliant set-up, but this type of attack will continue to happen until the data security technology is in place to stop it from happening or being worth stealing the data.

10. Data ‘in flight’ or data ‘at rest’ – whether sensitive data is being stored, temporarily or longer, or if transmitted between various endpoints, it is always at risk of being ‘snooped-upon’, captured, deleted, redirected, or amended – generally for financial or nuisance. Further to point 9 above, the data security issues that we hear more and more about can be prevented or significantly  reduced through proper controls and monitoring, whether PCI DSS, ISO, POS terminal estate management, Point-to-Point Encryption (P2PE), or just by using a little common sense. ‘Cyber security’ is another new ‘buzzword’ but an old problem. It challenges our current thinking on making things secure, regular monitoring, mitigation, proper management, plus real ownership and accountability – from the CxO level down.  ‘Cyber criminals’ seeking financial gain, test systems either to prove a point, or just for their own entertainment because they can. It is no longer called hacking or theft of data and money, but now it is called cyber crime.

11. Increasing IT skills of the global fraudster – Probably the weakest bullet point here to be described as a ‘trend’ – because this is not new; it has been happening for 2,000 years, where the crook always uses his slightly better knowledge or technology than the good guys. Dick Turpin used an alibi that he was somewhere else because the horses and roads available at the time were not developed enough to place him at the scene of the crime and at that time. On this occasion law enforcement matched his guile; but this rarely happens this quickly today as the crooks develop the attacks with new methods and technology quicker than we can implement the counter-measures.  The only thing that we can do, is ‘stay awake’, look out for the issues, ensure the controls and procedures are ‘fit for purpose’, and stay ahead of the market. We should worry that many attacks start with inside information, knowledge and access. Staying awake means constantly looking internally as well as externally. Bat note too that sometimes, if you are being chased by a hungry bear,  you do not have to outrun him, you just have to out-run the rest of the crowd!

12. The answer is mobile – what’s the question? – Industry pundits challenge the traditional card payment brands as ‘dinosaurs’, particularly now that we all transact, bank and shop more online than face-to-face. The mobile, PDA, tablet, watch or similar devices are now seen as the place to transact with customers.  Traditional card payments are being tested, alternative payment methods and new authentication solutions that are more flexible and more adaptable to the virtual space are entering the marketplace every DAY and  with a real vengeance. But how security-enabled are the devices, the new ‘apps’ and gateways. Leaving aside concerns about interoperability, commercial success, etc., the biggest challenges rest with sensitive data being stored or accessed by personal devices with uncontrolled hardware/software security standards, questionable accreditation, payment/security apps with potential weaknesses and users who believe that if there is a problem – that someone else will deal with it.

Author Bill Trueman, is an independent Payments, Fraud & Risk Specialist and Managing Director of UK Fraud and Riskskill

Other Posts Which You Would Also Find Useful:

25 FAQs on Risk Review, Risk Management, Compliance, Due Diligence and Fraud Prevention

Is EMV ‘A Colossal Waste of Time’ for Retailers?

Riskskill Appointed by Visa Inc. as an Approved GARS Reviewer

11 FAQs on EMV Chip & Card Technology

10 Mistakes to Avoid on Your Management Plans to Prevent Losses

 

Advertisements

Business Loss Prevention Techniques by RiskSkill

10 Things to Avoid on Your Management Plans to Prevent Loss in Your Business

If you’re on a mission to turn away your investors then by all means explain to them how you want them to sign a non-disclosure agreement or that you don’t have any competitors. But if you’re serious about attracting competitors then you’d do best to steer well clear of these 10 classic business plan mistakes. Make an attractive business plan and a powerful power point presentation to convey all the information about your business so that they get right information about the business and can turn into real investors. Below I am going to explain some such important aspects one by one which can really help you:

1. Asking Investors to Sign an NDA

NDAs (Non-Disclosure Agreements) are not usually signed by investors, angel investors or venture capitalist , because the strategy or concept of a business is not normally confidential. Although an important partnership may be confidential, it is the execution of the concept and strategy that make the company successful. When the concept or strategy has to stay confidential this indicates that there are no blocks to competitive entry, and if it can be copied by a competitor then it probably won’t be sustainable.

Proprietary technology, however, is confidential. Although the business plan does not want to mention aspects of the technology that are confidential, it should include details of what the benefits are and how they fulfill the need of customers. During the due diligence process, serious investors will review the technology itself, and this is when the NDA should be discussed.

business management tips

2. Excluding Thriving Firms from the Competitive Analysis

Although you may be tempted to show how unique you are in your business plan by saying you have very few competitors, this doesn’t normally look too good from the investor’s point of view. If there are not many companies in the market space then this suggests that there may not be a large enough customer base for the company’s products or services. Including successful firms can often be positive because it suggests a large market size, as well as assuring investors that the company has a large potential for profit and liquidity:

3. Focusing on First Mover Advantage

It is not a good argument to focus on first mover advantage alone. Rather, it is imperative that a business plan includes the strategies that show how the company will develop long lasting barriers around the customers.

The business plan should discuss how the company will retain customers, which could include building network externalities, value-added services over time and the implementation of customer relationship management tools.

4. Presenting Generic Market Sizes

If you define the size of the market too broadly, the value to the investor will be very low. Far more meaningful is the relevant market size, which is equal to the sales of the company if it managed to capture a large % of its niche in the market.

5. Giving too Much Attention to Proprietary Technology

Proprietary technology is important when it comes to investment decisions, but what is more important is to display how this technology satisfies a large and as-yet-unfulfilled customer need. Unsuccessful companies often fail to truly understand the needs of their customers. Identifying the target markets that show these needs and detailing a plan to penetrate the markets is key to the success of funding and execution.

6. Exaggerating Partnerships with Known Companies

Even though forming partnerships is common practice, more important than who a partnership is with are the terms of the partnership. The equitable terms of the partnership must be explained in the business plan, along with the partnership structure and how the partners will both improve operations and sales for you.

7. Too Much Focus on the Future

Rather than just focus on projections of future performance, it is far more important to study the previous track record of a company. Demonstrating the past success of a company is a good practice for providing investors with confidence for the future, and it is therefore important for a business plan to show the company’s previous accomplishments.

8. Failing to Change the CVs of the Management Team to the Ventures Development Cycle

CVs of the key members of the management team should be included in the business plan, along with their responsibilities. These need to be tailored specifically to the growth stage of the company because different skills are required for launching, growing and maintaining a company. Whereas a start-up company would do better to focus on the success of the management in launching other companies, a mature company would get more from showing how members of the team operated successfully within larger enterprise frameworks.

9. Aggressive Financial Projections

The projections in the financial section of the business plan have to be realistic because many investors will go straight to this section. If a plan shows unrealistic or inconsistent operating margin and penetration then this will damage the credibility of the whole plan. Instead, accurate and credible projections and assumptions will translate into increased credibility and maturity. Companies can prove that their projections and assumptions are attainable by basing these projections on the performance of public companies in their marketplace.

10. Ignoring Fraud Prevention System

Whether you are 100% confident about the loyalty of your employees still you need to put a proper and effective fraud prevention and fraud detection system to curb any fraud losses. One can see in history that most of the time loyal employees and relatives have been found indulged in the frauds and scams which results in a huge loss to the enterprises. Even some CEOs, loyal employees and close persons have committed such financial crimes in many companies and organizations. By putting a proper fraud detection and fraud prevention system enterprises can save millions and billions.

If you are following these steps then definitely it is going to help you in raising capital for your business, but just remember these facts which i have mentioned above, as many entrepreneurs know everything but do not stick to the plan.

Bill Trueman is payments, fraud & risk specialist and director of the UKFraud and RiskSkill based in UK which provide valuable consultancy services for fraud prevention, fraud detection, risk review, risk management, due diligence, compliance solutions to corporates, banks, business, banks, insurance companies, telecom companies, enterprises and government organizations worldwide. Bill Trueman is also an active member of AIRFA a global fraud & risk management organization. One can also visit him at Google+

Other Posts Which You Would Also Find Useful:

What is Risk Management? A Detailed Guide

25 FAQs on Risk Review, Risk Management, Compliance, Due Diligence

Is EMV ‘A Colossal Waste of Time’ for Retailers?

Riskskill Appointed by Visa Inc. as an Approved GARS Reviewer

11 FAQs on EMV Chip & Pin Card Technology

Top Technology Trends in Payments, Risk and Fraud