Wirecard Acquiring is ‘Dead’: Who Will be Next?

Wirecard has gone: one of the biggest card acquirers in Europe and elsewhere too. It was a major ‘new tech’ company in Germany, and only last year planned its bid to buy the 150-year-old Deutsche Bank. We now know this was part of the deliberate ruse.

In 2019, the UK Financial Times reported the Wirecard fraud and how it had taken several years for its auditors to expose what had been detailed as a ‘financial reporting’ fraud – i.e. a company that said it had €1.9 billion more in cash than the auditors could find!

But why did it fail? Why do other acquirers fail? Why did this one struggle? And what makes acquirers succeed?

But more importantly, who will be next?

Card acquirers fail each year, typically doing so quietly, and as a result of national regulator actions, card scheme sanctions or pressure. Once a regulator or the card schemes ‘get their teeth into’ these companies, it most certainly signals ‘the start of the end’.

Many acquirers struggle to make profits, because of a combination of:

  • High processing costs and therefore small margins,
  • The need to employ sales agents that take large cuts from the margins,
  • The need to spread fixed costs across a broad/wide number of merchant businesses,
  • A hard and very competitive market, where acquirers undercut one another and seek to acquire volumes at the expense of profits,
  • Increasing card scheme fees, that cannot always be quickly passed on to merchants.

Card acquirers must then:

  a) Have a ‘volume business acquisition’ strategy to distribute the ‘costs of being an acquirer’ over large numbers of customers, and/or
  b) Identify and choose a higher-margin, higher-risk business that they are likely to be able to service well, manage well, and where they control and understand the risks.

This brings serious challenges. In the case of Wirecard, we know from the reporting that:

  a) Control mechanisms and governance controls were not strong. The incoming chairman in 2020 was appalled at what he found. The key executives were able to hide this, which demonstrates the significant failings of the independent board members along with the second/third lines of defense in corporate governance. The fact that the CEO and COO (and others?) were able to hide a €1.9 billion ‘hole’, to control their independent board members and to control the ‘message and direction’ should never, ever happen. Equally and potentially, Wirecard were able to ‘bully’ and/or deceive the national regulators (BaFin especially), auditors and card schemes. So even though these people did not have their ‘fingerprints on the daggers’, they were all clearly also culpable.
  b) Safeguarding: It is clear that customer funds were NOT safeguarded: up to a staggering €1.9 billion. Does the ‘buck stop’ with the CEO? Of course, but the auditors again failed to ‘get to the bottom of this’ for several years. So did the rest of the Wirecard board and certainly the independent directors. There are a lot more people that are culpable here than just the CEO, some of whom should also go to jail. It seems that everyone else that might also be culpable will surely now make sure that it is the CEO that is blamed and will be the only one that will be ‘left swinging’.
  c) National Competent Authorities, i.e. the regulators, along with the card schemes should also not be too easily exonerated. It is clear that, whatever they did know or should have known, the size of the Wirecard business and the sheer gall of the executives (older and newer alike) allowed Wirecard ‘certain privileges’ that permitted it to continue trading where and when others would have failed. It seems that Wirecard was probably deemed ‘too big to fail’ for too long.

Wirecard had such a sizable portfolio, and such a significant gap in its financials: that we can only start to speculate the full extent of the dishonesty, deception and incompetence. We now know from the Wirecard auditors that the EU business was loss-making and that the Asia/Pacific business was ‘seemingly’ profitable (but also where the alleged ‘missing funds’ were supposedly located). So we must look for signs: which we need to remember were always present; even if it is to review the ‘Zatarra papers’ that are increasingly proving to have been correct in more and more places.

These documents named and detailed culprits several years ago, and were consistently attacked by Wirecard when various allegations therefrom were picked up in the media. We should hope that these are now being looked at by the ‘prosecutors’, and consider whether even those who were behind the publication of these papers were implicated too. Maybe they were not just stock-shorters as alleged by Wirecard, but insiders that did not ‘do their duty’ to formally raise and report concerns. Or were they people who were uncomfortable and put under pressure not to act, so they took an anonymous stance?

Our speculation must therefore lead us to:

  a) The board and the CEO/COO, who must have known amongst them exactly where and what the losses were, and conspired to conceal the losses. In theory, they could have been utterly stupid, which we should clearly dismiss, given their repeated investigations and dismissal of them, and ultimate findings that the money clearly did not exist.
  b) Conclude that the Wirecard business in Europe was either:
    • Priced to undercut the competitors in search of volume business,
    • Priced poorly, OR, much more likely and possible to evidence:
    • Inaccessible to other acquirers in the market because of the dubious nature of this business – i.e. not fully scheme compliant, potentially illegal, breaching AML law through significant cross-regional transactional laundering.

And the profitability of the business in Asia? Was this business really profitable?

There are far too many unknowns and also too much that will yet be revealed (or ultimately veiled to protect the financial systems and reputation of regulators and card payment schemes) in relation to this case. But we know that there are so many aspects of this case that simply ‘do not add up’.

Industry mutterings and speculations indicate that the key people at Wirecard (again the CEO and COO but others too?):

  1. Allowed, or conspired to aid and abet, cross-continental transaction laundering. This has been the inference in the reporting that has appeared in either the official ‘reporting’ or the often under-recognised Zatarra documents, all of which has kept surfacing over the last five years.
  2. Somehow illicitly involved executives and/or counterparty claw-offs (knowingly or passively?) for acquiring loss-making merchants, illegal transactions and money laundering processing where others could not do so. This is a problem that will now challenge us as a heavily regulated industry and will quickly be transferred to other acquirers and continue to haunt our industry into the future. Every regulator and card scheme should now be worried about:
    1. Where the more questionable Wirecard customers will have moved to next. Industry insiders will have witnessed a ‘feeding frenzy’ from the Wirecard portfolio,
    2. Which acquirers will require additional supervision. This is very concerning.

Every acquirer across Europe should be aware, but who will have no chair ‘when the music next stops’?

The writers have a high level of confidence in the regulators – BaFin and also in the card schemes. They will now ‘follow the money’ and establish who the next acquirers are that start to process, to find and track the illegal money laundering now that Wirecard is no longer a vehicle. But will the card schemes and regulators move more assertively now, or allow ‘another Wirecard’? “Wirecard, jailed executives, fail to learn, then repeat” perhaps?

Who will take over now that Wirecard ‘has left the party’?

We are aware that there are key individuals who know where this business is going. There are agents that are busily and knowingly ‘placing this business’ with the next, and the not so diligent acquirers around the globe. It is really a matter of how long it will take the card schemes, the regulators and then for law enforcement to act. They have the tools now and do know where and how the traffic is travelling. They just need to now act assertively and not be frightened-off by the ‘next bully’ who processes this business.

Hopefully, the Wirecard events will educate us all, deter some, frighten others and drive a few more people towards reporting these matters appropriately to the right authorities, and hopefully in a more public way than we saw in the ‘Zatarra papers’.

We will continue to monitor regulatory and payment network progress as we learn more about this case and hopefully everyone will be more observant and challenging going forward. Failure to do so will lead to serious and more fundamental questions on the effectiveness of those who should ensure that, as an industry, we have a legal, compliant, competitive and transparent payment system.

About Kevin Smith

With over 25 years in the payments business, Kevin is a trusted and experienced practitioner and thought leader in payments, technology, issuance, acceptance and acquiring.

About Bill Trueman

Bill Trueman is a professional banker and a payments and risk specialist, with over 25 years of experience. He headed-up risk functions and special investigations in Lloyds Bank issuing and acquiring; acquiring and processing at First Data, and then for insurance risks at RBS / Direct Line.

About Riskskill

Riskskill is a leading Europe-based payments and risk management consultancy. Riskskill.com is a global GARS Reviewer for Visa. For more information visit website at www.riskskill.com

For further information, please contact: Bill Trueman or Kevin Smith at enquiries@riskskill.com

Cash and Sex! But What Will Covid-19 Do For Payments After 2020?

 

The Covid-19 lockdown has already ‘hit’ many aspects of our lives: so let’s predict some of the potential impacts upon payments. Predictions will always be contentious, but we can guarantee more accuracy than almost any forecast from January 2020.

Job security, the health service, travel, holidays, fuel, office space, public events and retail shopping have been dramatically impacted, in some cases decimated; but on a positive note, the New Scientist reported the pandemic-caused fall in carbon-emissions in 2020 of between 4.2% and 7.5% on 2019; and by only April 2020, had led to a 17% drop in global CO2 emissions.

Whilst family life has been enhanced, children have bonded more with their parents (usually a good thing!), school education has been impacted (probably a bad thing!) as has the loss of extended family contact. However, home DIY projects have risen dramatically too (not sure if this is good or bad!).

There has been less litigation, less reported violence, less prostitution, less casual sex, crime, and illness. We have all become cleaner and more hygienic (at least when we do go out). Hand gel, wipes and toilet paper sales have out-stripped razors, condoms and shampoo sales.

But what about payments?

More obviously in payments, we know that:

  • Contactless payments have dramatically increased (to 78% of over the counter (OTC) sales) and rising,
  • Cash use has ‘fallen off a cliff’ (60% fall) – if ‘Cash is king’ then ‘the king is dead’ or at least: ‘on his last legs!’,
  • E-commerce payments have displaced face-to-face payments – driven online shopping, home delivery, ‘click ‘n’ collect’ and other models,
  • Food consumption has moved from restaurants to home cooking and take-aways,
  • Amazon, ASOS, Boden etc. have flourished and struggle to recruit staff to cope with sales growth; and home entertainment products sales have rocketed.

Financial crime has grown exponentially too, especially push payment scams and remote payments fraud, and driven a need for multi-factor authentication in e-commerce payments (the timing being good, but not perfect!). OTC fraud has been under control, but with less travel: cross-border transactions and forex revenues have been largely killed as well.

So, prediction time…

  1. Strong Customer Authentication / EMV3DS2.x

With Covid-19 and more e-commerce the UK needed to expedite complex SCA systems changes, certification and communication. But the FCA deferred enforcement from March 2021 to September 2021, which is now two years behind the original ‘EBA date’.

SCA delays will lead to more fraud in the short term; but the confusion will aggravate regulators across the EU and drive them to push harder for push-payment solutions, and to further revolt against the card scheme duopoly. Globally, we should then see a new rush towards SCA to copy the EU solution and address a new global (but non-EU) e-commerce fraud pandemic.

  2. Payment Processing Costs

With higher relative card processing costs, including new EMV3DS2.x support fees, lost foreign currency and other cross-border revenues, we will see the card schemes try to reduce costs, but again increase processing fees. Again, this will fuel the ire of Europe’s regulators and accelerate the rollout and adoption of Open Banking, and much more innovation including more AISP and PISP participants.

  3. Central Bank Digital Currencies

With more contactless (78% OTC payments now) and more remote payments, often for smaller amounts, card processing costs are increasingly disproportionate. With a 60% fall in cash use, maintaining a cash economy also gets increasingly expensive. The Bank of England sponsored a review of the Future of Finance in June 2019, and these significant changes will fuel the desire for and speed of the changes proposed within the report to the Bank’s Governor.

Central banks have been ‘playing’ with the need for their own CBDC, and our Covid ‘attack’ will cause banks across the EU and globally to move faster and more assertively towards national and global digital currencies, to more effectively compete with the international payment brands.

In turn these will either adopt some of the current digital currencies, or more likely make them redundant and kill off their values especially and including many of the blockchain currencies such as Bitcoin.

Local competent authorities and central banks will licence and encourage companies that can help them towards this goal, but they will inevitably need to legislate further to steer the direction.

  4. New Commercial Solutions

With good, innovative and intuitive people being made unemployed, they will drive new payments solutions in the market with business cases made anew from the massive impact of the pandemic; which may well be accelerated because of the pandemic or the new dynamics. People will want a myriad of new solutions that we can’t conceive of yet: but we know that our sports clubs, taxis, coffee shops, newsagents and other low-cost purchases too will seek non-cash solutions e.g. for ‘pitch/court lighting’ and booking to pay for bar bills and food, through to loyalty card scheme designs linked to bank-based push payments; and all the way up the value chain to relaunches of commercial (closed loop) digital currencies. We are likely to see a ‘second-generation’ to the disappointment that Libra-1.0 was: but this time central banks and regulators will drive the solutions. This will not involve the same people.

  5. New Launches, ‘same-old’ ‘big players’

Covid-19 has created a new opening for more urgent innovation and change, because every business case has changed forever. Remote commerce, remote business, home delivery, ‘click and collect’ are now ‘essential’ offerings. Instalment programmes, short-term credit, peer-to-peer lending will all see a new resurgence.

Whilst this will involve smaller innovators, it will be those that can leverage opportunities quickly and adroitly that will ‘win’: e.g. we can be assured that some or all of the following:

  • More payments linked to loyalty and stakeholders like the airlines and large supermarket loyalty brands will be overhauled to leap more towards a) ecommerce, b) towards push-payments, c) cross industry business relationships.
  • A UK or EU collaboration for a more localised version of the planned global ‘Libra’ initiative (as above), but with the regulatory gaps that Libra-1 saw addressed.
  • Big banks and retailers with new payments and banking solutions, moving with extreme vigour and innovation-centred collaborations: both with and without regulator partnerships and sanction; often across multiple jurisdictions.
  • Telecoms entering the payments space again to use their market presence and infrastructure for payments solutions, but in a more focused and successful way than they did in the last decade.

  6. Global – new business infrastructures

With strong guiding legislation, the EU in particular, is in a strong position to become a future centre for a new global payments’ infrastructure and a place for innovation, alongside robust governance: rather than through the USA anymore.

International governments have quashed the ability for the Chinese or Russians to lead the way (in the main) due to human rights abuses, disrespect for global IP protection, and/or anti-competitive pushes or state sponsored commercial espionage, and of course hygiene issues around Wuhan. China and Russia continue to lose their impetus in payments through being rebuked by international governments for other economic, political and social actions. However, other Asian economies must not be disregarded. They will remain behind the EU for the moment due to geopolitics, social issues, language or location, but they remain the source of great innovation and creative thinking.

We believe (hope?) therefore that the EU and maybe even the UK with a renewed political position could start to lead new solutions and direction after a Brexit, Covid-19 and geopolitical shake-up. But we will have to stay on top of and lead discussions in political, economic, regulatory, trade restrictions, global diplomacy, cyber security matters, and any local conflicts.

Conclusions

It is clear that the Covid-19 pandemic has caused loss of life, financial uncertainty, job insecurity and has changed lives and commerce forever. But it is also accelerating technological thinking and innovation, regulation and politics, speed of change and making compelling business cases for doing something different or simply better.

The payment industry is not different. Things are going to change – for better and worse: but we can take advantage of this if we embrace the future.

Even if things quickly ‘go back to normal’, we must ensure that we do abandon ‘the old ways’, adopt the new desire, spirit and pace of change, adopt new ways, and challenge the status quo when we need to do so.

Businesses, Central Banks, governments and national regulatory bodies should move faster than before and adopt changes faster too. If not, just in fear of the next pandemic.

We can expect a ‘fun ride’, more change, more (trade) wars and faster competition; but also the demise of some of the oldest and slower industries in the world.

E-Money Risk, Fraud & Compliance Advisory Service by RiskSkill

About RiskSkill’s e-Money Compliance Services

RiskSkill help businesses avoid €multi-million fines and embarrassing brand damaging mistakes from regulatory non-compliance and process and regulatory mistakes. We help clear up the mess when we are called in later.

E-money Licence Changes:

Recent new financial services legislation in the UK has led to the Financial Conduct Authority (FCA) introducing a Payments Systems Regulator from April 2014. The ECB and the European Commission are also proposing ways to regulate and police the whole e-money arena, as are the international card schemes. The FCA is now also starting to review and audit the e-money licences they have granted previously, for observance with ALL regulations and also best practices.

We believe that the FCA have seen that the governance of payment systems, including e-money issuers, is a difficult and continuous task and needs several layers of supervision and oversight in the way that other payment methods have already established (e.g. through the regulations of the international card schemes).

Requirements:

As an e-money licence holder, you need to ensure that your organisation and all of its agents, including passport holders, are fully conversant with and engaged in all due diligence in customer selection and identification, transaction/event screening, suspicion reporting, record-keeping, corporate assessment of exposures and risk, and the Basel II (and III) capital assignment to the exposures. Having reporting to the FCA, a clear payment strategy and ABOVE ALL understanding and observance of laws relating to payments in all areas of operation are all also essential.

The main legislation that is pertinent is the meeting of the requirements of the Money Laundering regulations for all countries in which an e-money licence holder, and its agents and Passport Holders, operates. Not doing what is right by the European Money Laundering directives is the quickest way of losing money, being fined, suffering crippling bad media attention, or losing a market – or a full e-money licence (which will happen when firms are reviewed).

ACTIONS 

In advance of the FCA performing its own validation on individual license holders (and making high profile examples of those who are not fully compliant), you need to:

A. Make sure that all your processes, operations and compliance teams are all fully observant of all applicable regulatory requirements, laws and best practices.

B. More importantly though, are you confident that your third party agents are also fully compliant?

We Can and Will Help You In: 

1. Determining your current state of preparedness and identifying areas for attention and action before the FCA requests an onsite review of your business.

2. Reviewing the state of compliance and preparedness of your third party agents or passport-licences and reporting to you on them as the principal e-money licence holder.

We can provide you with our credentials when you need help, as we are a team of payment industry specialists, that have previously worked in many banks and card schemes, and now help organisations assess their current operational status, and become and remain compliant. We have also worked extensively with the rules, regulations, legislation and best practice across the sector, in the UK and across Europe and advise payment organisations on market strategy and direction rather than simply focusing on ‘tick-box’ auditing.

Contact RiskSkill for our Services for all Risks, Fraud and Compliance solutions for e-money, e-payment, internet payments, e-funds, e-payment systems, online payment and digital cash’s safe transactions. RiskSkill is also a permanent member of AIRFA, an independent and global risk and fraud advisors organization.

How to Protect from Being Victim of Mobile Payment & Internet Banking Fraud?

All About Safe ‘Mobile Payments’ and Internet Banking Transactions

What are Mobile Payments and what are the top 10 things that we should be doing to stop us from losing all our money?

Bill Trueman - Risk Review Specialist

Well, as technology moves forward we’re now increasingly using our ‘mobile devices’ – we used to call them phones – to make payments. In its simplest form it is calling the bank to make a payment to someone; or using an iPhone/Android app to contact our bank to make a payment, or pay for something with a credit card. Looking forwards there’s the prospect that our mobiles will become the main payment device in shops and cinemas etc. We will probably just ‘tap and go’ for small transactions. There is naturally then a lot of evolution that has happened and this will continue as everyone from credit card companies to banks jumps on the bandwagon. In response phone companies are rapidly integrating device and software technology to make payment by phone easier and easier.

The pace of technology protection for consumers is also developing, but not as fast as the growing number of solutions or providers that are involved. Things like encryption, virus protection, chips and PINs, secret codes and memorable passwords etc. are all protections, but the weakest point in the chain is you and me as the users. We are only human, and have to be careful too. More of us will run the risk of having our identities stolen, and with them have all our money stolen and our lives invaded by the people behind these attacks.

How can we Protect Ourselves, and Make Sure that we do not Become the Victims of Mobile Payment and Internet Banking Frauds?

  1. Don’t think that it will not happen to me. Because it will. With more technology use, and easier access to our data, and through more routes, the identities of people in their teens and twenties are increasingly becoming more of a problem as they are the group most eager to embrace new technology.
  2. Stop people from getting to our technology. There are password locks on most devices now. Use them. And make sure that they are not easy to guess: no “PASSWORD”, “0000”, or “Mary” if you or your best friend or dogs are called “Mary”.
  3. Do not keep data on your devices that could be used by others. Invest in an app that password protects your data / details. They only cost a small amount, and make sure that the details are then stored encrypted. If you have to store details on the device without these things, put them behind a code that only you can understand.
  4. Keep key information in different places. A lot of fraud and losses occur because people are still ‘silly’ with their details: keeping a PIN with the card number, with address details and/or personal details that will help a fraudster. Whilst the advice used to be ‘do not write your PIN on your card’, now it should be ‘do not keep the log-on details and password with the web access address’!
  5. Beware of phishing emails. Many fraudsters, halfway across the world, get your details from you WITH YOUR HELP. They make an email look like it is from your bank, a delivery company or someone else you are expecting emails from – like PayPal, the tax office, Facebook or eBay – and then present you with a screen to sign on with your password. Then they have your private details. Be extra cautious of such incoming emails.
  6. Beware of sharp talking callers. Many frauds still start with crooks who call/text/email you or me and explain that there has been a problem on your account that has been blocked, and ask you to disclose your card details/PINs, addresses or other information in order to unblock the account. Remember, if they want to ID you, who contacted who? Identify them first.
  7. Do not make payments in a hurry or when you do not want to. This is when we make mistakes and expose ourselves.
  8. Only use machines that you know. Internet cafes can be infiltrated, have software added, hardware added or any combinations. DO NOT MAKE PAYMENTS from other people’s machines unless you really know what you are doing and you have a safe, end-to-end secure conversation going on; that you know that you are not being overseen, that there is no hardware/software running etc. And do not enter / remember passwords on any machines, especially not strange machines.
  9. Avoid using the same passwords. Obvious that one, isn’t it, but so many people do!
  10. Look after all personal details. Be protective with personal details. Do not use your PINs, card numbers, card expiry dates, addresses, phone numbers or mother’s maiden names etc. in public, in earshot of others. Type PINs and passwords covered up, and always assume that someone is watching or that there is a micro-camera installed by crooks anywhere that you are putting, reading or typing personal details.

Remember, that as the technology and connectivity leaps forward it is the fundamentals and people issues that become the biggest weaknesses, and we all have to work to ‘mind the gap’ that this leaves open; until we have remote/mobile real-time DNA testing – which is a long, long way off.

Bill Trueman is a leading payment, risk & fraud expert who provides payment fraud prevention consultancy services to card issuers, banks, and business organizations worldwide. For more information, visit the RiskSkill website. Bill is also a permanent member of AIRFA.

Card payments – Who am I dealing with? The parties involved are changing… again

Bill Trueman from Riskskill.com talks about who is involved in the four-party payment models and how and why these are changing

The parties in four-party models (those that involve Mastercard and Visa) include:

  • Cardholders – like us.
  • Merchants – the shops that we use, whether in the high-street or on-line.
  • Card Issuers: usually banks that provide us with the plastic-card, the CHIP, PIN and then our statements and customer services.
  • Merchant Acquirers: which provide the equipment to accept payments, but which also settle against the issuers globally through the card schemes and most importantly take the risks involved in doing so.

How these parties operate with one another is shown in figure 1 below. Contracts exist between each party, whether formal, or through:

a) the sale of goods and services contract (in shop),
b) Visa and Mastercard rules and contracts – through which issuers and acquirers connect globally.

Figure 1: Base four-party model for Card Payments

This is how the processes have worked in the past, but things are changing and getting increasingly complicated.

Newer Parties

Businesses have evolved because of a need for evolution, and/or because of an evolving internet, mobile technology, increasing demands of ‘new solutions’ from merchants and the need to serve ever-newer cardholder services. Acquirers of yesteryear (banks) did not or could not change with market demands. The types of organisations that have evolved include:

Sales/Introducer organisations

Organisations that ‘sell to’ merchants on behalf of acquirers. Often these ‘take a cut’ of all transactions, and often contractually taking some of the work and the risks.

Technical Gateways

Companies that provide merchants with specialist connectivity / IT solutions in the process; aim to link the merchants to the acquirer akin to an internal IT department for payments. These may include specialist data security and tokenization solutions.

Intermediate Processors – PSPs/ Payment Facilitators

Companies that work with the merchants to process transactions to acquirers, and/or other parties for ‘other’ payment types; adding services that acquirers did not or could not provide. These may be specialisms for particular markets or for particular software or applications. Elements of technical gateways and/or specialist data security and tokenization solutions may be involved.

Acquirer Processors

Companies who will provide the processing services for multiple acquirers, or increasingly, also act as acquirers too; and/or offer ‘white-label’ acquiring solutions/platforms and services.

These are shown in figure 2. Complications include:

– Many different ‘names’ for parties involved across geographies, by the organisations themselves, through the categorisation of these by the card schemes/ regulators. These names change as the market changes.

– Many of these parties overlap into one another e.g.

  • A sales/introducer may also start to provide equipment or software, a gateway solution, and/or become an intermediate processor themselves.
  • Intermediate processors may apply for their own acquiring licences to become banks and/or Visa / Mastercard licensed businesses; or set up or acquire sales businesses.
  • Acquirers may buy or establish intermediate processors, or other parties in the chain and;
  • Technical transaction processors (Gateways) may become sales businesses or provide intermediate processing and/or other services to the merchants.

– Three-party card schemes such as American Express and Diners can also be processed through the different parties involved above, in parallel or separately.

– AliPay and WeChat Pay are making big inroads in Europe, and are now by many reports bigger than Mastercard and Visa and have big ambitions.

– Domestic card schemes operate in many markets across the EU.

– Other payments schemes – electronic money, wallets, digital currencies.

Acquirer intermediates and disintermediation

Challenges

The challenges that arise and cause difficulties include:

a) Bank regulators required Banks to understand, monitor and continually manage all risks involved. The ‘art’ of doing so is being lost as other parties move into acquiring without the same regulation and knowledge.

b) Risks are often not identified, with credit risk largely uncalculated, untracked or not ‘priced for’.

c) Customer identification can become diluted when multiple parties are involved; especially when contracts are written without it being clear who is responsible for the risks/exposures; so problems evolve.

d) Regulators and card schemes introduce many and varying rules and requirements that are often hard to understand and to communicate.

e) Capital adequacy / liquidity – banks are always required to manage this; but as non-bank acquirers develop, there is no non-bank regulator to force these business protection solutions with active regulators examining progress.

f) The fallacy that “acquiring is simple” has led to more ‘new breed’ acquirers emerging, with many quickly failing or being required to stop trading when things ‘go wrong’.

Common Challenges that must be mitigated

1. Understand a) exposures, b) risk of failure, c) reward for exposures/risks; as well as all the ‘tricks’ used to con acquirers.

2. Have a clear strategy, policy, procedures, documented risk appetite, calculation methodology, management information and reporting structure.

3. Ensure that all card scheme, regulator, AML and other laws and rules are understood and kept abreast of, and that problems are corrected when they arise.

4. Measure and manage all changes in business models, exposures, risks, management etc.

5. Look for daily / real-time unusual business features and ‘blips’ in the transactions away from norms and then act upon them.

6. Manage and monitor all third-parties employed or delegated-to in the process of card acquiring.

About Riskskill

Riskskill is a leading Europe-based payments and risk management consultancy, with an impressive international track record of helping payments businesses to find and mitigate payments challenges and risks. The firm works with clients to put in place strategies and programmes of work to make payments businesses or functions more profitable, less susceptible to losses, risks and regulatory issues and compliance problems. Riskskill.com is a global GARS Reviewer for Visa.

For further information, please contact: Bill Trueman or Kevin Smith at enquiries@riskskill.com

About Bill Trueman

Bill Trueman is a professional banker and a payments and risk specialist, with over 25 years of experience. He headed-up risk functions and special investigations in Lloyds Bank issuing and acquiring; acquiring and processing at First Data, and then for insurance risks at RBS / Direct Line. For the last 12 years he has been diving-into many other businesses: largely advising merchants, acquirers and others in the payment chain; to reduce risks and costs, and to find improved ways to do business and/or to make significant organisational change. He is a mentor for innovative payments startups and sits on working parties and panels for the UK regulators.

Source: https://www.thepaypers.com/expert-opinion/card-payments-who-am-i-dealing-with-the-parties-involved-are-changing-again-/776837

In Wake of EMV Switch, US e-Commerce Fraud Soars!


As the US switched to the EMV chip card system, e-commerce fraud rates jumped by 33% last year, according to Experian. In late 2015 the US finally followed much of the rest of the world when Visa and other card schemes switched the liability for fraud-related losses to retailers that have not upgraded their hardware for EMV.

Experian notes that the increase in e-commerce fraud follows a similar trend pattern from countries that previously rolled out EMV cards – UK, France, Australia, and Canada – that also saw gradual increases in card-not-present fraud.

“We suspect that the EMV liability switch and increased adoption by merchants of chip-and-pin enabled terminals have had a profound impact on driving up e-commerce attacks,” says the firm.

Fraudsters that typically relied on committing counterfeit fraud have shifted their focus to the digital channels where they could have more success, and as more attackers enter a rapidly growing mobile and online commerce space it becomes increasingly difficult for merchants to spot them.

This means that businesses need to expect the increase in e-commerce fraud to continue over time and to be prepared to deal with it by employing a multi-layered approach that pairs transactional data elements with details about the user and their device.

Experian says that the biggest component of credit card fraud trends is the fact that 2016 was a record year for data breaches. There were 1,093 breaches, a 40% increase from 2015, according to the Identity Theft Resource Center.

Meanwhile, the Federal Trade Commission recently revealed a jump in consumers who reported that their stolen data was used for credit card fraud, from 16% in 2015 to more than 32% in 2016.

The record number of data breaches is a signal that future fraudulent activities will take place, warns Experian.

What Bill Trueman, an Eminent Risk Specialist Says About This:

1. Of course e-commerce fraud will rise. It is rising everywhere as e-commerce and m-commerce get used more.

2. Naturally, if you stop fraudsters using cards at the point of sale with EMV, they will move to CNP.

3. If you do not put in protections in your CNP channel, fraud will rise.

4. USA fails to adopt (or plan for) protections in the e-commerce channel.

5. The late adoption of EMV in the USA has caused a lot more data compromises for longer in this market.

6. EMV adoption is starting to see fraudsters deterred from CO fraud opportunities already as they move to other softer targets.

Bill Trueman is an eminent independent payments and risk specialist helping business and bank owners manage risk & fraud and save millions. He is director of globally well known RiskSkill, and is an active member of a worldwide fraud and risk advisors organization i.e. AIRFA.

Judges Pave Way for Banks in US to Sue Target over 2013 Data Breach


I read with interest the news in Finextra and elsewhere that the banks have been given the go-ahead to sue Target for $30m for the reissue costs associated with the data compromise in 2013. This puzzles me, as I then want to know how the figure of $1200 per card is calculated.

The cost of re-issue will be less than a tenth of that per card. How they can justify that size of loss based upon a reissue alone is not conceivable.

Accordingly, this figure MUST be calculated to include some of the ‘consequential loss’ – i.e. that the compromised cards were then used. Accordingly the banks will have to show a loss on their cards (as well as the costs to them of re-issue).

If I were in Target (and/or the Lawyers in the defence team) then I would have plenty of defence arguments to tender:

  a) What did the banks do to mitigate the losses?
  b) What did their systems look for in the unusual transactional activity?
  c) As the cards were compromised with limited security feature details lost, why did the banks not check the security feature details and prevent the transactions at the time of the authorisations for the fraud losses on these cards (as is done in most other banks – certainly around the rest of the world)?
  d) As a preventative solution, why had the banks not implemented greater security with EMV (and/ or EMV with CHIP and PIN) as this would have significantly (or completely) removed the possibility that these cards could have been of use? The US issuers involved are far behind the global ‘curve’ on upgrading to the latest technology that was introduced across the rest of the world 15 – 10 years ago.

Someone please introduce me – or any other card-fraud/risk/loss specialist to the consortium of banks or their lawyers to help build their case against Target – or better still to the Target people (and/or their indemnity insurers) – they probably have the much better and more fun case to present to the courts.

In all cases and scenarios, this will be a superb case to watch; and reveals how poor the infrastructure in the USA is, and how far behind both the infrastructure and the thinking actually is – on all sides of the argument.

Thanks

Bill Trueman