Airlines – Which One Will Fail This Autumn?

How and when do Airlines fail?

Airlines fail each year. Fact. Many more are likely to fail in these troublesome times too. Most airlines fail in the autumn, so it is worth trying to understand why this is the case. We all know that airlines tend to be seasonal because most of us want to use airlines during the summer; so, unless the airline is for business travel only, they will:

a) Take payments throughout the year,
b) Take more payments from February to June,
c) ‘Deliver’ the flights in the summer months,

This makes airlines awash with cash in the period up to the summer, after which they lose the cashflow as the bills start to come in, and when they have to continue to pay staff costs, airport slots, fuel, and (the big one) their quarterly airline leasing payments.

Airline creditors then need to enforce any defaulting debt, which is generally after the end of September ‘quarter date’; after which the failing airlines file for bankruptcy, liquidation or receivership.

So, we can expect to see the weakest airlines fail from this month and next. Covid-19 further exacerbates these issues and impacts those operators that are less robust. Cashflow difficulties in ‘normal years’ can often be ‘limped-through’ at this time by such airlines as they start to take winter bookings and bookings ‘for next summer’; but will this be so clear-cut this year?

The pandemic has highlighted airline industry challenges in protecting customer money, along with cashflow within the airlines and wider payments stakeholders, e.g. acquirers and card schemes, which work to safeguard customer funds.

Good news though for airlines (maybe), is that this may have come at the right time of year:

  • Some of the cashflow ‘came-in’ during February and March; at the same time as Covid
  • This gave airlines time to ground planes, cut costs and renegotiate with airports, staff (furlough schemes), and leasing renegotiation / delayed payments;
  • With the public accepting ‘vouchers’ from the airlines for the cancelled flights, this also equated to a new funding method for the airlines through this difficult time.

Who normally loses, and who will lose this time?

When any business fails, it is the creditors that lose. For airlines, the biggest ‘creditor’ is the large number of customers who have paid for, but not yet taken, their flights; in the main, they then recover the money from insurance policies or from their card company, who in turn recover the money from the card acquirer that processed the transactions for the airline.

The leasing companies recover their planes, whilst unpaid fuel suppliers, airports and staff lose out too. But let’s focus on the card payments part…

Each customer that recovers their card payments does so at the expense of the merchant acquirer; i.e. the bank (typically a bank but increasingly other types of licensed payment institutions) that has been contracted to provide the card processing for the airlines. In the last few years such acquirers have taken more of the risks and shared more of the risks across multiple acquirers.

This means that the airlines have leveraged multiple card processors, that have effectively advanced funds to an airline where the airline CFO negotiations have taken advantage of naïve acquirers. These acquirers have participated in such transactions to greedily seek the processing volumes and revenues with little to no understanding of the potential liabilities that they are covering: i.e. they are then funding the airline cashflow, for their fee, but also accepting that if the airline fails: the loss will be theirs!

So again, some of these less-aware ‘banks’ and newer acquirers that decided to blindly fund these airlines will also lose out. With each airline that fails, we may well see the collapse of some of the acquirers that effectively funded and guaranteed the payments to the airline. If the acquirers do not then fail, they may otherwise suffer significant financial and operational strain. Where the acquirers do not have the capital to survive (or if they have not stored the pre-payments as reserves) then Visa, Mastercard and other card companies will need to step-in to cover the losses. And as we can see from airline annual accounts these customer pre-payments can be tens of millions for very small airlines and £billions for the larger ones.

How will this change in the future – protecting customer money?

Sadly, this infrastructure will no longer function once the ‘music stops’ and we see the next tranche of airline and acquirer failures. Visa, Mastercard, and acquirers will rightly no longer have an appetite for funding airline cashflow and will look for alternative ways to fund these arrangements. They should have lost this appetite years ago, but in most cases had not really understood the real extent of the problem!

When you and I pay money into a bank, into a financial instrument of any sort, financial regulators across the EU and around the globe ‘guarantee’ such payments and require financial institutions to have very specific and comprehensive ‘safeguarding’ of customer funds. i.e. our cash is not available to the financial institutions (in the main) for funding the financial institutions’ own cashflow, its losses and/or mis-management. If they fail, in general, your money is safe, or at least up to specific limits.

With AIRLINES this is different. We pay them €£$ billions each year through our cards, and the card companies pay this money almost immediately to the airlines to fund their operations with no regulatory oversight or protections whatsoever. The card companies ‘once upon a time’ had rules that required only the biggest and most capitalised card processing companies (USD100,000,000 balance sheet capital) to support the airlines in this way: but now many others have entered this trading:

• without understanding the potential losses;
• without putting in place systems to protect, hold or look after the customer money;
• having agreed to pay the money to the airlines, with the airlines having no segregation of customer funds from their own funds in the way that any other business holding customer funds MUST do.

Reading the accounts of some of the biggest airlines in Europe, we have seen that they use these funds (openly) in lieu of corporate-banking finance, or debenture funding. Such funding might not even be available, as the funders of such airlines will be afeared to provide such facilities to such poor credit risks. This means that as customers, we always fund airlines that professional lenders would often not help fund.

Travel bodies that usually ‘step-in’ such as ATOL/ABTA/CAA, or national equivalents, have realised that this is not a very positive position and have started to re-position themselves as uninvolved in the ‘financial guarantee’ part of the transactions.

What should be done and how will or should the industry change?

By default, the card schemes are very aware, as are the acquirers and airlines that this issue exists; so will need to work together to ensure that the customer money is at all times protected and effectively ‘held in escrow’ by trusted and independent parties until they have taken their flights. They will make sure that airlines, should they fail, have the money, and that this money is ‘immediately’ available to be refunded to the customers; and never, never accessible to the liquidators, administrators, or bankruptcy officials to use to favour other creditors.

In the EU and in the UK (not sure whether the UK is part of the EU anymore), we have a regulatory system to protect customer funds in most financial institutions: but we have no strong travel industry regulator that has insisted, or is insisting that customer funds ‘in the travel pre-payments world’ are protected. Nothing in law requires the airline CFO to protect customer funds either.

We have a payments industry that readily allows the airline liabilities to be passed to the card payment sector, which then plays ‘Russian roulette’ with our holiday funds without understanding the risks and the liabilities, greedily fighting over the transaction processing revenues and at the same time passively funding the airlines. We now urgently need:

• A strong government (EU/UK) to step-in and insist upon regulation that safeguards our money when we buy flights and holidays;

• Airlines that think about customer funds ahead of trading cashflow to make sure that they separate out these funds from their trading; and when they do not do so, have consequences. Personal consequences;

• An accounting industry / sector that properly reports whether an airline accounts for the customer funds that it holds as liabilities (prepayments) rather than as a working capital item in the airline accounts, and which realises the income only at the time that the product has been delivered (akin to the way that insurance companies only realise their income at the time of exhausting the insurable risks liability).

And to do this our governments need to recognise this problem. Sadly, they may not recognise this challenge until later this year (or next) when we have lost a few more major EU airlines, have created financial hardship for many consumers and adversely impacted the reputation and operations of a chunk of the card payments industry and its participants.
“There is turbulence ahead”. But not the normal kind.

About Kevin Smith

With over 25 years in the payments business, Kevin is a trusted and experienced practitioner and thought leader in payments, technology, issuance, acceptance and acquiring.

About Bill Trueman

Bill Trueman is a professional banker and a payments and risk specialist, with over 25 years of experience. He headed-up risk functions and special investigations in Lloyds Bank issuing and acquiring; acquiring and processing at First Data, and then for insurance risks at RBS / Direct Line.

About Riskskill

Riskskill is a leading Europe-based payments and risk management consultancy. Riskskill.com is a global GARS Reviewer for Visa. For more information visit website at http://www.riskskill.com/

For further information, please contact: Bill Trueman or Kevin Smith at enquiries@riskskill.com

Wirecard Acquiring is ‘Dead’: Who Will be Next?

Wirecard has gone: one of the biggest card acquirers in Europe and elsewhere too. It was a major ‘new tech’ company in Germany, and only last year planned its bid to buy the 150 year old Deutsche Bank. We now know this was part of the deliberate ruse.

In 2019, the UK Financial Times reported the Wirecard fraud and how it had taken several years for its auditors to expose what had been detailed as a ‘financial reporting’ fraud – i.e. a company that said it had €1.9 billion more in cash than the auditors could find!

But why did it fail? Why do other acquirers fail? Why did this one struggle? And what makes acquirers succeed?

But more importantly, who will be next?

Card acquirers fail each year, typically doing so quietly, and as a result of national regulator actions, card scheme sanctions or pressure. Once a regulator or the card schemes ‘get their teeth into’ these companies: it most certainly signals ‘the start of the end’.

Many acquirers struggle to make profits, because of a combination of:

  • High processing costs and thereupon small margins,
  • The need to employ sales agents that take large cuts from the margins,
  • The need to spread fixed costs across a broad/ wide number of merchant businesses,
  • A hard and very competitive market, where acquirers undercut one another and seek to acquire volumes at the expense of profits,
  • Increasing card scheme fees, that cannot always be quickly passed on to merchants.

Card acquirers must then:

  a) Have a ‘volume business acquisition’ strategy to distribute the ‘costs of being an acquirer’ over large numbers of customers, and/or
  b) Identify and choose a higher-margin, higher-risk business that they are likely to be able to service well, manage well, and where they control and understand the risks.

This brings serious challenges. In the case of Wirecard, we know from the reporting that:

  a) Control mechanisms and governance controls were not strong. The incoming chairman in 2020 was appalled at what he found. The key executives were able to hide this, which demonstrates the significant failings of the independent board members along with the second/third lines of defense in corporate governance. The fact that the CEO and COO (and others?) were able to hide a €1.9 billion ‘hole’, to control their independent board members and to control the ‘message and direction’ should never, ever happen. Equally and potentially, Wirecard were able to ‘bully’ and/or deceive the national regulators (BaFin especially), auditors and card schemes. So even though these people did not have their ‘fingerprints on the daggers’, they were all clearly also culpable.
  b) Safeguarding: It is clear that customer funds were NOT safeguarded: up to a staggering €1.9 billion. Does the ‘buck stop’ with the CEO? Of course, but the auditors again failed to ‘get to the bottom of this’ for several years. So did the rest of the Wirecard board and certainly the independent directors. There are a lot more people that are culpable here than just the CEO, some of whom should also go to jail. It seems that everyone else that might also be culpable will surely now make sure that it is the CEO that is blamed and will be the only one that will be ‘left swinging’.
  c) National Competent Authorities, i.e. the regulators, along with the card schemes should also not be too easily exonerated. It is clear that, whatever they did know or should have known, the size of the Wirecard business and the sheer gall of the executives (older and newer alike) allowed Wirecard ‘certain privileges’ that permitted it to continue trading where and when others would have failed. It seems that Wirecard was probably deemed ‘too big to fail’ for too long.

Wirecard had such a sizable portfolio, and such a significant gap in its financials: that we can only start to speculate the full extent of the dishonesty, deception and incompetence. We now know from the Wirecard auditors that the EU business was loss-making and that the Asia/Pacific business was ‘seemingly’ profitable (but also where the alleged ‘missing funds’ were supposedly located). So we must look for signs: which we need to remember were always present; even if it is to review the ‘Zatarra papers’ that are increasingly proving to have been correct in more and more places.

These documents named and detailed culprits several years ago, and were consistently attacked by Wirecard when various allegations therefrom were picked up in the media. We should hope that these are now being looked at by the ‘prosecutors’, and consider whether even those who were behind the publication of these papers were implicated too. Maybe they were not just stock-shorters as alleged by Wirecard, but insiders that did not ‘do their duty’ to formally raise and report concerns. Or were they people who were uncomfortable and put under pressure not to act, so they took an anonymous stance?

Our speculation must therefore lead us to:

  a) The board and the CEO/COO that must have amongst them known exactly where and what the losses were; and conspired to conceal the losses. In theory, they could have been utterly stupid, which we should clearly dismiss: given their repeated investigations and dismissal of them, and ultimate findings that the money clearly did not exist.
  b) Conclude that the Wirecard business in Europe was either:
    • Priced to undercut the competitors in search of volume business.
    • Priced poorly, OR, much more likely and possible to evidence:
    • Inaccessible to other acquirers in the market because of the dubious nature of this business – i.e. not fully scheme compliant, potentially illegal, breaching AML law through significant cross-regional transactional laundering.

And the profitability of the business in Asia? Was this business really profitable?

There are far too many unknowns and also too much that will yet be revealed (or ultimately veiled to protect the financial systems and reputation of regulators and card payment schemes) in relation to this case. But we know that there is so much and so many aspects of this case that simply ‘do not add-up’.

Industry mutterings and speculations indicate that the key people at Wirecard (again the CEO and COO but others too?):

  1. Allowed or conspired to aid and abet cross-continental transaction laundering. This has been the inference in the reporting that has appeared in either the official ‘reporting’ or the often under-recognised Zatarra documents, all of which has kept surfacing over the last five years.
  2. Somehow illicitly involved executives and/or counterparty claw-offs (knowingly or passively?) for acquiring loss-making merchants, illegal transactions and money laundering processing where others could not do so. This is a problem that will now challenge us as a heavily regulated industry and will quickly be transferred to other acquirers and continue to haunt our industry into the future. Every regulator and card scheme should now be worried about:
    1. Where the more questionable Wirecard customers will have moved to next. Industry insiders will have witnessed a ‘feeding frenzy’ from the Wirecard portfolio,
    2. Which acquirers will require additional supervision. This is very concerning.

Every acquirer across Europe should be aware, but who will have no chair ‘when the music next stops’?

The writers have a high level of confidence in the regulators – BaFin and also in the card schemes. They will now ‘follow the money’ and establish who the next acquirers are that start to process, to find and track the illegal money laundering now that Wirecard is no longer a vehicle. But will the card schemes and regulators move more assertively now, or allow ‘another Wirecard’? “Wirecard, jailed executives, fail to learn, then repeat” perhaps?

Who will take-over now that Wirecard ‘has left the party’?

We are aware that there are key individuals who know where this business is going. There are agents that are busily and knowingly ‘placing this business’ with the next, and the not so diligent acquirers around the globe. It is really a matter of how long it will take the card schemes, the regulators and then for law enforcement to act. They have the tools now and do know where and how the traffic is travelling. They just need to now act assertively and not be frightened-off by the ‘next bully’ who processes this business.

Hopefully, the Wirecard events will educate us all, deter some, frighten others and drive a few more people towards reporting these matters appropriately to the right authorities, and hopefully in a more public way than we saw in the ‘Zatarra papers’.

We will continue to monitor regulatory and payment network progress as we learn more about this case, and hopefully everyone will be more observant and challenging going forward. Failure to do so will lead to serious and more fundamental questions on the effectiveness of those who should ensure that, as an industry, we have a legal, compliant, competitive and transparent payment system.

RiskSkill Attends WebShield’s RiskConnect Conference 2019 in Warsaw

The team at Riskskill were both honoured and pleased to attend and support our friends at Web Shield and yet another successful networking conference for risk management people, this time at RiskConnect 2019 in Warsaw.

Over the 19th and 20th November, Web Shield hosted some 250 risk practitioners from across Europe and many from further afield.

There was a superb group of presenters at the event, who rewarded the audience with powerful presentations; such as:

– Keynote presenters from Süddeutsche Zeitung (Obermayer and Obermaier – who were the original ‘Panama Papers’ 2017 Pulitzer Prize winners) who signed copies of their book at the conference.

– Mastercard and Visa executives who presented their visions and key changes to global chargeback and fraud rules.

– USA-based; Better Business Bureau: on the extent of global Deceptive Marketing Practices (also the title of a new publication from our hosts at Web Shield)

– G2A.com and the Belgian Gaming Commission: who presented massively engagingly upon loot boxes.

– The Royal Canadian Mounted Police talking about significant investigations into malpractice

– Deloitte and Deloitte RegTech Lab, MarketScape, Nethone, Bankingblocks, Ethoca and Crystal Blockchain all produced extraordinary presentations about current, interesting and informative topics, as did great people from Web Shield too – who also announced the launch of its multi-language training academy courses on risk management.

Fuller agenda and details on the event can be found on the Web Shield / RiskConnect website.

Bill Trueman from Riskskill moderated a lively and fascinating panel discussion on Day-1 on the rapidly emerging and poorly understood issue of loot boxes (aka loot crates) and the various views taken by individual national regulators, the card schemes and the ultimate need for a greater understanding and potential need for further clarifying regulation. The panel comprised Peter Naessens (Belgium Gaming Commission), Olav Leonov (G2A) and Markus Prause (Web Shield).

Kevin Smith moderated a panel discussion on Day-2 on the thorny topic of deceptive marketing. The panel comprised Steve Baker (Better Business Bureau), Kyle Smith (Ethoca) and Iveta Korenciakova and Chris West (Bankingblocks). They provided further guidance, experiences and emerging challenges that pulled together a lot of the content from their earlier presentations and the entire event overall. The discussion highlighted the growth and global expansion of the ‘tricks’ used against consumers and the risk of harm (or worse) that, for example, counterfeit products can cause, as well as those of unlicensed pharma and nutra products – and their often inert, harmful or even illegal ingredients.

Christian Chmiel chaired the event in his usual calm, confident and professional manner. The common theme remains industry collaboration in what is becoming an ever more complex and diverse environment.

The quote of the conference, first introduced by Peter Bayley from Visa was: “What are the brakes on a car for? …. To make the car go faster”

Books from Christian Chmiel and Markus Prause, edited by Joyrene Thomas (also available at the conference): https://about-fraud.com/author/christian-a-chmiel/
Panama Papers book on Amazon: https://www.amazon.co.uk/Panama-Papers-Breaking-Story-Powerful/dp/1786070707/ref=sr_1_1?keywords=panama+papers&qid=1574442501&sr=8-1

Bill Trueman and Kevin Smith are leading payment, risk & fraud specialists who provide payment fraud prevention consultancy services to card issuers, banks, and business organizations worldwide. For more information one can visit websites at RiskSkill, and AIRFA.

E-Money Risk, Fraud & Compliance Advisory Service by RiskSkill

About RiskSkill’s e-Money Compliance Services

RiskSkill help businesses avoid €multi-million fines and embarrassing brand damaging mistakes from regulatory non-compliance and process and regulatory mistakes. We help clear up the mess when we are called in later.

E-money Licence Changes:

Recent new financial services legislation in the UK, has led to the Financial Conduct Authority (FCA) introducing a Payments Systems Regulator from April 2014. The ECB, and the European Commission are also proposing ways to regulate and police the whole e-money arena, as are the international card schemes. The FCA is now also starting to review and audit the e-money licences they have granted previously and for observance with ALL regulations and also best-practices.

We believe that the FCA have seen that the governance of payment systems, including e-money issuers, is a difficult and continuous task and needs several layers of supervision and oversight in the way that other payment methods have already established (e.g. through the regulations of the international card schemes).

Requirements:

As an e-money licence holder, you need to ensure that your organisation and all of its agents, including passport holders, are fully conversant with and engaged in all due diligence in customer selection and identification, transaction/event screening, suspicion reporting, record-keeping, corporate assessment of exposures and risk, and the Basel II (and III) capital assignment to the exposures. Reporting to the FCA, a clear payment strategy and ABOVE ALL understanding and observance of laws relating to payments in all areas of operation are all also essential.

The main legislation that is pertinent is the meeting of the requirements of the Money Laundering regulations for all countries in which an e-money licence holder, and its agents and Passport Holders, operates. Not doing what is right by the European Money Laundering directives is the quickest way of losing money, being fined, suffering crippling bad media attention, or losing a market – or a full e-money licence (which will happen when firms are reviewed).

ACTIONS 

In advance of the FCA performing its own validation on individual license holders (and making high profile examples of those who are not fully compliant), you need to:

A. Make sure that all your processes, operations and compliance teams are all fully observant of all applicable regulatory requirements, laws and best practices.

B. More importantly though, are you confident that your third party agents are also fully compliant?

We Can and Will Help You In: 

1. Determining your current state of preparedness and identifying areas for attention and action before the FCA requests an onsite review of your business.

2. Reviewing the state of compliance and preparedness of your third party agents or passport-licences and reporting to you on them as the principal e-money licence holder.

We can provide you with our credentials when you need help, as we are a team of payment industry specialists, that have previously worked in many banks and card schemes, and now help organisations assess their current operational status, and become and remain compliant. We have also worked extensively with the rules, regulations, legislation and best practice across the sector, in the UK and across Europe and advise payment organisations on market strategy and direction rather than simply focusing on ‘tick-box’ auditing.

Contact RiskSkill for our Services for all Risks, Fraud and Compliance solutions for e-money, e-payment, internet payments, e-funds, e payment systems, online payment and digital cash’s safe transactions. RiskSkill is also a permanent member of AIRFA an independent and global risk and fraud advisors organization.

How to Protect from Being Victim of Mobile Payment & Internet Banking Fraud?

All About Safe ‘Mobile Payments’ and Internet Banking Transactions

What are Mobile Payments, and what are the top 10 things that we should be doing to stop us from losing all our money?

Bill Trueman - Risk Review Specialist

Well, as technology moves forward we’re now increasingly using our ‘mobile devices’ – we used to call them phones – to make payments. In its simplest form it is calling the bank to make a payment to someone; or using an iPhone/Android app to contact our bank to make a payment, or pay for something with a credit card. Looking forwards there’s the prospect that our mobiles will become the main payment device in shops and cinemas etc. We will probably just ‘tap and go’ for small transactions. There is naturally then a lot of evolution that has happened and this will continue as everyone from credit card companies to banks jumps on the bandwagon. In response phone companies are rapidly integrating device and software technology to make payment by phone easier and easier.

The pace of technology protection for consumers is also developing, but not as fast as the growing number of solutions or providers that are involved. Things like encryption, virus protection and chips and PINS, secret codes and memorable passwords etc are all protections, but the weakest point in the chain is you and me as the users. We are only human, and have to be careful too. More of us will run the risk of having our identities stolen, and with them have all our money stolen and our lives invaded by the people behind these attacks.

How can we Protect Ourselves, and Make Sure that we do not Become the Victims of Mobile Payment and Internet Banking Frauds?

  1. Don’t think that it will not happen to me. Because it will. With more technology use, and easier access to our data, and through more routes, the identities of people in their teens and twenties are increasingly becoming more of a problem, as they are the group most eager to embrace new technology.
  2. Stop people from getting to our technology. There are password locks on most devices now. Use them. And make sure that they are not easy to guess: no “PASSWORD”, “0000”, or “Mary” if you or your best friend or dogs are called “Mary”.
  3. Do not keep data on your devices that could be used by others. Invest in an app that password protects your data / details. They only cost a small amount, and make sure that the details are then stored encrypted. If you have to store details on the device without these things, put them behind a code that only you can understand.
  4. Keep key information in different places. A lot of fraud and losses occur because people are still ‘silly’ with their details: keeping a PIN with the card number, with address details and/or personal details that will help a fraudster. Whilst the advice used to be ‘do not write your PIN on your card’, now it should be ‘do not keep the log-on details and password with the web access address’!
  5. Beware of phishing emails. Many fraudsters, half way across the world, get your details from you WITH YOUR HELP. They make an email look like it is from your bank, a delivery company or someone else you are expecting emails from – like PayPal, the tax office, Facebook or eBay – and then present you with a screen to sign on with your password. Then they have your private details. Be extra cautious of such incoming emails.
  6. Beware of sharp talking callers. Many frauds still start with crooks who call/text/email you or me and explain that there has been a problem on your account, that it has been blocked, and ask you to disclose your card details/PINs, addresses or other information in order to unblock the account. Remember, if they want to ID you, who contacted who? Identify them first.
  7. Do not make payments in a hurry or when you do not want to. This is when we make mistakes and expose ourselves.
  8. Only use machines that you know. Internet cafes can be infiltrated, have software added, hardware added or any combination. DO NOT MAKE PAYMENTS from other people’s machines unless you really know what you are doing and you have a safe, end-to-end secure conversation going on; that you know that you are not being overseen, that there is no hardware/software running etc. And do not enter / remember passwords on any machines, especially not strange machines.
  9. Avoid using the same passwords. Obvious that one, isn’t it, but so many people do!
  10. Look after all personal details. Be protective with personal details. Do not use your PINs, card numbers, card expiry dates, addresses, phone numbers or mother’s maiden names etc. in public, in earshot of others. Type PINs and passwords covered up, and always assume that someone is watching or that there is a micro-camera installed by crooks anywhere that you are putting, reading or typing personal details.

Remember that as technology and connectivity leap forward, it is the fundamentals and people issues that become the biggest weaknesses, and we all have to work to ‘mind the gap’ that this leaves open; until we have remote/mobile real-time DNA testing – which is a long, long way off.

Bill Trueman is a leading payment, risk & fraud expert who provides payment fraud prevention consultancy services to card issuers, banks, and business organizations worldwide. For more information, visit the RiskSkill website. Bill is also a permanent member of AIRFA.

Card payments – Who am I dealing with? The parties involved are changing… again

Bill Trueman from Riskskill.com talks about who is involved in the four-party payment models and how and why these are changing

The parties in four-party models (those that involve Mastercard and Visa) include:

  • Cardholders – like us.
  • Merchants – the shops that we use, whether in the high-street or on-line.
  • Card Issuers: usually banks that provide us with the plastic-card, the CHIP, PIN and then our statements and customer services.
  • Merchant Acquirers: which provide the equipment to accept payments, but which also settle against the issuers globally through the card schemes and most importantly take the risks involved in doing so.

How these parties operate with one another is shown in figure 1 below. Contracts exist between each party, whether formal, OR

a) the sale of goods and services contract (in shop),
b) Visa and Mastercard rules and contracts – through which issuers and acquirers connect globally.

Figure 1: Base four-party model for Card Payments

This is how the processes have worked in the past, but things are changing and getting increasingly complicated.

Newer Parties

Businesses have evolved because of a need for evolution, and/or because of an evolving internet, mobile technology, increasing demands of ‘new solutions’ from merchants and the need to serve ever-newer cardholder services. Acquirers of yesteryear (banks) did not or could not change with market demands. The types of organisations that have evolved include:

Sales/Introducer organisations

Organisations that ‘sell to’ merchants on behalf of acquirers. Often these ‘take a cut’ of all transactions, and often they contractually take on some of the work and the risks.

Technical Gateways

Companies that provide merchants with specialist connectivity / IT solutions in the process; they aim to link the merchants to the acquirer, akin to an internal IT department for payments. These may include specialist data security and tokenization solutions.

Intermediate Processors – PSPs/ Payment Facilitators

Companies that work with the merchants to process transactions to acquirers, and/or other parties for ‘other’ payment types; adding services that acquirers did not or could not provide. These may be specialisms for particular markets or for particular software or applications. Elements of technical gateways and/or specialist data security and tokenization solutions may be involved.

Acquirer Processors

Companies who will provide the processing services for multiple acquirers, or increasingly, also act as acquirers too; and/or offer ‘white-label’ acquiring solutions/platforms and services.

These are shown in figure 2. Complications include:

– Many different ‘names’ for parties involved across geographies, by the organisations themselves, through the categorisation of these by the card schemes/ regulators. These names change as the market changes.

– Many of these parties overlap into one another e.g.

  • A sales/introducer may also start to provide equipment or software, a gateway solution, and/or become an intermediate processor themselves.
  • Intermediate processors, may apply for their own acquiring licences to become banks and/or Visa / Mastercard licensed businesses; or set-up or acquire sales businesses.
  • Acquirers may buy or establish intermediate processors, or other parties in the chain and;
  • Technical transaction processors (Gateways) may become sales businesses or provide intermediate processing and/or other services to the merchants.

– Three-party card schemes such as American Express and Diners can also be processed through the different parties involved above, in parallel or separately.

– AliPay and WeChat Pay are making big inroads in Europe, and are now by many reports bigger than Mastercard and Visa and have big ambitions.

– Domestic card schemes operate in many markets across the EU.

– Other payments schemes – electronic money, wallets, digital currencies.

Figure 2: Acquirer intermediates and disintermediation

Challenges

The challenges that arise and cause difficulties include:

a) Bank regulators required Banks to understand, monitor and continually manage all risks involved. The ‘art’ of doing so is being lost as other parties move into acquiring without the same regulation and knowledge.

b) Risks are often not identified, with credit risk largely uncalculated, untracked or not ‘priced for’.

c) Customer identification can become diluted when multiple parties are involved; especially when contracts are written without it being clear who is responsible for the risks/exposures; so problems evolve.

d) Regulators and card schemes introduce many and varying rules and requirements that are often hard to understand and to communicate.

e) Capital adequacy / liquidity – banks are always required to manage this; but as non-bank acquirers develop, there is no non-bank regulator to force these business protection solutions with active regulators examining progress.

f) The fallacy that “acquiring is simple”, has led to more ‘new breed’ acquirers emerging with many quickly failing or required to stop trading when things ‘go wrong’.

Common Challenges that must be mitigated

1. Understand a) exposures, b) risk of failure, c) reward for exposures/risks; as well as all the ‘tricks’ used to con acquirers.

2. Have a clear strategy, policy, procedures, documented risk appetite, calculation methodology, management information and reporting structure.

3. Ensure that all card scheme, regulator, AML and other laws and rules are understood and kept abreast of, and that issues are corrected when they arise.

4. Measure and manage all changes in business models, exposures, risks, management etc.

5. Look for daily / real-time unusual business features and ‘blips’ in the transactions away from norms and then act upon them.

6. Manage and monitor all third-parties employed or delegated-to in the process of card acquiring.

About Riskskill

Riskskill is a leading Europe-based payments and risk management consultancy, with an impressive international track record of helping payments businesses to find and mitigate payments challenges and risks. The firm works with clients to put in place strategies and programmes of work to make payments businesses or functions more profitable, less susceptible to losses, risks and regulatory issues and compliance problems. Riskskill.com is a global GARS Reviewer for Visa.

For further information, please contact: Bill Trueman or Kevin Smith at enquiries@riskskill.com

About Bill Trueman

Bill Trueman is a professional banker and a payments and risk specialist, with over 25 years of experience. He headed-up risk functions and special investigations in Lloyds Bank issuing and acquiring; acquiring and processing at First Data, and then for insurance risks at RBS / Direct Line. For the last 12 years he has been diving-into many other businesses: largely advising merchants, acquirers and others in the payment chain; to reduce risks and costs, and to find improved ways to do business and/or to make significant organisational change. He is a mentor for innovative payments startups and sits on working parties and panels for the UK regulators.

Source: https://www.thepaypers.com/expert-opinion/card-payments-who-am-i-dealing-with-the-parties-involved-are-changing-again-/776837

RiskConnect 2018: The Anatomy of a Good Risk Management Strategy

Webshield Riskconnect Conference 2018 at Frankfurt

Thought leaders and industry experts met at RiskConnect conference in Frankfurt to discuss the newest challenges that risk professionals face within the payments industry and to provide hands-on knowledge they can use in their daily work. RiskConnect is organised by Web Shield, one of the leading onboarding, underwriting and monitoring solution providers.

The event started with a presentation held by Pulitzer Prize winner Carl Bernstein on fake news, the impact this has on our societies and the way truth is perceived via ‘fake news lenses’. Bernstein has preached the gospel of finding ‘the best obtainable version of truth’, stressing the fact that journalists are similar to data miners, permanently searching for info, and that their ultimate role should be connecting these data to offer the best obtainable version of truth. This ideal can be achieved if we present information in context, as simple facts presented isolated from the bigger picture do not cover the truth. A crucial role in this system is played by the validation of our data sources.

He concluded his presentation by drawing a parallel between the role of journalists and risk management professionals, as both categories use similar investigative principles to grasp the whole picture of a given situation / merchant profile, for instance. When you don’t know/suppose you know the truth you face a risk, the risk of missing out the factors that made that truth happen, of not knowing what will be the right consequences, of being part of a distorted world, hence, facing unreal consequences/facts.

What exactly is risk?

There have been a lot of debates around this concept, as it is not fixed but variable, depending on the degree of risk a business/person is willing to accept, the impact the accepted risk has on the business/consumer, risk appetite, the way it makes a business/consumer feel when they take a particular risk, etc. Nevertheless, risk can be monitored/assessed thanks to the ISO 31000 standard on ‘Risk management – Principles and guidelines on implementation’, which states that the process of risk management consists of several concrete steps, such as establishing the context, identifying potential risks, and assessment: once risks have been identified, they must then be assessed as to their potential severity of impact.

According to Shaun Lavelle, Senior Vice President Risk, Payment Processing, Paysafe Group and Bill Trueman, Director, RiskSkill (http://www.riskskill.com/) the concept of high-risk is meaningless if the types of risk are not specified. Moreover, the lack of a proper risk scoring analysis can be caused by not taking into consideration operational risk, currency risk, reputational risk, fraud and regulatory risks.

For instance, at the moment there are too many shady merchants under some acquirers’ custody conducting illegal activities, such as child pornography, nutraceuticals and unfair billing practices, which lead to large fines applied to these acquirers by the regulators/schemes. Not to mention the different perspectives regulators have on these risks and the vast terminology used within this market (not everyone understands it or agrees on its meaning). Within this context, risk managers plan hard, and put in place early-warning processes and measures, to avoid their business going bust.

Bitcoin, ICOs, crypto… a risky business?

Over the past few years, cryptocurrency has grown exponentially and it seems that a new cryptocurrency pops up every day (currently there are more than 1500 available). The appeal of making a fortune by joining the cryptocurrency market is enticing, with mining facilities multiplying and the emergence of “Initial Coin Offerings” (ICOs). Similar to IPOs, ICOs enable startup businesses to raise capital for their projects by issuing their own digital tokens.

However, fraudsters are also exploiting this new digital asset ecosystem. For instance, there are sites that teach you how to launch an ICO in just 20 minutes, and others that use deceptive advertising to trick users into thinking that they are buying ‘the next worldwide crypto’ (when actually they don’t receive anything). Also, by co-opting well-known brands, such as the card schemes Mastercard and Visa, or by using celebrity names/faces in a deceptive way, ICOs can gather over 30,000 registrants in just a few days, according to the Canadian Financial Authority investigators Annie Leblanc and Maude Blanchette.

The good news is that there are regulators and authorities throughout the world, such as the North American Securities Administrators Association (NASAA), European Securities and Markets Authority (ESMA), Financial Action Task Force (FATF), and many others that monitor these fund raising activities/transactions, investigate any illegal/illicit/deceiving involvement and prosecute where needed.

How to lower the risk?

Mastercard and Visa are preparing their clients/merchants on how to deal effectively with the evolving risk management challenges. During RiskConnect, Jonathan Trivelas, Director, Customer Compliance and Fraud, Mastercard, covered Mastercard’s Business Risk Assessment and Mitigation (BRAM) program and its latest requirements concerning high-risk merchants. These initiatives are called AN 1683—Addition of High-Risk Securities Merchants to the BRAM Program and Revised Standards—High-Risk Securities Merchant Registration and AN 1695—Addition of Cryptocurrency Merchants to the BRAM Program and Revised Standards—Cryptocurrency Merchant Registration, and apply mainly to cryptocurrency use and trading in selected high-risk financial instruments. This includes recent developments regarding cryptocurrency merchants, high-risk security traders (Binary, Forex, etc.), sports betting and high-risk negative option billing merchants.

These standards came into effect on October 12th, though discussions around them were started by Mastercard in spring 2018. Generally speaking, they apply to high-risk merchants. It is also worth mentioning that ESMA (European Securities and Markets Authority) has already taken intervention measures and temporarily prohibited the marketing, distribution or sale of binary options to retail clients. AN 1683 and AN 1695 also aim to provide legal opinions on the possibility of carrying out cryptocurrency business in a particular country.

In a world where anyone can be a merchant, everyone can be a customer, and regulators continue to extend their enforcement, another option to lower this risk is to leverage global data points to automate and revolutionise online verifications and fraud prevention.

There are companies such as 4Stop or IdentityMind that, through the power of data, can achieve automated risk mitigation, even for … cryptocurrency transactions, as technology has the capability to deanonymize an address on the Bitcoin network, thus attaching it to the real-world identity of the person controlling it. Once this happens, all transactions made from and to this address become visible and traceable, from the beginning of the blockchain to the very last block.

Education in risk management is crucial

We have the tools and technology, we have the regulations and best practices examples, but how can risk professionals establish a knowledge base in an industry that lacks an established professional educational path and is evolving as quickly as it is? Clearly, by setting industry standards for professionalism and proficiency for the acquiring industry. There are a few associations, companies and groups, like the Electronic Transaction Association, Web Shield and the Merchant Acquirer’s Committee, that through programs, trainings, book releases, events, and many more are trying to offer new market players the tools to understand the risks associated with financial services.

We cannot but agree with Jason Oxman, CEO, Electronic Transactions Association who says “Through the ETA Certified Payments Professional program, as well as ETA’s new Self-Regulation Program, we are raising the level of education and professionalism in the payments industry, and events like RiskConnect help us increase awareness of the importance of global partnerships.”

We want to take this opportunity to thank the Web Shield team for inviting us to the RiskConnect event, and conclude by adding the remark of Christian Chmiel, CEO & Founder of Web Shield: “In the fight against fraud, education and collaboration are at least as important as technology”.

Original Source: https://www.thepaypers.com/expert-opinion/riskconnect-2018-the-anatomy-of-a-good-risk-management-strategy/776286

Riskskill Attends 2nd RiskConnect conference – 2018 at Frankfurt

Riskskill is once again proud to be supporting Web Shield at their second RiskConnect conference – 2018, in Frankfurt.

The networking conference for risk and compliance professionals took place at the Hilton Hotel next to the airport at Frankfurt-am-Main on 29th and 30th November 2018.

RiskConnect, a networking conference, was hosted by Web Shield, who provide on-boarding, underwriting and monitoring solutions to many in the payments industry.

The two-day conference was attended by thought leaders and payment industry experts to debate the existing and newest challenges faced by the payments industry. Relevant industry developments and challenges are discussed, with opportunities to network with event participants. RiskConnect is the independent event where risk and compliance experts can share their knowledge and broaden their horizons on the topics at hand, so that they can remain ahead of others.

“Riskskill is pleased to be supporting Web Shield at this event again. I am talking about the credit risk challenges in the merchant acquiring sector along with Shaun Lavelle, SVP Risk Management at Paysafe Group; we like to support the team from Web Shield as they are doing much to ‘shake-up’ the approach to enhanced risk management, and to improve risk awareness and knowledge in the industry.”

“Riskskill is also honoured to be presenting alongside a wide range of influential organisations, including senior risk management representatives from both Mastercard and Visa; but also rather pleased to be sharing the stage with Pulitzer Prize winner (and almost a legend in his lifetime) Carl Bernstein.” http://www.carlbernstein.com

Other speakers include: Brian Kinch from Visa, Jonathan Trivelas from Mastercard, DJ Murphy from Card Not Present, Jason Oxman from the Electronic Transactions Association (ETA), along with speakers from 4Stop, Schiltz & Schiltz, Coinbase, Canadian regulator AMF and the FBI, Deloittes and the Dating Factory.

Riskskill, a boutique payments and risk management consulting company, encourages interested risk and compliance professionals to attend these events as they are a great opportunity to stay in the forefront of industry developments.

Further information on this event is available at http://www.riskconnect.eu

Web Shield RiskConnect Conference 2017: Kevin Smith Also Takes Part

The Web Shield RiskConnect Conference 2017, held in Frankfurt am Main, Germany on 23-24 November 2017, focused on risk management and payments takeaways. Kevin Smith of RiskSkill presented on Day 1 of this inaugural Web Shield RiskConnect event; he emphasized the power of networking and information sharing for payments industry risk professionals.

RiskConnect Conference - Risk management and payments takeaways

FRANKFURT, Germany – A well-organised and informative conference held in the Hilton Hotel at Frankfurt Airport in November 2017. It was positioned as the networking event for risk professionals. It really was a superb networking and informative event, an opportunity to meet senior global payment scheme representatives, regulators, acquirers, processors, vendors, industry risk and payment specialists and consultants, and not forgetting our knowledgeable hosts from Web Shield.

Why is this relevant now?

Well, Web Shield in conjunction with Payvision & Acapture have now just released their blog and a YouTube video, summarising the highlights of the event and some thoughts from those who presented and participated in the event, including yours truly.

Web Shield really have challenged the status quo in risk management in payments, through their products and services, technical expertise and knowledge, the training academy and now their networking event and conference.

Supporters and sponsors helped make RiskConnect possible and a success, including Payment Consultants, Payvision, iSignThis, Foregenix and Fibonatix.

Payvision also played an important role of contributing to the event’s success, through their media sponsorship and capturing the two day proceedings on a short video. The seven minute video, summarising the event and engaging with most of the presenters was released on Tuesday, 27th February 2018, along with the Payvision blog.

RiskConnect 2017 was held over two days in November 2017; it brought together a wonderful array of payments and risk management experts. All noted that they may be seen as professionals and experts, but all are willing to meet a new industry colleague, learn something new and listen to and share industry best practices.

Presenters included senior risk management at the global payment systems, Visa and Mastercard, plus excellent and topical presentations and updates from organisations including Thomson Reuters, Verifi, IWF, HSBC, iSignThis, Vendorcom, the Malta Gaming Authority and the Brunswick and Manitoba regulatory bodies in Canada.

A couple of panel sessions were held that put some of the speakers together on the stage to take questions from the moderator and importantly to take questions from the audience.

Kevin Smith at RiskConnect Conference 2017

Early on Day 1, Kevin Smith, representing RiskSkill, talked through the challenges affecting the industry and participants, including understanding and managing acceptable risk, considering effective risk management in the bigger business picture, and ensuring risk management is viewed as a better business enabler.

“Positioned by Web Shield as the networking event for risk professionals, it really did hit the mark”, said Kevin.

Kevin continues….

“This was the first Web Shield conference, building on the success of their training Academy. With an excellent line-up of presenters over the full two-day event, a really good audience of industry professionals eager to learn more, a great location next to Frankfurt airport, and meticulous organisation by Web Shield, it really was a very successful and powerful event. Web Shield have set the bar high for these types of industry event.”

Bill Trueman at RiskSkill, added

“RiskSkill has a close business relationship with Web Shield. We were very pleased to be invited to be part of this Web Shield event, and supporting the opportunity to drive greater awareness and education of new as well as existing challenges and developments impacting risk managers in the payments industry.”

“Payvision were an excellent sponsor of the event and pulled together a short video summary of the event. It has now been made publicly available and clearly demonstrates the benefits of getting risk management professionals together, excellent networking opportunities and the ability to learn and share best practices.”

Last but not least, let’s not forget the latest Web Shield book release – The Fundamentals of CNP Merchant Acceptance: Understanding High-Risk Business, 2018 edition. All attendees took away a valuable copy (or more!) of the book, an essential how-to companion for underwriters.

Further details can be located at payvision blog at http://blog.payvision.com/riskconnect-recap-risk-management-and-payments-takeaways/

For full coverage of event watch video https://www.youtube.com/watch?v=fC3_EhiOCG0

Bill Trueman and Kevin Smith are well-known and highly trusted specialists in risk review and risk management who work globally and independently, and are associated with RiskSkill and AIRFA.

In Wake of EMV Switch, US e-Commerce Fraud Soars!

As the US switched to the EMV chip card system, e-commerce fraud rates jumped by 33% last year, according to Experian. In late 2015 the US finally followed much of the rest of the world when Visa and other card schemes switched the liability for fraud-related losses to retailers that have not upgraded their hardware for EMV.

Experian notes that the increase in e-commerce fraud follows a similar trend pattern from countries that previously rolled out EMV cards – UK, France, Australia, and Canada – that also saw gradual increases in card-not-present fraud.

“We suspect that the EMV liability switch and increased adoption by merchants of chip-and-pin enabled terminals have had a profound impact on driving up e-commerce attacks,” says the firm.

Fraudsters that typically relied on committing counterfeit fraud have shifted their focus to the digital channels where they could have more success, and as more attackers enter a rapidly growing mobile and online commerce space it becomes increasingly difficult for merchants to spot them.

This means that businesses need to expect the increase in e-commerce fraud to continue over time and to be prepared to deal with it by employing a multi-layered approach that pairs transactional data elements with details about the user and their device.

Experian says that the biggest component of credit card fraud trends is the fact that 2016 was a record year for data breaches. There were 1,093 breaches, a 40% increase from 2015, according to the Identity Theft Resource Center.

Meanwhile, the Federal Trade Commission recently revealed a jump in consumers who reported that their stolen data was used for credit card fraud, from 16% in 2015 to more than 32% in 2016.

The record number of data breaches is a signal that future fraudulent activities will take place, warns Experian.

What Bill Trueman, an Eminent Risk Specialist Says About This:

1. Of course e-commerce fraud will rise. It is rising everywhere as e-commerce and m-commerce get used more.

2. Naturally, if you stop fraudsters using cards at the point of sale with EMV, they will move to CNP.

3. If you do not put in protections in your CNP channel, fraud will rise.

4. USA fails to adopt (or plan for) protections in the e-commerce channel.

5. The late adoption of EMV in the USA, has caused a lot more data compromises for longer in this market.

6. EMV adoption is starting to see fraudsters deterred from CO fraud opportunities already as they move to other softer targets.

Bill Trueman is an eminent independent payments and risk specialist helping business and bank owners manage risk & fraud and save millions. He is director of the globally well-known RiskSkill, and is an active member of AIRFA, a worldwide organization of fraud and risk advisors.