RiskConnect 2018: The Anatomy of a Good Risk Management Strategy

Webshield Riskconnect Conference 2018 at Frankfurt

Thought leaders and industry experts met at the RiskConnect conference in Frankfurt to discuss the newest challenges that risk professionals face within the payments industry and to provide hands-on knowledge they can use in their daily work. RiskConnect is organised by Web Shield, one of the leading onboarding, underwriting and monitoring solution providers.

The event started with a presentation held by Pulitzer Prize winner Carl Bernstein on fake news, the impact this has on our societies and the way truth is perceived via ‘fake news lenses’. Bernstein has preached the gospel of finding ‘the best obtainable version of truth’, stressing the fact that journalists are similar to data miners, permanently searching for info, and that their ultimate role should be connecting these data to offer the best obtainable version of truth. This ideal can be achieved if we present information in context, as simple facts presented isolated from the bigger picture do not cover the truth. A crucial role in this system is played by the validation of our data sources.

He concluded his presentation by drawing a parallel between the role of journalists and that of risk management professionals, as both use similar investigative principles to grasp the whole picture of a given situation or, for instance, a merchant profile. When you don’t know the truth, or only suppose you know it, you face a risk: the risk of missing the factors that made that truth happen, of not knowing what the right consequences will be, and of being part of a distorted world and hence facing unreal consequences/facts.

What exactly is risk?

There has been a lot of debate around this concept, as it is not a fixed one but a variable one, depending on the degree of risk a business/person is willing to accept, the impact the accepted risk has on the business/consumer, risk appetite, the way it makes a business/consumer feel when they take a particular risk, etc. Nevertheless, risk can be monitored/assessed thanks to the ISO 31000 standard on ‘Risk management – Principles and guidelines on implementation’, which states that the process of risk management consists of several concrete steps, such as establishing the context, identifying potential risks, and assessment: once risks have been identified, they must then be assessed as to their potential severity of impact.

According to Shaun Lavelle, Senior Vice President Risk, Payment Processing, Paysafe Group, and Bill Trueman, Director, RiskSkill (http://www.riskskill.com/), the concept of high-risk is meaningless if the types of risk are not specified. Moreover, the lack of a proper risk scoring analysis can be caused by not taking into consideration operational risk, currency risk, reputational risk, fraud and regulatory risks.

For instance, at the moment there are too many shady merchants under some acquirers’ custody conducting illegal activities, such as child pornography, nutraceuticals, and unfair billing practices, resulting in large fines imposed on these acquirers by the regulators/schemes. Not to mention the different perspectives regulators have on these risks and the vast terminology used within this market (which not everyone understands or agrees on). Within this context, risk managers plan hard, and put in place early-warning processes and measures, to avoid their business going bust.

Bitcoin, ICOs, crypto… a risky business?

Over the past few years, cryptocurrency has grown exponentially and it seems that a new cryptocurrency pops up every day (currently there are more than 1500 available). The appeal of making a fortune by joining the cryptocurrency market is enticing, with mining facilities multiplying and the emergence of “Initial Coin Offerings” (ICOs). Similar to IPOs, ICOs enable startup businesses to raise capital for their projects by issuing their own digital tokens.

However, fraudsters are also exploiting this new digital asset ecosystem. For instance, there are sites that teach you how to launch an ICO in just 20 minutes, and others that use deceptive advertising to trick users into thinking that they are buying ‘the next worldwide crypto’ (when actually they don’t receive anything). Also, by co-opting well-known brands, such as the card schemes Mastercard and Visa, or by using celebrity names/faces in a deceptive way, ICOs can gather over 30,000 registrants in just a few days, according to the Canadian Financial Authority investigators Annie Leblanc and Maude Blanchette.

The good news is that there are regulators and authorities throughout the world, such as the North American Securities Administrators Association (NASAA), European Securities and Markets Authority (ESMA), Financial Action Task Force (FATF), and many others that monitor these fund raising activities/transactions, investigate any illegal/illicit/deceiving involvement and prosecute where needed.

How to lower the risk?

Mastercard and Visa are preparing their clients/merchants on how to deal effectively with the evolving risk management challenges. During RiskConnect, Jonathan Trivelas, Director, Customer Compliance and Fraud, Mastercard, covered Mastercard’s Business Risk Assessment and Mitigation (BRAM) program and its latest requirements concerning high-risk merchants. These initiatives are called AN 1683—Addition of High-Risk Securities Merchants to the BRAM Program and Revised Standards—High-Risk Securities Merchant Registration and AN 1695—Addition of Cryptocurrency Merchants to the BRAM Program and Revised Standards—Cryptocurrency Merchant Registration, and apply mainly to cryptocurrency use and the trading of chosen high-risk financial instruments. This includes recent developments regarding cryptocurrency merchants, high-risk security traders (Binary, Forex, etc.), sports betting and high-risk negative option billing merchants.

These standards came into effect on October 12th, though Mastercard started discussions around them in spring 2018. Generally speaking, they apply to high-risk merchants. It is also worth mentioning that ESMA (European Securities and Markets Authority) has already taken intervention measures and temporarily prohibited the marketing, distribution or sale of binary options to retail clients. AN 1683 and AN 1695 also aim to provide legal opinions on the possibility of carrying out cryptocurrency business in a particular country.

In a world where anyone can be a merchant, everyone can be a customer, and regulators continue to extend their enforcement, another option to lower this risk is to leverage global data points to automate and revolutionise online verifications and fraud prevention.

There are companies such as 4Stop or IdentityMind that, through the power of data, can achieve automated risk mitigation, even for … cryptocurrency transactions, as technology has the capability to deanonymize an address on the Bitcoin network, thus attaching it to the real-world identity of the person controlling it. Once this happens, all transactions made from and to this address become visible and traceable, from the beginning of the blockchain to the very last block.

Education in risk management is crucial

We have the tools and technology, we have the regulations and best-practice examples, but how can risk professionals establish a knowledge base in an industry that lacks an established professional educational path and is evolving as quickly as it is? Clearly, by setting industry standards for professionalism and proficiency for the acquiring industry. There are a few associations, companies and groups, like Electronic Transaction Association, Web Shield and Merchant Acquirer’s Committee, that through programs, trainings, book releases, events, and more are trying to offer new market players the tools to understand the risks associated with financial services.

We cannot but agree with Jason Oxman, CEO, Electronic Transactions Association who says “Through the ETA Certified Payments Professional program, as well as ETA’s new Self-Regulation Program, we are raising the level of education and professionalism in the payments industry, and events like RiskConnect help us increase awareness of the importance of global partnerships.”

We want to take this opportunity to thank the Web Shield team for inviting us to the RiskConnect event, and conclude with a remark from Christian Chmiel, CEO & Founder of Web Shield: “In the fight against fraud, education and collaboration are at least as important as technology”.

Original Source: https://www.thepaypers.com/expert-opinion/riskconnect-2018-the-anatomy-of-a-good-risk-management-strategy/776286


Riskskill Attends 2nd RiskConnect conference – 2018 at Frankfurt


Riskskill is once again proud to be supporting Web Shield at their second RiskConnect conference – 2018, in Frankfurt.

The networking conference for risk and compliance professionals took place at the Hilton Hotel next to the airport at Frankfurt-am-Main on 29th and 30th November 2018.

RiskConnect, a networking conference, was hosted by Web Shield, who provide on-boarding, underwriting and monitoring solutions to many in the payments industry.

The two-day conference was attended by thought leaders and payment industry experts to debate the existing and newest challenges faced by the payments industry. Relevant industry developments and challenges are discussed, with opportunities to network with event participants. RiskConnect is the independent event where risk and compliance experts can share their knowledge and broaden their horizons on the topics at hand, so that they can remain ahead of others.

Riskskill is pleased to be supporting Web Shield at this event again. I am talking about the credit risk challenges in the merchant acquiring sector along with Shaun Lavelle, SVP Risk Management at Paysafe Group; we like to support the team from Web Shield as they are doing much to ‘shake-up’ the approach to enhanced risk management, and to improve risk awareness and knowledge in the industry.

Riskskill is also honoured to be presenting alongside a wide range of influential organisations, including senior risk management representatives from both Mastercard and Visa, but also rather pleased to be sharing the stage with Pulitzer Prize winner (and almost a legend in his lifetime) Carl Bernstein: http://www.carlbernstein.com

Other speakers include: Brian Kinch from Visa, Jonathan Trivelas from Mastercard, DJ Murphy from Card Not Present, Jason Oxman from the Electronic Transactions Association (ETA), along with speakers from 4Stop, Schiltz & Schiltz, Coinbase, Canadian regulator AMF and the FBI, Deloittes and the Dating Factory.

Riskskill, a boutique payments and risk management consulting company, encourages interested risk and compliance professionals to attend these events as they are a great opportunity to stay in the forefront of industry developments.

Further information on this event is available at http://www.riskconnect.eu

Web Shield RiskConnect Conference 2017: Kevin Smith Also Takes Part

Kevin Smith of RiskSkill presented on Day 1 of the inaugural Web Shield RiskConnect event, held on 23-24 November 2017 in Frankfurt am Main, Germany, which focused on risk management and payments takeaways. He emphasized the power of networking and information sharing for payments industry risk professionals.

RiskConnect Conference - Risk management and payments takeaways

FRANKFURT, Germany – A well-organised and informative conference held in the Hilton Hotel at Frankfurt Airport in November 2017. It was positioned as the networking event for risk professionals. It really was a superb networking and informative event, an opportunity to meet senior global payment scheme representatives, regulators, acquirers, processors, vendors, industry risk and payment specialists and consultants, and not forgetting our knowledgeable hosts from Web Shield.

Why is this relevant now?

Well, Web Shield in conjunction with Payvision & Acapture have now just released their blog and a YouTube video, summarising the highlights of the event and some thoughts from those who presented and participated in the event, including yours truly.

Web Shield really have challenged the status quo in risk management in payments, through their products and services, technical expertise and knowledge, the training academy and now their networking event and conference.

Supporters and sponsors helped make RiskConnect possible and a success, including Payment Consultants, Payvision, iSignThis, Foregenix and Fibonatix.

Payvision also played an important role in contributing to the event’s success, through their media sponsorship and by capturing the two-day proceedings in a short video. The seven-minute video, summarising the event and engaging with most of the presenters, was released on Tuesday, 27th February 2018, along with the Payvision blog.

RiskConnect 2017 was held over two days in November 2017; it brought together a wonderful array of payments and risk management experts. All noted that they may be seen as professionals and experts, but all were willing to meet a new industry colleague, learn something new, and listen to and share industry best practices.

Presenters included senior risk management at the global payment systems, Visa and Mastercard, plus excellent and topical presentations and updates from organisations including Thomson Reuters, Verifi, IWF, HSBC, iSignThis, Vendorcom, the Malta Gaming Authority and the Brunswick and Manitoba regulatory bodies in Canada.

A couple of panel sessions were held that put some of the speakers together on the stage to take questions from the moderator and importantly to take questions from the audience.

Kevin Smith at RiskConnect Conference 2017

Early on Day 1, Kevin Smith, representing RiskSkill, talked through the challenges affecting the industry and participants, including understanding and managing acceptable risk, considering effective risk management in the bigger business picture, and ensuring risk management is viewed as a better business enabler.

“Positioned by Web Shield as the networking event for risk professionals, it really did hit the mark”, said Kevin.

Kevin continues….

“This was the first Web Shield conference, building on the success of their training Academy. With an excellent line-up of presenters over the full two-day event, a really good audience of industry professionals eager to learn more, a great location next to Frankfurt airport, and meticulous organisation by Web Shield, it really was a very successful and powerful event. Web Shield have set the bar high for these types of industry event”

Bill Trueman at RiskSkill, added

“RiskSkill has a close business relationship with Web Shield. We were very pleased to be invited to be part of this Web Shield event, and supporting the opportunity to drive greater awareness and education of new as well as existing challenges and developments impacting risk managers in the payments industry.”

“Payvision were an excellent sponsor of the event and pulled together a short video summary of the event. It has now been made publicly available and clearly demonstrates the benefits of getting risk management professionals together, excellent networking opportunities and the ability to learn and share best practices.”

Last but not least, let’s not forget the latest Web Shield book release – The Fundamentals of CNP Merchant Acceptance: Understanding High-Risk Business, 2018 edition. All attendees took away a valuable copy (or more!) of the book, an essential how-to companion for underwriters.

Further details can be found on the Payvision blog at http://blog.payvision.com/riskconnect-recap-risk-management-and-payments-takeaways/

For full coverage of the event, watch the video: https://www.youtube.com/watch?v=fC3_EhiOCG0

Bill Trueman and Kevin Smith are well-known and highly trusted specialists in risk review and risk management who work globally and independently, and are associated with RiskSkill, UKFraud, and AIRFA.

Risk Review FAQ – A Guide to Risk Review


A Comprehensive Guide to Commercial Risk Review, Risk Management, Fraud Prevention, Business Loss Prevention, Bank Fraud Prevention, Due Diligence, Compliance, Audit, and Much More…

Recently Bill Trueman (an independent fraud and risk specialist), director of RiskSkill, wrote a comprehensive article on Risk Review, Due Diligence, Compliance, Fraud Prevention, Risk Management, Fraud Detection, Mobile Payment Risks, Card Risks, and a lot more. After reading this article you will get answers to all of the following questions.

What should I do to prevent Losses in my Business/ Bank/ Organisation/ etc?
What can I do to Stop/Detect/Prevent any kind of risk in my Organisation?
How Can a Risk Specialist Help to Stop Losses in a Company/ Bank/ Organisation?
How to Review the risk within an organisation before making an acquisition?
What is Due Diligence?
What is Compliance?
What is Operational Risk Review?
What is Credit Risk Review?
What is Financial Risk Review?
What is Enterprise Risk Management?
Can Fraud/Risk be Prevented?
Can Card Fraud be Prevented?
What is a Risk Review?
Can Mobile Payment Fraud be Prevented?
How can Frauds be Prevented in Insurance Companies?
How can Frauds be Prevented in Telecom Companies?
Is Hiring a Fraud & Risk Professional a Costly Affair?
Where can I Find a Good Reliable Risk & Fraud Specialist?
Does RiskSkill Provide its Services Globally?
When Should I take Solutions provided by Riskskill or other Consultants?
What is VISA/MasterCard Compliance?
Our organisation has been instructed to perform an independent risk review by one or more of the international card schemes, what should we do?
Is hiring a Risk / Fraud professional expensive?
What are the Benefits of Hiring a Risk Specialist?
What does a Risk Specialist do?
How to Hire a Risk Specialist?
Where to Hire a Risk Specialist from?

I hope you got lots of good & useful information about risk review and fraud prevention. If you like this article, please also share it with others.


Latest Technology Trends in Payments, Risk and Fraud


1. Big-Data – Big-data has become a buzz-word to capture many things, but in finding risks and fraud, the more data that we look at, the better chance we have of finding unusual features and problems that should not be there. The manipulation of data and looking for such anomalies and patterns is getting ever faster and better – and there are generally lots of clues on ways to make better decisions – e.g. merchants looking at their own trading / selling for unusual sales.

2. Sharing Data within the confines of Data Protection laws (in the UK, DPA s29) – This might sound complex, but it is not. Data Protection laws vary slightly from market to market across Europe, but the principles are the same, as they are governed by EU Data Protection law. Organisations cannot share much data between them because of Data Protection laws that protect us as consumers – and quite rightly so. But they can and do share details of fraudsters and confirmed fraud without the same constraints, although there are VERY strict rules on how this can be done and what can be shared, in order to protect you and me from abuse of this. More and more people understand what the rules are and what can be done, which will help stop more cheats. But equally there are many projects that have been going on for a long time that will never work because of the understanding of the restrictions on what can, and what cannot, be done.

3. Making greater use of public data / bureau data. More and more, the value and usage of data bureaux data is being expanded, by the development of new products in the market and the need for organisations to use publicly available data to better effect. With much better and stronger payments data, voters’ roll and default data (like County Court Judgments etc.), but also more shared databases available and more people using and sharing such information, there are many more things that can then be done with the data. Remember that every time we get an insurance quote, ask for a loan, or request a credit card or a new phone or gas contract, we are leaving ‘footprints’ at the Data Bureaux, all of which makes our habits much more accessible.

4. Greater use of Identity and Authentication Data – almost an extension of the data from the Data Bureaux, but with many more people doing things in the market to ‘know the customer’ better electronically and using data. We have almost gone full circle on this, as we evolved from a) knowing who we were dealing with, b) letters of introduction and c) “My word is my bond” (uberrimae fidei), through to formal identification through d) the submission of passports and utility bills etc., and now to more and more e) electronic pattern analysis identification and crypto-based authentication services. The electronic identification methods are becoming more refined and using more sources and more data to check that we are kind-of who we say we are, which in a way is a more complex way of knowing the person that we are dealing with (a) and letters of introduction (b). With government initiatives on identity management setting the ‘gold-standard’ of people identifying themselves through approved data identity bureaux, this can only change things for the better in the next 2-3 years.

5. Device identification / fingerprinting. Whenever we are ‘connected’ to the internet, the connectee can see how we are connected – and knows, with some degree of accuracy, what type of device it is that we are connected to and where it is. They have to know to deliver content to us. There are also companies evolving services that are going to become a lot more important who look at the devices that we are using in much more depth to make sure that when we connect to them, they recognise us. This is why, recently, when I tried to pay quite a large bill with my new iPhone, I was asked by the merchant to wait until I was using my normal computer. It realised that I might not be me, because they did not recognise my device. This technology area has a long way to go.

6. Movement away from ‘profiling types of people’ towards ‘knowing individuals’ – this is again a step towards a time in history when one knew exactly who one was dealing with. Insurance companies and loan providers historically have looked at the ‘groups that we fall into’ to predict the type of repayments or claims history that we might exhibit from the post-code / area that we live in, our age, the type of car/house that we have, how long we have been doing something etc. This of course assumes that we all act the same as our neighbours, or as people who drive the same type of car, live in the same type of house or geography, or have the same job or family size, which of course is not usually the case in today’s faster-moving world. Whether for targeted marketing purposes or more targeted risk assessment and understanding, technology is helping us to be assessed as individuals, and increasingly our behaviours are being used to determine what we can purchase and the price that we pay. For instance, insurance companies can price using telematics – devices attached to our car to assess our driving ‘style’ and thereby determine the potential risks involved to the insurance company.

7. Better use of the technology that we already have. The typical example of this today for me is the way that Apple has seen a commercial opportunity to enter the payments sector with ApplePay in the USA. The USA has not yet adopted EMV (CHIPs on payment cards) like the entire rest of the globe, is losing more to fraud than everywhere else, and has an outdated infrastructure that is causing problems for the financial services industry worldwide. The EMV backbone in the UK and across Europe is 15 years old, but the USA infrastructure dates back nearly 50 years. In one announcement, Apple did nothing new, but pulled together EMV; tokenisation (linking payment details at the point of purchase to the real payment credentials stored securely elsewhere, using a standard that exists today but is not widely used); NFC (again a common ‘tap & go’ technology used by millions on the London underground and increasingly across the UK, and mandated by MasterCard for all payment terminals by 2020 across Europe); fingerprint identification/authorisation on the phone; and, less talked about, geolocation technology to determine that the phone is physically where it is supposed to be when making a transaction. They packaged this with some clever commercial arrangements to get issuer, acquirer, card scheme and merchant buy-in. This ‘sets a standard’ by using existing technology and ‘pulling it all together’ without inventing anything new. Despite the efforts of others, we should see a lot more of this kind of use of current technology in the year to come.

8. CHIP and PIN – again in the same arena, the use of EMV Chip and enhanced cardholder verification, e.g. PIN, will evolve quickly in the USA to catch up with the rest of the globe. The losses and the stakes are too high for this not to happen. Despite continuing resistance in parts of the US market, with a desire by some people to stick with signature to verify transactions, or no cardholder verification at all, it must change. Signatures, however captured, take longer, are less secure, cannot be electronically checked, put the onus onto sales staff at every store and generally cause more disputes, chargebacks and fraud. It is also a market where acceptance of payment cards is still seen as expensive and as having complex rules – a major reason why Apple and others are invading this ‘space’. The USA strategy must be to move decisively towards CHIP and PIN, and the recent presidential order for the US government to lead the way in this direction must help with this. There is no denying that migrating to CHIP and PIN usage and acceptance on debit cards is an easier challenge due to the familiarity with PIN usage already, but the real issue will be PIN on credit and charge cards amongst others. There was a co-ordinated national (not just industry) engagement in the UK to drive CHIP and PIN success. It is hard to see the national or industry cohesion across the US market today on these issues. The final ‘doubters’ must however be persuaded to put aside their own commercial interests in favour of the wider community interests; the answer is not signature.

9. Large-Scale thefts of data – not a month, and in many cases not a week, goes by without us learning that clever IT hacks have caused another major retailer to lose the card details (and much more) of millions of cardholders and customers. Home Depot lost 56 million earlier this year, but similar lost data sizes have been seen at TKMaxx, Target, JP Morgan and more recently at Kmart and Staples. The attacks exploit technical and procedural weaknesses in the management of systems holding sensitive data, as well as in the POS terminals and systems. The data would not be so valuable or costly to deal with if there was an EMV payments infrastructure (see above). Misuse of card data would be more easily identifiable in an EMV-compliant set-up, but this type of attack will continue to happen until the data security technology is in place to stop it from happening or to make the data not worth stealing.

10. Data ‘in flight’ or data ‘at rest’ – whether sensitive data is being stored, temporarily or for longer, or transmitted between various endpoints, it is always at risk of being ‘snooped-upon’, captured, deleted, redirected, or amended – generally for financial gain or nuisance. Further to point 9 above, the data security issues that we hear more and more about can be prevented or significantly reduced through proper controls and monitoring, whether PCI DSS, ISO, POS terminal estate management, Point-to-Point Encryption (P2PE), or just by using a little common sense. ‘Cyber security’ is another new ‘buzzword’ but an old problem. It challenges our current thinking on making things secure, regular monitoring, mitigation, proper management, plus real ownership and accountability – from the CxO level down. ‘Cyber criminals’ seeking financial gain test systems either to prove a point, or just for their own entertainment because they can. It is no longer called hacking or theft of data and money, but now it is called cyber crime.

11. Increasing IT skills of the global fraudster – Probably the weakest bullet point here to be described as a ‘trend’, because this is not new; it has been happening for 2,000 years, with the crook always using his slightly better knowledge or technology than the good guys. Dick Turpin used an alibi that he was somewhere else because the horses and roads available at the time were not developed enough to place him at the scene of the crime at that time. On this occasion law enforcement matched his guile; but this rarely happens this quickly today, as the crooks develop the attacks with new methods and technology quicker than we can implement the counter-measures. The only thing that we can do is ‘stay awake’, look out for the issues, ensure the controls and procedures are ‘fit for purpose’, and stay ahead of the market. We should worry that many attacks start with inside information, knowledge and access. Staying awake means constantly looking internally as well as externally. But note too that sometimes, if you are being chased by a hungry bear, you do not have to outrun him, you just have to out-run the rest of the crowd!

12. The answer is mobile – what’s the question? – Industry pundits challenge the traditional card payment brands as ‘dinosaurs’, particularly now that we all transact, bank and shop more online than face-to-face. The mobile, PDA, tablet, watch or similar devices are now seen as the place to transact with customers. Traditional card payments are being tested; alternative payment methods and new authentication solutions that are more flexible and more adaptable to the virtual space are entering the marketplace every DAY and with a real vengeance. But how security-enabled are the devices, the new ‘apps’ and gateways? Leaving aside concerns about interoperability, commercial success, etc., the biggest challenges rest with sensitive data being stored or accessed by personal devices with uncontrolled hardware/software security standards, questionable accreditation, payment/security apps with potential weaknesses and users who believe that if there is a problem, someone else will deal with it.


Source: Top Technology Trends in Payments, Risk and Fraud 2014