Riskskill Has Partnered with Primed for a Joint Venture!

We are delighted to announce that Riskskill and Primed have partnered in a joint venture that brings together decades of card payment risk and compliance best practice. Primed extends the reach of good governance for payment companies in fluid times: real-time penalties, ever-evolving rules that are hard to understand and apply, and an ever-increasing administrative burden to manage.

Primed and Riskskill have combined their expertise and are digitising good practice, providing rules mapping, policy and compliance oversight, horizon scanning and remediation tracking.

This is the first of five brand new propositions, arriving in December 2020, that reduce business risk, remove administrative cost and improve insight and oversight.

Riskskill is a leading Europe-based payments and risk management consultancy. Riskskill.com is a global GARS Reviewer for Visa. For more information visit the website at http://www.riskskill.com/

For further information, please contact: Bill Trueman or Kevin Smith at enquiries@riskskill.com

PRIMED is a software service provider which helps reduce the administrative burden of information gathering and gap analysis. For more information about Primed visit https://www.primedfor.com/

AML: Have We Forgotten What We’re Trying To Achieve?

Around $2 trillion or 2-5% of global GDP is laundered annually, according to UNODC estimates in a 2017 study. At the same time, only around 1% of criminal proceeds are confiscated in Europe each year.

Financial institutions are in the line of sight for both money launderers and regulators. But are their AML efforts too literal, too narrow and too patchy? Or are firms just overwhelmed by the amount of regulation and competing demands on their time to be truly AML-effective? The panel moderators of RiskConnect Virtual 2020 – Kevin Smith and Bill Trueman from Riskskill take a back-to-basics look at fighting financial crime and remind us what we are trying to achieve with AML.

This article is part of the RiskConnect 2020 Magazine.

Implementing AML controls frequently comes up against the Goldilocks problem: what is neither too much nor too little, but just the right amount?

To some extent, the financial services industry has gone too far in implementing AML controls. It places a huge onus on repeating on-boarding checks, particularly around re-identifying customers, for example. But at the same time, it does not go far enough with ongoing monitoring and management of existing customer relationships.

“People understand that you need to do customer due diligence on new customers. But as the relationship develops, you should always be monitoring, looking for fraud and suspicious activity. It’s part of a broader understanding of the business and people, not just a one-off activity,” says Kevin Smith.

Conducting know-your-customer and know-your-business (KYC/KYB) checks and verifying data on potential customers is critical, as well as being a legal requirement. But if an organisation does not really understand the purpose and intended nature of a customer relationship, it may not have a full picture of the risk associated with that customer, or a meaningful basis for deciding what is normal in the context of its business, so that unusual or out-of-pattern behaviour stands out more clearly.

This is all part of a risk-based approach. Instead of taking a blunt-instrument or one-size-fits-all approach to identifying suspicious transactions or behaviour, if you know what genuine customer behaviour looks like, anomalous behaviour will stand out more clearly. There is little to be gained, and much to be lost, by inconveniencing genuine customers, blocking or declining particular transactions and creating more false positives. With a risk-based approach, only higher-risk transactions are pulled out for extra scrutiny; the overwhelming majority of business is not high risk and can proceed without it.
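As an added illustration of the risk-based approach described above (example code written for this page, not Riskskill's own tooling or any product's implementation), the script below builds a per-customer baseline from constructed transaction history and scores each new transaction on a few signals: an amount far outside the customer's usual range, a country or device not seen before, and a burst of transactions within the last hour. Only transactions that accumulate enough weight are held for review; most pass untouched. The signal weights, the thresholds, the device identifier field and all sample transactions are assumptions made for the example.

```python
"""Risk-based transaction monitoring against a per-customer baseline.
Added example for this page; all data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    customer: str
    when: datetime
    amount: float
    country: str
    device: str  # opaque device fingerprint id; assumed to be supplied by the client


def build_baseline(history):
    """Summarise what 'normal' looks like for one customer from past transactions."""
    amounts = [t.amount for t in history]
    return {
        "mean": mean(amounts),
        "std": pstdev(amounts) or 1.0,  # a flat history must not divide by zero
        "countries": {t.country for t in history},
        "devices": {t.device for t in history},
    }


def score(txn, baseline, history, window=timedelta(hours=1)):
    """Return (total_weight, reason_names). Weights are illustrative assumptions."""
    signals = []
    z = (txn.amount - baseline["mean"]) / baseline["std"]
    if z > 3:                                   # amount far above the customer's norm
        signals.append(("amount_outlier", 3))
    if txn.country not in baseline["countries"]:
        signals.append(("new_country", 2))
    if txn.device not in baseline["devices"]:
        signals.append(("unrecognised_device", 2))
    recent = [t for t in history if txn.when - window <= t.when < txn.when]
    if len(recent) >= 3:                        # burst of activity in the last hour
        signals.append(("velocity", 2))
    return sum(w for _, w in signals), [name for name, _ in signals]


def decide(total):
    """Tiered response so that the bulk of genuine traffic is never touched."""
    if total >= 5:
        return "HOLD_FOR_REVIEW"
    if total >= 2:
        return "ALLOW_AND_LOG"
    return "ALLOW"


def assess(txn, history):
    """Full pipeline: baseline -> score -> decision, plus the reasons for audit."""
    total, reasons = score(txn, build_baseline(history), history)
    return decide(total), reasons


# Constructed history: a UK customer paying 20-40 from the same laptop once a day.
T0 = datetime(2020, 11, 1, 9, 0)
HISTORY = [Txn("c1", T0 + timedelta(days=i), 20.0 + (i % 5) * 5, "GB", "dev-laptop")
           for i in range(20)]
T1 = T0 + timedelta(days=21)

NORMAL = Txn("c1", T1, 28.0, "GB", "dev-laptop")
NEW_DEVICE = Txn("c1", T1, 30.0, "GB", "dev-phone")
HIGH_RISK = Txn("c1", T1, 950.0, "NG", "dev-phone")
# Three quick payments in the half hour before the burst transaction.
BURST_HISTORY = HISTORY + [Txn("c1", T1 + timedelta(minutes=m), 30.0, "GB", "dev-laptop")
                           for m in (0, 10, 20)]
BURST_TXN = Txn("c1", T1 + timedelta(minutes=30), 30.0, "GB", "dev-laptop")

if __name__ == "__main__":
    for label, txn, hist in [("normal", NORMAL, HISTORY), ("new device", NEW_DEVICE, HISTORY),
                             ("high risk", HIGH_RISK, HISTORY), ("burst", BURST_TXN, BURST_HISTORY)]:
        print(f"{label:10s} -> {assess(txn, hist)}")
```

The point of the tiers is the one the article makes: a single unfamiliar signal (a new phone) is logged rather than declined, while a large payment from a new country on a new device trips several signals at once and is held. The reasons list is returned alongside the decision so an analyst can see why a customer was touched.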

Building Capacity

We must focus on not just doing AML for AML's sake, says Kevin. Part of this is a capacity issue. Risk management and compliance staff, but also their colleagues in business development and account management roles, need to be sufficiently empowered to ask difficult questions. They need to look in detail at customer relationships and, of course, know what they are looking for.

“During client engagements, it often becomes quite apparent that underwriting and compliance teams don’t know the questions they should be asking potential and existing customers. There is always a drive to get clients on-boarded, and people can often forget the mechanics of why it was important to understand the true merchant business and to be cognizant of concerns in the data presented and noteworthy changes,” says Smith.

Continue reading at original source https://www.webshield.com/post/anti-money-laundering-have-we-forgotten-what-we-are-trying-to-achieve?

The FCA “Dear CEO” Letter

Did you receive and action the “Dear CEO” letter from the FCA, dated 9th July 2020? We hope so.

The communication, targeted at all organisations and especially at new and smaller businesses, was entitled:

‘Portfolio strategy letter for payment services firms and e-money issuers – We expect you to act to prevent harm to your customers.’

It explained that the FCA expected every UK regulated business to take appropriate action and be ready to explain what they did when the FCA makes contact with individual organisations.

Directors and boards must be able to demonstrate compliance with FCA requirements and what actions the board has taken to ensure its customers are adequately protected in the areas highlighted. Failing to meet FCA requirements or breaching a Principle could lead to FCA disciplinary sanctions.

We should all be concerned about the FCA letter, not least because the FCA highlights its concerns and the main areas in which it sees failings. It is clear from the letter that there are real issues with customers not being sufficiently protected. These concerns have grown with increasing business failures, compounded by Covid-19, but also as the ‘new breed’ of authorised firms ‘let into the fold’ to boost innovation and competition have started to fail, because their business practices and resilience may be as wanting as their compliance and customer protection.

We urge everyone to refresh themselves on the contents of the FCA letter and to check in particular that the requirements on protecting customer funds (safeguarding arrangements), governance and oversight, and records management and reporting are all in place. And evidenced.

But as the FCA explains, financial promotions and customer communication, combatting financial crime and even prudential risk management all fall squarely within the remit of the issues the FCA expects us to be able to answer for, and on which the FCA may start to take action if insufficient progress is made.

We talk to people widely across the payments sector and are astounded by the inability of newly licensed businesses to understand and adhere to regulatory requirements. The requirements apply to everyone, and we need to know what we are doing. If we hold any sort of licence, we cannot defend ourselves to the FCA with claims of being unaware of them.

And the bigger we get, especially once we have a market presence, and even more so while we are in a ‘cash-burn’ or funded stage of development, the more closely we need to operate to the FCA requirements. Safeguarding, governance and financial crime strategies have become more critical. The FCA is actively monitoring non-compliance cases, whether reported to it anonymously or through formal or informal reporting from other oversight bodies; both are becoming more common, especially from people within organisations who fear personal prosecution when companies do not follow ‘the rules’.

And it is clear that the FCA is now on the hunt, as we have discovered are other regulators we have talked to. We know well that other National Competent Authorities around the EU are also now starting to take strong action, especially those criticised in recent years for laxness in their own oversight responsibilities.

We have reached a juncture where major financial institutions which incorrectly believe that ‘the requirements do not apply to them’, or which flout the regulatory requirements (e.g. Wirecard), can quickly end up failing, with company officials either arrested or ‘on the run’. BaFin in Germany has been bitten and other EU regulators do not want that to happen to them.

When we perform ‘health checks’ on financial services firms, we see more and more severe regulatory issues. These require significant action to get firms back ‘on track’; or, worse, the action taken proves too little and too late and starts them down the route of regulator penalties, sanctions, operating restrictions or licence removal. Or worse still, in cases of criminal negligence or intent.

You have been helped a lot with the ‘tip-off’ from the FCA. The FCA will ‘not take prisoners’. Or maybe they will!

About Kevin Smith

With over 25 years in the payments business, Kevin is a trusted and experienced practitioner and thought leader in payments, technology, issuance, acceptance and acquiring.

About Bill Trueman

Bill Trueman is a professional banker and a payments and risk specialist, with over 25 years of experience. He headed up risk functions and special investigations in Lloyds Bank issuing and acquiring, acquiring and processing at First Data, and then insurance risks at RBS / Direct Line.


Tips to Help Avoid Payment Fraud & Identity Theft!

Mobile Payment Fraud Prevention

‘Skimmers’ and ‘cybercriminals’ are among the terms used for the fraudsters responsible for payment fraud. Such criminals strip victims of funds, property and crucial personal information. Generally, three scenarios result in payment fraud: first, lost or stolen goods; second, unauthorised transactions on the Internet; and lastly, false requests for refunds or similar. The main reason these are so prevalent in online fraud is the immense boom in the e-commerce sector, which relies largely on online payments for buying and selling goods.

Fraudsters follow various modus operandi for acquiring sensitive information and making online fraud possible. The popular routes are email, instant messaging, online auctions, phone calls, rerouting internet traffic to bogus websites and, lastly, sending texts containing malware to smartphones. Since everything is online nowadays, there is an increasing number of unpatched gaps and glitches in online systems, and these are the weaknesses cybercriminals target. Even a firewall, if it is not kept up to date, can be exploited by fraudsters to steal users’ sensitive data and make payment fraud possible.

There are some ways in which you and the e-commerce industry can help keep payment fraud at bay. The first is to ensure regular automatic updates of your anti-virus, anti-malware and firewall software. These programs act as a shield against hackers and block their attempts to gain access to a secure network, so keeping them up to date is necessary. A few other ways to safeguard your online presence and shopping experience are listed below:

1. Stay up to date with the latest fraud trends. You can subscribe to a newsletter from a reputable organisation delivering such a service.
2. Always pay online via an authorised and well-known payment gateway.
3. Change your login credentials and tokens on a regular basis.
4. For each transaction, the customer should log in to complete the payment.
5. Keep checking your system with anti-virus and anti-malware software.
6. Try using an encryption program for emails and / or transactions where important information must be shared.

Types of Payment Frauds

Phishing scams: These are the most common form of payment fraud. They arrive as emails or URLs asking you to enter private or personal data, such as bank account and credit card login credentials. You can stay away from phishing swindles by trusting only the known, genuine websites of merchants. If you receive an email from an unknown account or person, mark it as spam.

Page jacking: Here, hackers take control of some part of an e-commerce website and use it to reroute the site’s traffic to a different website, which may host malicious code used to gain access to a network. It is the responsibility of e-commerce business owners to be aware of such activity.

Identity theft: This type of fraud is not limited to the Internet; it is possible offline as well. Once a user’s personal information is stolen by a fraudster and used under false pretences, that is identity theft. One way of reducing the risk is NOT to log into accounts over public Wi-Fi.

The authors of this post are Bill Trueman and Kevin Smith, leading payment, risk and fraud experts who provide payment fraud prevention consultancy services to card issuers and banks worldwide. For more information visit their websites at RiskSkill and AIRFA.


Will The PSR (Payment Systems Regulator) Changes Work?


The Payment Systems Regulator (PSR) may make major changes to UK infrastructure and law to ‘open up’ the payments industry and access to it, in order to encourage innovation. It has the powers to do many things, but caution is most certainly needed.

a) Only yesterday, I received an email telling me that they are not well staffed and resourced; and from my discussions and the stakeholder meetings so far, it appears that they have very little payments industry experience in the team. The objectives of the PSR need to be clear and not driven by a few disgruntled small banks wanting free access to many established infrastructures that are maintained and paid for by all of us.

b) There seems to be a template for this type of ‘economic’ regulator. The same approach has opened up the telecoms networks to new operators, and the pipe infrastructure in the water business (and gas and electricity), and the PSR CEO comes straight from one of these. But payments are not the same, and without payments industry knowledge there is a danger that the PSR will regulate in the same way. Some creativity is required from the PSR to ensure it does not simply act ‘the same way’.

c) The biggest danger is that, because payment systems are global and becoming more so, and the UK is a leading global payments hub, action by the PSR will make the UK market something different: uncompetitive and isolated. Care must be taken NOT to do this.

d) The main restrictions on the payments ‘gateways’ are not anti-competitive or restrictive as they were with water, electricity, gas and telecoms. The payments infrastructure is open to anyone who wants to ‘play’. The bigger restrictions are, quite rightly, about the governance and controls over money laundering, which require very tough controls to be imposed, managed and governed. Again, the PSR needs to step carefully.

By Bill Trueman, Managing Director of Riskskill (http://www.riskskill.com/) and member of AIRFA.

Originally Published at http://www.prlog.org/12411859-will-the-psrpayment-services-regulator-changes-work.html


Top Technology Trends in Payments, Risk and Fraud in 2014


1. Big data. ‘Big data’ has become a buzzword covering many things, but in finding risk and fraud, the more data we look at, the better chance we have of finding unusual features and problems that should not be there. The manipulation of data and the search for such anomalies and patterns is getting ever faster and better, and there are generally lots of clues that lead to better decisions, e.g. merchants looking at their own trading / selling for unusual sales.

2. Sharing data within the confines of data protection law (in the UK, DPA s29). This might sound complex, but it is not. Data protection laws vary slightly from market to market across Europe, but the principles are the same because they are governed by EU data protection law. Organisations cannot share much data between them because of the data protection laws that protect us as consumers, and quite rightly so. But they can and do share details of fraudsters and confirmed fraud without the same constraints, although there are VERY strict rules on how this can be done and what can be shared, in order to protect you and me from abuse. More and more people understand what the rules are and what can be done, which will help stop more cheats. Equally, there are many long-running projects that will never work because of the restrictions on what can, and what cannot, be done.

3. Making greater use of public data / bureau data. More and more, the value and usage of data bureau data is being expanded, through the development of new products in the market and the need for organisations to use publicly available data to better effect. With much better and stronger payments data, voters’ roll and default data (such as County Court Judgments), but also more shared databases available and more people using and sharing such information, there are many more things that can be done with the data. Remember that every time we get an insurance quote, ask for a loan, or request a credit card or a new phone or gas contract, we leave ‘footprints’ at the data bureaux, all of which makes our habits much more accessible.

4. Greater use of identity and authentication data. This is almost an extension of the data from the data bureaux, but with many more people doing things in the market to ‘know the customer’ better electronically and using data. We have almost gone full circle on this: we evolved from a) knowing who we were dealing with, b) letters of introduction and c) “my word is my bond” (uberrimae fidei), through formal identification via d) the submission of passports and utility bills etc., and now to more and more e) electronic pattern-analysis identification and crypto-based authentication services. Electronic identification methods are becoming more refined, using more sources and more data to check that we are, more or less, who we say we are, which in a way is a more complex version of knowing the person we are dealing with (a) and letters of introduction (b). With government initiatives on identity management setting the ‘gold standard’ for people identifying themselves through approved identity data bureaux, this can only change things for the better in the next 2-3 years.

5. Device identification / fingerprinting. Whenever we are ‘connected’ to the internet, the party we connect to can see how we are connected, and knows with some degree of accuracy what type of device we are using and where it is; it has to, in order to deliver content to us. There are also companies evolving services, which are going to become a lot more important, that look at the devices we use in much more depth to make sure that when we connect to them, they recognise us. This is why, recently, when I tried to pay quite a large bill with my new iPhone, the merchant asked me to wait until I was using my normal computer. It realised that I might not be me, because it did not recognise my device. This technology area has a long way to go.

6. A movement away from ‘profiling types of people’ towards ‘knowing individuals’. This is again a step towards a time in history when one knew exactly who one was dealing with. Insurance companies and loan providers have historically looked at the ‘groups we fall into’ to predict the repayment or claims history we might exhibit, from the postcode or area we live in, our age, the type of car or house we have, how long we have been doing something, etc. This of course assumes that we all act the same as our neighbours, as people who drive the same type of car or live in the same type of house or geography, or who have the same job or family size; which of course is not usually the case in today’s faster-moving world. Whether for targeted marketing or more targeted risk assessment and understanding, technology is helping us to be assessed as individuals, and increasingly our behaviours are used to determine what we can purchase and the price we pay. For instance, insurance companies can price using telematics: devices attached to our car that assess our driving ‘style’ and thereby the potential risk to the insurer.

7. Better use of the technology we already have. The typical example for me today is the way Apple has seen a commercial opportunity to enter the payments sector with ApplePay in the USA. The USA has not yet adopted EMV (chips on payment cards) like the rest of the globe, is losing more to fraud than anywhere else, and has an outdated infrastructure that is causing problems for the financial services industry worldwide. The EMV backbone in the UK and across Europe is 15 years old, but the USA infrastructure dates back nearly 50 years. In one announcement, Apple did nothing new, but pulled together EMV; tokenisation (linking the payment details presented at the point of purchase to the real payment credentials stored securely elsewhere, using a standard that exists today but is not widely used); NFC (a common ‘tap & go’ technology used by millions on the London Underground and increasingly across the UK, and mandated by MasterCard for all payment terminals across Europe by 2020); fingerprint identification / authorisation on the phone; and, less talked about, geolocation technology to determine that the phone is physically where it is supposed to be when making a transaction. They packaged this with some clever commercial arrangements to get issuer, acquirer, card scheme and merchant buy-in.
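To make the tokenisation step in point 7 concrete, here is an added example (written for this page; it is not Apple’s, the card schemes’ or any token service provider’s implementation) of a minimal token vault. The merchant is issued a random, Luhn-valid, PAN-shaped stand-in that it can store and submit through systems expecting a card number, while the real PAN stays in the vault; and the token is bound to the merchant that requested it, so a token stolen from one merchant is useless anywhere else. The ‘999’ token prefix, the 16-digit format, the merchant identifiers and the in-memory store are assumptions made for the example; production token services add per-transaction cryptograms and HSM-backed storage that are out of scope here.

```python
"""Minimal payment-token vault: PAN-shaped tokens bound to one merchant.
Added example for this page; not any real token service provider's code."""
import hmac
import secrets

TOKEN_PREFIX = "999"   # assumed token range, so tokens never collide with issued PANs
TOKEN_LENGTH = 16


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string (rightmost payload digit is doubled)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        n = int(ch)
        if i % 2 == 0:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and luhn_check_digit(number[:-1]) == int(number[-1])


class TokenVault:
    """Maps random tokens to (PAN, merchant_id). The merchant never sees the PAN."""

    def __init__(self):
        self._store = {}  # token -> (pan, merchant_id); in memory for the example only

    def tokenise(self, pan: str, merchant_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        while True:
            body = TOKEN_PREFIX + "".join(
                str(secrets.randbelow(10)) for _ in range(TOKEN_LENGTH - len(TOKEN_PREFIX) - 1))
            token = body + str(luhn_check_digit(body))
            if token not in self._store:      # a collision simply retries
                break
        self._store[token] = (pan, merchant_id)
        return token

    def detokenise(self, token: str, merchant_id: str) -> str:
        """Release the PAN only to the merchant the token was issued to."""
        entry = self._store.get(token)
        if entry is None:
            raise KeyError("unknown token")
        pan, bound_merchant = entry
        if not hmac.compare_digest(bound_merchant.encode(), merchant_id.encode()):
            raise PermissionError("token is not valid for this merchant")
        return pan


def can_detokenise(vault: TokenVault, token: str, merchant_id: str) -> bool:
    """True if the vault would release a PAN for this token/merchant pair."""
    try:
        vault.detokenise(token, merchant_id)
        return True
    except (KeyError, PermissionError):
        return False


def demo():
    """Issue tokens for one test PAN at two merchants and show the domain restriction."""
    pan = "4111111111111111"   # well-known test PAN, not a live card
    vault = TokenVault()
    tok_a = vault.tokenise(pan, "merchant-A")
    tok_b = vault.tokenise(pan, "merchant-B")
    return {
        "tok_a": tok_a,
        "tok_b": tok_b,
        "a_ok": can_detokenise(vault, tok_a, "merchant-A"),
        "a_at_b": can_detokenise(vault, tok_a, "merchant-B"),
        "pan_back": vault.detokenise(tok_a, "merchant-A"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two properties are worth checking in the output: the same PAN yields different tokens at the two merchants, and a token issued to merchant-A is refused when presented as merchant-B. That domain restriction is what limits the blast radius of a merchant breach, since a database full of tokens cannot be replayed elsewhere.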

By Bill Trueman, Managing Director, Riskskill and permanent member of AIRFA.

To read full report visit http://riskandfraudsolution.wordpress.com/2015/01/06/top-…

ApplePay in Europe – Will it work?

There is a big issue that Apple have probably faced in their negotiations with the card schemes. They probably had one of those days where they met with MC/Visa and an Apple executive said: “And this will of course apply globally?”, with an answer that introduced Apple to interchange rate differentials, Visa International vs Visa Europe, EMV at 100% in the EU and 0% in the US, NFC issues on mag-stripe vs chip, NFC implementation in the EU, multi-currency issues with exchange rate setting, etc.
