E-Money Risk, Fraud & Compliance Advisory Service by RiskSkill

About RiskSkill’s e-Money Compliance Services

RiskSkill help businesses avoid €multi-million fines and embarrassing brand damaging mistakes from regulatory non-compliance and process and regulatory mistakes. We help clear up the mess when we are called in later.

E-money Licence Changes:

Recent new financial services legislation in the UK, has led to the Financial Conduct Authority (FCA) introducing a Payments Systems Regulator from April 2014. The ECB, and the European Commission are also proposing ways to regulate and police the whole e-money arena, as are the international card schemes. The FCA is now also starting to review and audit the e-money licences they have granted previously and for observance with ALL regulations and also best-practices.

We believe that the FCA have seen that the governance of payment systems, including e-money issuers, is a difficult and continuous task and needs several layers of supervision and oversight in the way that other payment methods have already established (e.g. through the regulations of the international card schemes).

Requirements:

As an e-money licence holder, you need to ensure that your organisation and all of its agents, including passport holders, are fully conversant with and engaged in all due diligence in customer selection and identification, transaction/event screening, suspicion reporting, record-keeping, corporate assessment of exposures and risk, and the Base II (and III) capital assignment to the exposures. Having reporting to the FCA, a clear payment strategy and ABOVE ALL understanding and observance of laws relating to payments in all areas of operation are all also essential.

The main legislation that is pertinent is the meeting of the requirements of the Money Laundering regulations for all countries in which an e-money licence holder, and its agents and Passport Holders, operates. Not doing what is right by the European Money Laundering directives is the quickest way of losing money, being fined, suffering crippling bad media attention, or losing a market – or a full e-money licence (which will happen when firms are reviewed).

ACTIONS 

In advance of the FCA performing its own validation on individual license holders (and making high profile examples of those who are not fully compliant), you need to:

A. Make sure that all your processes, operations and compliance teams are all fully observant of all applicable regulatory requirements, laws and best practices.

B. More importantly though, are you confident that your third party agents are also fully compliant?

We Can and Will Help You In: 

1. Determining your current state of preparedness and identify areas for attention and action before the FCA requests an onsite review of your business.

2. Review the state of compliance and preparedness of your third party agents or passport-licences and report to you on them as the principal e-money licence holder?

We can provide you with our credentials when you need help, as we are a team of payment industry specialists, that have previously worked in many banks and card schemes, and now help organisations assess their current operational status, and become and remain compliant. We have also worked extensively with the rules, regulations, legislation and best practice across the sector, in the UK and across Europe and advise payment organisations on market strategy and direction rather than simply focusing on ‘tick-box’ auditing.

Contact RiskSkill for our Services for all Risks, Fraud and Compliance solutions for e-money, e-payment, internet payments, e-funds, e payment systems, online payment and digital cash’s safe transactions. RiskSkill is also a permanent member of AIRFA an independent and global risk and fraud advisors organization.

Card payments – Who am I dealing with? The parties involved are changing… again

Bill Trueman from Riskskill.com talks about who is involved in the four-party payment models and how and why these are changing

In four party models (those that involve Mastercard and Visa), include:

• Cardholders – like us.
• Merchants – the shops that we use, whether in the high-street or on-line.
• Card Issuers: usually banks that provide us with the plastic-card, the CHIP, PIN and then our statements and customer services.
• Merchant Acquirers: which provide the equipment to accept payments, but which also settle against the issuers globally through the card schemes and most importantly take the risks involved in doing so.

How these parties operate with one another is shown in figure 1 below. Contracts exist between each party, whether formal, OR

a) the sale of goods and services contract (in shop),
b) Visa and Mastercard rules and contracts – through which issuers and acquirers connect globally.

Base four-party model for Card Payments

This is how the processes have worked in the past, but things are changing and getting increasingly complicated.

Newer Parties

Businesses have evolved because of a need for evolution, and/or because of an evolving internet, mobile technology, increasing demands of ‘new solutions’ from merchants and the need to serve ever-newer cardholder services. Acquirers of yesteryear (banks) did not or could not change with market demands. The types of organisations that have evolved include:

Sales/Introducer organisations

Organisations that ‘sell to’ merchants on behalf of acquirers. Often these ‘take a cut’ of all transactions, and often contractually taking some of the work and the risks.

Technical Gateways

Companies that provide merchants with specialist connectivity / IT solutions in the process; aim to link the merchants to the acquirer akin to an internal IT department for payments. These may include specialist data security and tokenization solutions.

Intermediate Processors – PSPs/ Payment Facilitators

Companies that work with the merchants to process transactions to acquirers, and/or other parties for ‘other’ payment types; adding services that acquirers did not or could not provide. These may be specialisms for particular markets or for particular software or applications. Elements of technical gateways and/or specialist data security and tokenization solutions may be involved.

Acquirer Processors

Companies who will provide the processing services for multiple acquirers, or increasingly, also act as acquirers too; and/or offer ‘white-label’ acquiring solutions/platforms and services.

These are shown in figure 2 – Complications include:

– Many different ‘names’ for parties involved across geographies, by the organisations themselves, through the categorisation of these by the card schemes/ regulators. These names change as the market changes.

– Many of these parties overlap into one another e.g.

• A sales/introducer may also start to provide equipment or software, a gateway solution, and/or become an intermediate processor themselves.
• Intermediate processors, may apply for their own acquiring licences to become banks and/or Visa / Mastercard licensed businesses; or set-up or acquire sales businesses.
• Acquirers may buy or establish intermediate processors, or other parties in the chain and;
• Technical transaction processors (Gateways) may become sales businesses or provide intermediate processing and/or other services to the merchants.

– Three-party card schemes such as American Express and Diners can also be processed through the different parties involved above, in parallel or separately.

– AliPay and WeChat Pay are making big inroads in Europe, and are now by many reports bigger than Mastercard and Visa and have big ambitions.

– Domestic card schemes operate in many markets across the EU.

– Other payments schemes – electronic money, wallets, digital currencies.

Acquirer intermediates and disintermediation

Challenges

The challenges that arise and cause difficulties include:

a) Bank regulators required Banks to understand, monitor and continually manage all risks involved. The ‘art’ of doing so is being lost as other parties move into acquiring without the same regulation and knowledge.

b) Risks are often not identified, with credit risk largely uncalculated, untracked or ‘priced for’.

c) Customer identification can become diluted when multiple parties are involved; especially when contracts are written without it being clear who is responsible for the risks/exposures; so problems evolve.

d) Regulators and card schemes introduce many and varying rules and requirements that are often hard to understand and to communicate.

e) Capital adequacy / liquidity – banks are always required to manage this; but as non-bank acquirers develop, there is no non-bank regulator to force these business protection solutions with active regulators examining progress.

f) The fallacy that “acquiring is simple”, has led to more ‘new breed’ acquirers emerging with many quickly failing or required to stop trading when things ‘go wrong’.

Common Challenges that must be mitigated

1. Understand a) exposures, b) risk of failure, c) reward for exposures/risks; as well as all the ‘tricks’ used to con acquirers.

2. Have a clear strategy, policy, procedures, documented risk appetite, calculation methodology, management information and reporting structure.

3. Ensure that all card scheme, regulator, AML and other laws and rules are understood, stayed abreast of and corrected when they arise

4. Measure and manage all changes in business models, exposures, risks, management etc.

5. Look for daily / real-time unusual business features and ‘blips’ in the transactions away from norms and then act upon them.

6. Manage and monitor all third-parties employed or delegated-to in the process of card acquiring.

About Riskskill

Riskskill is a leading Europe-based payments and risk management consultancy, with an impressive international track record of helping payments businesses to find and mitigate payments challenges and risks. The firm works with clients to put in place strategies and programmes of work to make payments businesses or functions more profitable, less susceptible to losses, risks and regulatory issues and compliance problems. Riskskill.com is a global GARS Reviewer for Visa.

For further information, please contact: Bill Trueman or Kevin Smith at enquiries@riskskill.com

About Bill Trueman

Bill Trueman is a professional banker and a payments and risk specialist, with over 25 years of experience. He headed-up risk functions and special investigations in Lloyds Bank issuing and acquiring; acquiring and processing at First Data, and then for insurance risks at RBS / Direct Line. For the last 12 years he has been diving-into many other businesses: largely advising merchants, acquirers and others in the payment chain; to reduce risks and costs, and to find improved ways to do business and/or to make significant organisational change. He is a mentor for innovative payments startups and sits on working parties and panels for the UK regulators.

Source: https://www.thepaypers.com/expert-opinion/card-payments-who-am-i-dealing-with-the-parties-involved-are-changing-again-/776837

Judges Pave Way for Banks in US to Sue Target over 2013 Data Breach

I read with interest that news in Finextra and elsewhere that the banks have been given the go-ahead to sue Target for $30m for the reissue costs associated with the data compromise in 2013. This puzzles me, as I then want to know how the figure of $1200 per card is calculated.

The cost of re-issue will be less than a tenth of that per card. How they can justify that size of loss based upon a reissue alone is not conceivable.

Accordingly, this figure MUST be calculated to include some of the ‘consequential loss’ – i.e. that the compromised cards were then used. Accordingly the banks will have to show a loss on their cards (as well as the costs to them of re-issue).

If I were in Target (and/or the Lawyers in the the defence team) then I would have plenty of defence arguments to tender:

1. a) What did the banks do to mitigate the losses.
2. b) What did their systems look for in the unusual transactional activity.
3. c) As the cards were compromised with limited security feature details lost, why did the banks not check the security feature details and prevent the transactions at the time of the authorisations for the fraud losses on these cards (as is done in most other banks – certainly around the rest of the world).
4. d) As a preventative solution, why had the banks not implemented greater security with EMV (and/ or EMV with CHIP and PIN) as this would have significantly (or completely) removed the possibility that these cards could have been of use. The US issuers involved are far behind the global ‘curve’ on upgrading to the latest technology that was introduced across the rest of the world 15 – 10 years ago.

Someone please introduce me – or any other card-fraud/risk/loss specialist to the consortium of banks or their lawyers to help build their case against Target – or better still to the Target people (and/or their indemnity insurers) – they probably have the much better and more fun case to present to the courts.

In all cases and scenarios, this will be a superb case to watch; and reveals how poor the infrastructure in the USA is, and how far behind both the infrastructure and the thinking actually is – on all sides of the argument.

Thanks

Bill Trueman