Fighting Fraud Is Still Personal
It's a fine line between legitimate payments and fraud. The possibility always exists that customers are not who or what they seem. Questioning an actual, loyal customer could, in some instances, hurt a company's reputation and coffers more than the loss of a missing payment.
This dilemma is a daily one for Colleen Lindow, a senior director overseeing transaction risk at PayPal. Lindow says her biggest challenge is balancing customers' experiences with mitigating the online-payment company's risk of fraud. "It's important that when customers try to pay that they can," she said at the the Association for Financial Professionals's (AFP) annual conference in Boston earlier this week. If the risk-management processes and tools she uses backfires and a real customer is unable to use PayPal, she may get a call from senior managers asking what went wrong.
At the same time, companies struggle to know with certainty if they made a correct decision by shutting someone out of their payment system. "It's a difficult thing to deal with because it can be hard to draw the conclusion of whether you turned away a good customer or not," says Don Bush, marketing director at Kount, a risk-management company. Kount's technology helps uncover the mystery of whether a customer is who he says he is by looking at more than 200 variables during a transaction to assign that customer a risk score. For example, the risk score would go up if the customer claims he's from Chicago but has logged in from Vietnam. The merchant using Kount's tool may automatically decline the transaction (say, if it refuses to accept any business from a certain region) or bring in a sales representative at a certain point to decide whether the deal should move forward.
Only a small percentage of transactions are suspect, according to Kount, but the prospect of getting hit by fraudsters places a heavy burden on the executives who manage risks at their companies. Transactions between companies and their customers -- whether they be individuals or businesses -- rely on some trust that the checks, credit cards, and bank transfers used to pay for services and products are legit. And every once in a while, they are not, and the seller ends up with an empty deposit or a fake check -- or worse, a compromised bank account. In a report released earlier this year, the AFP found that 71% of organizations experienced either attempted or successful payment frauds in 2010.
Fraud-prevention software and authentication processes can help stop fraud from occurring, of course, but too many safeguards can also also turn off actual customers. For example, a merchant may ask consumers to enter a password that their credit-card company will verify, an extra step that may make the consumer balk. "Merchants report increased abandonment when they implement these schemes, particularly for lower-value transactions," says Gabriel Hopkins, head of e-commerce products at payment processor WorldPay.
Companies like PayPal have created their own homegrown solutions, and others use products like WorldPay's or Kount's that rely on automating processes for detecting and preventing fraud. These products have their limits. "Tools help, but not 100% of the time," says Frank Fiorille, director of enterprise risk management at payroll provider Paychex. To improve companies' ability to mitigate the risk of payment fraud, Fiorille and other experts offer these unconventional tips that rely on a human element:
Establish a risk culture. Extend the task of stemming fraud risk beyond the company's pure risk-management and finance functions. Educate all employees about fraud trends, red flags, and security measures. At Paychex, for example, salespeople are included in this endeavor and are rewarded when they make saves. The company has also made up a training game for detecting fraud and a handy card for employees that includes phone numbers to call if fraud is suspected.
Keep track of all bank accounts. Steven Bernstein, executive director at J.P. Morgan Treasury Services, has helped two companies this year recover from the fraudulent use of accounts the companies considered minor. "Protect all your bank accounts even though it may not seem like you need to," he says. Criminals are increasingly trying to make electronic transactions through the Automated Clearing House (ACH) network by stealing credentials from unprotected bank accounts to appear legitimate. While checks still dominated payment fraud made or attempted in 2010, according to the AFP survey, fraudulent ACH debits are the second-most problematic area (in 25% of the cases).
Look tough. Let it be known that when a suspected fraud occurs, your company will quickly contact local authorities and federal agencies. Also consider adding former law-enforcement officials to your risk-management staff. The company can gain from their expertise and the perception that it may have inside information. "If your company is not tough on fraud, [fraudsters will] go after you," Fiorille says.
Written by Sarah Johnson for CFO.com.