Through our interaction with our customers (I am using consumers to indicated the individual making a purchase or a payment, merchants to indicate the providers of goods or receivers of payments, and customers to indicate both), from first encounter to termination, we see changes in the details they provide us, how they act on our website, their interaction with us through email and phone, and much more. We constantly re-evaluate our customers at any of these points to see if there are any alarming changes that require our attention. How do we make sense of them? By using them to answer three questions:
Who is this? Our interaction with our customers—whether they make a purchase, start using a service, or call customer care—starts with a simple assertion of identity. There are two things to establish here:
- Validation: Does person X or company Y really exist? Dealing with a nonexistent entity (person or company) exposes you to multiple problems, from simple fraud (as a company, I sell products but never ship them) to money laundering. That is why companies are subject to KYC/KYB regulations (Know Your Customer/Know Your Business, a set of regulations defining the minimal set of information to collect about your customers). Still, even for unregulated companies, being able to make sure that your customer’s identity is valid and exists in the world is basic.
- Authorization and Authentication: Establishing that someone or something exists is one thing. The other question is whether the person currently claiming to be X or Y is indeed that person, or someone authorized by that person/company to act on their behalf. An authorized person may be a family member, a friend, or a co-worker, not necessarily the person whose details they provide—but nonetheless they need to be authenticated (have the right credentials) and authorized (have permission to use those credentials). Failing to check that exposes your system to the use of stolen identities by both fraudsters and relatives. In addition, if you offer password-protected accounts, your accounts will be targeted for hacking (since it’s easier to steal a password for an established account than fake one). If you manage a marketplace, having one of your trusted merchants’ accounts hacked and maliciously used to sell nonexisting inventory is highly unpleasant and creates loss that’s hard to recover. While difficult, users’ needs (parents letting kids use their account, multiple employees using a single account, or MMO players buying “power leveling” services) dictate that you must be able to identify authorized and unauthorized uses of the same identity by multiple people.
- Can they keep their commitment? The question of financial and operational ability is the one most debated in credit modeling and less so when dealing with fraud and “classic” RMP for eCommerce. Failure to address this question exposes you to customers taking on financial commitments for extended periods of time, some of them in good will, and then defaulting. While consumers may not be getting a credit line from you, merchants essentially are. If they presell a large amount of stock and get defrauded into bankruptcy by a supplier, fail to provide adequate customer care and provide defective products, or fraudulently sell something they don’t intend to ship, you are exposed for the whole sum. Most probably you are going to pay at least some, if not all, of the proceeds to your merchant—and be left with the complaints when they disappear. You should also think of any situation in which you are effectively fronting a customer money by paying them in advance of having money in your bank account as credit granting. If you enable same-day direct bank payments without ensuring positive balance in customers’ account, you are in fact extending credit. Since customers’ ability to keep their commitment is undertreated in many RMP teams and most of the knowledge about merchant credit is from banking (and therefore not easily adjusted for online or contemporary business needs), merchant-driven losses are constantly on the rise. Looking at customers’ ability should be twofold: what they can afford now as well as what they will be able to afford in the future; whether their ability to pay is stable. This is true to consumers getting a long-term loan and also to merchants whose financial standings can deteriorate.
- Will they keep their commitment? Customers can be who they say they are and also capable of fulfilling on their commitments but never intend to do so. Since the online experience is not a personal one (online businesses look for scale, which is contrary to personal 1:1 communication) the psychological barrier to fraud, or just neglect to pay or communicate properly, is much lower. As a result, customers are not adverse to having late payments, false charge-backs, and other unfounded claims. Serial abusers will identify a way to reduce their liability and get away with a certain behavior and will do so repeatedly unless detected and stopped. Therefore, being able to either detect good intent or impact customers’ mindset to want to keep their commitments is another component of a RMP system.
A lot of the loss you deal with, up to mid-double digits, can be caused by various mistakes made by employees or customers. Of course you may see cases of customers claiming to not understand something about your product as an excuse for not paying or even experience employee fraud, but more often than not there are genuine, large-scale problems in your product, experience, or operations that cause losses. Whenever you look into a loss case, you must first rule out any of those.
Your product may drive losses by the way it works. This comes into play when customers fail to understand features they are buying, or that in fact they are buying something. If your user acquisition is based on a free sample followed by automatic registration or a change of cost, some of your customers will end up being unable to pay or just uninterested in paying. These could be built into your product and be considered a cost of doing business and will be almost impossible to detect in advance.
Your customer experience can drive losses. Disputes are an example: if a consumer tries to submit a legitimate dispute about a merchant and has a hard time going through your dispute flow, you will be slapped with an unnecessary chargeback and additional fees for a case that could have ended with a refund. Another simple example is your dynamic descriptor, the text that appears next to your charge in the credit card’s statement; if that is unclear or hard to search and identify, you will see unjustified chargebacks.
Operational issues may also cause losses. Multiple problems can be caused by money movement just being complicated, but also from relying on increasingly old and malfunctioning financial systems. Corruption of the acquirer’s settlement file, the file contains the payments it captured (actually debited) for you, could lead to some payments being incorrectly allocated and appearing as losses when they’re not supposed to; the same can happen with internal accounting allocation of payment revenues. Wrong procedures in dispute handling may cause wrong settlements in either side’s favor that are inconsistent with your protection policy—driving angry merchants to not pay their fees and leave your platform—or just drive consumers to issue more chargebacks.
People makes mistakes, and that’s part of every day life in your business. Those mistakes can many times be fixed easily (by a change in procedure or text in an email) and make a big difference in your losses. Always take that into consideration when you analyze root cause, because assuming intentful actions by customers may often lead you to the wrong conclusions.
Using the three questions (Who are they? Can they meet their obligations? Will they?), we can explain and describe most loss occurrences. While theoretically these questions are mutually exclusive and describe the majority of phenomena we’ll run across, we must remember that:
- The indicators we collect from our users will not point at one or the other in a mutually exclusive manner. Does a consumer providing slightly altered details show bad will, stolen identity, or simply privacy awareness? If a consumer tries to shop, gets rejected, and then tries again for a lower amount, is this lack of finances or abusive behavior? Even if a negative event occurred and loss has materialized, it’s often hard to distinguish what the absolutely real cause for it has been.
- People make mistakes. A lot of the theory and many policies assume that customers’ actions are a reaction to something (even if not rational, such as the feeling that they don’t need to pay a virtual service because it’s a victimless crime). The truth, however, is more complicated. If you do your work well, big shifts in your actual losses will be driven by major events (big new merchant introducing a completely different population, macroeconomic shifts, a new product). On a day-to-day level, though, the majority of losses will be driven by mistakes. These causes can be detected and eliminated by root cause analysis but are not covered by the above framework.
Putting aside integration issues, as discussed, customer behavior should all fit into this matrix. Most of your customers in a standard eCommerce operation will be who they say they are (own the identity they’re using) as well as have the money and the willingness to pay. They are the people shopping from work or home, providing their own payment details, and are unlikely to charge back unless there’s a huge issue with your service.
Most of the fraud you’ll see is at the other side of the spectrum: perpetrated by fraudsters who use stolen or fake identities and do not have an intent to pay. In most cases, however, they (or rather the person who’s details they stole) will have the funds to pay—if the card they’re using doesn’t have any balance on it, their purchase won’t go through, and therefore fraudsters will not be interested in their cards; that means that any detection mechanism aimed at figuring out whether there’s money in one’s account is not going to help detect most blatant fraud.
A third example is abuse, sometimes referred to as friendly fraud. As noted previously, cases of “borrowed” identity (the person expected to pay is related to the person initiating the purchase, as in cases in which children use their parents’ card details) are not really fraud: there’s ability to pay and the identity was not stolen, but the willingness to pay is missing. This is a unique type of behavior, where the “borrower” feels that nonpayment online is a victimless crime or maybe that the use of the Internet’s semi-anonymity allows different behavior than when face to face (some consumers almost treat online fraud as the equivalent of stealing cash from their parents’ wallet). Fraud is about identity theft and forging details, and abusers should be treated as misguided individuals who are lax on personal standards but will behave well when reminded. A vast body of research repeatedly demonstrates how this works in real life.
As you can see, there is a vast range of behaviors for both consumers and merchants to understand and work with, and detecting them is both science and art. Being able to detect, analyze root cause, and then act on major problems and emerging trends is the core of what the RMP team should do day to day. Now that we’ve established basic terminology, we are free to discuss the topics that build on it.
Get Introduction to Online Payments Risk Management now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
