Stealth new security threat requires protection for 'low risk' merchants
The terms ‘high-risk’ merchant or ‘high-risk’ MCC (Merchant Category Code), may grab your attention if you’re in the payment industry.
The latest crop of online fraudsters are quite aware of the banks’ vulnerabilities, and use merchants with seemingly low-risk lines of business as fronts for their crimes. The fraudsters mask the payment platforms of legitimate websites to sell illicit goods so that charges will show up as innocent transactions in the bank’s records.
Banks and processors have developed different and unique methodologies for allocating risk scores to the merchants they engage with. Typically, this risk score attempts to be a generalized attribute representing different types of risks that may be introduced by the relationship with the merchant such as credit risk, fraud risk, brand risk, etc. The risk score is based on parameters such as a merchant’s KYC profile, financial background, volume of chargebacks, MMC and checks against external databases. If any or a combination of these factors are jeopardous, the bank will score a merchant higher.
As vetting these factors can be quite complex, many banks devote entire departments to determine which merchants are high vs. low-risk, and how to treat them. Trusting these scores allows banks to pay less attention to low-risk merchants as compared to high-risk ones in their risk management processes. However, this generalization does not always work with some devious types of financial experts: transaction launderers.
Traditionally, money launderers used physical storefronts to launder their funds, but with the evolution of payment systems along with ecommerce technology, criminals have become increasingly sophisticated migrating their money laundering online. This has given birth to a new kind of fraud called transaction laundering (TL), whereby seemingly legitimate businesses process card transactions on behalf of another merchant, knowingly or unknowingly. Even if a bank doesn’t know that TL is occurring within its merchant portfolio, it still will be responsible for the sanctions or fines that the credit card brand can levy upon them.
Research shows that it is the low-risk merchants who are hiding unreported or illegal activity. For example, an online shoe store can appear to be selling running shoes while accepting payments for sales from cannabis or cocaine. The shoe and drug sellers cooperate (sometimes they are the same people) so that the payments for illegal substances are routed through the payment page of the shoe store.
In the above scenario, the bank has issued the shoe store with a suitable MCC, allocated according to the reported products or services it sells. In this case, it’s not just the code that is unbefitting: When a merchant sells shoes using a particular payment processor, while also using the same gateway to process an unreported business, it’s an infringement of credit card brand association policies. As everything being processed on unreported sites is unknown, these unreported businesses create new risks. And these risks aren’t just the merchant’s crime—the bank is ultimately responsible. Not only can banks be facilitating the sales of illegal goods—they may be also breaching AML requirements, KYC rules and/or other legalities.
Using low-risk merchants for TL is more common than one may think. Findings cite several of the top merchant codes used by transaction launderers to funnel their payments include book stores, convenience stores, household appliance stores, cosmetics stores, souvenir shops; hobby, toy and game shops among others. Research also shows that 26% of illegal products and services hidden by criminals through low-risk sites are pharmaceuticals.
That makes sense: If you’re planning to sell drugs online, it’s unwise to try and do it via a high-risk front, which could attract unwanted attention from internal risk departments. It makes more sense to maneuver via a low-risk merchant, and remain below the radar. These ‘low-risk’ merchants make sure they’re on their best business behavior during the onboarding process and maintain good conduct after receiving authorization to collect payments for their products and services.
And as far as transaction laundering is concerned, chargebacks will be minimal or non-existent because purchasers and merchants exert great efforts to make the transactions appear inconspicuous. And these crooks profit from their patience—we’ve seen such ‘harboring’ processes prolonged for 6 months or more.
Many risk officers may presume that low-risk merchants are ‘safe’. However, rejecting high-risk merchants as clients or making onboarding too stringent may turn away clients with high potential for profitability for both parties long-term. That’s why banks need to shift focus if they want to ensure that no illegal activity slips into their merchant portfolio. Failure to detect such activity can subject the banks to fines, penalties or sanctions from the credit card brands.
How can banks protect themselves? Clearly, traditional risk scoring will not work here. It’s recommended that banks decouple the traditional risk-scoring from the transaction laundering risk management process. Banks should submit their entire portfolio, high and low-risk, to be monitored for TL. A cyber-intelligence based solution would be able to monitor all merchants and uncover associated websites and entities connected to their networks. Banks should look beyond credit scores and volume of chargebacks to measure poor business practice.
Focusing your risk mitigation policies only on high-risk clients is not effective in the current ecommerce atmosphere. And the forecast of this atmosphere appears clear for transaction launderers. It looks like they’re going to stick around for a while, unless banks take action to reverse the high-risk factor strategy.