Addressing merchant fraud and the KYC challenge for B2B platforms and aggregators

Asheeta Regidi Head, Fintech Policy at Cashfree.

This article was first published on Medianama, dated December 9th, 2020.

By Asheeta Regidi and Reeju Datta

Many Business-to-Business (B2B) service providers today perform a function much like that of payment aggregators (PAs): on-boarding merchants into the digital ecosystem. Whether by easing access to financial services or to markets, or by resolving some other problem through a range of services, these players enable businesses of all shapes and sizes to explore their potential.

PAs, banks, B2B and Business-to-Consumer (B2C) e-commerce marketplaces, aggregators of offline retailers (like digital bookkeeping apps), non-bank lenders to Small and Medium Enterprises (SMEs), B2B neo-banks, and others (collectively, ‘Aggregators’) all play a similar role. While these players bring benefits like efficiency and financial inclusion, they also encounter the same problem, the scale of which is fairly unique to India: tackling merchant fraud1.

Fraud in online transactions is most often associated with payment processing, and consequently with payment processors and PAs. Today, however, every Aggregator provides indirect access to the financial system, and effective end-merchant verification is an equally crucial challenge for each of them.

Fraud at the merchant level

Transaction level fraud in payments, such as unauthorised transactions via stolen cards/phishing or false refund/chargeback claims, usually occurs at the level of an individual customer, and is largely mitigated by mandatory two factor authentication2. Merchant level fraud, however, occurs at the business level and is rampant. Its larger scale comes from the fact that a single fraudulent merchant can dupe many users at once, which also makes merchant fraud the major cause of fraud induced losses for PAs.

The fraud itself can occur through multiple means:

  • An inoperative business posing as an operative one
  • A restricted/prohibited business posing as a lower risk business
  • A fake storefront set up to execute bust-out fraud3 (utilising fraudulently obtained credit lines)
  • Transaction laundering4, i.e. utilising a legitimate merchant’s credentials, without its knowledge, to process illegal transactions
  • Straightforward identity theft assuming an existing merchant’s identity, or creating an altogether new identity
  • Approved, legitimate merchants allowing fraudulent activities, like factoring (allowing unapproved affiliates to use their payment credentials), or engaging in money laundering/tax evasion.

Different service providers face different types of merchant fraud. For example, while e-commerce marketplaces face issues with the sale of inauthentic products or non-delivery, lenders providing business loans can find that these are utilised for personal purposes or were disbursed to shell companies. The aim of the fraud can also vary: PAs, for example, face fraudulent transactions which aim to dupe users, as well as money laundering and tax evasion tactics which aim to dupe the authorities. Identity, however, often forms the crux of merchant fraud, whether as a fake business or as a legitimate business conducting fraudulent activities.

Challenges and solutions for merchant fraud detection

The means of deception can range from forging identification documents, creating fake business profiles/storefronts and forging invoices/receipts, to restructuring transactions so they fall below reportable thresholds, among other techniques. Effective fraud monitoring therefore requires a holistic approach, covering the merchant’s entire portfolio and backed by proper technological support.

Applicable regulatory mandates also require risk management frameworks comprising pre-on-boarding Know-Your-Customer (KYC) and screening, and post-on-boarding monitoring of merchant behaviour and transactions. These do, however, permit risk-based flexibility in the solutions actually adopted. Internal risk profiling, periodic updates, and fraud reporting (to the Financial Intelligence Unit – India (FIU-IND)5, the Central Bureau of Investigation/Police6, the Reserve Bank of India’s (RBI) Department of Banking Supervision7, and others) are also required. Even where there are no mandates, Aggregators carry out these via self-imposed checks. Different checks allow recognising different fraud indicators, and in the process also encounter specific challenges:

  • Digital on-boarding processes: Consider the digital checks backing increasingly digital on-boarding processes, for example the RBI8 and Insurance Regulatory and Development Authority’s9 Video KYC norms, or the Securities and Exchange Board of India’s (SEBI) recent e-KYC permissions10. One issue here is the ease of faking a storefront online via a seemingly professional business website, regardless of whether an actual brick and mortar storefront exists. Steps like verifying domain name purchase dates (a freshly registered domain behind a supposedly established business is a warning sign), actual site visits and social media activity can therefore help spot shell companies. Business authenticity also needs to be verified through licensing/registration checks, credit checks and examining balance sheets. Here, progress in digital crime capabilities (for example, the deep-fake threat11 to Video KYC) also needs to be tracked.
  • Merchant website checks: A merchant’s website also provides indicators to Aggregators, like reviewing product listings and online customer reviews to help identify the sale of prohibited/fake products. This also helps reassess merchant risk levels post on-boarding, like identifying merchants who maintained an artificially low-risk profile at the time of on-boarding. One challenge here is of merchants themselves being unaware of their website’s misuse, be it a crime like pagejacking12 or an end-merchant enabling an illegitimate sale.
  • Money laundering/tax evasion detection: Detecting money laundering or tax evasion is a challenge given the payments chain’s complexity13, which can involve multiple intermediaries or variations in payment cycles. For example, a merchant can route customer funds through multiple payment intermediaries so that they are disbursed directly to fraudulent recipients (enabling laundering), or so that the funds never reach the merchant’s legitimate bank account, concealing revenue and avoiding tax obligations. A beneficial owner check can also help identify money laundering/terrorist financing concerns, say an investor identified from the company’s filings on the Ministry of Corporate Affairs portal whose name matches one on a sanctions14, Politically Exposed Person (PEP) or international Anti-Money-Laundering/Combating the Financing of Terrorism list.
  • Payments innovation: Fraud detection strategies also need to keep track of vulnerabilities arising out of payments innovation itself (for instance wallets, the Unified Payments Interface, fintech participation through open banking/Application Programming Interface (API) access15 and other new payment channels that are opening up). Internet Protocol (IP) whitelisting, for instance, is necessary to ensure that only authorised access takes place through open banking channels. A bank’s transaction monitoring algorithms would also need to become more intelligent for transactions routed through such channels; for example, the data points to be assessed would differ.
  • Real-time fraud detection at scale: Further, instant on-boarding and instant settlement today require real-time fraud detection. The proliferation of digital payments and of numerous new merchants (like micro-merchants) also requires effective fraud prevention at scale. New age anti-fraud technology can offer the requisite tools here, including:
    • Automated alerts for transaction anomalies (Merchant Category Code (MCC) violations16, URL mismatches, unusual transaction/refund/chargeback frequencies or patterns, or exceeding permitted limits, to name a few),
    • Artificial Intelligence based document and identity authentication,
    • Automated web monitoring for identifying illicit merchant websites or payments processed through unreported/shadow sites,
    • Automated underwriting.
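The first of these tools, rule-based anomaly alerts, lends itself to a worked illustration. The Python below is an added example, not code from the original article or from Cashfree; the merchant profile, transaction schema, thresholds and sample transactions in it are constructed for illustration. It flags four of the indicators named above: an MCC presented on a transaction that differs from the one approved at on-boarding, a payment initiated from a host other than the declared storefront, a day’s gross sales exceeding the permitted limit, and refund or chargeback counts out of proportion to sales.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class MerchantProfile:
    """Risk parameters fixed at on-boarding (hypothetical field names)."""
    merchant_id: str
    mcc: str                          # Merchant Category Code approved at on-boarding
    website: str                      # storefront URL declared at on-boarding
    daily_limit: float                # permitted gross sales per day
    max_refund_ratio: float = 0.15    # refunds / sales, by count
    max_chargeback_ratio: float = 0.01


@dataclass
class Txn:
    """One payment event as the PA sees it (constructed schema)."""
    merchant_id: str
    day: str          # settlement day, YYYY-MM-DD
    kind: str         # "sale", "refund" or "chargeback"
    amount: float
    mcc: str          # MCC presented with the transaction
    origin_url: str   # page that initiated the payment


def registered_host(url: str) -> str:
    """Normalise a URL to its bare host so 'www.' and paths do not cause false mismatches."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def monitor(profile: MerchantProfile, txns: list) -> list:
    """Return (alert_code, detail) pairs for one merchant's transactions, in detection order."""
    alerts = []
    sales_per_day = defaultdict(float)
    limit_flagged_days = set()
    counts = defaultdict(int)
    home = registered_host(profile.website)

    for t in txns:
        if t.merchant_id != profile.merchant_id:
            continue
        counts[t.kind] += 1
        # MCC violation: transaction presented under a category other than the approved one
        if t.mcc != profile.mcc:
            alerts.append(("MCC_MISMATCH", f"{t.day}: presented {t.mcc}, approved {profile.mcc}"))
        # URL mismatch: payment initiated from a site other than the declared storefront
        if registered_host(t.origin_url) != home:
            alerts.append(("URL_MISMATCH", f"{t.day}: {registered_host(t.origin_url)} != {home}"))
        # Limit breach: running daily gross sales exceed the permitted limit (flagged once per day)
        if t.kind == "sale":
            sales_per_day[t.day] += t.amount
            if sales_per_day[t.day] > profile.daily_limit and t.day not in limit_flagged_days:
                limit_flagged_days.add(t.day)
                alerts.append(("LIMIT_EXCEEDED", f"{t.day}: {sales_per_day[t.day]:.0f} > {profile.daily_limit:.0f}"))

    # Frequency checks over the whole window: refund and chargeback counts relative to sales
    sales = counts["sale"]
    if sales:
        refund_ratio = counts["refund"] / sales
        if refund_ratio > profile.max_refund_ratio:
            alerts.append(("REFUND_RATE", f"{refund_ratio:.2f} > {profile.max_refund_ratio}"))
        cb_ratio = counts["chargeback"] / sales
        if cb_ratio > profile.max_chargeback_ratio:
            alerts.append(("CHARGEBACK_RATE", f"{cb_ratio:.2f} > {profile.max_chargeback_ratio}"))
    return alerts


# Constructed sample data: a cafe on-boarded under MCC 5812 (eating places) with a Rs 50,000 daily limit.
PROFILE = MerchantProfile("M001", "5812", "https://www.example-cafe.in", 50000.0)
SAMPLE_TXNS = [
    Txn("M001", "2020-12-01", "sale", 1200.0, "5812", "https://www.example-cafe.in/checkout"),
    # presented as MCC 7995 (betting/casino gambling): a restricted business behind a low-risk profile
    Txn("M001", "2020-12-01", "sale", 30000.0, "7995", "https://example-cafe.in/pay"),
    # payment initiated from an undeclared domain; also pushes the day's gross past the limit
    Txn("M001", "2020-12-01", "sale", 25000.0, "5812", "https://promo-example-cafe.shop/pay"),
    Txn("M001", "2020-12-02", "refund", 1200.0, "5812", "https://www.example-cafe.in/checkout"),
    Txn("M001", "2020-12-03", "chargeback", 30000.0, "5812", "https://www.example-cafe.in/checkout"),
    Txn("M999", "2020-12-03", "sale", 500.0, "5999", "https://other.example"),  # another merchant, ignored
]


def alert_codes(profile=PROFILE, txns=SAMPLE_TXNS) -> list:
    """Just the alert codes, in the order they were raised."""
    return [code for code, _ in monitor(profile, txns)]


if __name__ == "__main__":
    for code, detail in monitor(PROFILE, SAMPLE_TXNS):
        print(f"{code:16} {detail}")
```

Running it prints five alerts for the constructed merchant, one per rule. The hostname normalisation matters in practice: without stripping ‘www.’ and paths, every checkout page would raise a false URL mismatch, and a merchant quietly moving to a look-alike domain would hide among that noise. The ratio checks here run over the whole window; a real deployment would compute them over a rolling period and only once a minimum sales count is reached, so that a new micro-merchant is not flagged on its first refund.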

Regulatory steps to improve fraud management

Along with the above steps that Aggregators can take, regulatory initiatives (balanced with ease of doing business) can also help. Currently, all ‘regulated entities’ (PAs, non-bank lenders and others) have to conduct merchant due diligence and KYC as per the RBI’s KYC norms17. Applicable regulatory frameworks for specific Aggregators (the PA Guidelines18, the Consumer Protection (E-Commerce) Rules, 202019, the NBFC-P2P Lending Directions20 and the Trade Receivables Discounting System Guidelines21, among others) also mandate steps to protect end-customers. There are a few further steps that regulators can take to ease verification processes:

  1. Improving merchant fraud data and access: Existing published data on financial fraud22 doesn’t distinguish between transaction and merchant fraud, a distinction that would help identify fraud/risk patterns. While the Central Fraud Registry23 and the pilot Central Payments Fraud Information Registry24, with its focus on real-time data sharing for preventive action and identification of suspect beneficiaries, are welcome steps, their focus on merchant fraud is unclear. Positive indications nevertheless come from reports of the Payments Council of India’s efforts to develop a merchant fraud registry25. A common negative database of customers defrauding several merchants has also been proposed, and an equivalent database of fraudulent merchants would be welcome. Additionally, the reporting obligations prescribed under the Prevention of Money Laundering Act26 or the RBI’s KYC Direction, for example, currently focus on fraud detected via irregular transactions. Fraud detected via due diligence and KYC goes unreported, even though this can also be a valuable source, for instance for discovering a scam before any transaction takes place. At present, pre-transaction reporting happens only when a name matches terrorist/sanctions lists27. A second factor is improving current reporting mechanisms, for instance bringing in faster FIU-IND on-boarding and enabling fast-track handling of escalations, particularly when the quantum of the fraudulent transactions is high. This includes implementing the FINnet 2.0 plans28 (the tender for this was awarded29 recently).
  2. Digitising business verification: Digitising business checks needs steps like permitting API-based document verification and on-boarding. The RBI, for example, currently only permits KYC documents as ‘certified copies’ (signed, verified physical copies) or ‘equivalent e-documents’ (digitally signed using eSign, DigiLocker documents, or official e-documents like National Securities Depository Ltd’s e-PAN30 or the Ministry of Corporate Affairs’ e-AoA/e-MoA31). The RBI-appointed U.K. Sinha Expert Committee32 (which first suggested the current video KYC norms) advocates API-based verification of ‘entity proof’ via the MCA, Goods and Services Tax, Service Tax, Tax Payer Identification Number, Importer-Exporter Code, Professional Tax, Shops & Establishments certification, Institute of Chartered Accountants of India and other databases. Another recommendation is a ‘Universal Enterprise ID’, or the PAN/GST Identification Number acting as one. Such an ID would enable all ‘entity proof’ verification and allow details like name, registered address and others to be fetched directly from databases. The proposal for mandatory PAN for non-individual KYC33 also serves as groundwork for this. Further, the proposed Public Credit Registry34 will also allow digitised merchant credit checks. Where required, frameworks for Aggregator access to such data (directly, via intermediaries, or by other means) should be created.
  3. Simplifying business KYC for micro-merchants: On-boarding rural and micro merchants, by B2B and B2C marketplaces, is a challenge due to the lack of proper business KYC documents. The Wattal Committee report35 recommended flexible KYC for small merchants, like substituting individual KYC for business KYC when necessary. In particular, the Committee noted the ability to monitor transactions and account activity, even without official business documentation, thus allowing even small merchants to benefit from the formal financial system.
  4. Enabling KYC sharing: The RBI’s KYC norms permit entities to rely on third parties for KYC, much like the one-time KYC seen in the securities industry36. Among the key challenges for such KYC sharing, for banks for example, is the lack of ‘digital’ KYC data and inefficient sharing mechanisms. Though the C-KYC registry37 is in place, it has been facing issues with adoption38. Additionally, C-KYC for business verification is not yet operational. For PAs specifically, KYC relaxations are being brought in by distinguishing between account-opening (banks) and on-boarding (PAs) relationships, allowing reliance on the former’s already completed KYC checks. Liability nevertheless remains with the PA, requiring an assessment of the adequacy of those KYC checks39 without relaxing other checks. These are welcome safeguards, considering the differing due diligence checks required based on the Aggregator’s service and the merchants (a PA, for instance, conducts these checks from a business legitimacy and payments purpose perspective). Alternative solutions for KYC have been proposed, like blockchain based KYC sharing. The Account Aggregator (AA) framework40 can also be utilised after a KYC relaxation, allowing consent-based sharing (banks, for example, are prohibited from sharing KYC data except under a law or with customer consent), followed by API-based verification. This would allow sharing of KYC identifiers (PAN numbers, GSTINs, Corporate Identification Numbers, among others) via the AA schemas41, together with KYC data like business names, addresses and beneficial owner details. The actual documentation records, however, cannot be shared under the AA framework.
  5. Regulatory frameworks: Legal ambiguities also add to on-boarding challenges. Consider the gaming/gambling conundrum, virtual currencies42 or even crowdfunding platforms. Clear regulatory frameworks would aid, for example, in assessing the legality of servicing them or verifying compliance/licensing, and, from a scams perspective43, in understanding user verification responsibilities (SEBI’s Crowdfunding Consultation Paper44, for example, recommended project vetting by the platform). Additionally, under the upcoming data protection law45, unless exempted (say as a ‘reasonable purpose’ like fraud prevention), self-adopted KYC practices can run into consent issues. With the proposed amendment to the Information Technology Act46, basic Aggregator regulation comprising basic consumer protection norms, applying (only) in the absence of specific regulation, can also be explored, providing legal backing to self-regulation.

Enabling proper fraud safeguards

While fraud primarily impacts consumers, the entities involved aren’t spared either, be it through regulatory sanctions/fines, legal action, chargeback liability or, significantly, damage to reputation and public trust47. The Phatak Committee48 identified on-boarding as the biggest hindrance in bringing India’s 45-60 million merchants (including mom and pop stores and small format merchants) online. B2B services and aggregators play an important role, and the suggested steps work towards both tackling fraud effectively and removing on-boarding friction.

Digitisation with proper safeguards is thus essential on both counts.

  1. Article by Ron Teicher: Three Types of Merchant Fraud: A Guide For Merchant Acquirers, Finextra, dated November 21st, 2017.
  2. RBI Notification: Security Issues and Risk mitigation measures related to Card Not Present (CNP) transactions, RBI/2011-12/145, dated August 04, 2011.
  3. White Paper by Experian: Bust-out Fraud – Knowing what to look for can safeguard the bottom line, 2009.
  4. White Paper by Kasturi Chattopadhyay: Transaction Laundering – A Growing Threat In The Payments Industry, Infosys Document, 2018.
  5. Website of Financial Intelligence Unit – India.
  6. RBI Notification: Frauds – Classification and Reporting, RBI/2014-15/85, dated July 01, 2014.
  7. RBI Notification: Master Direction – Monitoring of Frauds in NBFCs (Reserve Bank) Directions, 2016, RBI/DNBS/2016-17/49, dated September 29, 2016.
  8. RBI Notification: Amendment to Master Direction (MD) on KYC, RBI/2019-20/138, dated January 09, 2020.
  9. IRDAI Circular: Video Based Identification Process (VBIP), IRDAI/SDD/CIR/MISC/245/09/2020, dated September 18, 2020.
  10. SEBI Circular: Entities permitted to undertake e-KYC Aadhaar Authentication service of UIDAI in Securities Market – Addition of NSE to the list, SEBI/HO/MIRSD/DOP/CIR/P/2020/167, dated September 08, 2020.
  11. Article by Rhodri James: Are deep fakes a threat to the future of identity verification?, Bobsguide, dated November 29, 2019.
  12. Pagejacking, Techopedia, updated on September 8, 2011.
  13. White Paper by Kasturi Chattopadhyay: Transaction Laundering – A Growing Threat In The Payments Industry, Infosys Document, 2018.
  14. United Nations Security Council: The List established and maintained pursuant to Security Council res. 1267/1989/2253.
  15. Media Report: Open Banking Takes On Financial Crime Big Time, Pymnts, dated June 30, 2020.
  16. Article by Yowana Wamala: Merchant Category Codes (MCCs): What You Need To Know, ValuePenguin, dated November 17, 2020
  17. RBI Notification: Master Direction – Know Your Customer (KYC) Direction, 2016, RBI/DBR/2015-16/18, updated on April 20, 2020.
  18. RBI Notification: Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI/DPSS/2019-20/174, updated on November 17, 2020.
  19. Ministry of Consumer Affairs, Food and Public Distribution Notification: Consumer Protection (E-Commerce) Rules, 2020, The Gazette of India : Extraordinary, dated July 23, 2020.
  20. RBI Notification: Master Directions – Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017, RBI/DNBR/2017-18/57, updated on December 23, 2019.
  21. RBI Guidelines: Guidelines for the Trade Receivables Discounting System (TReDS), updated on July 02, 2018.
  22. RBI Publications: Annual Report, Chapter VI. Regulation, Supervision and Financial Stability, updated on August 25, 2020.
  23. RBI Notification: Fraud Reporting and Monitoring, RBI/2015-16/295, dated January 21, 2016.
  24. RBI Press Release: Oversight Framework for Financial Market Infrastructures (FMIs) and Retail Payment Systems (RPSs), dated June 13, 2020.
  25. Media Report by Advait Rao Palepu: RBI To Set Up A Central Fraud Registry For Payments Systems, Bloomberg Quint, dated August 07, 2019.
  26. The Prevention of Money Laundering Act, 2002
  27. Search engine for the United Nations Security Council
  28. FIU-IND Publications: Annual Report 2018 – 19, Chapter 8.
  29. FIU-IND Notification: Tendering Process for FINnet 2.0: Publication of Tender Results, No. 9-28/ISMG/2019/FIU-IND (Vol-3).
  30. Download e-PAN Card, Website of NSDL e-Governance Infrastructure.
  31. MCA Help and FAQs: FAQs on SPICe+ Forms.
  32. RBI Publication: Report of the Expert Committee on Micro, Small and Medium Enterprises, dated June 25, 2019.
  33. RBI Notification: Amendment to Master Direction (MD) on KYC, RBI/2018-19/190, dated May 29, 2019.
  34. Article by Ritu Singh: What is Public Credit Registry? How can it help banks and you?, CNBC TV18, updated on August 01, 2020.
  35. Ministry of Finance Publication: Committee on Digital Payments: Medium Term Recommendations to Strengthen Digital Payments Ecosystem, dated December 09, 2016.
  36. Media Report by Sunil Dhawan: Tata Mutual Fund launches ‘contact-less’ on-boarding for first-time investors, Financial Express, updated on September 24, 2020.
  37. Central KYC Registry, Website of CERSAI.
  38. RBI Publication: Report of High Level Committee on Deepening of Digital Payments, dated May 17, 2019.
  39. RBI Publication: Report of the Committee on the Analysis of QR (Quick Response) Code, dated July 10, 2020.
  40. RBI Notification: Master Direction – Non-Banking Financial Company – Account Aggregator (Reserve Bank) Directions, 2016, RBI/DNBR/2016-17/46, updated on November 22, 2019.
  41. ReBIT Specification: NBFC-AA API Specification, dated November 08, 2019.
  42. Article by Asheeta Regidi: The Cryptocurrency Verdict: On the need for interim clarity as the RBI mulls over regulation, FirstPost, dated March 23, 2020.
  43. Blogpost: Crowdfunding: Risk of Fraud in Online Collective Funds, Integrity-Asia.
  44. SEBI Publication: Consultation Paper on Crowdfunding in India.
  45. The Personal Data Protection Bill, 2019.
  46. Media article by Aditi Agarwal: MEITY starts consultations on amending the Information Technology Act, 2000, Medianama, dated April 7th, 2020.
  47. Media Report by Himanshi and Ashwin: Digital payment firms join Paytm in fight against Trai, telcos over financial frauds, The Economic Times, updated on September 22, 2020.
  48. RBI Publication: Report of the Committee on the Analysis of QR (Quick Response) Code, dated July 10, 2020.