Types of merchant fraud encountered by Payment Aggregators and measures to tackle it

A different version of this article was published previously on Medianama.

By Asheeta Regidi and Reeju Datta

Developments in payments technology and fraud have tended to go hand-in-hand in the past. Payments giant Paypal, which arguably popularised money on the internet, was reportedly losing more than $1.6 Million every month on fraudulent transactions during early days. Paypal has since resolved those fraud issues¹, but a similar situation is arising today, with new avenues for fraud opening with India’s push for digital payments and the pandemic induced accelerated digitisation. The Reserve Bank of India (‘RBI’) reports an increase in both volume (28%) and value (159%)² in reported financial fraud since last year.

Increasing payment fraud even prompted a recent regulatory advisory for industry initiatives³ promoting user awareness. Tackling merchant based payment fraud however requires diligence at other levels as well. Acquirers like banks or payment aggregators (‘PAs’), bear the risk and responsibility here, being (often) the first to on-board merchants into the (digital) financial system. Here, the nature of merchant fraud PAs face and how they can be addressed is discussed.

Merchant fraud vs. transaction fraud

Payments fraud can take the form of ‘transaction fraud’, usually at the end-user level⁴, consisting of unauthorised transactions, false refunds/chargebacks, etc. This often relies on extracted financial data via phishing, hacking databases, malware/screen-sharing apps, pagejacking to redirect legitimate traffic, etc. Remedies thus entail say security measures at the end-user level (mandatory AFA⁵, payer authentication via 3-D Secure, tokenisation⁶, SMS alerts⁷, etc.) or merchant measures (cybersecurity checks, monitoring suspicious customer activity like multiple orders by the same person using different cards, alerts for scams like counterfeit product sale, etc.).

Merchant fraud does involve transaction fraud, but can be differentiated given the source. It often revolves around the merchant’s identity, and resolution methods thus turn from user level diligence and security measures to merchant level monitoring and identity checks. Broadly, merchant fraud may be with the intention of duping individuals (fraudulent transactions), or the authorities (money laundering, tax evasion, terrorist financing). The former is challenging given multiple users can be defrauded simultaneously (unlike general transaction fraud that can be a single fraudulent transaction). Mandatory KYC, pre and post on-boarding merchant due diligence and transaction monitoring ⁸ come together to tackle this fraud.

Forms of merchant fraud and the checks necessitated

1. Forged KYC documents and Identity theft: Forged KYC documents allow fraud like identity theft, involving assuming a legitimate business’s identity by forging its key documents. Alternatively, the fraudster can create a new identity altogether, or claim authorisations, etc., that he doesn’t actually have. Document authenticity checks, signature matching, beneficial owner checks, etc., done via API based verification, eKYC/digital signature mechanisms, etc., are thus key here. Live photographs, geotagging and encouraging AI and face matching technology use in the RBI’s digital

Holistic monitoring for effective fraud detection

For effective merchant fraud detection, thus a PA has to aim for holistic monitoring, covering the merchant’s entire portfolio. Turning to new age AI/ML based fraud detection systems will be essential. Data also holds significant promise as a risk mitigation technique, and the proposed exemption of its use as such as a ‘reasonable purpose’ under the upcoming Indian data protection law⁹ is thus welcome.

1. Media Report by Chelsea Allison: PayPal’s history of fighting fraud, Fin, dated March 01, 2019.  
2. RBI Publications: Annual Report, Chapter VI. Regulation, Supervision and Financial Stability, updated on August 25, 2020.
3. RBI Notification: Increasing Instances of Payment Frauds – Enhancing Public Awareness Campaigns Through Multiple Channels, RBI/2019-20/256, dated June 22, 2020.  
4. Media Report by Samarth Bansal: The murky world of India’s fintech scams, Mint, updated on March 24, 2020.
5. RBI Notification: Security Issues and Risk mitigation measures related to Card Not Present (CNP) transactions, RBI/2011-12/145, dated August 04, 2011.
6. RBI Notification: Tokenisation – Card transactions, RBI/2018-19/103, dated January 08, 2019. 
7. RBI Notification: Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, RBI/2017-18/15, dated July 06, 2017.
8. RBI Notification: Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI/DPSS/2019-20/174, updated on November 17, 2020.
9. The Personal Data Protection Bill, 2019.