Types of merchant fraud encountered by Payment Aggregators and measures to tackle it

Asheeta Regidi, Head, Fintech Policy at Cashfree.

A different version of this article was published previously on Medianama.

By Asheeta Regidi and Reeju Datta

Developments in payments technology and fraud have tended to go hand-in-hand in the past. Payments giant PayPal, which arguably popularised money on the internet, was reportedly losing more than $1.6 million every month on fraudulent transactions during its early days. PayPal has since resolved those fraud issues [1], but a similar situation is arising today, with new avenues for fraud opening with India’s push for digital payments and the pandemic-induced accelerated digitisation. The Reserve Bank of India (‘RBI’) reports an increase in both volume (28%) and value (159%) [2] in reported financial fraud since last year.

Increasing payment fraud even prompted a recent regulatory advisory for industry initiatives [3] promoting user awareness. Tackling merchant-based payment fraud, however, requires diligence at other levels as well. Acquirers like banks or payment aggregators (‘PAs’) bear the risk and responsibility here, being (often) the first to on-board merchants into the (digital) financial system. This article discusses the nature of the merchant fraud PAs face and how it can be addressed.

Merchant fraud vs. transaction fraud

Payments fraud can take the form of ‘transaction fraud’, usually at the end-user level [4], consisting of unauthorised transactions, false refunds/chargebacks, etc. This often relies on financial data extracted via phishing, hacking databases, malware/screen-sharing apps, pagejacking to redirect legitimate traffic, etc. Remedies thus entail, say, security measures at the end-user level (mandatory AFA [5], payer authentication via 3-D Secure, tokenisation [6], SMS alerts [7], etc.) or merchant measures (cybersecurity checks, monitoring suspicious customer activity like multiple orders by the same person using different cards, alerts for scams like counterfeit product sale, etc.).

Merchant fraud does involve transaction fraud, but can be differentiated by its source. It often revolves around the merchant’s identity, and resolution methods thus turn from user-level diligence and security measures to merchant-level monitoring and identity checks. Broadly, merchant fraud may be carried out with the intention of duping individuals (fraudulent transactions), or the authorities (money laundering, tax evasion, terrorist financing). The former is challenging given that multiple users can be defrauded simultaneously (unlike general transaction fraud, which can be a single fraudulent transaction). Mandatory KYC, pre- and post-on-boarding merchant due diligence and transaction monitoring [8] come together to tackle this fraud.

Forms of merchant fraud and the checks necessitated

  1. Forged KYC documents and identity theft: Forged KYC documents allow fraud like identity theft, which involves assuming a legitimate business’s identity by forging its key documents. Alternatively, the fraudster can create a new identity altogether, or claim authorisations, etc., that he doesn’t actually have. Document authenticity checks, signature matching, beneficial owner checks, etc., done via API-based verification, eKYC/digital signature mechanisms, etc., are thus key here. Live photographs, geotagging and the encouragement of AI and face-matching technology use in the RBI’s digital [9] and video KYC [10] processes also aim at an effective digital equivalent of the original in-person KYC checks.
  2. Faking business operations: This may be an inoperative business posing as operative, say for AML/CFT activities, adopting a seemingly legitimate front to carry out illegitimate activities on the side, or attempting to circumvent restrictions on serviceable businesses. PAs, for example, adhere to bank-defined lists of prohibited (e.g. drugs, hacking, tobacco) and high-risk (e.g. pharmaceuticals, matrimony, job portals, travel agencies) businesses. Businesses from identified ‘high-risk’ jurisdictions also cannot be serviced. The fraud here allows a lower risk profile during on-boarding, and thereby the ability to operate. Actual site visits, examining balance sheets, credit history, etc., thus help. Domain name purchase dates, and evaluating social media activity and customer reviews, can also reveal product legitimacy, possible shell companies, etc. The checks need to be ongoing: for example, merchant website content monitoring, checking product listings, etc., help track changes to the front demonstrated during on-boarding. This also includes periodic updates [11] of merchant risk categorisation and KYC.
  3. Bust-out fraud: Fake business operations can also be aimed at effecting bust-out fraud [12]. This involves a bank customer applying for and obtaining loan/credit lines, exhausting them and then abandoning the account without repayment. The fraud is typically characterised by high chargeback rates [13]. PAs here can be used by fraudsters to create a fake storefront to process the required illicit payments.
  4. Transaction laundering/factoring: Approved merchant accounts can be used for illegitimate transactions, which makes it challenging to distinguish these from the merchant’s legitimate transactions. Transaction laundering [14], for instance, involves fraudsters using an existing merchant’s payment credentials for payments through unreported/shadow sites without the acquirer/merchant’s knowledge. Factoring involves the misuse with the merchant’s collusion, say allowing unapproved vendors/affiliates, or even the merchant’s own alternate business/subsidiary/branch, to use its account. A significant concern is that money laundering becomes scalable [15] this way, without the effort of faking storefronts, etc., to obtain the credentials. IP whitelisting (limiting domains on which the credentials can be used), transaction monitoring (anomalies like Merchant Category Code violations [16], URL mismatches, transaction/chargeback/refund pattern changes, exceeding permitted limits, restructuring transactions to fall below reportable thresholds), etc., are key here.
  5. Exploiting payments chain complexities: Payment service providers providing multiple payment services also need to be alert to misuse of the payments chain’s complexity [17]. Take a fraudulent (say) gaming merchant routing customer funds collected through a PA’s service, for supposed direct payout to legitimate recipients (the gaming winners, their own commissions). This is instead disbursed to fraudulent recipients. This, for one, enables money laundering. Second, the customer funds don’t settle in the merchant’s legitimate bank account, allowing revenue concealment and hence tax evasion.
  6. Monitoring for corporate fraud and AML/CFT: Some checks can indicate corporate fraud or AML/CFT concerns, like verification of beneficial owners, say investors identified from MCA [18] documents (like shareholding patterns), against sanction [19]/PEP/international AML/CFT lists. Manipulation/alteration of financial statements like balance sheets, forging invoices/receipts to cover illegitimate transactions, unusual revenue patterns, etc., are other indicators.
  7. End-merchant fraud: With new merchant categories emerging with innovation, like online gaming, virtual currencies and related services [20], various B2B platforms and aggregators, etc., risk levels need to be assessed separately by PAs. Relevant factors here include whether they are regulated, compliance [21] levels and practices for end-merchant verification (particularly since these end-merchants gain indirect access to the financial system through the platform). For example, consider the misuse internationally of crowdfunding [22] and P2P lending platforms [23] for money laundering, scams with virtual currencies or their misuse for converting illegally obtained funds, enabling illegal cross-border funds transfers, etc.
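
The transaction-monitoring anomalies named under item 4 (Merchant Category Code violations, URL mismatches, exceeding permitted limits, restructuring below a reportable threshold) can be sketched as a rule-based pass over transaction records. This is an added example, not part of the original article: the field names, merchant profile, threshold and "just below" band are all assumptions for illustration, not regulatory figures.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical on-boarding profile; every value below is constructed.
PROFILES = {"M001": {"mcc": "5942", "domains": {"books.example"}, "txn_limit": 60_000}}
REPORT_THRESHOLD = 50_000  # placeholder reporting threshold (assumption)
NEAR_FLOOR = 45_000        # "just below" band starts here (assumption)
MIN_NEAR_COUNT = 3         # near-threshold payments per payer per day to flag

def flag_transactions(txns, profiles=PROFILES):
    """Return {txn_id: sorted rule names} for transactions that hit a rule."""
    flags = defaultdict(set)
    near = defaultdict(list)  # (merchant, payer, day) -> ids just under threshold
    for t in txns:
        p = profiles[t["merchant"]]
        if t["mcc"] != p["mcc"]:                      # category differs from on-boarding
            flags[t["id"]].add("mcc_violation")
        host = (urlparse(t["origin_url"]).hostname or "").lower()
        # Exact or dot-prefixed suffix match, so "evilbooks.example" does not pass.
        if not any(host == d or host.endswith("." + d) for d in p["domains"]):
            flags[t["id"]].add("url_mismatch")
        if t["amount"] > p["txn_limit"]:
            flags[t["id"]].add("limit_exceeded")
        if NEAR_FLOOR <= t["amount"] < REPORT_THRESHOLD:
            near[(t["merchant"], t["payer"], t["day"])].append(t["id"])
    for ids in near.values():                         # repeated near-threshold payments
        if len(ids) >= MIN_NEAR_COUNT:
            for i in ids:
                flags[i].add("possible_structuring")
    return {i: sorted(rules) for i, rules in flags.items()}

def txn(i, mcc, amount, payer, day, url):
    return {"id": i, "merchant": "M001", "mcc": mcc, "amount": amount,
            "payer": payer, "day": day, "origin_url": url}

# Constructed sample records, not real data.
SAMPLE = [
    txn("t1", "5942", 1_200, "u1", "2020-11-02", "https://shop.books.example/checkout"),
    txn("t2", "7995", 3_000, "u2", "2020-11-02", "https://play.shadow.example/pay"),
    txn("t3", "5942", 49_000, "u3", "2020-11-03", "https://books.example/checkout"),
    txn("t4", "5942", 48_500, "u3", "2020-11-03", "https://books.example/checkout"),
    txn("t5", "5942", 49_900, "u3", "2020-11-03", "https://books.example/checkout"),
    txn("t6", "5942", 75_000, "u4", "2020-11-04", "https://books.example/checkout"),
]

if __name__ == "__main__":
    for txn_id, rules in flag_transactions(SAMPLE).items():
        print(txn_id, rules)
```

Flags like these are review triggers rather than findings; chargeback and refund pattern changes need a per-merchant baseline over time and are left out of this sketch.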

Holistic monitoring for effective fraud detection

For effective merchant fraud detection, a PA thus has to aim for holistic monitoring, covering the merchant’s entire portfolio. Turning to new-age AI/ML-based fraud detection systems will be essential. Data also holds significant promise as a risk mitigation technique, and the proposed exemption of its use as such as a ‘reasonable purpose’ under the upcoming Indian data protection law [24] is thus welcome.

  1. Media Report by Chelsea Allison: PayPal’s history of fighting fraud, Fin, dated March 01, 2019.  
  2. RBI Publications: Annual Report, Chapter VI. Regulation, Supervision and Financial Stability, updated on August 25, 2020.
  3. RBI Notification: Increasing Instances of Payment Frauds – Enhancing Public Awareness Campaigns Through Multiple Channels, RBI/2019-20/256, dated June 22, 2020.  
  4. Media Report by Samarth Bansal: The murky world of India’s fintech scams, Mint, updated on March 24, 2020.
  5. RBI Notification: Security Issues and Risk mitigation measures related to Card Not Present (CNP) transactions, RBI/2011-12/145, dated August 04, 2011.
  6. RBI Notification: Tokenisation – Card transactions, RBI/2018-19/103, dated January 08, 2019. 
  7. RBI Notification: Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, RBI/2017-18/15, dated July 06, 2017.
  8. RBI Notification: Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI/DPSS/2019-20/174, updated on November 17, 2020.
  9. Ministry of Finance Notification: Prevention of Money-laundering (Maintenance of Records) Third Amendment Rules, 2019, The Gazette of India : Extraordinary, dated August 19, 2019.
  10. RBI Notification: Amendment to Master Direction (MD) on KYC, RBI/2019-20/138, dated January 09, 2019.
  11. RBI Notification: Master Direction – Know Your Customer (KYC) Direction, 2016, RBI/DBR/2015-16/18, updated on April 20, 2020. 
  12. White Paper by Experian: Bust-out Fraud – Knowing what to look for can safeguard the bottom line, 2009.
  13. Article by Ron Teicher: Three Types of Merchant Fraud: A Guide For Merchant Acquirers, Finextra, dated November 21st, 2017.
  14. White Paper by Kasturi Chattopadhyay: Transaction Laundering – A Growing Threat In The Payments Industry, Infosys Document, 2018.
  15. Blogpost: Transaction Laundering is the New, Advanced form of Money Laundering, Ever Compliant.
  16. Article by Yowana Wamala: Merchant Category Codes (MCCs): What You Need To Know, ValuePenguin, dated November 17, 2020.
  17. White Paper by Kasturi Chattopadhyay: Transaction Laundering – A Growing Threat In The Payments Industry, Infosys Document, 2018.
  18. Website of the Ministry of Corporate Affairs. 
  19. Search engine for the United Nations Security Council.
  20. Article by Asheeta Regidi: The Cryptocurrency Verdict: On the need for interim clarity as the RBI mulls over regulation, FirstPost, dated March 23, 2020.
  21. Ministry of Consumer Affairs, Food and Public Distribution Notification: Consumer Protection (E-Commerce) Rules, 2020, The Gazette of India : Extraordinary, dated July 23, 2020.
  22. Blogpost: Crowdfunding: Risk of Fraud in Online Collective Funds, Integrity-Asia.
  23. Media Report by Omar Faridi: $115 Billion in Losses Reported due to Scams Involving China’s P2P Lending Platforms, Crowdfund Insider, dated August 15, 2020. 
  24. The Personal Data Protection Bill, 2019.