Fraud Risk for Platforms

Some companies provide advanced fraud monitoring as an integral part of their payments product to keep fraud rates low

John Canfield

According to the U.S. Justice Department, credit fraud now costs businesses $5.5 billion a year, with the bulk of that coming from transactions that occur online. Clearly, the Internet is a hotbed for fraud.

But who has the worst fraud exposure? Who stands to lose when a fraudulent transaction gets through online? You may expect that the person whose card was stolen would be the loser, since the money came out of his or her account. But a victim of identity theft can have his or her bank reverse the charges—it’s annoying to have to go through a chargeback process, but ultimately, the cardholder can be made whole. So you may expect it would be the merchant, who for card-not-present transactions like those that occur online is liable when a chargeback occurs. But while it’s true that merchants face a lot of losses for fraud, they can at least partially mitigate their risk by faithfully holding up their end of the deal.

Since the merchant is exposed to fraud loss, there is a loser sitting on the merchant side if the buyer is bad. But what if merchants themselves are bad? Then the platform is left holding the bag.

What Is a Platform?

When we talk about platforms, what we really mean is any website or app that’s acting as a facilitator for transactions between its users. Unlike traditional merchants, they don’t maintain inventory or provide services directly. Rather, they make finding and doing business with individual merchants easier for consumers, and usually earn money by taking a small cut of every transaction. Airbnb is a platform, as are eBay, Uber, Etsy, GoFundMe and most other high-flying e-commerce companies you can name.

Many platforms use a simple payment scheme called aggregation: They settle all funds paid into an account they control, keeping track of who is owed what, and then make the payouts to the merchants themselves. This makes signing up new merchants easy, but it also makes them the merchant of record for all transactions from a liability standpoint. That means that they, and not the end merchant, are the ones that are first in the line of fire when a chargeback occurs.

This means that they accept fraud risk from the payer and merchant side of the transaction, including risk for some types of fraud that are unique to platforms.

Payer Risk

Part of the chargeback risk that platforms face, of course, is plain old payer fraud. This includes the fraud you’re likely to be most familiar with—criminals using stolen cards to make purchases with the intention of getting free things or fencing those purchases for cash.

Another, more specialized type of fraud platforms face is so-called friendly fraud. In this case, there is no identity theft. The transaction completes as normal, the purchase ships or the service is carried out, and then the payer reverses the charges anyway. In some cases, this is intentional fraud—the payer is abusing the chargeback system to try to get free stuff. But just as often, it’s actually an honest mistake on the part of the payer, who doesn’t remember the purchase, and doesn’t recognize the charge when he or she looks at his or her credit card statement. Either way, this generally leads to a dispute that the platform may have to mediate.

Merchant Risk

Merchant fraud, on the other hand, is the risk associated with merchants who can’t or don’t deliver on their promises. Like friendly fraud, this is not always intentional—a merchant may fully intend to deliver, but be prevented for any number of reasons, and a payer may initiate a chargeback rather than dealing with them directly to get a refund.

In addition to the ordinary risks associated with underwriting merchant risk, online platforms are also at risk of a certain kind of fraud that is unique to their situation: shell selling.

Shell selling is a way for thieves to turn a stolen credit card into cash and it works sort of like a traditional money laundering scheme. In a shell sale, both the buyer and the seller are actually shell accounts set up by a criminal. They simply use their fake buyer account to buy something from their fake seller account, which then pays them out. This is especially easy on platforms for services rather than hard goods, like a platform for booking massage clients or listing your home for vacation rentals, since money often just changes hands without the need to actually fake a shipment.

Shell sellers are only really interested in selling to themselves, so they keep a low profile. That means that things like user feedback scores are less useful for spotting them than for other kinds of risky merchants. In some cases, criminals may use account takeover attacks to take control of legitimate merchants with good reputations before pushing through a bunch of shell sales, a tactic that can be hard to fight.

Protecting Yourself from Fraud as a Platform

In order to protect themselves from the risk of chargebacks, while still maintaining the great buying and selling experience they need to attract users, most platforms eventually adopt a risk mitigation system that evaluates each transaction as it goes through. The goal is to gather as much data as possible about both parties involved in the transaction in order to determine that they are who they say they are and can do what they say they can do.

This, unfortunately, is easier said than done. A risk program includes a fair degree of automation and machine intelligence to deal with the sheer amount of demand that is placed on the system by the many thousands of transactions the platform deals with daily. However, there must always be a human element: experienced risk professionals who can evaluate flagged transactions and deal with the gray areas in which a machine would make the wrong call.
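As an added illustration (not code from the article or from any payments product), the sketch below scores each transaction for the shell-selling signs described under Merchant Risk and routes gray-area cases to a human reviewer, as this section describes. The records, field names, weights and thresholds are all constructed assumptions.

```python
from collections import Counter

# Constructed sample data; field names, weights and thresholds are assumptions.
TXNS = [
    {"id": "t1", "buyer": "b1", "seller": "s1", "kind": "goods",   "amount": 40},
    {"id": "t2", "buyer": "b2", "seller": "s1", "kind": "goods",   "amount": 55},
    {"id": "t3", "buyer": "b9", "seller": "s7", "kind": "service", "amount": 900},
    {"id": "t4", "buyer": "b9", "seller": "s7", "kind": "service", "amount": 950},
    {"id": "t5", "buyer": "b3", "seller": "s4", "kind": "service", "amount": 120},
    {"id": "t6", "buyer": "b5", "seller": "s2", "kind": "goods",   "amount": 700},
]
# Attributes a platform might record at signup and login (hypothetical schema).
ACCOUNTS = {
    "b1": {"device": "d1"}, "b2": {"device": "d2"}, "b3": {"device": "d3"},
    "b5": {"device": "d5"}, "b9": {"device": "d7"},
    "s1": {"device": "d10", "payout_changed_recently": False},
    "s2": {"device": "d11", "payout_changed_recently": True},
    "s4": {"device": "d12", "payout_changed_recently": False},
    "s7": {"device": "d7",  "payout_changed_recently": False},
}

def score(txn, txns=TXNS, accounts=ACCOUNTS):
    """Return (total, reasons) for one transaction."""
    buyer, seller = accounts[txn["buyer"]], accounts[txn["seller"]]
    hits = []
    # Buyer and seller on the same device: both accounts may be one person.
    if buyer["device"] == seller["device"]:
        hits.append(("shared_device", 50))
    # Services change hands without a shipment that could be verified.
    if txn["kind"] == "service":
        hits.append(("no_shipment_to_verify", 10))
    # A seller whose sales come almost entirely from one buyer.
    sales = Counter(t["buyer"] for t in txns if t["seller"] == txn["seller"])
    n = sum(sales.values())
    if n >= 2 and sales[txn["buyer"]] / n >= 0.8:
        hits.append(("single_buyer_concentration", 25))
    # Payout details changed shortly before a sale: possible account takeover.
    if seller["payout_changed_recently"]:
        hits.append(("payout_change_before_sale", 30))
    return sum(w for _, w in hits), [name for name, _ in hits]

def triage(txn):
    """Automate the clear cases; send the gray area to a risk analyst."""
    total, reasons = score(txn)
    if total >= 70:
        return "hold", reasons
    if total >= 25:
        return "human_review", reasons
    return "allow", reasons

if __name__ == "__main__":
    for t in TXNS:
        print(t["id"], *triage(t))
```

Note that none of the signals relies on feedback scores, which the article points out are weak indicators for sellers who only sell to themselves.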

Some companies provide advanced fraud monitoring as an integral part of their payments product to keep fraud rates low. Even if your payments processor doesn’t offer similar protections, the past few years saw a slew of fraud-monitoring companies that provide businesses with tools to fight fraud.

The one thing a platform doesn’t want to do is nothing because fraud is not a problem that’s going to just go away.

John Canfield is the vice president of trust and safety for WePay. WePay provides a payment application program interface (API) specifically designed for companies that want to enable many small users to accept credit cards on their platform without taking on the fraud risk and operational burdens associated with payments. WePay powers some of the top platforms, including GoFundMe, StayClassy, CustomMade, Honeyfund and hundreds more. Prior to WePay, Canfield was senior director of risk at eBay.  

 
