As simple and easy as credit cards have made our lives, they have unfortunately also opened up a persistent stream of new scams, targeting both consumers and businesses. As technology has become more sophisticated, so too have criminals and the syndicates in which they operate. So just how do payment service providers protect businesses and consumers?
James Kramer, Head of Data & Risk at fintech company Yoco speaks to Hiwot Wolde-Senbet on how they have changed the way they evaluate data and risk, and how using new technology is enabling businesses to combat fraud, through real-time analysis and pro-active fraud and risk monitoring.
How do payment service providers protect businesses and consumers from oncoming threats?
Yoco has visibility into a large number of SMEs across the country (>8,000). Using this large base we are able to track any trends and spikes in fraud occurrences, once we have identified the modus operandi we are able to rapidly make adjustments to our monitoring systems which mitigate the threats without our merchants having to change their behaviour.
An example of this would be if we noticed an unusually large number of fraudulent transactions from cards of a particular country, e.g. the US, where there may have been a data breach. We would create real time alerts notifying our risk team who would then evaluate transactions on a case-by-case basis to legitimate merchants are protected.
A key differentiator for Yoco is that all receipts are digitally stored for card transactions, including the customer’s signature - when it is required. This means that should there be a dispute on a transaction, Yoco will always be able to retrieve the appropriate documentation without having to require the business to the keep hard-copy receipts.
What are the key challenges you face when dealing with data?
The major problem was creating a system that could react to risks in real-time. It is common for a significant amount of fraud to be conducted in a very short period of time. Therefore having a system that can only alert and respond once a day is not sufficient, a real-time system is needed.
After significant development Yoco built such a system which enables a set of rules to be run against every transaction in real-time to determine whether to allow the transaction to be processed or alert the risk team, in addition these rules can be customised for particular businesses or industry segments.
Proactively responding to fraud has allowed Yoco to consistently remain well below industry fraud levels, protecting consumers and SMEs.
How do you evaluate customers’ data and risk using technology?
One of the historic misconceptions with SMEs is that they are more likely to be exposed to fraud than large businesses. After several years of SME exposure we have found this not to be true, in fact SMEs are more likely to be aware of fraud attempts given their closer relationship to customers. In most cases when we alert our merchants to fraud attempts, they were already suspicious and in some circumstances had taken additional precautions or turned the customer away.
Generalising from this lesson; Yoco applies a first-principles, empirical approach to evaluating risk. We continuously learn from experience based on the data we receive to evaluate risk as it occurs and not as it is perceived in the market, using technology to support this approach.
How much pro-active fraud and risk monitoring should businesses do to avoid a crisis?
Within the current system it can take a number of days for a merchant to be informed that a particular transaction they conducted was fraudulent, the cardholder would have to report the incident to their bank, their bank would inform Yoco and Yoco would inform the merchant.
With this delay not adopting a proactive approach can be costly, as fraudsters could make multiple attempts during this time. Requesting a proof of ID to match the name on the card or obtaining a signature could be used in unusual purchases for large amounts. Yoco will also reach out to merchants and can support in fraud mitigation efforts.
Are businesses, particularly SMEs in South Africa affected by GDPR? If so what is being done to help them comply and avoid hefty fines?
South African businesses processing the data of EU subjects will have to make sure they meet the GDPR’s data security requirements. South Africa’s data protection regulation (the Protection of Personal Information Act - POPIA) was broadly based on the UK and EU regulations, meaning they align in many areas, which will make compliance for South African companies less onerous. POPIA is expected to be enacted in full later this year - only some of its provisions are currently in force.