Payment Risk Management
Payment Risk Management: Overview
Tutorial and Course for Payment Risk Management is the ultimate SEO tutorial and course created by SEO University to help you to learn and understand Payment Risk Management and other related technologies.
Payment Risk Management: Facts and Information
Losses and fraud are as old as human society. Scams and acts of fraud were neither started nor invented by the digital generation. As more and more financial activity goes online, the potential payout becomes larger. It was once only possible to steal a credit card. Now you can lend money, refinance your loan, or start a new business online. Increasingly, consumers go shopping online. 2012's Cyber Monday saw sales of almost $1.5 billion, the biggest in history. Consumers have their lives online on Facebook and Twitter. Identities are easy to steal, replicate, and invent; Facebook reports that about 9% of its profiles are fake. On top of all that, consumer activity creates enormous amounts of data that require novel techniques for simple searches, let alone understanding who's real and who isn't, who's a fraudster and who's telling the truth. When operating a financial services business you are faced not only with fraud, but with other causes for losses driven by multiple factors: credit default, misunderstandings, bad operational procedures, and more. I realized that there needs to be a single source for a methodical and comprehensive way to find, describe, understand, and deal with these problems so that businesses could succeed online.
Tutorial and Course for Payment Risk Management offers an introduction, overview, and overarching framework for dealing with risk in online payments. The material in it has been accumulated, shaped, tested, and proven to work over several very busy years of working in various payments companies, specifically in risk management and fraud prevention for payments, as well as consulting and discussing with many others. It aims to spark a discussion around the practice of risk management in payments in particular and eCommerce in general, as well as give the layout of what one should think about when approaching this vast field. It brings together data, organization, technology, UX, product, and other insights to present a blueprint for the best-possible loss and risk management organization in a rapidly changing digital environment, from a one-person task force to dozens of agents and analysts. It covers the essentials of the first couple of years and points toward following steps.
Tutorial and Course for Payment Risk Management is aimed at those who are tasked with starting an RMP function, whether in a small or large corporation. Veterans will find best practices that they have worked with through the years and new ideas that they may want to adopt. CFOs, COOs, and CEOs that have an RMP team reporting to them will learn more about its internals and what to expect of it, as well as some insight into how to measure its performance.
Payment Risk Management: Tutorial and Course
Payment Risk Management: Introduction
Risk management in payments is a peculiar practice. Generally, risk management is focused on the analysis and reduction of risk in various types of activities. Specifically, it regards analysis (in its simplest definition: understanding a problem by dividing it into the smaller parts it is comprised of) of those activities, identification of potential risks (from operational through regulatory ones), and the design and implementation of controls in order to identify, understand, and mitigate those risks when they occur. As such, risk management in general can be and is carried out by business and policy analysts, dealing with the best way to impose controls on operating business units. The term risk management therefore refers to many practices, most of them unrelated to the topic of the Tutorial and Course for Payment Risk Management.
Is RMP different when done for a retailer versus a payment provider or an issuer? In essence, no: all are dealing with similar fraudsters, in a similar space, and the range of tools and customer behaviors they see are similar. There are differences, though: losses are driven by different factors, since retailers mainly deal with consumers, and payment providers deal with both. Available data are different since retailers can see browsing patterns, and issuers don't know what the product is. Even the ability to react is different, since issuers can only block a card from transacting, but payment providers can block individual purchases or block a customer completely. Their ability to implement real-time detection, scale of available data, and tolerance to loss vary. Historically, retailers could be slightly less concerned with cutting-edge technologies, since their margins were higher and a lot of their business was done offline. As many online businesses mature and start worrying more about margins, as well as increasingly become targeted by organized fraudsters, we see more convergence in the knowledge and tools required from all types of businesses.
There are two guiding principles to the way RMP should be thought of:
- RMP is a core function of a payment organization. Forcing your RMP team into Finance or Operations drives the team to look for solutions from a limited toolbox. If you are an RMP leader, you must be able to recognize and use trade-offs between rejections, losses, and cost of operation; therefore, RMP must be a separate, self-sufficient team that owns and impacts such trade-offs with input from the Sales team.
- RMP is a data- and engineering-heavy activity. RMP is not a human-intensive operational team aimed at reducing losses to a minimum using manual review. A substantial percentage of losses occurs due to operational, experience, and general product issues that should be managed with appropriate tools—not improved manual decisions by an ever-growing operations team. To deal with those, RMP teams must own product and data analysis responsibilities, creating substantially more value by independently identifying and fixing issues that would not be otherwise uncovered. Furthermore, day-to-day interaction with customers, together with the instrumentation (documenting and tracking events in your system and their impact on your data in a way that allows real-time and look-back analysis of actions taken) and tracking required for reporting losses and performance, adds to the team's competence to deal with systematic problems holistically. That also makes RMP teams the most qualified to come up with user-behavior-driven solutions that are otherwise hard to replicate.
The two guiding principles above dictate a specific structure and set of activities that should be carried out by the RMP team. This means that the team should be separate as a part of a data, analytics, or "data science" team. Setting the team up this way will not only drive higher success in controlling losses but also improve other value-creating activities that a data team can initiate and lead in your organization.
Payment Risk Management: Problems
Actively going after further detection and analysis of problems, trends, and phenomena in your data and system is what drives the daily improvement that supports your strategy; it is a cycle where you identify your top issues, understand what causes them, and solve them so that other issues become your top concern. However, when you go after these issues, or when you find them, you need to deal with terminology: how will you describe your findings? What is it that you're trying to solve?
We are trying to optimize our risk, according to our risk appetite, measured as a balance between our losses and rejections. Let's look at it step by step:
- Optimizing risk. Risk is determined by the probability of an adverse event happening (fraud chargeback, merchant going out of business, a renter's property being trashed) multiplied by the magnitude of damage we will incur (be it financial, reputational, or other).
- According to our risk appetite. Determining whether we're taking too much or too little risk is a decision owned by various officers of the company and/or external regulations—depending on the level and type of governance the company is subject to. The company's appetite determines the amount of risk it's willing to take; as any Head of RMP discovers, that appetite changes rapidly and is one of the major influences you must manage on a day-to-day basis. Regulation is a significant part of your risk appetite considerations. You will be regulated differently based on your business model, geography, volume, and license type. Some regulations and regulating bodies are more conservative than others, expecting certain types of decision models and style of decision making and documentation; others are open to reasonable explanations of innovative risk-taking models. All are concerned with what they understand as protecting consumers and businesses from various violations. This impacts the type of business decisions you are free to make.
- Measured by losses and rejections. When dealing specifically with RMP, the most obvious numbers to track are loss rate - the total cost of chargebacks, disputes, defaults, and other penalties that we couldn't recoup from customers - and rejections - specifically, ones that were confirmed as false positives.
A proactive approach to risk management dictates repeatedly identifying risk factors, understanding them, and acting on them. Root cause analysis is a key process that allows the understanding needed to make sure you are using the right tools for the right problems. Root cause analysis is an iterative process: first isolate a sample of problematic cases, review a few of them to analyze what happened with each of them that led to loss to identify various types of loss causes, then split the sample into smaller groups until you have several subsamples, each driven by a specific combination of reasons causing loss (or any other problem you're trying to solve).
Root cause requires tracking an application's lifecycle step-by-step in order to understand exactly what happened to it. For example, if the cause of the problem isn't clear when looking at purchase details but the purchase had a dispute (I use dispute to describe customers contacting you to complain about a problem with your service, rather than talking to their bank or another third party) tied to it, you may interview the customer-care agent that dealt with it. You may track the type of emails or other messages sent to the customer to see if something got lost in translation or in delivery. You may check whether the package was actually delivered and whether the customer's signature was collected. This kind of deep investigation provides the best hints for detecting similar cases in the future and fixing the problems that caused them.
Let's say you have commerce activity in a few countries, and one day in August you look at your chargeback reports (a chargeback is a process that starts with a consumer disputing a credit card charge for fraud or bad service with their issuer, followed by your acquiring bank pulling money from your account to compensate the consumer) and discover that you went from 0.2% in total chargeback volume to 0.4%. That's double the number, so obviously you're worried. What's going on? First you'll need to understand when the problem occurred. The fact that you got 0.4% in August doesn't mean a lot, because chargebacks come in at different times after the purchase. So you chart a graph by purchase date and discover that the bump stems from purchases made in April. What happened in April? Looking at incoming disputes you realize that complaints about nondelivery of goods peaked for purchases that month. It turns out that one of your suppliers was late and many customers got their products later than usual. Many complained and some gave up on the deal and charged back because customer-care staff was not properly briefed to give refunds. Loss? Indeed. Fraud? Not at all.
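The August investigation above, worked through as an added example that is not part of the original tutorial: the same chargebacks are rated by the month they were received and by the month of the underlying purchase, then the August report is split by purchase month and reason. All months, amounts, and reason labels are constructed, and the rate is assumed to be chargeback amount divided by that month's purchase volume.

```python
from collections import defaultdict

# Constructed sample data (not from the original page).
# Purchase volume per month, in dollars.
VOLUME = {m: 100_000 for m in
          ("2013-04", "2013-05", "2013-06", "2013-07", "2013-08")}

# Each chargeback: (purchase_month, received_month, reason, amount).
CHARGEBACKS = [
    ("2013-04", "2013-06", "fraud", 200),
    ("2013-05", "2013-07", "fraud", 120),
    ("2013-06", "2013-07", "fraud", 80),
    ("2013-06", "2013-08", "fraud", 110),
    ("2013-07", "2013-08", "fraud", 90),
    ("2013-04", "2013-08", "non_delivery", 200),
]

PURCHASED, RECEIVED = 0, 1  # tuple positions used as grouping keys


def rate_by(key):
    """Chargeback amount grouped by `key` month, divided by that month's volume."""
    totals = defaultdict(int)
    for row in CHARGEBACKS:
        totals[row[key]] += row[3]
    return {m: totals[m] / VOLUME[m] for m in sorted(totals)}


def drivers(received_month):
    """Split one report month's chargebacks by (purchase month, reason)."""
    split = defaultdict(int)
    for purchased, received, reason, amount in CHARGEBACKS:
        if received == received_month:
            split[(purchased, reason)] += amount
    # Largest contributor first, so the top entry is the lead to investigate.
    return dict(sorted(split.items(), key=lambda kv: -kv[1]))


def worst_cohort():
    """Purchase month with the highest chargeback rate so far."""
    rates = rate_by(PURCHASED)
    return max(rates, key=rates.get)


if __name__ == "__main__":
    print("by report month  :", rate_by(RECEIVED))
    print("by purchase month:", rate_by(PURCHASED))
    print("August drivers   :", drivers("2013-08"))
    print("worst cohort     :", worst_cohort())
```

Recent purchase months look artificially clean in the cohort view because their chargebacks have not all arrived yet, which is the same lag that made the August report misleading.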
Consider another one: you work for a payments provider and your ops team reviews purchases and suddenly they notice multiple iPod purchases. That immediately seems suspicious, so you take a look at whether there's something connecting them. Quickly you discover that all of these purchases, although seemingly done by different people, were all done from the same IP at a computer lab at a university in Nevada. What's more, most of the people whose identity was used don't live anywhere close to Nevada, and it doesn't seem like their kids go there, either. One fraud attack on an electronics retailer averted!
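The link the reviewers found by hand can be checked automatically. The following added example (not from the original tutorial) groups purchases by source IP and flags an IP only when it carries several distinct identities whose billing addresses are mostly far from the IP's location; the field names, thresholds, and sample rows are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample purchases (not from the original page). IPs come from
# documentation ranges; ip_state stands in for an IP-geolocation lookup.
FIELDS = ("id", "ip", "name", "billing_state", "ip_state")
ROWS = [
    (1, "192.0.2.10", "A. Lee", "OH", "NV"),    # university lab pattern
    (2, "192.0.2.10", "B. Cruz", "TX", "NV"),
    (3, "192.0.2.10", "C. Park", "FL", "NV"),
    (4, "192.0.2.10", "D. Roth", "NV", "NV"),
    (5, "198.51.100.7", "E. Shah", "WA", "WA"),  # shared office, all local
    (6, "198.51.100.7", "F. Boyd", "WA", "WA"),
    (7, "198.51.100.7", "G. Diaz", "WA", "WA"),
    (8, "203.0.113.5", "H. Kim", "CA", "CA"),    # one repeat customer
    (9, "203.0.113.5", "H. Kim", "CA", "CA"),
]
PURCHASES = [dict(zip(FIELDS, row)) for row in ROWS]


def linked_clusters(purchases, min_identities=3, max_local_share=0.5):
    """Flag IPs used by many identities that mostly bill far from the IP.

    min_identities and max_local_share are hypothetical tuning knobs:
    a shared IP alone is common (offices, households), so the second
    condition keeps those out of the review queue.
    """
    by_ip = defaultdict(list)
    for p in purchases:
        by_ip[p["ip"]].append(p)

    flagged = []
    for ip, group in by_ip.items():
        identities = {p["name"] for p in group}
        local = sum(p["billing_state"] == p["ip_state"] for p in group)
        local_share = local / len(group)
        if len(identities) >= min_identities and local_share <= max_local_share:
            flagged.append({
                "ip": ip,
                "identities": len(identities),
                "local_share": local_share,
                "purchase_ids": sorted(p["id"] for p in group),
            })
    return sorted(flagged, key=lambda c: -c["identities"])


if __name__ == "__main__":
    for cluster in linked_clusters(PURCHASES):
        print(cluster)
```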
A coherent and consistent framework or "risk language" must be used to describe the current state of affairs of your team's knowledge, assimilate new findings, and make sure that when a phenomenon is discussed using certain terms it is understood by everyone (analysts, modelers, developers, etc.) in a similar way. It has proven to cover most if not all phenomena while being sufficiently lightweight.
Fraud is a limiting definition causing us to look at the customer's intent as the root of all loss events. That is not the case. Misunderstanding, product issues, technical and process breakdowns, and general lack of financial planning can all lead to loss events. By looking at loss, we do not limit our thinking and investigative ability (this is why I choose to not use the term friendly fraud but rather abuse to describe some loss events). Customer behavior online is impacted by so many factors: your product features, the time of year, whether they had a little too much to drink and are aimlessly browsing the Web. They are often operating without malicious intent and, sometimes, without intent at all. The fact that they are sitting in front of a computer instead of physically interacting with a live human being impacts their mindset. They may have easier access to another's payment details at home or at work or just share a computer and not pay attention to who is logged in.
RMP domain experts must be able to understand a multidisciplinary collection of factors and processes that impact the eventual loss numbers, rather than look for malicious actions everywhere. This will also allow them to better cooperate with the revenue-creating side of your business. Losses have an impact on your margin not only by the money you lose but also as a result of the money you spend on risk activities; from direct cost for operations and data sources per purchase to investment in development of future models, risk is a cost center. Understanding that will help your team pay attention to their holistic impact on your business.
When data source usage is big, measuring overall spending on RMP activities is another important KPI (key performance indicator, the metrics you follow indicating your business' performance) to be measured and optimized. Data cost can reach the same level as losses and often much more, as could operational expenses on review staff. While this is an important aspect of the costs, this Tutorial and Course for Payment Risk Management is basic and only deals with the loss line.
Payment Risk Management: Approaches
How do we reduce the percentage of rejected customers and losses? The portfolio approach and the behavioral approach are the two leading complementary approaches to the analysis and optimization of losses.
Payment Risk Management: The Portfolio Approach
This approach looks at the company's portfolio of customers top down and looks for optimizations regardless of individual customers' behavior. This means that to reduce losses and rejections we need to provide an inflow of better customers—target safer industry segments, attract repeat consumers with lower risk profiles, etc., as well as block segments of ill-performing ones. If we need a shift in losses or rejections for a market or a large merchant, we can adjust our scoring threshold (which means a change to the trade-off between rejections and losses) to accept more or fewer consumers. Accordingly, this approach supports certain types of modeling and reporting that allow it to be effectively applied. The portfolio approach is most effective when dealing with long credit times: e.g., credit card, auto, and mortgage portfolios. This is because credit trends are local, sometimes hyperlocal, and are greatly impacted by macroeconomic trends not only for new applications (when I refer to principles relevant to both consumers and merchants, I use the term application(s)) but also in existing loans' due payments. The portfolio approach and its related modeling techniques have permeated from banking to RMP through companies like HNC/Fair Isaac and their alumni moving to PayPal, Amazon, and other large companies.
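The threshold adjustment mentioned above, and the loss and rejection measures from the Problems section, can be back-tested together. This added example (not from the original tutorial) sweeps a score cut-off over constructed score bands and picks the loosest cut-off whose loss rate fits a given risk appetite; it assumes a higher score means higher risk and that outcomes for every band are known in hindsight.

```python
# Constructed back-test data (not from the original page).
# Each band: (min_score, purchase_volume, losses, good_customers), where
# good_customers are applicants confirmed in hindsight to be legitimate.
BANDS = [
    (0,   500_000,   250, 5000),
    (200, 300_000,   450, 3000),
    (400, 150_000,   900, 1500),
    (600,  40_000, 1_200,  400),
    (800,  10_000, 2_000,  100),
]
CUTOFFS = (200, 400, 600, 800, 1000)  # 1000 accepts every band


def evaluate(cutoff):
    """Reject every band at or above `cutoff`; measure both sides of the trade-off."""
    accepted = [b for b in BANDS if b[0] < cutoff]
    rejected = [b for b in BANDS if b[0] >= cutoff]
    volume = sum(b[1] for b in accepted)
    losses = sum(b[2] for b in accepted)
    return {
        "cutoff": cutoff,
        "accepted_volume": volume,
        "loss_rate": losses / volume,
        # Good customers turned away: the confirmed false positives.
        "false_rejections": sum(b[3] for b in rejected),
    }


def pick_cutoff(appetite):
    """Loosest cut-off whose loss rate stays within the risk appetite.

    Returns None when no cut-off is strict enough, which signals that
    threshold tuning alone cannot meet the target.
    """
    fits = [r for r in map(evaluate, CUTOFFS) if r["loss_rate"] <= appetite]
    return min(fits, key=lambda r: r["false_rejections"]) if fits else None


if __name__ == "__main__":
    for c in CUTOFFS:
        r = evaluate(c)
        print(f'{c:>5}  loss {r["loss_rate"]:.4%}  '
              f'false rejections {r["false_rejections"]}')
    print("appetite 0.2% ->", pick_cutoff(0.002))
    print("appetite 0.3% ->", pick_cutoff(0.003))
```

Moving the appetite from 0.2% to 0.3% shifts the chosen cut-off from 600 to 800 and cuts false rejections from 500 to 100, which is the top-down lever the portfolio approach relies on.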
Payment Risk Management: The Behavioral Approach
This approach looks at the company's business as a discrete series of interactions with customers and aims to make the right decision in every case based on correct classification of the customer's behavior. While there are different ways to go about doing so, they generally agree - if we have a problem with losses or rejections, we must identify trends and behaviors that drive that trend and solve its underlying reasons. This usually means case-by-case investigation and uncovering of "root causes" for losses and rejections, in an attempt to correctly classify wanted and unwanted phenomena.
Which of These Methods Works Better?
They are complementary, with each fitting different circumstances. Both are highly effective when used correctly. The portfolio approach is especially effective when working in mature markets (where product issues and major problematic behaviors have been identified, modeled, and solved) and for dealing with macroeconomic risks (such as shifts in debt-to-income ratio due to high unemployment or targeting of a subprime population). The portfolio approach can also help guide a company's entrance to a new market: it is easier to set standards for what are "safe" industry segments to target and mid-market merchants to partner with than to predict individual behaviors when initially entering a market.
The behavioral approach is effective and needed when you deal with high-magnitude risks or in cases where behaviors can change rapidly. In RMP, a large proportion of loss cases are a result of a malicious and planned action by a prepared adversary. Those patterns change rapidly in response to your actions and any weakness you may expose, since there is clear incentive for overcoming your defenses. In addition, unlike with long-term loans such as credit lines, every purchase or merchant on-boarding (on-boarding means deciding to accept the business as your customer) is a decision point. At that point, your decision or the user's behavior may change, allowing flexibility in response from both sides; the portfolio approach is limited at dealing with such threats. Therefore, to deal with fraud, abuse, and nascent markets, one must be able to use the behavioral approach, while for mature markets and credit decisions, you must be able to use the portfolio approach to make top-down trade-offs.