August 19, 2016
After the Dust Settles: N.J. Fraud Ring Raises Questions for Acquirers, Merchants
By D.J. Murphy, Editor-in-Chief, CardNotPresent.com
When news broke recently about a massive credit-card fraud ring based in New Jersey, the headlines screamed about the $200 million in losses that U.S. Attorney Paul J. Fishman said could grow as knowledge of the extent of the sophisticated scams grew. Instead of targeting consumers and buying big-ticket items with stolen credit card information, however, the 18 men charged in federal court mostly defrauded financial institutions, getting tens of thousands of credit cards issued to more than 7,000 false identities.
Even more problematic, the thieves allegedly created dozens of completely fictitious businesses that were able to receive merchant accounts and card-acceptance capability. Once secured, the defendants are accused of filling the accounts with false transactions using the fraudulent credit cards and cleaning out the accounts and repeating the cycle until processors, acquirers and ISOs caught on and shut the fraudulent accounts down.
Observers still are marveling at the time, patience and meticulous care required to nurture false identities worthy of high credit ratings on this scale. It was a new twist on an old con the accused had allegedly been running since 2007. But, the episode also has highlighted what some in the industry are calling “woefully inadequate” underwriting coupled with market conditions in which shrinking margins are ratcheting up the pressure to onboard merchants quickly.
Underwriting Must Evolve
Rey Pasinli, executive director at Southern California-based ISO Total Apps, says current conditions in the payment processing market are fueling an environment that is ripe for fraudsters. Savage price competition has commoditized credit-card processing to the point where profit margins are steadily eroding and each merchant client generates less revenue over time, according to Pasinli.
“In order to combat this decrease in revenue per merchant, the agents, ISO’s, processors and acquirers must proportionally increase the number of applications they approve per month,” he explains. “The end result is a lot of accounts are approved based on how much revenue potentially can be generated versus how thoroughly the application was vetted.”
Pasinli says his organization has seen a noticeable increase in fake-merchant applications. He calls current underwriting protocols in use by acquirers “woefully inadequate” and says they must adapt to become more relevant.
“I get underwriters asking for merchant-application supporting documents that have zero relevance or benefit in underwriting a merchant’s level of risk,” he says.
Good underwriting is time consuming, and the steps many acquirers currently are taking—which might include matching addresses to actual locations, seeing if a company has readily apparent privacy or delivery policies and terms of service, a Better Business Bureau record, complaints on file, a working Website, etc.—need to evolve along with fraudsters, according to Jeffrey De Petro, senior vice president of risk and underwriting for Amsterdam-based payment services provider Payvision. And, it doesn’t end when the merchant’s application is approved and the terminal installed.
“The acquiring community will have to enhance their underwriting procedures to keep ahead of the new tricks fraudsters use to gain access to merchant accounts,” De Petro says. “Further underwriting requirements and ongoing daily monitoring of the activities, Websites and processing, will also need to be performed to ensure any fraud can be eliminated and the fraudsters prevented from gaining access to merchant accounts.”
One tactic some acquirers use to validate merchants before granting card-acceptance capability is retaining a company that performs physical site visits. Financial underwriting procedures combined with physical validation of a merchant location should eliminate most fraudulent merchant applications, according Brad Meyer, president of Trinity Field Services, a Dallas-based company that specializes in site visits for the mortgage lending, insurance and merchant acquiring industries.
While many companies provide these types of services, however, many acquirers do not want to devote the additional time and expense site visits require, Meyer explains. And, as Pasinli noted, the pressure to onboard increasing numbers of merchants in the face of decreasing margins leads to short cuts.
“There are quite a few acquirers who do not do the physical onsite inspection,” Meyer says. “They say it isn’t a big deal and that they can shut [fraudulent merchants] off any time.”
But, a quick trip to Google Maps, which is how many acquirers handle a visual validation, he notes, is not a good substitute for sending a person out to validate a business.
“A really sophisticated crime ring can take something and make it look real for Google Maps,” he says. “But getting human eyes on a storefront makes it a little bit harder for them to get by.”
Merchants’ Burden Increases
While high-profile fraud events like the one that will begin to unfold in federal court in New Jersey lead observers to assign blame in the name of “we can’t let this happen again,” the flip side is a merchant population that just saw it get harder to do business.
Never an easy prospect, applying for a merchant account and enduring acquirers’ attempts at authentication probably just got more difficult for new merchants that want to accept credit cards. In light of a $200 million loss, the industry likely will heed a general call to tighten underwriting standards.
“It is conceivable to believe that acquirers would institute further due diligence to ensure fraudulent applications and merchants are uncovered and prevented from obtaining a merchant account for the fraudulent sales usage,” says Payvision’s De Petro. “Enhanced due diligence and ongoing monitoring are vital to ensuring a portfolio absent of fraudsters.”
At the moment, regulators have not weighed in on underwriting standards and how they might change. For the moment, any action taken will be by acquirers themselves in an effort to stave off further losses. The competitive environment, however, will not change nor will the tension between diligent underwriting and the pressure to onboard merchants at a faster rate. So, whether any new standards will truly reduce fraud or simply represent self-imposed barriers acquirers need to find new ways around remains unclear.