RiskConnect 2018: the anatomy of a good risk management strategy

On 29-30 November 2018, thought leaders and industry experts met at RiskConnect conference in Frankfurt to discuss the newest challenges that risk professionals face within the payments industry and to provide hands-on knowledge they can use in their daily work. RiskConnect is organised by Web Shield, one of the leading onboarding, underwriting and monitoring solution providers.

The event started with a presentation held by Pulitzer Prize winner Carl Bernstein on fake news, the impact this has on our societies and the way truth is perceived via ‘fake news lenses’. Bernstein has preached the gospel of finding ‘the best obtainable version of truth’, stressing the fact that journalists are similar to data miners, permanently searching for info, and that their ultimate role should be connecting these data to offer the best obtainable version of truth. This ideal can be achieved if we present information in context, as simple facts presented isolated from the bigger picture do not cover the truth. A crucial role in this system is played by the validation of our data sources.

He concluded his presentation by drawing a parallel between the role of journalists and risk management professionals, as both categories use similar investigative principles to grasp the whole picture of a given situation / merchant profile, for instance. When you don’t know/suppose you know the truth you face a risk, the risk of missing out the factors that made that truth happen, of not knowing what will be the right consequences, of being part of a distorted world, hence, facing unreal consequences/facts.

What exactly is risk?

There have been a lot of debates around this concept, as it is not a fix, but a variable one, depending on the degree of risk a business/person is willing to accept, the impact the accepted risk has on the business/consumer, risk appetite, the way it makes a business/consumer feel when they take a particular risk etc.. Nevertheless, risk can be monitored/assessed due to ISO 31000 standard on ‘Risk management – Principles and guidelines on implementation’ that states that the process of risk management consists of several concrete steps, such as establishing the context and identifying potential risks and assessment - once risks have been identified, they must then be assessed as to their potential severity of impact.

According to Shaun Lavelle, Senior Vice President Risk, Payment Processing, Paysafe Group and Bill Trueman, Director, RiskSkill the concept of high-risk is meaningless if the types of risk are not specified. Moreover, the lack of a proper risk scoring analysis can be caused by not taking into consideration operational risk, currency risk, reputational risk, fraud and regulatory risks.

For instance, at the moment there are too many shady merchants under some acquirers’ custody conducting illegal activities, such as child pornography, nutraceuticals, and unfair billing practices causing great fines applied to these acquirers by the regulators/schemes. Not to mention the different perspectives regulators have over these risks and the vast terminology used within this market (that not everyone understands/has consensus over its meaning). Within this context, risk managers plan hard - and put-in place early –warning processes and measures to avoid their business going bust.

Bitcoin, ICOs, crypto… a risky business?

Over the past few years, cryptocurrency has grown exponentially and it seems that a new cryptocurrency pops up every day (currently there are more than 1500 available). The appeal of making a fortune by joining the cryptocurrency market is enticing with mining facilities multiplying and the emergence of “Initial Coin Offerings” (ICOs). Similar with IPOs, ICOs enable startup businesses to raise capital for their projects by issuing their own digital tokens.

However, fraudsters are also exploiting this new digital asset ecosystem. For instance, there are sites that teach you how to launch an ICO in just 20 minutes, or others that through deceiving advertising trick users into thinking that they are buying ‘the next worldwide crypto’ (when actually they don’t receive anything). Also by co-opting well-known brands, such as card schemes – Mastercard, Visa – or by using celebrity names/faces in a deceiving way, ICOs can gather over 30,000 registrants in just a few days, according to the Canadian Financial Authority investigators Annie Leblanc and Maude Blanchette.

The good news is that there are regulators and authorities throughout the world, such as the North American Securities Administrators Association (NASAA), European Securities and Markets Authority (ESMA), Financial Action Task Force (FATF), and many others that monitor these fund raising activities/transactions, investigate any illegal/illicit/deceiving involvement and prosecute where needed.

How to lower the risk?

Mastercard and Visa are preparing their clients/merchants on how to deal effectively with the evolving risk management challenges. During RiskConnect, Jonathan Trivelas, Director, Customer Compliance and Fraud, Mastercard, covered Mastercard’s Business Risk Assessment and Mitigation (BRAM) program and its latest requirements concerning high risks merchants. These initiatives are called AN 1683—Addition of High-Risk Securities Merchants to the BRAM Program and Revised Standards—High-Risk Securities Merchant Registration and AN 1695—Addition of Cryptocurrency Merchants to the BRAM Program and Revised Standards— Cryptocurrency Merchant Registration and apply mainly to cryptocurrency use and chosen high-risk financial instruments trading. This includes recent developments regarding cryptocurrency merchants, high risk security traders (Binary, Forex, etc.), sports betting and high risk negative option billing merchants.

These standards came into effect on October 12th, though discussions around them have been started by Mastercard in spring 2018. Generally speaking, they apply to high risk merchants. It is also worth mentioning that ESMA (European Securities and Markets Authority) has already taken the intervention measures and temporarily prohibited the marketing, distribution or sale of binary options to retail clients. AN 1683 and AN 1695 also aim to provide legal opinions on the possibility of carrying out cryptocurrency business in a particular country.

In a world where anyone can be a merchant, everyone can be a customer, and the regulatory environment continues to extend their enforcement. Another option to lower this risk is to leverage global data points to automate and revolutionise online verifications and fraud prevention.

There are companies such as 4Stop or IdentityMind that, through the power of data, they can achieve automated risk mitigation, even for … cryptocurrency transactions, as technology has the capability to deanonymize an address on the Bitcoin network, thus attaching it to the real world identity of the person controlling it. Once this happens, all transactions made from and to this address become visible and traceable since the beginning of the blockchain and till the very last block.

Education in risk management is crucial

We have the tools and technology, we have the regulations and best practices examples, but how can risk professionals establish a knowledge base in an industry that lacks an established professional educational path and is evolving as quickly as it is? Clearly, by setting industry standards for professionalism and proficiency for the acquiring industry. There are a few associations, companies, groups like Electronic Transaction Association, Web Shield, Merchant Acquirers Committee that through programs, trainings, book releases, events, and many more are trying to offer new market players the tools to understand the risks associated with financial services.

We cannot but agree with Jason Oxman, CEO, Electronic Transactions Association who says “Through the ETA Certified Payments Professional program, as well as ETA’s new Self-Regulation Program, we are raising the level of education and professionalism in the payments industry, and events like RiskConnect help us increase awareness of the importance of global partnerships.”

We want to take this opportunity to thank the Web Shield team for inviting us for the RiskConnect event and conclude by adding Christian’s Chmiel, CEO&Founder Web Shield remark: “In the fight against fraud, education and collaboration are at least as important as technology”.

About Mirela Ciobanu

Mirela Ciobanu is a Senior Editor at The Paypers and has been actively involved in covering digital payments - related topics, especially in the cryptocurrency, online security and fraud prevention space. She is passionate about finding the latest news on data breaches, machine learning, digital identity, blockchain, and she is an active advocate of the need to keep our online data/presence protected. Mirela has a bachelor degree in English language and holds a Master in Marketing.