Government Relations Newsletter: Vol 10 Iss 3: "Payments Risk Management ..."

Posted By: Kevin Lambrix Government Relations,

Payments Risk Management in an Increasingly Challenging Regulatory Environment

By: The MAC Government Relations Strategic Interest Group

Over the past several years, the payments space has witnessed increased regulatory involvement from the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Federal Trade Commission (FTC), and the Consumer Financial Protection Bureau (CFPB), among others, as a result of concerns regarding deceptive practices harming consumers. As technology continues to evolve, more products are available, offering a more seamless and easy process for accepting payments and accessing other products. This has led to a changing landscape with newer players, such as Fintechs offering a broad spectrum of products that can encompass card acceptance, ACH, lending, and other financial products like Buy Now Pay Later (BNPL). This changing and expanding landscape has generated a new level of regulatory focus and requires a broad-based skill set to manage risk.

While these products are meeting the demands of today’s consumers, it is still important to ensure that these products are being offered in a way in which the consumer is clear on what products or services they are purchasing. Many of these products are not new, but the marketing and delivery of these products in a digital manner are expanding quickly. Card acceptance, ACH, and lending are traditional products but can be offered by Fintechs via an application programming interface (API) such that a merchant can leverage one Fintech to access all of these products. This digital form of delivery offers a more seamless distribution by leveraging APIs and relationships between a Fintech, merchants, and other providers such as financial institutions.  

At the same time, regulators have started looking more closely at the products offered by Fintechs, and how those products are marketed and sold. Specifically, there has been recent legal action by the CFPB focusing on digital patterns or websites that are designed to manipulate consumers. The CFPB has also announced that it will examine nonbank financial companies that pose risks to consumers. This is in addition to the preexisting focus on merchants, and their merchant acquiring and Fintech partners, whose marketing methods and tactics have the potential to deceive consumers. Whether an integrated software vendor (“ISV”), Payment Facilitator (“PayFac”), or traditional payments provider such as a merchant acquirer, all participants in the payments industry must operate with a clear understanding of where regulators are focused. This regulatory understanding should translate into day-to-day risk policies and procedures, as well as the tools necessary to automate and support them.

Resources and Tools

Between the card brands, industry associations like MAC, and other resources, there is much documentation available on best practices to ensure merchants and their providers of merchant services properly market products and services. Over time, these practices have expanded with new tools and methods to access data. These data access and analysis tools allow Fintechs and other providers to underwrite new merchants and provide ongoing monitoring of existing merchants in an automated, easily scalable way. They include APIs that automate the process of assessing creditworthiness, identity verification, bank account validation, and MATCH checks, as well as models for auto approvals and more. From a monitoring perspective, today’s risk systems automate the exception-based rules used and align with merchant information to provide a risk team with the information necessary to decision a merchant. Artificial intelligence (AI) and machine learning are also being used in risk management systems, and both are also a focal point for regulators. Ultimately, these tools help risk managers identify fraud and mitigate losses and are all examples of best practices to ensure merchants are properly marketing their services. Depending on your organization, some of these practices may be automated. However, at some point, these processes still require some level of human intervention to execute a decision. For example, a URL monitoring service can be purchased from a third party to automate the process of identifying potential web content or transaction laundering issues, but a risk analyst is still required to decision any individual issues identified. This, along with other daily underwriting and risk work, can be somewhat manual and require additional resources.

The multiple processes in place to manage risk, combined with the multiple systems and tools required to manage risk, can become inefficient, making it harder to meet expanding regulatory expectations. This also leads to difficulty scaling a business for growth and can require more risk and compliance headcount. In order to solve for these challenges, companies managing risk in the payments space must be able to leverage automation to efficiently manage risk.

The Modern Risk Manager’s Skillset

The challenges and complexity of today’s risk environment require today’s risk managers to not only manage risk, but also to effectively operate within multiple disciplines. Specifically, today’s risk managers must be able to understand traditional risk management and be well versed in legal and regulatory issues, data management, and financial analysis. They must also be effective leaders and communicators on a cross-functional team. Not only does this mitigate fraud risk and potential losses, but it ensures that appropriate focus can be placed on merchants operating in a manner that could be considered deceptive.  


First and foremost, a risk manager must be skilled in risk management. This requires all of the skills and experience that are well documented and inherent in most payment companies. A risk manager must have a thorough understanding of credit risk, inclusive of AML/KYC policies, to create and manage the supporting policies and procedures. In addition, a risk manager must have knowledge of transaction monitoring and the supporting procedures, and the experience necessary to manage merchants that are identified for excessive volume, declination activity, chargebacks, and other indicators of potential problems. A risk manager should have the ability to understand the risk environment and existing and new products supporting payments. A risk manager must be able to evolve as trends change and build teams and systems for a growing business to mitigate risk.

Legal and Compliance

This includes working closely with available legal resources to ensure the risk manager is current on regulatory actions in the industry. Actions taken by regulatory agencies in the payments space clearly depict an expectation that processors should know who they are doing business with and have the systems and tools in place to monitor for actions that could be considered deceptive to consumers. This can mean implementing additional steps in the underwriting process to better identify legitimate businesses, as well as avoiding tactics such as load balancing. From a transaction monitoring standpoint, web content monitoring and assessing transaction laundering require additional expertise and tools. An important part of this is to be able to work with compliance and legal functions to properly interpret the current legal and regulatory environment and then translate this understanding into policies and procedures that mitigate the risk posed by current legal and regulatory trends. The potential fines and legal costs associated with these types of actions demand that today’s risk managers position their organizations to mitigate this risk.

Data Management and Analytics    

As the need to mitigate financial and regulatory risks has increased, today’s risk manager must also be skilled in data management and how data flows through the various systems used to board and process for merchants. As risk tools continue to evolve and leverage machine learning and artificial intelligence, the ability of a risk manager to understand, manage, and document the necessary data elements and requirements to leverage new systems and tools is critical. This can come in the form of building a business requirements document that outlines all of the data elements and how these data elements are used to build or modify a risk system. This would involve working with IT and Project Management teams to properly document requirements relative to the current IT infrastructure. These requirements should reflect evolving risk trends and the need to ensure that risk systems are modified to reflect this.


At the same time, the financial acumen necessary to justify the investment in evolving risk tools plays an important role. As resources are limited in any organization, a financial model showing that a risk system provides an acceptable ROI will help justify the investment. This starts with engaging the financial resources within the company and working with them to develop a cost/benefit financial model that clearly outlines the anticipated revenue, incremental costs, and return on investment required. Topics to consider include possible new revenue streams from merchants that may have been avoided in the past for risk reasons but which can now be pursued with better risk tools. Also included would be efficiencies gained with an enhanced risk system in the form of less daily work and reduced headcount. This will help justify the cost of the investment and allow the senior management team of the company to weigh it against the company’s other competing capital expenditure (CapEx) needs.

The various skill sets required of today’s risk manager demand the ability to be an effective communicator on cross-functional teams. The reliance on other areas of the organization such as legal, finance, product, sales, information technology, and operations requires the risk manager to understand the role of risk for the broader organization and to communicate it effectively in order to build teams, design risk systems, justify an ROI, and work with other teams in the organization. By doing this, today’s risk manager can effectively mitigate traditional financial risks as well as the expanding regulatory risks that result from new products and services.