As digital transactions become more prevalent, payments teams are increasingly on the front lines of defence against fraud, making KYC processes more crucial than ever. Fraud tactics are evolving, and payment departments must be proactive in their strategies to protect both businesses and consumers.
Rahul Das, Director of Payments at LiveScore Group, shares his insights into this complex landscape, exploring how payments teams can combat identity attacks, strengthen fraud prevention through collaboration, and leverage KYC and emerging technologies to ensure secure and seamless transactions.
Payment Expert: What are some of the key trends in fraudulent activity you’ve observed recently, and how are payments teams adapting to these new challenges?
Rahul Das: The first challenge is to frame the nature of fraud: PSD2 means that payment transactions are authenticated/challenged, so chargebacks are at all-time lows, but that doesn’t mean there’s no fraud.
We are seeing an uptick in impersonation fraud, as syndicates try to deploy the personal data stolen from genuine individuals to create accounts to exploit acquisition bonuses.
It’s an arms race against the syndicates, who are well-trained, technically capable, and of course motivated – operators need to deploy new technologies, payment methods, and masses of analytics resources to identify the patterns of abuse and close it down.
PE: How can data sharing and collaboration between payment departments and operator teams improve overall fraud prevention efforts?
RD: This aspect is critical – without sharing data across departments, it’s hard to spot the bad guys from the good.
For example, if a payments team focuses just on chargebacks from an issuer, then everything may look quite rosy. However, by analysing the profitability of customers using a particular issuer/card type, in conjunction with other segmentation data, a fuller understanding can be had.
This insight, in combination with rules/fraud engines at the disposal of Payments teams, can help the organisation fight fraud. The fraudsters are sophisticated, as it’s not just chargebacks and stolen cards, so the response to them needs to be just as enlightened and multi-faceted.
PE: What inspiration can operator payments departments take, if any, from the financial services and banking sectors when it comes to fraud prevention?
RD: There’s a lot we can learn from financial services – just as challenger banks have created great user experiences in onboarding and fraud prevention, we must do the same.
The Fintech sector has also helped make consumers more comfortable with verifying their identity electronically (e.g. biometric video checks on top of document capture and using/sharing data via Open Banking). Operators can benefit from this consumer familiarity and deploy new technologies with a little less worry now.
For example, 3D Secure is ubiquitous after the PSD2 rollout – gone are the days when ‘walkaways’ and ‘cart abandonment’ were a major worry. Now, we see an uplift in acceptance rates when 3D Secure is enabled.
PE: What are some of the day-to-day challenges when it pertains to combatting payment fraud? Could you give us a brief outline of the processes involved?
RD: The fraud is multi-layered, with multiple objectives. Each of these objectives (e.g. impersonation fraud vs. access funds from stolen payment instruments) requires a different approach. The fraudsters are sophisticated, and their knowledge of how to hide their tracks requires at least an equal understanding in-house or the use of specialist vendors.
It’s hard to know what you don’t know – keeping up with fraud trends, getting very familiar with your own data/signals, and acknowledging that you don’t know it all are key to keeping up with the bad guys. Avoiding complacency is the biggest challenge.
PE: How can emerging technologies like Artificial Intelligence and Machine Learning be leveraged by payments departments to enhance fraud detection and prevention?
RD: This is a tricky one and very quickly lands up in a ‘build vs. buy’ discussion. While Payments are a source of success for a business, it’s not really core to the business model from a technology perspective.
This is possibly where my views diverge from a lot of my peers – if we have five developers assigned to a payments workstream to work on improving the user experience, I think it’s money well spent. But if they are instead working on updating SDKs and APIs to the latest iteration from a PSP – with no discernible uplift to the user experience/fraud rate – then it’s best to outsource it and hand the developers over to the Gaming or Sportsbook teams.
Similarly, when it comes to using AI or ML to enhance fraud detection and prevention – these are complex problems that require data from across the business to build these models. The domain is vast, and it’s a challenge to have staff who understand the data to that extent across business units. AI/ML could help solve some of these problems – but then you need the staff to train the models too and assess the output.
Managing our ambitions is key here.
For example, we already have AI/ML models deployed narrowly to assess the riskiness of payment transactions. However, the risk being mitigated here is the chargeback risk. These are also bought from our PSPs and apply only to specific use cases. To mitigate other forms of risk (e.g. impersonation fraud, arbitrage players etc.), we would need to have these models built in-house and to be able to execute in real-time. The time will come for these more complex use cases – but not quite yet.
PE: Is the industry adequately prepared for the threat posed by AI-driven fraud, particularly advanced methods such as deepfakes?
RD: In some ways, yes; in others, no. The hard part here is detecting the use of AI-driven fraud, as most issues already have a solution provider. It would be naive to think that we’re the first company experiencing a particular type of problem.
As I like to say, our product is money, and to use an old quote – “follow the money”. Impersonation fraud, chargebacks, money laundering etc. always come back to displaying the same symptoms: business losses.
If you’re able to segment your customer base sufficiently (e.g. by marketing campaign, demographics, payment method types etc.), then you’ll start to see the patterns of abuse emerging.
PE: From your experience, what are the best ways to integrate KYC into payment systems for strong identity verification while ensuring a smooth user experience?
RD: This is an evolving area, and it depends on the market in question. The only way to smooth the user experience is through building reams of market-specific matching logic to compare identity data to information received from payment providers. The gold standard when it comes to data is Open Banking (“OB”) – but, in my opinion, it is still clunky, so I think players do need to be compensated in some way (e.g. enhanced offers, faster withdrawals, higher transaction limits etc.) for the friction imposed on them. OB does create friction – but the ‘blame’ is shared with the banks (and unique per bank) – so it can be viewed by the player as acceptable with a little incentive.
The UK consumer is used to a low-friction onboarding process, where operators use credit bureaux to verify consumer identities silently. While this approach gives customers the smoothest user experience, it is vulnerable to exploits where lists of consumer identities are compromised, especially if funding is through cards. In our experience, there are some major card providers that don’t appear to verify the name of the payer through their systems and only provide a modicum of assurance through the use of tools like the Address Verification Service (AVS).
My thinking right now is that some friction is inevitable – it is a case of determining when is best to introduce the friction, compensate for the inconvenience, and how to mitigate the impact through technology (matching logic, enhanced APIs to support payer data etc.).
PE: Could the relationship between betting operator and payment provider be improved, in terms of sharing knowledge to enhance one another’s operations?
RD: Yes. We have regular conversations with our PSPs to discuss data sharing and to get away from manually processed RFIs (Requests For Information) to assist them with their own compliance objectives and to simplify our own. We also work closely with the PSPs to implement technology that can help them detect and fight fraud better (i.e. their Fraud and Identity SDKs).
It might sound like we’re already there…but we’re not. PSP support for extra data fields to help operations on both sides is done on a one-off basis, and the level of support/flexibility between PSPs varies greatly. Often, data is available in the PSP back-offices that isn’t available via API or SFTP, forcing manual workarounds.
Utopia is well-understood and well-defined, and we’re closer to it with some PSPs and a long way from it with others.
PE: Many consumers share concerns about fraud in Open Banking. How can the industry address this to encourage adoption of this technology for gaming payments?
RD: Open Banking payment transactions can’t be recalled, so there’s a degree of risk that comes to the consumer from that perspective – in case they don’t get value for their purchase/deposit or pay the wrong account.
Payments to most merchants must be authenticated using the consumer bank’s payments app, so they can be considered secure and at least equivalent to 3D Secure v2. Moreover, till VRPs (Variable Recurring Payments) are rolled out, every transaction has to go through the rigorous bank app authorisation process (unlike with Card Transactions, where just the first transaction has to go down the 3DS route) like with iDeal in the Netherlands.
This is where the gaming industry needs to follow the lead of FinTechs, who have been able to show the way to consumers with their Open Banking (including VRP) implementations. If VRPs aren’t available to regular (non-FinTech) merchants, OB will mean added friction to players for using OB; gambling merchants will need to incentivise the use of OB in order for customers to adopt OB. The benefits to merchants are clear – fixed-price transactions, no chargeback risk, high-quality payer data – and we need to pass on some of the savings to players now to drive adoption.
PE: What do you think will be the key insights Payment Expert Summit attendees will gain in Lisbon regarding fraud identification and prevention?
RD: The format of the series is unique, and most speakers will debate vigorously and encourage audience participation.
The fraud identification and prevention space is changing rapidly, and as a gambling industry event, the experts all share similar challenges and have approached solutions differently. The diversity of thought, markets, technology solutions and regulatory risk appetite guarantees that there’s something for everyone – but you must be prepared to ask your questions!
AI/ML will no doubt be on the agenda, so learning about the pitfalls/limitations and opportunities will be interesting. Open Banking promises much, but seems to have the gestation period of a herd of elephants. All while the bad guys are getting bolder and more sophisticated, requiring smarter solutions from merchants.
It promises to be a cracker of a conference!
Rahul Das is one of many key payments and betting stakeholders speaking at The Payment Expert Summit, part of the upcoming SBC Summit, at the Feira Internacional de Lisboa from September 25-26.