Addressing merchant fraud and the KYC challenge for B2B platforms and aggregators

This article was first published on Medianama, dated December 9th, 2020.

By Asheeta Regidi and Reeju Datta

Many Business-to-Business (B2B) service providers today perform a function much like payment aggregators (PAs), of on-boarding merchants into the digital ecosystem. Whether through easing access to financial services, markets access or resolving any other issue via a range of services, these players enable businesses of all shapes and sizes to explore their potential.

PAs, banks, Business-2-Business (B2B) and Business-2-Consumer (B2C) e-commerce marketplaces, aggregators of offline retailers (like digital bookkeeping apps), non-bank lending to Small-Medium-Enterprises (SME), B2B neo-banks, and others (collectively, ‘Aggregators’) all play a similar role. While these players bring benefits like efficiency and financial inclusion, they also encounter the same problem, the scale of which is fairly unique to India, of tackling merchant fraud¹.

Fraud during online transactions is very often associated with payment processing, and payment processors and PAs consequently. Today, as providers of indirect access to the financial system, effective end-merchant verification is an equally crucial challenge for all Aggregators.

Fraud at the merchant level

Transaction level fraud in payments, such as unauthorized transactions via stolen cards/phishing or false refund/chargeback claims, often occurs at the individual level, and is largely mitigated due to mandatory two factor authentication². However,  merchant level fraud occurs at the business level, and is rampant. The larger scale is because multiple users can be duped at once, also making merchant fraud the major cause of fraud induced losses for PAs.

The fraud itself can occur through multiple means:

• An inoperative business posing as an operative one
• A restricted/prohibited business posing as a lower risk business
• A fake storefront set up to execute bust-out fraud

Different service providers face different types of merchant frauds. For example, while e-commerce marketplaces face issues with sale of inauthentic products or non-delivery, lenders providing business loans can find that these are utilised for personal purposes or were disbursed to shell companies. The aim of the fraud can also vary, PAs, for example, face fraudulent transactions which aim to dupe users, and also money laundering and tax evasion tactics which aim to dupe the authorities. Identity, however, often forms the crux of merchant fraud, whether as a fake business or a legitimate business conducting fraudulent activities.

Challenges and solutions for merchant fraud detection

The means of deception can range from forging identification documents, creating fake business profiles/storefronts, forging invoices/ receipts, restructuring transactions to fall below reportable thresholds and other techniques. To effectively monitor fraud, a holistic approach, involving the merchant’s entire portfolio and proper technological support is thus, required.

Applicable regulatory mandates also require risk management frameworks comprising pre on-boarding Know-Your-Customer (KYC) and screening, and post-on-boarding monitoring of merchant behaviour and transactions. These do however permit risk-based flexibility with actual adopted solutions. Internal risk profiling, periodic updates, and fraud reporting (to the Financial Intelligence Unit of the Government (FIU-IND)³, Central Bureau of Investigation/Police⁴, Reserve Bank of India’s (RBI) Department of Banking Supervision⁵, and others) are also required. Even where there are no mandates, Aggregators carry out these via self-imposed checks. Different checks allow recognizing different fraud indicators, and in the process also encounter specific challenges:

• Digital on-boarding processes: Consider the digital checks backing increasingly digital on-boarding processes, for example the RBI

Regulatory steps to improve fraud management

Along with the above steps that Aggregators can take, regulatory initiatives (that are balanced with ease of business) can also help. Currently, all ‘regulated entities’ (PAs, non-bank lenders and others,) have to conduct merchant due-diligence and KYC as per the RBI’s KYC norms⁶. Applicable regulatory frameworks for specific Aggregators—PA Guidelines⁷, Consumer Protection (E-Commerce) Rules ⁸, 2020, NBFC-P2P Lending Directions⁹, Trade Receivables Discounting System Guidelines¹⁰, among others—also mandate steps to protect end-customers. There are a few further steps that regulators can implement to help ease verification processes:

1. Improving merchant fraud data and access: Existing published data on financial fraud 

Enabling proper fraud safeguards

While fraud primarily impacts consumers, involved entities aren’t spared either, be it through regulatory sanctions/fines, legal action, chargeback liability, or significantly, damage to reputation and public trust¹¹. The Phatak Committee¹² identified on-boarding as the biggest hindrance in bringing India’s 45-60 million merchants (including mom and pop stores and small format merchants) online. B2B services and aggregators play an important role, and the suggested steps work towards both effective fraud tackling and removing on-boarding friction.

Digitisation with proper safeguards are thus essential on both counts.

1. Article by Ron Teicher: Three Types of Merchant Fraud: A Guide For Merchant Acquirers, Finextra, dated November 21^st, 2017.
2. RBI Notification: Security Issues and Risk mitigation measures related to Card Not Present (CNP) transactions, RBI/2011-12/145, dated August 04, 2011.
3. Website of Financial Intelligence Unit – India.
4. RBI Notification: Frauds – Classification and Reporting, RBI/2014-15/85, dated July 01, 2014.
5. RBI Notification: Master Direction – Monitoring of Frauds in NBFCs (Reserve Bank) Directions, 2016, RBI/DNBS/2016-17/49, dated September 29, 2016.
6. RBI Notification: Master Direction – Know Your Customer (KYC) Direction, 2016, RBI/DBR/2015-16/18, updated on April 20, 2020.
7. RBI Notification: Guidelines on Regulation of Payment Aggregators and Payment Gateways, RBI/DPSS/2019-20/174, updated on November 17, 2020.
8. Ministry of Consumer Affairs, Food and Public Distribution Notification: Consumer Protection (E-Commerce) Rules, 2020, The Gazette of India : Extraordinary, dated July 23, 2020.
9. RBI Notification: Master Directions – Non-Banking Financial Company – Peer to Peer Lending Platform (Reserve Bank) Directions, 2017, RBI/DNBR/2017-18/57, updated on December 23, 2019.
10. RBI Guidelines: Guidelines for the Trade Receivables Discounting System (TReDS), updated on July 02, 2018.
11. Media Report by Himanshi and Ashwin: Digital payment firms join Paytm in fight against Trai, telcos over financial frauds, The Economic Times, updated on September 22, 2020.
12. RBI Publication: Report of the Committee on the Analysis of QR (Quick Response) Code, dated July 10, 2020.