Cents Chat

California Circumvents CFPB, Fraudulent Fund-transfers Frazzle Government, Authorization Attrition

Jason & Hayden Season 2020 Episode 15

CFPB was deemed useless, and financial enforcement is down 80% from 2015, but California thinks they have the cure.

What Nigerian hacker ring claimed the unemployment benefits of thousands of Americans, and how do we protect ourselves when the government can't even protect itself?

COVID has crushed e-commerce authorization rates, is EMV 3DS the answer?

SPEAKER_01

Welcome to this episode of Cents Chat with Jason and Hayden. Let's jump right in to make the payment make sense. Happy Wednesday, Jason. It's another warm morning here in Newport Beach. And speaking of the warmth, we have some heat coming through this weekend, which is perfect because it is Labor Day weekend.

SPEAKER_00

You know what I've never understood about Labor Day weekend, Hayden? It says Labor Day. People should be in the office working. I'll be excited to see you here on Monday.

SPEAKER_01

Sorry, Jason, but I am for sure taking my three-day weekend, and I know you can hold it down, so I know we're okay. Let's jump into today's topics. First, California circumvents CFPB, but will they get it right?

SPEAKER_00

Next, fraudulent fund transfers, frazzle government. Big surprise.

SPEAKER_01

And last, authorization attrition, how COVID crushes e-commerce. Jason, California is expected to create a new financial protection watchdog agency by the end of August. Under the Obama administration, CFPB was responsible for consumer protection in the financial sector. But under the Trump administration, as well as COVID adding some speed bumps, CFPB has been deemed useless. NPR reports that enforcement is down 80% from 2015, and money returned to consumers has dropped to a whopping 96%.

SPEAKER_00

Those of you who know me personally know I'm not a big fan of governmental agencies. They're generally expensive, poorly managed, and in the case of payments, have no idea what they're doing. The CFPB was a disastrous organization that played whack-a-mole with merchants only when they received enough consumer complaints. This means they were always operating behind the eight ball with these nefarious businesses that were taking advantage of consumers. And rather than understanding an industry and how to weed out the bad players, they simply targeted them based on consumer complaints. In my opinion, the patterns of these nefarious merchants are so obvious to those of us that are in the payment space. We could see the bad actors a mile away. And if California is going to do anything that actually protects consumers rather than just wasting taxpayer dollars, they better make sure the group has payment professionals with deep industry experience as part of their watchdog agency.

SPEAKER_01

Well, Jason, since the outbreak, California has seen a 40% increase in financial wrongdoings. And that's why Governor Gavin Newsom proposed the Department of Financial Protection and Innovation. This will make sure Californians are protected from predatory lenders, aggressive debt collectors, credit repair schemes, and other shady practices that in a time of despair can push somebody over the edge and into poverty. Lawmakers face an August 31st legislative deadline.

SPEAKER_00

Hayden, as I already said, unless this organization is structured correctly with the right people, it's gonna be a disaster. It should really be the banks and third-party payment providers that are policing this. But the problem for these groups is that the nefarious businesses are also very profitable because the scammers are willing to pay egregious rates for their payment processing services to get them to turn a blind eye. I could tell you from experience that each one of these industries that you mentioned have telltale signs that they're bad actors. And it becomes even more evident after they start processing payments. The best in class banks and third-party payment providers already have controls in place to figure out who these bad actors are. Controls such as monitoring chargeback ratios, looking at authorization to decline ratios, return percentages on ACH transactions, and many others. However, rather than enforcing these types of controls, dishonest TPPs often help merchants circumvent card brand and NACHA thresholds so they can continue to profiteer from these bad actors. My perspective on this is that if California actually wants to make a dent in these industries that have a reputation for causing consumer harm, rather than going after them one at a time based on consumer complaints, they need to understand the dynamics of their behavior, how they circumvent card brand and NACHA rules, and draft legislation that requires more oversight from the banks and third-party payment providers that should be the frontline defense. In addition, creating stiff penalties for payment processing organizations that enable these nefarious merchants to continue to operate, the risk will no longer be worth the reward for them. And these bad actors will die the slow, painful death they deserve.

SPEAKER_01

Jason, while we're on the topic of government inefficiency, due to COVID-19, it's no surprise the unemployment rate has gone through the roof. But what a surprise it would be if you filed for unemployment just to find out that somebody has been collecting your benefits under your name. Which sounds like fiction to me, but Nigerian hacker ring Scattered Canary has successfully lifted millions of dollars through scam unemployment filings in at least six different states. Pennsylvania alone has paid out nearly 60,000 false filings, and that does not include a whopping 4.1 billion in stimulus payments that Uncle Sam decided to send out to the deceased. Although the government claims they are going to be retrieving those funds, opportunistic fraudsters have already cashed in on the government's mistake.

SPEAKER_00

Hayden, I always say that fraudsters target the lowest hanging fruit when it comes to stealing money. They're going to focus their efforts on the easiest to compromise systems. And it's embarrassing to say that our state and federal government falls into this category. You would think they would have this process so buttoned up that they would be the model that banks and third-party payment providers strive to be. I mean, come on. The government knows more information about people than the banks and credit card processing companies do, but yet they fail to implement even the simplest of identity validation controls. It has been easier for fraudsters to get a PPP loan or unemployment benefits than it has for them to open a credit card in somebody else's name. And this is why we've seen such a drastic shift to fraudsters targeting governmental agencies. I also highly doubt the government is going to get a fraction of those funds recovered. The money at this point is already out of the bank and most likely already out of the country.

SPEAKER_01

Jason, the global pandemic did not break the public payment system, but rather exposed the already broken system. Banks need to update how they mitigate risk and fraud as well as update their systems. In most states, there is no codified verification system for authenticating who they are sending money to, which is crazy to me. But Jason, in your professional opinion, where do you think a good starting place is to better update these systems in order to prevent fraud like this?

SPEAKER_00

Hayden, there are already so many tools that exist that would have prevented lots of this fraud. And it's up to the entire supply chain to make sure that we're providing the best technology, solutions, and most importantly, education to the merchants and the government. The merchants are ultimately the entities that have direct interaction with the consumers or fraudsters. And we need to make sure they're using the appropriate tools to verify identity in accounts. Government agencies should be doing out-of-wallet identification when new accounts are being created, going above and beyond just asking for a social security number and date of birth as a form of identification. They should be implementing out-of-wallet identity validations when accounts are established that ask consumers to verify information that the government already has or is on a credit report. You have to remember, it's not about being perfect in detecting identity theft and fraud, but being hard enough that the fraudsters are not going to spend the additional time to circumvent the controls. Sure, they could go obtain a credit report or dig on social media for answers to these questions, but it makes it hard enough that they're not going to waste their time. They're going to move on to easier prey. And additionally, I've talked about this a hundred times. Any system that enables financial transactions should require multi-factor authentication to prevent account takeover so that once an identity has been validated at the time of account creation, somebody can't compromise the account and simply redirect funds.

SPEAKER_01

Jason, the Financial Crimes Enforcement Network issued a press release warning FIs and consumers about scams that are related to the global pandemic. Bad actors are currently engaged in fraudulent schemes that exploit the unexpected flaws created by COVID-19, as well as all around confusion created by the pandemic. The release shed light on malware phishing schemes in which fraudsters talk about COVID-related aid like the CARES Act in an attempt to extract payments.

SPEAKER_00

You know, Hayden, Bank of America does a horrible job on both of these. I was recently watching a friend who receives California unemployment transfer money to their bank account, and the number of attack vectors to compromise that system and redirect funds is insane. The truth of the matter is none of these flaws are unexpected. The vast majority of the attack vectors being used have been around forever. It simply goes back to a lack of urgency for them to remedy them. Oftentimes, banks and third-party payment providers are aware of these exploits, but until they become the target of one of them, they let it slide by. Just about all of these attack vectors, from malware to phishing scams, are solved by multifactor authentication and out-of-wallet identity validation. And these organizations just need to stop procrastinating and get it done.

SPEAKER_01

So, Jason, I understand that in the past, selling an EMV 3DS product to a merchant hasn't always been an easy task. Merchants either weren't willing to hear about it or they weren't willing to learn about it. But now with COVID-19 driving the digital commerce shift into sixth gear and the invention of EMV 3D Secure 2.0, that will no longer be the case. Retailers have begun to find out that fighting off fraudsters in a physical store is a lot easier than fighting off fraudsters in an online ecosystem. With 3DS 2.0, beating the bad actors is a lot easier and actually works in the retailer's favor. Instead of having to rebuild authorization rails, 3DS 2.0 will facilitate the information to decide the legitimacy of a transaction.

SPEAKER_00

Yeah, Hayden, like many of our topics today, it's hard to convince an industry to tighten up security until they become a victim of fraud. And this is just another example of how the supply chain could have been better for COVID-related attack vectors. This technology has actually been around for quite some time. In fact, it's the rails that Apple Pay is built on top of. And the whole premise of it is to ensure that the cardholder is authenticated before making the purchase. What's new is the added buzzword of EMV in front of it. 3D Secure and 3D Secure 2.0 are nothing new. But merchants tend to run for the hills as soon as they hear the word 3D Secure because of how the initial versions were implemented. Initial implementations were not based on biometric authentication, but legacy solutions that required an e-commerce shopper to be redirected to their bank to log in and approve the transaction. And this implementation certainly deterred fraudsters, but it also created significant friction for real customers trying to make purchases. Oftentimes, consumers were not familiar with the process and thought it was an attempt to compromise their banking information. So it had resulted in higher payment page abandonment and lost sales to the merchants. So much so that it was worth letting a few fraudulent transactions through the cracks to not lose hundreds of legitimate sales.

SPEAKER_01

Well, Jason, EMV 3DS will be an industry standard in the coming years. It's already a requirement of the EU's Payment Service Directive 2, meaning any merchant that wants to transact in the EU needs to have EMV 3DS ready to go by January 1st of 2021. The card networks have also confirmed that 3DS 2.0 will be mandatory worldwide on their networks for issuers this fall. But the gateways and processors still have work to do in order to get EMV 3DS certified and ready to go, meaning there is still some integration work to come.

SPEAKER_00

Yeah, hey, I personally love this technology. And at this point, if it's properly implemented, it has little impact on the checkout experience. Most wallet-based payment methods already use this solution. And any e-commerce merchant should be supporting at a minimum these wallet-based payment methods, such as Apple Pay. With the number of new cards that have been added to the mobile wallets based on COVID, there is a massive increase in the number of consumers who are making e-commerce transactions with biometrically authenticated wallets. For the simple reason it's quicker than having to key in the card information. Browser-based adoption for this technology is also growing rapidly, and solutions like the FIDO Alliance, which are building identity validation directly into the browser, will propel it even further forward. Any player in the payment supply chain that doesn't already support transmitting this additional data needs to get it on their roadmap yesterday, because not only does it make a significant dent in fraud, but it also has a big impact on authorization rates. The presence of this additional data with the authorization ensures to the card issuer that the purchase has been authenticated by the cardholder, thus reducing traditional fraud checks that may have resulted in the transaction being declined. All in all, it's an amazing tool for reducing fraud and increasing authorization rates.

SPEAKER_01

Alright, Jason, you know what time it is. It is time to make payments make sense. Give me those takeaways.

SPEAKER_00

Governor Newsom, if you need help building a team of payments experts for your new Department of Financial Protection, we're here to help. Supply chain. Enough is enough. Let's start educating merchants and our government on how to protect their consumers. If you're not already strongly embracing 3D Secure 2.0, you're putting your merchants at a huge disadvantage.

SPEAKER_01

Thanks for joining us today. And if you've got a topic you would like us to discuss, follow and message us on social media at Cents Chat. And as always, we would love your feedback.