Payments Risk Management: From Phishing to Exchange Rates

The evolution of payment forms, from cash to electronic non-cash channels, is progressing rapidly through online and telecommunication commerce (e-commerce and mobile m-commerce) solutions. Treasurers and financial institutions (FIs) are exploiting this evolution to penetrate the market and improve efficiency by launching cost-effective, convenient solutions. Large-scale operations that process payments in short periods are also underway, which can save thousands and potentially millions of clients both time and money. On the other hand, firms must look beyond the processing of payment transactions and estimate the risks attached to them, since failures in controlling and mitigating these risks can lead to financial losses and market rejection.

There are various risks attached to payments; those most widely discussed in the media, particularly in recent years, relate to financial crimes such as fraud, money laundering and refund requests. Fraud typically results from a breach of privacy: illicit access to the account holder’s confidential information, obtained by breaching data security through different patterns of attack on accounts.

Emerging payments risk management is not limited to FIs. As money becomes a commodity, small and medium-sized enterprises (SMEs), other non-financial institutions and large corporations have various significant payment risk concerns, ranging from fraud to the potential financial losses from exchange rate exposure when the currencies they use are devalued. Multinational corporations (MNCs) accept that this risk cannot be mitigated by eliminating the use of foreign currencies, as that would adversely affect their operations and businesses.

Combating Fraud and Phishing

It is recognised that sophisticated fraudsters have a good understanding of technology and of payment processors such as automated clearing house (ACH) debit, wire transfer, card acquirers and/or credit bureaux, together with the ability to keep evolving and developing tools and methodologies to attack their victims. Fraudsters also do not differentiate when targeting customers’ account balances, whether the amounts held are large or not.

According to RSA, the security and risk management division of IT group EMC, estimated global losses caused by ‘phishing’ amounted to US$1.5bn last year, a 22% increase from 2011. The figure indicates that few people are aware of phishing crimes, in which an attacker sends an email or short message service (SMS) text to the victim(s) containing a file or a link that carries a malware Trojan with keylogging software. This enables the fraudster to capture the victim’s confidential information, such as credit card details and login credentials for a payment website, and then to re-use the stolen data in acts of fraud. To help customers protect the computers, tablets, mobiles and other devices they use for processing payment transactions against viruses that harvest their confidential information, firms should ask, or even compel, users to run anti-virus and anti-spyware software with automatic updates. Corporates should also run regularly scheduled scans to detect viruses and spyware.

Social Media

Today, social applications have become a significant part of communication and socialising. Both individuals and companies have accounts on Facebook, Twitter and YouTube, so inevitably attackers increasingly attempt phishing over the social networks rather than targeting victims through traditional emails or SMS. Anti-virus and anti-spyware providers have so far kept a few steps ahead of the fraudsters by providing malware-fighting solutions to social application service providers.

Phishing is one of several increasingly widespread means of committing fraud. In recent years the incidence of electronic crimes targeting automated teller machines (ATMs) has been accelerating. Criminals use ATM skimmer devices that capture the user’s credit/debit card data and personal identification number (PIN), which are transmitted instantly to the fraudster. This costs firms, FIs and their customers substantial losses from fraudulent withdrawals from the accounts and from reissuing cards. A comprehensive assessment was undertaken to mitigate the risk by using cardless ATM solutions, which eliminate the need for cards and instead use advanced technologies such as iris scanners or a one-time password (OTP) along with a registered mobile phone number.

Sometimes, catching fraudulent activity depends on monitoring payment patterns such as withdrawing only modest amounts at short intervals until the daily limit is reached, performing the same transaction repeatedly (same time, item, amount and shipping address), or performing many transactions with the same credit/debit card from different geographical regions within an implausibly short time. There is also the possibility of internal, or employee, fraud occurring within the institution, where a fraudulent employee is able to explore and access customer account information and start performing transactions on the customer’s behalf.
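The three card-level patterns just described can be expressed as simple monitoring rules. The following is an added example, not code from the article or from any vendor it mentions; the transactions, the daily limit, the "modest" threshold and the travel-time gap are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions (not real data): (card, ISO timestamp, kind, amount, region, shipping address)
TXNS = [
    ("card-A", "2013-05-01T09:00:00", "withdrawal", 200.0, "GB", None),
    ("card-A", "2013-05-01T09:07:00", "withdrawal", 200.0, "GB", None),
    ("card-A", "2013-05-01T09:15:00", "withdrawal", 200.0, "GB", None),
    ("card-A", "2013-05-01T09:22:00", "withdrawal", 200.0, "GB", None),
    ("card-B", "2013-05-01T10:00:00", "purchase", 49.99, "DE", "addr-1"),
    ("card-B", "2013-05-01T10:05:00", "purchase", 49.99, "DE", "addr-1"),
    ("card-B", "2013-05-01T10:09:00", "purchase", 49.99, "DE", "addr-1"),
    ("card-C", "2013-05-01T11:00:00", "purchase", 120.0, "GB", "addr-2"),
    ("card-C", "2013-05-01T11:40:00", "purchase", 80.0, "US", "addr-3"),
    ("card-D", "2013-05-01T12:00:00", "purchase", 300.0, "GB", "addr-4"),
]

DAILY_LIMIT = 800.0                   # assumed per-card daily cash limit
MODEST_AMOUNT = 250.0                 # withdrawals below this count as "modest"
WINDOW = timedelta(hours=1)           # window over which modest withdrawals are summed
REPEAT_WINDOW = timedelta(minutes=15) # window for "same transaction repeated"
MIN_REGION_GAP = timedelta(hours=2)   # assumed minimum plausible time between regions

def monitor(txns):
    """Return {card: sorted alert names} for the three patterns in the text."""
    by_card = defaultdict(list)
    for card, ts, kind, amount, region, ship_to in txns:
        by_card[card].append((datetime.fromisoformat(ts), kind, amount, region, ship_to))
    alerts = defaultdict(set)
    for card, rows in by_card.items():
        rows.sort(key=lambda r: r[0])
        # Rule 1: modest withdrawals in quick succession that add up to the daily limit
        for i, (t0, kind, amt, _, _) in enumerate(rows):
            if kind == "withdrawal" and amt < MODEST_AMOUNT:
                total = sum(a for t, k, a, _, _ in rows[i:]
                            if k == "withdrawal" and a < MODEST_AMOUNT and t - t0 <= WINDOW)
                if total >= DAILY_LIMIT:
                    alerts[card].add("structured_withdrawals")
        # Rule 2: the same transaction (kind, amount, address) three or more times in a short window
        recent = defaultdict(list)
        for t, kind, amt, _, ship_to in rows:
            key = (kind, amt, ship_to)
            recent[key] = [x for x in recent[key] if t - x <= REPEAT_WINDOW] + [t]
            if len(recent[key]) >= 3:
                alerts[card].add("repeated_transaction")
        # Rule 3: consecutive use in different regions closer in time than travel allows
        for (t1, _, _, r1, _), (t2, _, _, r2, _) in zip(rows, rows[1:]):
            if r1 != r2 and t2 - t1 < MIN_REGION_GAP:
                alerts[card].add("implausible_geography")
    return {card: sorted(names) for card, names in alerts.items()}
```

Note that card-A trips both the structuring rule and the repetition rule, since its identical withdrawals satisfy both; a real system would tune the thresholds to the issuer's actual limits.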

Fighting Financial Crime

Monitoring suspicious activities aims to achieve more than simply catching fraud attacks. Money laundering and terrorist financing are also financial crimes, and they need monitoring and extensive investigation of suspicious activity. Once a suspect activity is backed by evidence of a violation of financial regulations, compliance officers directly block the transaction and/or the customer account and report the activity to the financial regulator in the relevant country. Suspicious activity risk management is therefore not a choice today but a necessity; it helps companies and FIs avoid losses caused by non-compliance fines and, for the latter, protects their reputation in an increasingly tarnished industry. FIs have an obligation to carry out due diligence and to estimate risk scores for their customers based on data obtained during the Know-Your-Customer (KYC) process.

Another payment risk may occur on electronic fund transfer (EFT) payments when a customer requests the cancellation of a transaction and a refund of the amount involved. While such a request might not appear risky, the risk arises when it is made frequently, since the merchant covers all refund charges; this can lead to financial losses and requires further monitoring and investigation as a suspicious behaviour.

Exchange Rate Risk Management by the Treasury

For FIs and non-financial entities alike, exchange rate risk management has become an integral part of the firm’s decisions on treasury strategy for managing exchange rates and the consequences of foreign currency exposure.

Exchange rate risk is measured with the value-at-risk (VaR) model, the most widely accepted method for a firm’s risk estimation. VaR is the maximum loss from the exchange rate exposure over a given time horizon that will not be exceeded with a stated probability (the confidence level). Firms then need to decide whether or not to use a hedging strategy to protect against the exchange rate risk exposure.

Selecting the appropriate hedging strategy depends on the period required to process a transaction, whether short or long-term, as well as the treasury’s view of the future movement of the currencies used. The most common hedging strategy is the use of forward/futures contracts. Treasurers may instead decide not to hedge the exchange rate risk; transactions are then calculated at the current spot market rate, and settlement should be completed within a limited time not exceeding one or two business days.
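To make the VaR measure and the hedge-or-not decision from the two paragraphs above concrete, here is an added example (not the article’s own method or any firm’s treasury system) using historical simulation: the loss at the chosen confidence level is read off the firm’s own history of daily currency moves. The return series, the exposure, the hedge ratio and the loss appetite are constructed assumptions.

```python
import math

# Constructed daily returns of the foreign currency against the home currency
# (fractional change in the home-currency value of one foreign unit; not market data).
RETURNS = [0.004, -0.012, 0.003, -0.007, 0.010, -0.015, 0.002, -0.003, 0.006, -0.009,
           0.001, -0.020, 0.008, -0.004, 0.005, -0.011, 0.003, -0.006, 0.007, -0.002]

def historical_var(exposure, returns, confidence=0.95, horizon_days=1):
    """Loss in home currency (positive number) on an unhedged `exposure` (home-currency
    value of the foreign position) that is not exceeded with probability `confidence`
    over `horizon_days`, estimated by historical simulation."""
    if not returns or not 0 < confidence < 1:
        raise ValueError("need a non-empty return history and 0 < confidence < 1")
    # A fall in the foreign currency (negative return) is a loss on a long position.
    losses = sorted(-r * exposure for r in returns)
    idx = math.ceil(confidence * len(losses)) - 1     # empirical quantile position
    # Square-root-of-time scaling assumes independent, identically distributed daily moves.
    return losses[idx] * math.sqrt(horizon_days)

def var_with_forward_hedge(exposure, hedge_ratio, returns, confidence=0.95, horizon_days=1):
    """VaR once `hedge_ratio` of the exposure is locked in with a forward contract
    (the hedged portion is assumed to carry no further spot-rate risk)."""
    if not 0 <= hedge_ratio <= 1:
        raise ValueError("hedge_ratio must be between 0 and 1")
    return historical_var(exposure * (1 - hedge_ratio), returns, confidence, horizon_days)

def should_hedge(exposure, returns, loss_appetite, confidence=0.95, horizon_days=1):
    """Treasury decision rule: hedge when the unhedged VaR exceeds the loss the firm will bear."""
    return historical_var(exposure, returns, confidence, horizon_days) > loss_appetite
```

With 20 observations, the 95% VaR is the second-largest historical loss, so a longer history is needed before the estimate is stable.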

Finally, risk mitigation consists of a set of fundamental processing steps that are performed iteratively. They start with identification of the potential risks, which are then reviewed to assess their consequences, the costs of implementing controls, operational performance and financial losses. Assessment criteria have different ranks and scores that help institutions analyse and prioritise risks. Critical risks need quick implementation of tools and/or processes to manage them. This implementation should be followed by a monitoring process, which may in turn identify new potential risks.
