People of WePay: John Canfield, VP Risk and Compliance Product
For companies unfamiliar with the many types of business risk, what forms of payment fraud do businesses experience today?
If you are a merchant selling directly to consumers, you need to worry about payers using stolen credit cards to fraudulently buy your goods or services. There are many risk vendors focused solely on this problem.
When you are a platform that facilitates transactions between merchants and payers, the risk problem becomes much more complicated. There is payer risk, merchant risk, collusion risk and account takeover risk. In addition to financial risk, you also need to screen for compliance risks like illegal transactions and money laundering.
What is the most challenging aspect of managing risk in the payments industry?
Risk management, especially in the fraud prevention area is like a war. Fraudsters are intelligent opponents, so you cannot fight them with a static set of defenses. Whatever you built to protect yourself, they will reverse engineer and attempt to breach.
You are not fighting lone fraudsters, but an entire ecosystem. The fraudsters trying to defraud you are using tools they purchased on the dark web. They purchase identities and credit cards that were stolen by sophisticated hackers. They have mules that are able to reship items that they steal through e-commerce.
Every dollar you lose to fraud makes your opponent stronger. Not only is it your monetary loss, but it is profit that they can invest in building more sophisticated tools and hiring more employees to defraud you even more. It is much easier to stop fraudsters up-front than it is to dislodge them once they are making significant profits from you.
Why do you think that some businesses in need of risk management don’t see a need for it?
A classic example is when a somebody starts a new business tool or marketplace. The owner’s focus is almost always on their market. If you are just starting off and are not well known, fraudsters won’t know that your business exists. You can go your first year and not experience any significant fraud.
This grace period will not last. When the first fraudster successfully steals $500 from your site using stolen credit cards, they will ramp up their attacks and tell their friends. You can go from zero fraud to significant fraud losses in a matter of days if you do not have adequate controls.
What advice can you offer startups or businesses working on managing risk?
From a technology point of view, it comes down to data and decisioning. If you have the right decisioning capabilities, the more data about payers, merchants, and transactions the better. You could always ask for data through a web flow, but that can cause friction. Ideally you find passive or painless ways to collect data.
A good example of a painless data source is an invoice. This is a wonderful piece of data because it tells us the transaction, agreement, names, contact info, terms, and more. Invoices are not submitted for risk, but they are submitted so that the seller can collect money from the payer. So, the seller is already motivated to provide an invoice. If you can take something like that and pass it into your risk system, you can piggyback on an activity that is already essential to the transaction, while also getting great risk insight.
What aspects of your role enable WePay to delight its customers? Or at the very least help WePay better its customers businesses?
Risk management and risk decisioning are integral to payments. Many complexities in payment systems come from the need to support risk use cases. As you develop better and stronger risk systems, you enable a more seamless user experience.
WePay offers instant on-boarding for merchants and this is a big point of differentiation compared to traditional payment processors. This improved customer experience is possible because WePay’s risk system collects so much data passively or later in the merchant lifecycle.
In 2013, WePay was applying a one-week settlement delay on a sizeable fraction of the payments it processed. WePay competitors at the time imposed a delay on almost all of their transactions. As we improved our risk systems, we were able to waive almost all of our settlement delays so that merchants could be paid out immediately.