Posted April 1, 2015
This year marks my ninth year in the fraud prevention space. Having been a consultant as well as running fraud departments for various e-commerce businesses, I always wondered why it seemed so difficult for corporations to do the right thing.
Many companies have been notoriously stingy when it came to giving me the technological and staffing resources I needed to do my job. The usual response was that chargebacks were well below the 1% threshold the card networks enforce, so additional resources were unnecessary. The fraud operation was seen as a revenue drain and hardly ever got the attention it deserved – until all hell broke loose.
Once the fraudsters found their way in, the losses were merciless, chargebacks climbed, and the next thing the company knew, it had been placed in one or more of the excessive chargeback programs enforced by both Visa and MasterCard. Fraud prevention was always reactive, always after the fact, and sometimes almost too late. Trying to recover, save the business, or simply stop the losses often cost thousands, if not millions, of dollars.
Fraud and breaches do much more than cause chargebacks. Fraud costs you revenue from legitimate customers whom you turn away because you now have stringent rules in place that are not yet fine-tuned. In addition, fraud costs the company dearly in reputation and damages the brand in ways most will never be able to comprehend or predict – until it happens. Lastly, you can and, in some cases, will get sued, and that often drives the proverbial nail in the coffin: some smaller companies never recover and go under.
Not doing the right thing, deliberately ignoring a potential issue, or looking the other way can and will have consequences. Although it is difficult to solve for something you have not seen (yet), it is necessary to anticipate fraud and understand that fraud is never a question of if, but always one of when. The examples I outline below focus on the payment processing/banking space this time, in order not to single out specific e-commerce businesses.
FTC vs. Wyndham – filed in 2012
Three security breaches in two years led to fraudulent charges on consumers’ accounts and more than $10.6 million in fraud losses.
Primary allegation: Wyndham violated Section 5 of the FTC Act, which prohibits unfair or deceptive practices, by failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information.
Deceptive: Statements in its website privacy policies that Wyndham used commercially reasonable efforts to safeguard information using industry-standard practices.
Unfair: Wyndham failed to employ reasonable and appropriate measures to protect personal information against unauthorized access, which caused injury to consumers that they could not reasonably avoid themselves.
Wachovia Bank – 2008
Background: Telemarketers obtained bank account information over the phone by offering questionable products and services (grant-writing kits, identity theft certificates, medical discount plans, discount travel and groceries); many of the victims were elderly; the telemarketers drew on the accounts using remotely created checks (RCCs).
Bank Regulatory Action: The OCC directed Wachovia to make $125 million in restitution to consumers harmed by the bank’s relationships with telemarketers and third-party payment processors.
First Bank of Delaware – 2012
Background: Department of Justice (DOJ) allegations: the bank knew, or turned a blind eye to, the fact that the payment authorizations had been obtained by fraud; the banking industry had been explicitly warned by federal banking regulators after the 2008 Wachovia case; while many banks heeded the guidance, First Bank of Delaware recognized RCCs as a source of new revenue. The bank knew the risks and determined that the profits outweighed them.
Bank Regulatory Action: $15 million penalty by the FDIC and FinCEN, because the bank failed to implement an effective AML compliance program with internal controls to report evidence of money laundering or other fraud. The bank also settled DOJ charges that it violated the Financial Institutions Reform, Recovery, and Enforcement Act (FIRREA) by originating withdrawals totaling more than $138 million from consumers’ accounts on behalf of the fraudulent merchants. It subsequently lost its state charter to operate.
FTC vs. IRN Payment Systems – June 2014
Background: Allegations that IRN knew, or deliberately avoided knowing, that its merchant was selling debt relief services in violation of the FTC’s Telemarketing Sales Rule.
FTC: IRN ignored facially deceptive telemarketing scripts, 20%-40% chargeback rates, a poor Better Business Bureau report, and past state investigations; advised the merchant on defeating chargebacks through a deceptive document; broke sales transactions into smaller pieces; and assisted in challenging chargeback disputes.
Settlement: $3.48 million judgment (suspended upon payment of $400K); ban on processing for debt relief services; merchant screening requirements; immediate termination of certain merchants that exceed a 1% chargeback rate; obligation to investigate any other merchant that exceeds a 1% chargeback rate.
There are many more examples, but as we can clearly see here, ignoring chargebacks, choosing revenue over doing the right thing, and hoping it will all work out has its price. I would argue that having proper fraud and security controls in place would have cost a mere fraction of what the fines, penalties, chargebacks, lawsuits, and loss of trust in your brand amount to once fraud hits your system.