CrossCheck Blog

Check Processing & Payments Information

Protecting Merchants with Payments Industry Security

Posted by Brandes Elitch | Thu, Mar 30, 2017 @ 10:11 AM

At CrossCheck, we are vitally interested in payments industry security while identifying and uncovering schemes to defraud the merchant. After all, our core business is managing risk and protecting our merchants by guaranteeing a stream of payments to be deposited in the future. This is a risky business to begin with, and we always want to be aware of what is going on around us in the financial and payments ecosystem.

Today, it seems like there is a never-ending stream of ways that fraudsters and criminals can penetrate the banking system to steal credentials, identities and, of course, funds in a merchant’s bank account, to say nothing of ransomware and other newly invented categories.

There is a flip side to this, which is what the criminals do with their ill-gotten gains. Where do you put the money after you have stolen it? … The solution, of course, is a clandestine funding system.

Global Payments Industry Security

To give you an idea of how big a problem this is, the United Nations estimates that illegally moved funds represent 2 – 5% of global GDP, or the equivalent of the fifth largest economy in the world and bigger than the California economy! Another interesting statistic related to payments industry security is that in OECD (Organization for Economic Cooperation and Development) countries from 2010-2012, it is estimated that the value of bribes was around one trillion dollars a year!

We used to say criminals are not the brightest people in the world, but now we can see that it is sometimes the best and brightest who are involved in cybercrimes.

Criminals are diversifying their portfolio to spread their risk and avoid bank and regulatory scrutiny. A recent study by BAE Systems called “How Dirty Money Moves” found that criminals are moving into peer-to-peer lending, casino gambling, abuse of diplomatic pouches, real estate, trade finance, fraud, fake invoicing and other forms of laundering.

Security in the USA

The U.S. government started a serious effort to combat illegally moved funds in the early 2000s, including enforcement against banks found to have been negligent or complicit in the laundering of illicit funds or tax evasion. During the period 2007 – 2008, for example, the U.S. government had two actions that generated $25 million in fines. In the 2013 – 2014 period, there were 18 actions generating almost $15 billion in fines!

Today, banks are spending enormous amounts of money on anti-money laundering (AML), but now there are new threats to payments industry security. These include deception technology, business email compromise, DDoS for extortion, cybercrime as a service, ransomware, destructive digital attacks and more.

Perhaps the most sobering breach happened at a well-known retail chain where 40 million payment cards were hacked, and an additional 70 million customers had their personally identifiable information compromised. This gives you an idea of the scope of the problem.

Offshore Activities

Since the banks have strengthened their AML efforts, criminals have had to be innovative and look elsewhere to deploy the money. Where do they go? Well, there are three main conduits.

First, they will work with real estate agents to buy property, both as an investment and as a way to avoid currency controls, since they are just paying with bags of cash. There are also currency exchange institutions that facilitate moving funds from one country to another. Finally, there is a huge industry of what is called Trust and Company Service Providers. In 2011, the British newspaper Financial Times investigated “fiduciary service companies” in the Cayman Islands. This is a network of law firms, accountants and real estate agents that have acquired the trappings of legitimacy by being gatekeepers to the banking system.

Writer Nicholas Confessore wrote a brilliant expose of this system in an article published in the New York Times Magazine on November 30, 2016, called “How to Hide $400 Million.” He quotes former McKinsey Chief Economist James S. Henry describing the offshore financial world as “the economic equivalent of an astrophysical black hole” and holding at least $21 trillion of the world’s financial wealth — more than the entire U.S. Gross National Product.

The article cites an impenetrable array of shell companies catering to the very wealthy, whose purpose is to detach assets from their actual owners, through complex layers of ownership and legal planning, often hiding them in countries with less regulation.

The legal systems in these jurisdictions are arranged to provide privacy and protection against enquiries from U.S. attorneys. The various gatekeepers can provide near-invisible entry to the financial system by disguising the ultimate owner of assets or cash — the beneficial owner. These entry points (lawyers, real estate agents and TCSPs) are smaller, more numerous and harder to regulate than banks, and they are the gatekeepers through which dirty money and criminals can gain the trappings of legitimacy.

When it comes to concealing identity, we have seen similar behavior with certain merchant category codes where the merchant will find it difficult or impossible to get their own merchant account or bank account. In such cases, the merchant will sometimes find another merchant to process their transactions. Typical “high risk” categories include inbound telesales, outbound telemarketing, mail order/telephone order, call centers, subscription and membership services, adult and travel.

Security at CrossCheck

CrossCheck has been managing risk and maintaining payments industry security for our merchants for 30-plus years. In our world of domestic payments, we work closely with merchants in categories that we know well, such as auto dealers, auto aftermarket and building supply.

While we do not underwrite or “credit score” the consumer who is writing the checks to our merchants, we do underwrite our merchants and we must conform to the guidelines that our banks use. We look long and hard before processing payments for “high risk” merchants, not because these merchants are inherently doing anything wrong per se, but because we focus on managing risk we can understand.

When you figure that we will guarantee millions of transactions this year, equaling billions of dollars of risk, that is a lot of transactions! It takes many years of experience to do this well — in our case, decades of authorizing payments and managing losses and paying claims.

Here at CrossCheck, we have written all of our own proprietary software and we have a fully staffed IT department to update it to customer requirements. All data is encrypted and we do not store consumer information, so our system is quite secure. While we feel pretty confident about our ability to manage risk and exposure, we are always alert to what is going on in the background at our merchants to ensure that everything is on the up and up. That helps us sleep at night.

CrossCheck’s Standard Check Guarantee is a cost-effective approach to maximizing sales and reducing risk for merchants across the country. Learn more by downloading our free guide.


Written by Brandes Elitch

Brandes Elitch is Director of Partner Acquisition for CrossCheck Inc. A certified cash manager and accredited ACH professional, he garnered a Master of Business Administration from New York University and a Juris Doctor from Santa Clara University.