Online marketplaces revolutionized shopping experience with remote and friction-free transactions available through multiple payment options. It also opened a new platform for cybercriminals. The absence of fundamental user verification made online marketplaces a hotbed for fraud, money-laundering and chargeback scams.
The information on the topic is plenty, but it doesn’t paint the picture of the merchant risk assessment clearly. For a while now, we have been helping businesses to figure out their merchant verification flow. Here is what we found out works best.
- Marketplace merchant: the basics
- What do regulators think? Applicable laws.
- How frauds take advantage of merchant accounts (fraud types)
- A guide to merchant onboarding
A merchant is a company or an individual who sells a service or a product online. To give you an example of such merchants, these are individuals and legal entities trading on e-commerce marketplaces such as Amazon, Airbnb, eBay, etc.
Merchants use e-commerce platforms to do business, and, as any other business dealing with financial transactions, they have to be regulated by the payment processor or a bank the marketplace is partnered with to handle the money-side of each deal between a vendor and a purchaser. Only after the platform makes sure that there are honest people behind these accounts, users can receive the payouts.
All e-trade hubs aim to build a safe, compliant and frictionless environment for users to do business. And for that, they employ verification as a part of the user onboarding.
So, are merchant check and ongoing monitoring obligatory or just recommended to have as good practices? To answer that, — merchant check is strictly required by the applicable legislation.
The main regulation that guards the payment environment is The Payment Service Directive (PSD) — a European Union law aimed to regulate payment collection and payment services in the EU and EEA. According to PSD2, marketplaces are identified as ‘commercial agents’ — facilitators between a seller and a buyer, having to process third party funds to the same standard as a bank or any other payment service provider.
Therefore, identification, as well as KYC, KYB and AML processes, have to be implemented and made routine practices of all marketplaces. If businesses don’t want to have money laundered through them, there is also anti-fraud — a necessary measure that monitors unusual user activity, exposes graphically edited documents and more.
It is vital to think of defense when any noncompliance will put you under the strict penalties of at least PSD2 and AML4 (The 4th Anti-Money Laundering) directives. So, what are these fraud attacks, that cause trouble for marketplaces?
You can’t solve fraud once and for all. Same as weeds that grow wild and can’t be eradicated for good, fraudsters persistently bombard marketplaces, requiring to be constantly surveilled and cut off. Here are some of the cases illustrating the problem.
- Chargeback fraud
A fraudulent merchant registers on the platform, makes a purchase and then denies it, claiming their card was stolen or lost. The bank gives them the money “back”, and the marketplace, together with the payment processor, receives a fine.
AML laws of any county demand all money-laundering prone platforms to be compliant with their demands and fine those who fail to prevent criminal activity at any cost. Frauds take advantage of marketplaces in many ways and here are the two most popular scenarios.
First is when a wanted criminal creates a company merchant account to provide for themselves while hiding from the authorities. If marketplaces fail to catch them and later on they will be exposed by the authorities, the platform will receive a fine.
Second — an individual merchant continuously buys items worth a fortune from the same vendor, which can indicate to a money-laundering scheme.
- Purchase fraud
A merchant puts a product or service for sale on the marketplace, somebody buys it and makes the payment. However, when the money reaches the merchant, instead of delivering the promised service or product to the purchaser, they don’t. The merchant gets it all, the purchaser stays with none.
If a marketplace allows any of these scenarios to go undetected, not only the criminal will be punished, but the platform and the payment provider or bank will be given a fine starting from hundreds up to millions for each unregulated case. It affects businesses budget and the trustworthiness of the service itself.
For that, marketplaces need to onboard their users properly and err on the side of caution. Here you have all the reasons to why. Now, let’s move on to how.
Fighting marketplace fraud is easier with automation. Verify merchants the way a certain case and applicable regulation demand it.
Merchant verification is a complicated subject to tackle as every case can demand its own approach. Here, we have put together a short checklist of how we advise marketplaces to keep track of their users:
Step 1. Identity verification (KYC)
If your merchant is an individual, perform the necessary KYC/AML check and anti-fraud with behavioral patterns monitoring, graphic editors intervention detection, biometric anti-spoofing, etc. Additionally, KYT (transaction monitoring) will help better understand where the money is going and coming from.
If your merchant is a legal entity, add KYB check to the list. It is a robust set of checks that help to understand the company’s structure, operational model and the hierarchy, as well as to identify business’ UBOs, directors and important figures. Why do you need this information? It exposes the ones who benefit from the business the most and can pose a higher level of risk.
Step 2. Due diligence and the level of risk prescription
Apart from standard requirements to apply, such as KYC/AML practices that depend on the applicable regulator, there are fluctuating levels of due diligence.
Enhanced Due Diligence depends on each case separately and can require additional checks for certain merchants. It can be an inquiry about Proof of Source of Funds and Proof of Source of Wealth (often requested from PEPs from high-risk jurisdictions or accredited investors) or a selective transaction screening.
Businesses define risk levels for certain merchant types which require EDD — gambling, pharmaceutical and tobacco merchants, etc. National legislations have their own guidelines as well.
EDD measures are assigned according to the situation when all or some of the regulatory measures prescribed by law can be applied. Examples of such laws and what they demand can be found down below.
Customers from high-risk third countries and PEPs have to submit additional information on themselves and their beneficial owners (in case of a corporate client), the nature of the business relationship, the source of the funds and of the wealth involved. They are asked for the reasons behind the transactions, the approval of the business relationship from the senior management and other documents that will help indicate at their risk level. PEPs in their turn, have to also perform ongoing monitoring of the business relationships.
- Switzerland FINMA Anti-money Laundering Ordinance
EDD cases require the disclosure of the beneficial owners and the origin of the deposited assets, the intended use of withdrawn assets, the background and plausibility of larger amounts deposited, the occupation of the contractual party and the beneficial owner of the assets, the disclosure of PEPs if there are any involved in the business relationship.
EDD in the United Kingdom is required when a party is a politically exposed person (PEP) or from a high-risk third country, in the case of unusually large or seemingly purposeless transactions and any other case with a higher risk of money laundering or terrorist financing.
Step 3. Ongoing Monitoring of the merchant accounts
Risk management doesn’t stop after onboarding. Merchants tend to change, offer more services and increase the number of transactions. As they change, their risk level fluctuates as well. Watch out for exceeding thresholds, suspicious activities, change in products and adverse media mentions.
To go on, businesses need to look out for themselves, assess the risks and automate routine processes, making them more accurate and using advanced data analysis tools.
And although for some cases manual check may be enough, if you are interested in growing, embracing new technologies might be a better idea. With automation, companies can drive costs down and generate greater returns while managing the risks.