A Finer Filter Lets Banks Save Fraud-Finding Steps

First in a series

In detecting merchant fraud, sometimes less is more.

RBS WorldPay has observed that philosophy in upgrading its system for identifying potentially bogus transactions.

The Atlanta payments processor is in the midst of installing a program to help it flag payments within merchant categories. Its current system, which the company built in-house, requires that rules be applied across its entire merchant portfolio.

Fraudsters seek out such technical limitations to determine just how much they can get away with before anyone notices. Banks and processors try to adapt every time a weakness is found.

"Right now our environment is … all hard-coded," said Billi Jo Wright, the vice president of transaction risk and collections at RBS WorldPay.

That requires someone to change the program itself to add new flagging rules.

"If we want to implement a rule for one type of fraud trend that's really just hitting … the petro arena, I've got to implement that rule, and it's going to go across every merchant type today," she said. This means many transactions are flagged for review that actually are valid, requiring the processor to spend more time than necessary sifting through payments, she added.

To solve its problem, RBS WorldPay decided last year to upgrade to a product called DataView360, which manages banks' and other users' connections to third-party credit data sources.

RBS WorldPay, which is being acquired by Advent International Corp. and Bain Capital LLC from Royal Bank of Scotland Group PLC, is close to finishing installation of the program, which was developed by the Dallas technology vendor GDS Link LLC.

Once the installation is complete, the processor expects to be able to apply rules by geographic region, merchant category or another criterion, Wright said.

"It really just gives you the flexibility to … drive down to where the fraud is really occurring," she said.

RBS WorldPay and other processors establish rules based on common merchant characteristics such as average transaction size, monthly transaction volume and charge-back activity.

Transactions that fall outside expected levels typically are flagged for review to determine whether fraud is involved, Wright said.

In the past, RBS WorldPay has had requests from individual merchants to apply instructions only to their transactions, which is virtually impossible, she said.

The new software lets a processor segment online merchants, brick-and-mortar retailers and other categories, which often see different transaction trends, said Paul Greenwood, the president and co-founder of GDS Link.

Processors are interested in DataView360 to help assess merchant risk, especially as it relates to charge-back levels and merchant attrition, Greenwood said.

"If these banks can actually spot that … clients are growing and offer them a better rate, … it can really help prevent attrition," he said.

Alternatively, if RBS WorldPay notices a merchant posting a sudden increase in transactions, it could be a sign that the customer is holding a liquidation sale because of financial problems, Wright said.

Merchant processors are a natural extension for a company like GDS, which focuses on the lending space, said Julie Conroy McNelley, a senior analyst of fraud and risk at Aite Group LLC in Boston.

"They're looking to expand their market," McNelley said. "It's still a decisioning type of environment."

Managing rules for assessing the risk that merchants pose to processors can be difficult because data is not as readily available as it is for consumers, she said. Many traditional business data sources rely on self-reported information.

"That's always been one of the big points of pain," she said.

GDS' lending-market clients use DataView360 to manage connections to credit bureaus and other third-party data sources. In addition to making it easier to connect to those sources, DataView360 also lets users manage instructions for which data sources to refer to first when making a lending decision.

"They've already done all the coding that can facilitate all those if-then statements, whereas someone who is doing it themselves will have to do all of it from scratch," McNelley said. "That's not insignificant from a technology perspective."

Another benefit RBS WorldPay expects to get from DataView360 is the ability to change instructions more quickly, Wright said. It now takes up to several months to implement a rules change.

"If I want to make a change to a particular rule or even add another rule, I can do that within a day," Wright said. "It just allows you to be more flexible in a fraud environment. That's really what you kind of need."

If RBS WorldPay looks at "a particular section of their portfolio, a group of merchants they might deem to be high-risk, they can go in and do the analysis and weight it correctly," Greenwood said. "Those merchants that hit the rules will now be pushed to the queue to be looked at as well."

GDS has a library of more than 30 data connections its customers can plug into.

"We basically just code or script to the third-party data sources' " application programming interface, Greenwood said.

GDS is not the only vendor with products for managing data access for financial companies. McNelley compared what GDS is doing to Zoot Enterprises Inc., a Bozeman, Mont., vendor that sells credit-decision tools drawing on numerous data resources.

Companies like GDS and Zoot provide value by averting a significant amount of integration work that their customers must do when maintaining their own connections, she said.

"In financial institutions, an initiative that forces you to do some coding on your new account origination system, be it for DDA accounts or loan origination systems, usually has a pretty significant lead time," McNelley said.