How to build a risk program for your payments product
October 17, 2023
Software companies are increasingly offering embedded financial services on their platforms in order to become a one-stop-shop for their SMB customers. This gives merchants greater access and control over their transactions, while decreasing the number of software tools they need to run their business.
Embedded payments are typically the first “wedge” product in this space, and represent a significant business opportunity: they’re projected to generate $21B in revenues in 2026, up from $12B in 2020 (source). However, offering embedded payments is easier said than done. The moment a software platform enters financial services, it needs to start proactively thinking about managing its risk exposure. Risk can come in many different forms, from managing credit card information securely to monitoring for fraud and reputational risks.
We’ve partnered up with Basis Theory to outline key areas of payment risk that teams need to keep in mind from day 1, and best practices for addressing these risks head-on.
Fraud risk arises when a business / consumer claims to be someone they are not (identity fraud), or has malintent. It can come from merchants, consumers, or both parties simultaneously.
There are two main types of fraud risk:
First-party fraud: This occurs when an individual or entity intentionally opens a merchant account to commit fraud, or provides false information for their own financial benefit. For example, an individual might open a merchant account and set up an online store selling non-existent goods/services. Alternatively, two or more individuals might participate in “collusion fraud”, where they work together to defraud an e-commerce platform.
Third-party fraud: This occurs when a third-party creates a fake merchant account impersonating a real business, or they hack into a legitimate business’s account and engage in fraudulent activity (this is called an “account takeover”).
Credit risk refers to the possibility that a merchant may not be able to deliver the goods/services promised to their customers. This is the primary source of risk for many payment processors and vertical SaaS companies offering embedded payments.
Oftentimes, credit risk arises due to a merchant’s financial or operational mismanagement; it is not usually associated with malintent or fraud. For example: a merchant accepts credit card, ACH and other payment methods through their software platform, but they might go out of business before delivering on products / services that were paid for. This can arise from issues with the individual merchant, issues within the merchant’s sector, or an industry-wide economic downturn. Regardless of the context, software platforms need to take this risk seriously – they’ll ultimately be on the hook for any customer disputes / chargebacks that arise.
Security and Compliance Risks
Security and compliance risks refer to the possibility that a company’s data or systems could be compromised, often because the company has not complied with the security standards that regulate its industry.
Not maintaining compliance can have substantial impacts on a company. In 2022, IBM estimated that the average cost of a data breach in the United States was over $9.4M, against a global average of around $4.35M. For a smaller company, that could be an existential amount. The ripple effects of such a breach would also impose many other impacts on the business, from a loss of customer trust to potential increases in the rates charged by payment partners like gateways and processors.
Failure to manage any of the key risks above can lead to serious financial harm for software platforms, and damage their brand, thus introducing another type of risk for the SaaS company: reputational risk.
Key mitigants and risk management practices
While there’s no way to completely eliminate risk, SaaS teams can implement processes and controls to keep bad actors and fraudulent activity at bay.
Strong KYB practices can be a significant deterrent for fraudulent merchants from joining a software platform. When conducting KYB, make sure to investigate the business as well as the management team behind it. Sometimes, illegitimate businesses are set up by individuals who have a track record of fraudulent or criminal activity that is documented in government filings. Coris’s Merchant Profiler makes it simple to gather all of this information via one API. It aggregates information across government filings, social media, and other data sources to make the identity verification process accurate and efficient.
Savvy fraudulent merchants might not commit fraud upfront. Instead, they might try to develop a positive first impression before engaging in more suspicious behavior. Ongoing monitoring helps software platforms develop a picture of a merchant’s status quo behavior and set up automated alerts and actions for any significant changes that might indicate fraudulent activity.
Fuzio, Coris’s risk platform, makes it easy to keep tabs on merchants. As the world’s first merchant risk operating system (OS), it allows software platforms to set up custom thresholds for chargeback rates, disputes, payouts, and general payments volume. If a merchant surpasses these thresholds, software platforms can set up unique rule-based alerts and actions to mitigate risk. For example, if a merchant is experiencing higher chargebacks than usual, the software platform can temporarily halt payouts while it reaches out to the merchant for more information.
New merchants are inherently risky given the lack of data on file. Strong Know Your Business (KYB) practices are not only required for regulatory reasons but will also allow software platforms to verify the legitimacy of any merchant, and evaluate the merchant’s risk level before allowing them on the platform.
During any KYB process, be sure to collect the following information about a merchant:
Business registration details
Operating history on other similar platforms
Consumer feedback on 3rd party review platforms
These data points will help you assess the operational health of the business, and proactively identify any credit risks upfront. Coris’s Merchant Profiler consolidates these data points from sources like government filings, merchant websites, social media platforms (Facebook, Twitter, etc.), review platforms (Google, Yelp, etc.), and more. This gives software platforms a real-time understanding of merchants.
Once a merchant is on the platform, it’s important to monitor them proactively for any signs of volatility in the business. If a merchant has newly joined the platform or is high risk, consider implementing temporary controls on payment volume until you better understand their activity and growth profile.
At steady state, keep monitoring merchants for any material changes in their business. Spikes in payment volume, website shutdowns, changes in regulatory standing, and changes in consumer sentiment can help software platforms identify any trouble upfront. It can be difficult for software platforms to analyze these data sources internally, which is why we built these capabilities into Fuzio.
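The threshold-and-action monitoring described above (chargeback rate and volume compared against a merchant’s own baseline, temporary controls for new merchants, payouts held while the platform reaches out), written out as an added Python example that is not Coris’s or Fuzio’s code. The weekly figures, threshold values and action names are constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean

# Constructed weekly activity for one merchant: (sales count, chargebacks, volume in USD).
# The last week is the one being evaluated; earlier weeks form the baseline.
SAMPLE_WEEKS = [
    (400, 2, 20_000.0),
    (420, 3, 21_500.0),
    (390, 2, 19_800.0),
    (410, 3, 20_300.0),
    (430, 12, 85_000.0),  # sudden dispute spike and volume surge
]

# Hypothetical rule thresholds; a real program tunes these per vertical.
RULES = {
    "chargeback_rate_max": 0.01,    # absolute cap on chargebacks / sales
    "chargeback_spike_ratio": 3.0,  # current rate vs. trailing baseline
    "volume_spike_ratio": 3.0,      # current weekly volume vs. trailing average
    "new_merchant_weeks": 4,        # fewer weeks of history => still "new"
}

@dataclass
class Decision:
    alerts: list = field(default_factory=list)
    actions: list = field(default_factory=list)

def chargeback_rate(sales, chargebacks):
    return chargebacks / sales if sales else 0.0

def evaluate_merchant(weeks, rules=RULES):
    """Compare the latest week against the merchant's own baseline and fixed caps."""
    *history, current = weeks
    d = Decision()
    if len(history) < rules["new_merchant_weeks"]:
        # Not enough data for a baseline: apply a temporary volume control and stop.
        d.alerts.append("new_merchant")
        d.actions.append("cap_payout_volume")
        return d
    cur_rate = chargeback_rate(current[0], current[1])
    base_rate = mean(chargeback_rate(s, c) for s, c, _ in history)
    base_volume = mean(v for _, _, v in history)
    if cur_rate > rules["chargeback_rate_max"]:
        d.alerts.append("chargeback_rate_above_max")
    if base_rate and cur_rate / base_rate >= rules["chargeback_spike_ratio"]:
        d.alerts.append("chargeback_spike_vs_baseline")
    if base_volume and current[2] / base_volume >= rules["volume_spike_ratio"]:
        d.alerts.append("volume_spike_vs_baseline")
    # Escalation: any chargeback alert pauses payouts pending merchant outreach;
    # a volume spike on its own only queues a manual review.
    if any(a.startswith("chargeback") for a in d.alerts):
        d.actions += ["hold_payouts", "request_merchant_info"]
    elif d.alerts:
        d.actions.append("manual_review")
    return d
```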
Security & Compliance Risk
Onboarding & Monitoring
All payments companies will want to achieve and maintain PCI DSS compliance to ensure all sensitive cardholder data is stored securely. This standard establishes the right ways to protect data in motion and at rest, and provides a standardized approach for merchants to test and demonstrate the effectiveness of their compliance. Even if a business is not actually storing or touching any of the sensitive data, it is on the hook for ensuring that downstream vendors with access to this data also maintain compliance.
While the rules of PCI DSS compliance can be cumbersome, many providers on the market today can significantly reduce a company's efforts to achieve and maintain PCI DSS compliance.
Use a third-party tokenization provider that stores the information in a fully secure token vault and provides you with an opaque token that cannot be reversed to the card data outside that vault. You may then use that token to submit payment information to your choice of payment processors and gateways, without ever bringing the sensitive information into your own environment. Not only does this drastically reduce the risk of a data breach, it strongly reduces the cost of PCI DSS compliance: when the sensitive data simply isn’t present in your own system, the processes needed to manage it are far simpler.
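The tokenize-then-forward pattern just described, as an added Python sketch that is not Basis Theory’s product or API: the platform stores only a random token and the last four digits, and the vault substitutes the real card number only on the outbound request to the processor. The `TokenVault`, `PlatformApp` and `fake_processor` names, and the test card number, are constructed for this example.

```python
import secrets

class TokenVault:
    """Stand-in for a third-party token vault (hypothetical): the only place the PAN lives."""
    def __init__(self):
        self._store = {}

    def tokenize(self, pan, exp):
        # The token is random, so it carries no information about the card number.
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = {"pan": pan, "exp": exp}
        return token, pan[-4:]

    def forward(self, token, payload, processor):
        """Swap the token for the card data only on the request sent to the processor."""
        card = self._store[token]
        return processor(dict(payload, pan=card["pan"], exp=card["exp"]))

def fake_processor(request):
    """Constructed processor endpoint: approves anything and echoes the last four digits."""
    return {"status": "approved", "last4": request["pan"][-4:]}

class PlatformApp:
    """The SaaS platform's own environment: it holds tokens, never full card numbers."""
    def __init__(self, vault):
        self.vault = vault
        self.customers = {}

    def save_card(self, customer_id, pan, exp):
        token, last4 = self.vault.tokenize(pan, exp)
        self.customers[customer_id] = {"token": token, "last4": last4}
        return token

    def charge(self, customer_id, amount):
        rec = self.customers[customer_id]
        return self.vault.forward(rec["token"], {"amount": amount}, fake_processor)

def full_pans_in_app_storage(app):
    """Scope check: any value in the app's own records that looks like a full card number."""
    return [v for c in app.customers.values() for v in c.values()
            if str(v).isdigit() and len(str(v)) >= 13]
```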
Risk management options with Coris and Basis Theory
Building a risk strategy for your embedded payments product is complex, but you don’t have to go it alone. Reach out to the Coris and Basis Theory teams to learn more about risk management best practices and how our solutions can help you keep fraudulent actors at bay.