Addressing merchant fraud and the KYC challenge for B2B platforms and aggregators —By Asheeta Regidi and Reeju Datta

By Asheeta Regidi and Reeju Datta

Many Business-to-Business (B2B) service providers today perform a function much like payment aggregators (PAs), of on-boarding merchants into the digital ecosystem. Whether through easing access to financial services, markets access or resolving any other issue via a range of services, these players enable businesses of all shapes and sizes to explore their potential.

PAs, banks, Business-2-Business (B2B) and Business-2-Consumer (B2C) e-commerce marketplaces, aggregators of offline retailers (like digital bookkeeping apps), non-bank lending to Small-Medium-Enterprises (SME), B2B neo-banks, and others (collectively, ‘Aggregators’) all play a similar role. While these players bring benefits like efficiency and financial inclusion, they also encounter the same problem, the scale of which is fairly unique to India, of tackling merchant fraud.

Fraud during online transactions is very often associated with payment processing, and payment processors and PAs consequently. Today, as providers of indirect access to the financial system, effective end-merchant verification is an equally crucial challenge for all Aggregators.

Fraud at the merchant level

Transaction level fraud in payments, such as unauthorized transactions via stolen cards/phishing or false refund/chargeback claims, often occurs at the individual level, and is largely mitigated due to mandatory two factor authentication. However,  merchant level fraud occurs at the business level, and is rampant. The larger scale is because multiple users can be duped at once, also making merchant fraud the major cause of fraud induced losses for PAs.

The fraud itself can occur through multiple means:

• An inoperative business posing as an operative one
• A restricted/prohibited business posing as a lower risk business
• A fake storefront set up to execute bust-out fraud (for utilising fraudulently obtained credit lines)
• Transaction laundering, or utilising a legitimate merchant’s credentials without its knowledge to process illegal transactions
• Straightforward identity theft assuming an existing merchant’s identity, or creating an altogether new identity
• Approved, legitimate merchants allowing fraudulent activities, like factoring (allowing unapproved affiliates to use their payment credentials), or engaging in money laundering/tax evasion.

Different service providers face different types of merchant frauds. For example, while e-commerce marketplaces face issues with sale of inauthentic products or non-delivery, lenders providing business loans can find that these are utilised for personal purposes or were disbursed to shell companies. The aim of the fraud can also vary, PAs, for example, face fraudulent transactions which aim to dupe users, and also money laundering and tax evasion tactics which aim to dupe the authorities. Identity, however, often forms the crux of merchant fraud, whether as a fake business or a legitimate business conducting fraudulent activities.

Challenges and solutions for merchant fraud detection

The means of deception can range from forging identification documents, creating fake business profiles/storefronts, forging invoices/ receipts, restructuring transactions to fall below reportable thresholds and other techniques. To effectively monitor fraud, a holistic approach, involving the merchant’s entire portfolio and proper technological support is thus, required.

Applicable regulatory mandates also require risk management frameworks comprising pre on-boarding Know-Your-Customer (KYC) and screening, and post-on-boarding monitoring of merchant behaviour and transactions. These do however permit risk-based flexibility with actual adopted solutions. Internal risk profiling, periodic updates, and fraud reporting (to the Financial Intelligence Unit of the Government (FIU-IND), Central Bureau of Investigation/Police, Reserve Bank of India’s (RBI) Department of Banking Supervision, and others) are also required. Even where there are no mandates, Aggregators carry out these via self-imposed checks. Different checks allow recognizing different fraud indicators, and in the process also encounter specific challenges:

• Digital on-boarding processes: Consider the digital checks backing increasingly digital on-boarding processes, for example the RBI and Insurance Regulatory and Development Authority’s Video KYC norms, or  the Securities and Exchange Board of India’s (SEBI) recent e-KYC permissions. One issue here is the ease of faking a storefront online via seemingly professional business websites, regardless of whether an actual brick and mortar storefront exists. Therefore, steps like verifying domain name purchase dates, actual site visits and social media activity, can help spot shell companies, for instance. Business authenticity also needs to be verified through licensing/registration checks, credit checks and examining balance sheets. Here, progress in digital crime capabilities (for example, the deep-fake threat to Video KYC) also needs to be tracked.
• Merchant website checks: A merchant’s website also provides indicators to Aggregators, like reviewing product listings and online customer reviews to help identify the sale of prohibited/fake products. This also helps reassess merchant risk levels post on-boarding, like identifying merchants who maintained an artificially low-risk profile at the time of on-boarding. One challenge here is of merchants themselves being unaware of their website’s misuse, be it a crime like pagejacking or an end-merchant enabling an illegitimate sale.
• Money laundering/tax evasion detection: Detecting money laundering or tax evasion is challenge given the payments chain’s complexity, which can involve multiple intermediaries or variations in payment cycles. For example, the merchant can route customer funds through multiple payment intermediaries, to enable a direct disbursement to fraudulent recipients thereby, enabling laundering, or so the funds never reach the merchant’s legitimate bank account. This helps in concealing revenue and avoiding tax obligations. A beneficial owner check can also help identify money laundering/terrorist financing concerns, say an investor identified from the company’s filings with the portal of the Ministry of Corporate Affairs, whose name matches one on a sanction, Politically Exposed person (PEP) or international Anti-Money-Laundering/Combating Financing Terrorism list.
• Payments innovation: Fraud detection strategies also need to keep track of vulnerabilities arising out of payments innovation itself (for instance wallets, Unified Payments Interface, fintech participation through open banking/Application Programming Interface access and other new payment channels that are opening up). Internet Protocol (IP) whitelisting for instance is necessary to ensure only authorised access takes placethrough open banking channels. A banks’ transaction monitoring algorithms also would need to become more intelligent for transactions routed through such channels, for example, the data points to be assessed would differ.
• Real-time fraud detection at scale: Further, instant on-boarding and instant settlement today, requires real-time fraud detection. The proliferation of digital payments and numerous new merchants (like micro-merchants) also requires effective fraud prevention at scale. New age anti-fraud technology can offer the requisite tools here, including:
  • Automated alerts for transaction anomalies (Merchant Code Category violations, URL mismatches, unusual transaction/refund/chargeback frequencies/patterns, or exceeding permitted limits, to name a few,
  • Artificial Intelligence based document and identity authentication,
  • Automated web monitoring for identifying illicit merchant websites or payments processing through unreported/ shadow sites,
  • Automated underwriting

Regulatory steps to improve fraud management

Along with the above steps that Aggregators can take, regulatory initiatives (that are balanced with ease of business) can also help. Currently, all ‘regulated entities’ (PAs, non-bank lenders and others,) have to conduct merchant due-diligence and KYC as per the RBI’s KYC norms. Applicable regulatory frameworks for specific Aggregators—PA Guidelines, Consumer Protection (E-Commerce) Rules, 2020, NBFC-P2P Lending Directions, Trade Receivables Discounting System Guidelines, among others—also mandate steps to protect end-customers. There are a few further steps that regulators can implement to help ease verification processes:

1. Improving merchant fraud data and access: Existing published data on financial fraud doesn’t distinguish between transaction and merchant fraud, which is data that can help identify fraud/risk patterns. While the Central Fraud Registry and the pilot Central Payments Fraud Information Registry—with its focus on real-time data sharing for preventive action and identification of suspect beneficiaries—are welcome steps, their focus on merchant fraud is unclear. Positive indications nevertheless come from reports of the Payments Council of India’s efforts to develop a merchant fraud registry. A common negative database of customers defrauding several merchants is also proposed, and an equivalent fraudulent merchant database would be welcome. Additionally, reporting obligations prescribed under the Prevention of Money Laundering Act, or the RBI’s KYC Direction, for example, currently focus on fraud detected via irregular transactions. Fraud detected via due diligence and KYC goes unreported, even though these can also be a valuable source, for a scam discovery for instance. At present, pre-transaction reporting happens only when a name matches terrorist/sanctions lists. A second factor is improving current reporting mechanisms—for instance bringing in faster FIU-IND on-boarding and enabling fast-track handling for escalations, particularly when the fraudulent transactions’ quantum is high. This includes implementing FINnet 2.0 plans (the tender for this was awarded recently).
2. Digitising business verification: Digitising business checks needs steps like permitting API-based document verification and on-boarding. The RBI for example currently only permits KYC documents as ‘certified copies’ (signed, verified physical copies) or ‘equivalent e-documents’ (digitally signed using eSign, Digi Locker documents or official e-documents like National Securities Depository Ltd’s e-PAN or Ministry of Corporate Affairs’ e-AoA/e-MoA). The RBI appointed U.K. Sinha Expert Committee (which first suggested current video KYC norms) advocates for a API based verification for ‘entity-proof’, via MCA, Goods and Services Tax, Service Tax, Tax Payer Identification Number, Importer-Exporter Code, Professional Tax, Shops & Establishments certification, Institute of Chartered Accountants of India, and others. Another recommendation is a ‘Universal Enterprise ID’ or the PAN/GST Identification Number acting as such. Such an ID is to enable all ‘entity-proof’ verification and to directly fetch details like name, registered address, and other details, from databases. The proposal for mandatory PAN for non-individual KYC also serves as groundwork for this. Further, The proposed Public Credit Registry will also allow digitised merchant credit checks. Where required, frameworks for Aggregator access to such data (directly, via intermediaries, or other means) should be created.
3. Simplifying business KYC for micro-merchants: On-boarding rural and micro merchants, by B2B and B2C marketplaces, is a challenge due to the lack of proper business KYC documents. The Wattal Committee report recommended flexible KYC for small merchants, like substituting individual KYC for business KYC when necessary. In particular, the Committee noted the ability to monitor transactions and account activity, even without official business documentation, thus allowing even small merchants to benefit from the formal financial system.
4. Enabling KYC sharing The RBI’s KYC norms permit entities to rely on third parties for KYC, much like the one-time KYC seen in the securities industry. Among the key challenges for such KYC sharing however, for banks for example, is the lack of ‘digital’ KYC data and inefficient sharing mechanisms. Though the C-KYC registry is in place, it has been facing issues with adoption. Additionally, C-KYC for business verification is not yet operational. For PAs specifically, KYC relaxations are being brought in by distinguishing between account-opening (banks) and on-boarding (PAs) relationships, allowing reliance on the former’s already completed KYC checks. Liability, nevertheless (here), remains with the PA, requiring and assessment of the KYC checks’ adequacy without relaxing other checks. These are welcome safeguards, considering the differing due diligence checks required based on the Aggregator’s service/ the merchants (a PA for instance conducts these checks from a business legitimacy and payments purpose perspective). Alternative solutions for KYC have been proposed, like blockchain based KYC sharing. The Account Aggregator (AA) framework can also be utilised post a KYC relaxation, allowing consent-based sharing (banks for example are prohibited from sharing KYC data except under a law or with customer consent), followed by API based verification. This would allow sharing of KYC identifiers (PAN numbers, GST-INs, Corporate Identification Numbers among others.) via the AA schemas, together with KYC data like business names, address, beneficial owner details, for example. The actual documentation records however cannot be shared under the AA framework.
5. Regulatory frameworks: Legal ambiguities also add to on-boarding challenges. Consider the gaming/gambling conundrum, virtual currencies or even crowdfunding platforms. Clear regulatory frameworks would aid for example assessing the legality of servicing them or verifying compliance/licensing, and from a scams perspective, understanding user verification responsibilities (SEBI’s Crowdfunding Consultation Paper for example recommended project vetting by the platform). Additionally, under the upcoming data protection law, unless exempted (say ‘reasonable purposes like fraud), self-adopted KYC practices can run into consent issues. With the proposed amendment to the Information Technology Act, basic Aggregator regulation comprising basic consumer protection norms, applying (only) in the absence of specific regulation, can also be explored, providing legal backing to self-regulation.

Enabling proper fraud safeguards

While fraud primarily impacts consumers, involved entities aren’t spared either, be it through regulatory sanctions/fines, legal action, chargeback liability, or significantly, damage to reputation and public trust. The Phatak Committee identified on-boarding as the biggest hindrance in bringing India’s 45-60 million merchants (including mom and pop stores and small format merchants) online. B2B services and aggregators play an important role, and the suggested steps work towards both effective fraud tackling and removing on-boarding friction.

Digitisation with proper safeguards are thus essential on both counts.

Asheeta Regidi is the Head of FInteh Policy and Reeju Datta is the Co-Founder of Cashfree, a payments and banking technology company.

Edited by Advait Palepu