We're very excited to have welcomed Gill Wells to the podcast this week to talk about how and if merchants can work together to combat fraud. Gill is the Revenue Assurance Manager at Just Eat and is the Co-Chair of the European Advisory Board for the Merchant Risk Council (MRC).
Gerry: Hi Gill, welcome to the podcast.
Gill: Thanks for having me.
Gerry: I think it’s going to be an interesting topic today, to my mind at least, the fraud fighting industry in the last couple of years has done a reasonably good job of combating fraud but doing it as individual companies, offering individual solutions, bought from individual vendors. Fraud has evolved over that time and seems to be getting smarter, so I’m wondering is the next step to move beyond these individual solutions and start to collaborate as an industry to fight fraud. What are your thoughts on that?
Gill: Yes, I think collaboration, certainly for me has been important in combating fraud and I think one of the big takeaways in terms of pushing collaboration is that you don’t know what you don’t know and by speaking to other merchants or people with similar experiences, you actually get to understand the fraud a bit better because when you first come into the sort of fraud fighting scene, typically a company who starts taking payments will start seeing chargebacks and they need to understand why they are getting those chargebacks. I think you can do a certain level of root cause analysis but there comes a point where you need to learn more and by speaking to people you get to learn from their experiences, you get to kind of fast-track your own learning by instead of struggling on your own and I think there’s a lot of value in that.
Gerry: Do you think that people are generally receptive to sharing information with each other on what’s happening and some general advice on what to do best against fraud, or do they tend to keep that information to themselves?
Gill: Yes, it’s a tricky one. I think once you get in a comfortable environment and you trust the people you are with you do tend to share more and I think creating those environments is quite important. There are organizations that create those environments, you can have discussion tables or intimate workshops, those sort of things, and I think you get a lot more value out of that than just being talked at by an expert because at the end of the day, or say at the end of that session, I think you do see a lot of the audience members going up to that speaker and asking about their individual problem because yes, you’ve learnt about some high-level sort of fraud strategies that fraudsters are using but you want to learn more about how that applies to your business. So, having those connections and speaking to someone that you trust, you know, I think you can get more out of it and creating those environments is really important.
Gerry: I mean, it seems logical, right? No matter what business you’re in, as a company, a common enemy is the fraudster, I don’t think it’s a case of competitive advantage. But, I mean, what sensitivities do you think people have in sharing advice?
Gill: First of all, you know, from a data perspective you have to run the gamut of all the rules and regulations around data protection and data privacy and PCI and that gets very complex very quickly. You’ve got country-specific regulations that you have to take into consideration, especially if you’re a global merchant, and yes, I think it becomes really hard and I think trying to find a way to share that information, you need to have, I think, an understanding from your lawyers or your legal teams about how you can do that without breaking any rules or not putting your company in peril. We want to mitigate those vulnerabilities, so I think it’s a difficult one but I don’t think it’s unobtainable. Sometimes, it’s not just sharing the data, it’s just sharing the experiences and learning from what other people have done.
Gerry: I mean let’s imagine a wonderful world where there are no legal difficulties or PCI compliance or those problems at least were solved. What information or data do you think companies should be sharing with each other in order to mitigate fraud?
Gill: Well, I think some of the obvious ones, and some of the easier ones, I know you want me to disregard regulations, but what comes to mind is fraud notifications. We have TC40s from VISA and safe notifications from MasterCard, these are confirmed fraud alerts that merchants can receive from the acquirers or even straight from the schemes if you like, that can be received before a chargeback has been issued. So, that information, it’s obvious fraud and you can work with that data to refund a transaction before it goes to a chargeback and you can also share that information because it doesn’t come under PCI. Ideally, it should be cards that have been cancelled because they’ve been used fraudulently, so it should be…one, it’s easier to obtain and it’s free to obtain and getting into a position where we can share that should be easier and I think because it’s confirmed fraud there’s no issues with the integrity with the data. I don’t see why we shouldn’t be sharing that.
Gerry: I mean it’s a big concern in the industry that a fraudster in one vendor or merchant is not a fraudster in another merchant and blocking them as a potential false positive, is that, do you think, holding back this collaboration?
Gill: I think the integrity of the data is a real concern. I mean, if you want to share parameters pertaining to chargebacks, not all chargebacks are issued because a transaction is fraudulent, sometimes it’s because you’ve had reason codes like service not rendered or product not as described, you know, I don’t want as a merchant in the food delivery business, I want to…if I’m going to receive data from another merchant in the food delivery business, I want it to be because a stolen card was used to make payment for a pizza not because the pizza was cold. So, I think that’s where it becomes important to get the right data and having that understanding across merchants collaborating and sharing is really important.
Gerry: But these are I guess hard problems, they’re knotty problems, they’re complex, but they sound like there worth solving, right? Let’s assume we can do that in some way, we can decide on a set of parameters that are legitimate, that are fraud-related, that are useful across merchants. I mean, would you encourage merchants to join into a scheme like that where there is this ability to share information?
Gerry: And come together and solve those problems even though they are hard?
Gill: Yes, and you know, knowledge is power. You know, the more information we have the better decision we can make and the more we can mitigate fraud so if we could ensure that legal and technical issues are not a problem, why wouldn’t you?
Gerry: I want to talk a little bit about one of your other hats, which is the MRC - the MRC is the Merchant Risk Council, for people that don’t know, it has been around for a few years, I’m not quite sure of the history of it.
Gill: Yes, it’s five years in Europe and 15 globally.
Gerry: Right, so it’s newer than I thought. When should a merchant consider joining the MRC and what sort of benefits would they get from that, and does it cover some of the things we’re talking about in terms of this collaboration, I think mostly on the education side if not the data sharing side?
Gill: Yes, I think the MRC caters for a number of different arenas. There’s the networking element, the benchmarking you can get, the education piece, there’s a lot of value that the MRC offers and that is across people in their careers. So, I think when you first come across a fraud problem in your company, if you’ve just started taking card payments and when you start seeing a problem, I think as a first port of call, go to your PSP, and get them to put you in touch with people who you can collaborate with. And a lot of PSPs have joined the MRC because they see the value that the MRC can give to the PSP’s merchants and they think it adds value as an entry-level analyst, for example, to someone who’s running a fraud strategy. The MRC offers 101 education sessions to people new to chargebacks. I mean the complexities of chargebacks and fraud is not rocket science but you need to know all the basics and you need to know how to go about things like root-cause analysis or the regulations and just get a basic understanding. And then from there you get to a point where you can actually speak to other senior fraud professionals, discuss different MOs that fraudsters are using and collaborate that way, learn that way but also build a strategy. I mean it’s not necessarily a fraud analyst’s role to build a fraud strategy but also fraud analysts need to know just how to split out chargebacks according to their reason codes and do root-cause analysis. So, you’ve got opposite ends of the spectrum in terms of fraud management and I think the MRC caters for that whole spectrum. So, when should you join? Now!
Gerry: Okay, thanks very much Gill, I think that’s a great point to end it on.
Gill: Thanks very much Gerry.