And we're back! This time with James Nurse, Head of Fraud and Payments at Pockit, which provides straightforward and fair alternative accounts to traditional banks for their customers. He and CMO Gerry Carr sat down this week to chat about issues around fraud in the prepaid card industry. You can listen below, find it on iTunes or visit our Soundcloud page. Enjoy!
Gerry: We are going to continue our look into the world of fraud and payments. This week we have with us James Nurse who works for Pockit. James, do you mind telling us a little bit about yourself?
James: Sure, I’m kind of from a gambling background, but I’ve been at Pockit for the last 18 months, setting up a lot of the fraud stuff. We had kind of a blank canvas when I came in and then that’s it really.
Gerry: That sounds very interesting. Just for people, and there probably are a few left in the world, who aren’t familiar with Pockit, could you tell us what Pockit are, what they do, what sort of market space they are in?
James: We are essentially a prepaid card. So we run off the MasterCard scheme. We are trying to be an alternative bank account to people that can’t necessarily get one. If you compare us to someone like Monzo, they try to cater for people who are served and they find it very easy to get banking facilities, whereas we are really much going for the people who the banks don’t facilitate at all. They have no interest in because they have no value for money and make no money from them at all.
Gerry: So opening up new ways of banking to a whole new market must have its own fraud characteristics. Is there anything in that market space that is unusual from a fraud perspective or trying to get people onboard who are legitimate?
James: Yeah, obviously we are trying to be the world’s most inclusive bank so with that comes its own risks; kind of onboarding process might not necessarily be as tight or as strict as the normal bank accounts that you’d open with your high street banks. So we certainly do have complications and different risks that come with that.
Gerry: I suppose the whole reason for you guys existing is to be able to get people onboard who don’t pass all the normal checks, is that right?
James: Pretty much, yes. Our whole slogan is, ‘we offer cards for everyone’ so regardless, you are going to get a card of some sorts, whether it’s a lower limit or higher limit depending on your KYC or verification status.
Gerry: So which checks do you use? There is terms in your industry which are KYC, which I think is ‘Know Your Customer’, is that right? You have anti-ML, which is ‘Anti-Money Laundering’ legislation.
James: Yes which I’m actually right in the moment. It’s a hefty piece of work; it’s a good 40 page document that I have committed to. That’s got to be done by the end of next week which will be fun. In terms of KYC, you are correct; it’s ‘Know Your Customer’. Upon registration, any website you go on, you fill out a registration form. As soon as they press submit, it sends us a call to our third party and we do an e-KYC, an electronic verification process. It looks for 2+2 match on two data sources. It’s usually your name and address on things like where your bills are paid, postal registration. It does a general deceased account check as well to see whether you are deceased because we don’t want to be onboarding any customer that’s dead, which is obviously good.
Gerry: What sort of fraud patterns do you tend to see there?
James: A lot of recycling of data. What fraudsters do a lot is re-use information especially names. I think you can buy an individual’s details on the darknet for only 5 pounds or something ridiculous like that. We do things like sanctions checks and also PEP checks, politically exposed individuals. People will say they’re David Cameron; they come in tiers so you can do a tier one check. These are like your Obamas and people like that which is what we’re mainly looking out for, but you can also do the later on tiers which are tier III which are kind of Barry at Rotherham local council or someone like that.
Gerry: It’s obviously databases out there, but how key is your own data to this? Is this something you develop? Is it a core competency for Pockit to have these rich databases of your own information?
James: Yes massively. So we’re obviously on an onboarding process as well as the standard regulatory checks that we do, we obviously do our own data checks. This is as simple as looking for duplicate accounts and also looking at past fraud trends, linking accounts, maybe accounts that we have previously suspended. Our data is really key on what we do. So we have some general logic in the background at the onboarding process again that kind of rejects or we make a risk-based decision on whether we are going to approve or reject them. We also use third parties. We are always looking at other companies which can enhance and enrich our onboarding process and layer it as best as we can. We apply a Swiss cheese approach, where you layer as many prevention tools as you can at your onboarding. Obviously, there is always going to be some fraudsters that get through at a certain stage, but you try and minimize and mitigate that risk from that perspective.
Gerry: If I am a typical Pockit customer, how long does this process take? It sounds like it might be arduous to go through this Swiss cheese approach. Is it a fast or short time?
James: From the customer’s perspective, they actually see nothing at all. They click the registration button and everything is going on in the background. As soon as they click it, as far as they are concerned, they have the card’s enroute. We have that cushion of a couple of days delivery time so it allows us that 24 to 48 hours’ time to review any ones that we flag as high risk and we make that decision to approve or reject that application accordingly.
Gerry: When I was looking into Pockit, one of the interesting things from a Ravelin perspective, one of the things we are also looking for is payment card fraud and I think it’s true that you guys allow people to deposit funds from a card. Is that right?
James: Yes, that’s right. I think about 30% of our loads source come through cards. So obviously quite a large proportion of the money comes through card loads.
Gerry: I don’t need to tell you or listeners that there is an awful lot of stolen card details out there. It’s easy to get stolen card credentials from the darknet. It doesn’t cost a lot of money. How do you prevent that particular type of fraud at Pockit?
James: From our perspective we take quite a strict approach. We offer 3-D Secure for all of our payments. That is a prevention tool and it deters fraudsters and not everyone has anything in these kinds of line and thus we can’t prevent everything but it also moves the liability shift away from Pockit. So we’re not financially liable which is really good. We also have a rules engine in our payments gateway. What that does is it sets in velocity rules to pick up certain trends that we flagged previously which is quite easy. We can determine whether we are going to accept or not. We also do things like name and address checks with the issuer to determine if the card is in fact the person whose name is on our account.
Gerry: Do you get many attempts of fraudulent people trying to – but I guess the fraud here is stolen credentials and trying to put them into your account. I then [07:06] my money and I can take that money out just to clarify what the potential fraud risk is.
James: Yes, we do. The kind of trend you will see is they will test an account with cards. They will do a small deposit of 10 pounds just to see if it works. Then they’ll do what we call stacking; they will then put say, 100 pounds followed by another 100 pounds and a 100 pounds and so on.
Gerry: To test what the daily limits are.
James: Exactly. So rather than not just our limits, it’s to see if the bank will flag it as well. They will try to go under the radar with the first transaction and then they will stack the other transactions that are coming at to see if they can get through, and then until the card declines basically.
Gerry: So for you guys it’s a daily occurrence. This is something you see frequently?
James: Quite a lot. Yeah if you go onto our gateway review, some of our transactions coming, you see people trying like large transactions, 10k, 20k. Other than that, the clever ones try to go under the radar.
Gerry: Speaking of 3-D Secure, one thing we hear a lot about 3-D Secure from most of the people we’re dealing with are merchants who are selling goods and services. 3-D Secure has a pretty severe conversion hit. This can vary from industry to industry. I am just wondering if you guys see it, if legitimate customers get discouraged to continue with the deposit or credit card creation because they have to go through this.
James: It definitely affects conversions. If we compare it to the gambling industry which I obviously know reasonably well, they approach it very differently from a 3-D Secure. They do a dynamic 3-D Secure so they don’t offer it to everyone or they decide depending on the risk whether they want to push that customer through 3-D Secure or not. That works really well. From our perspective, we’re not quite ready for that because we are a financial institution. From a gambling perspective, their margins are quite high and they are happy to take the risk on board. But from a prepaid industry and a regulatory perspective, we can’t really do that. We have to be sure that the money is coming from a legitimate source.
Gerry: One of the things we’re discovering the value over or trying to push the agenda from at Ravelin, is this idea of collective sharing of data, particularly within the industry where a fraudster will tend not to try and hit just one example of that. To go to food delivery, they will try multiple food deliverers in order to maximise their chances of getting free goods. It’s probably similar I’m guessing in disruptive banks where people can put deposits from cards, they’re probably going to try, your competitors and other people in the industry. Do you think there’s something that you guys can be doing collectively that would be and maybe are doing things collectively that you think there are one of those and think there are other things you could be doing collectively?
James: Yes definitely. As I mentioned earlier like data sharing or fraudsters recycling data I mean that happens all the time. What you’ll find is they’ll go from one program to the next program. It was the same in the gambling industry as well. They would just go from one merchant to the next merchant and so on. Unfortunately there are certain problems with data sharing. Regulations don’t always allow it which makes it obviously complicated. There are a lot of third parties who are getting around that by flagging emails, IP addresses, serial numbers for devices. We’re looking at, I don’t know if you have heard of CIFAS before? They’re basically a non-profit organisation started up by the government. They are a big data centre and they flag lots of things, account numbers, sort codes. That kind of facility is really useful.
Gerry: You mentioned gambling a couple of times, gambling and gaming. That’s your background before you joined Pockit. Gambling and gaming are one of the originators of dealing with online fraud. I am just wondering, is there anything from that industry that you think these newer disruptive industries can learn and what differences or similarities there are between the two?
James: Yes. The main aim for the fraudster is always the same thing; using the company as a vehicle to harbour the proceeds of crime. So applying that principle is very similar from the prepaid to the gambling industry. The way they go about is slightly different. With the gambling industry, what you’ll find is they obviously load the funds with the risk in the gambling industry there are so many different payment methods as well. You’re not just looking at cards; you’re looking at e-wallets, virtual cards, interbank systems, and bank transfers. There’s a high risk in itself. It’s quite a high risk industry. But then, they are trying to hide the funds - they will try and get rid of them through poker for example. Chip dumping is quite a big thing, and then they will withdraw the funds via their bank account from a different merchant.
Gerry: Are there things specifically that banking could learn from the approach that gaming takes, the precautions that they have in place?
James: They are a lot better in terms of sharing data than the prepaid industry. It’s quite a close-knit community in that industry. One thing that we mentioned earlier dynamic 3-D Secure is a big thing. In terms of conversion on the transactions, they do a lot of things with tokenisation of CVA numbers. They tokenise it when the customer deposits and that really helps for a smoother customer journey.
Gerry: We’re hearing a lot about biometric identification and I’m wondering, do Pockit use it?
James: We don’t use it to a full extent at the moment. In the simplest of terms, we use it to allow them to log into their app on their iPhones and things like that. That’s very simple. It’s certainly a new technology that we’re looking into. It can save a lot of money and costs for small companies like Pockit. Certainly, I think the technology has moved along a lot in the last five years. So where a lot of these companies that we’re talking to at the moment are using it for selfie recognition and ID as well. Rather than having the customer, at the moment like we do, for due diligence, they submit a copy of their passport or proof of address or whatever in a file and upload it to us via a secure tool.
They just do a selfie on their phone or their camera or on their laptop and hold the passport or driving licence alongside the selfie and the logic behind the scenes will try and match those details together to try to determine whether that individual is legitimate or not. With that, there are still the user cases where there is always going to be exceptions that require manual review. With that 15% you’re still going to need a body at the other end to review those exceptions. But it’s certainly something that’s moving on, and it’s definitely a cost-cutting exercise for small companies.
Gerry: One of the things we look to from our banks these days is actual protection from fraud. Pockit customers, I assume, are no exception in that. What measures do you have in place to protect your customers from the nefarious actors that there are out there?
James: We’re constantly monitoring our customers, whether it’s on on-boarding as we discussed previously, or their transactions in general. We could be talking of a transaction and actually what’s going on on their cards, so their point of sales transaction when they’re buying from W. H. Smith or somewhere like that, and looking out for suspicious transactions in a foreign country, that’s one of the ideas we actually see. So a customer usually transacts in one particular area in the UK and then you see a transaction in South America. It immediately flags to us on our monitoring system and we will review it, contact the customer and determine whether this transaction they attempted is legitimate or not. We’ll also know if there’s been a compromise from their end, maybe online merchant or something, and obviously we have to re-issue cards and take the individual through standard malware practice and resetting passwords, making sure they run antivirus and things like that.
Gerry: This might be a false assumption, but I am guessing there might be language challenges with a lot of your customers – things such as it might not be native language. So when you’re calling them up that might be more difficult. Given your user profile or customer profile, are there differences do you think in the level of protection that you need to give- differences in experience or providing a different service catering to that market?
James: Yes, definitely. Particularly our customers, if we compare them to the gaming guys again, they tend to be less sophisticated. We’re giving them a bank account that they’ve not necessarily had before. So they’re not used to transacting online. They are previously withdrawing cash from the ATM or going into the bank to withdraw cash. So they’re suddenly getting exposure to a new product that they’ve not had before. There is definitely a learning element that we should be helping with, and that’s something we should be looking at going forward.
Gerry: Thanks. It sounds like a really interesting space, a really interesting problem to solve. If anyone listening is interested in getting a Pockit account, how would they go about getting one?
James: If you just go to our website and go to our registration page, it’s a really simple process. It will take you a couple of minutes and then it will be in the post in a couple of days.
Gerry: Okay great and fully secured.
James: Yes, fully secure.
Gerry: Thanks James.