23 July 2021
Fraud in the Buy Now Pay Later Industry
Contributed by Niall Whelan from Ekata
Ekata is a member at Bridge+ 79 Robinson Road. This is part of a Bridge+ Members Thought Leadership series on topics such as Finance, Tech and Sustainability.
Buy Now, Pay Later (BNPL) is not a new idea, but with the boom in e-commerce during the Covid-19 pandemic, BNPL has exploded onto the payments scene as a major industry. The idea is essentially a simplification of the credit process by providing ‘instant credit’ at the point of sale. This means that when the buyer makes a purchase online (or in-store, as the industry expands) they have the option to split their payment over installments without the fees or complexity of a traditional credit card. Providers in this space include Afterpay, Humm Group (Australia), Split (Malaysia) and Affirm (US).
Companies providing this service are essentially leveraging two key market segments:
- Underdeveloped Credit Markets: People who lack access to traditional credit channels. This can be due to the systematic failure of these channels – particularly in markets where the credit industry is not as developed. Examples include Malaysia and the broader South East Asian Market where credit card usage is not common.
- Mistrusting Millennials and Gen-Z: These groups mistrust traditional credit channels (such as credit cards) or don’t wish to pay the credit card interest rates. This happens particularly in the more developed credit markets such as the US and Australia.
Are the risks the same as traditional credit lenders?
Not quite. BNPLs face all the same credit and fraud risks as traditional lenders but face two additional risk factors:
- Speed of Decision: Instant credit means the BNPL provider needs to make a credit decision in the time it takes a customer to complete a transaction. In contrast, traditional lenders can take minutes, hours or days to make this decision. This speed factor makes this process a target for fraudsters equipped with fake and stolen identities as they can access tangible goods with a lower likelihood of initial detection.
- Chargeback liability: Many BNPLs take on the liability of chargebacks from the merchant. This offers an additional incentive for the merchant to drive customers through this channel as the chargeback can be viewed as a guaranteed service on top of a payment mechanism.
How do BNPL companies quantify these risks?
- Credit Risk: Someone who wants to repay a loan, but can’t. For example, the consumer has inconsistent work and may not have enough income to make a BNPL repayment each month.
- Fraud Risk: Customers attempting to purchase goods or services using stolen identities and credit cards, with no intention of making repayments. These materialize in chargebacks and “Never Payment” defaults.
It’s important to note that the end result is often the same – a loss/writeoff for the BNPL. However, several BNPLs have worked with customers with economic difficulties to provide alternative schedules of repayment. These actions help reduce revenue loss and build loyal customers. The same avenues are not available for fraud as perpetrators are rarely brought to justice and thus, the revenue is never recuperated.
How do fraudsters operate in BNPL?
Once risk is separated into these two categories, the next step in targeting fraud risk is to clearly define what actually counts as a fraudulent event. The first and most obvious task is distinguishing fraudulent chargebacks from non-fraudulent ones. A chargeback filed because the goods received were faulty or were never delivered should not be identified as fraud; it belongs in a separate bucket of customer-service chargebacks. These should generally be passed on to the merchant because the cause is within the merchant’s control, not the BNPL provider’s.
Those chargebacks that are truly fraudulent will come from two sources:
- Stolen credit cards where the true owner has realised their card details were stolen.
- Opportunistic fraudsters using their own credit card and denying they made the transaction.
As a rule, the first category of chargeback will be in the majority and requires the most focus. It’s important to note that chargebacks generally occur when the BNPL requires a payment immediately as part of the transaction.
“Never Pay” Frauds
The other key fraud risk subtype is the “never pay” fraud. This is where the fraudster uses a combination of their own identity data and stolen, synthetic and/or fake data to pass both fraud and credit checks, with no intention of making the repayments on the purchase. The fraudster’s aim is to give away as little of their own data as possible, and to ensure that any personal data they do provide is disposable or untraceable.
A simple example of this would be providing a phone number (from a prepaid, disposable phone) to pass a one-time password check, a dropoff address for delivery (to avoid any link to an actual, traceable address) and a neighbor’s details for the remaining identity data. The credit check completed by the BNPL will naturally rate the listed neighbor as extremely likely to make the repayments because of their great economic circumstances. The card used for any initial payment or check will often be a virtual or burner card that can be disposed of quickly before any repayments are due. Some particularly organised fraudsters will create a card in the name of the person they use as the identity on the application to try to align the information and reduce the likelihood of detection.
A key difficulty in identifying this fraud is separating it from credit risk scenarios where the customer has been unable to repay. Initially, BNPL providers may be able to validate whether a default is credit- or fraud-related by individually contacting each defaulter. This approach does not scale, though, and over time categorising fraud vs. credit risk can be a challenge.
How do I stop these types of fraud?
Check that all data elements provided are valid. A simple example would be to ensure the email is in fact a genuine email or that the address is a private residence and not a dropoff point. These simple types of checks can reduce the need for more costly and thorough checks.
Authenticating the Data Elements Match
Getting 3rd party validation that the name on the application is actually the resident at the delivery and billing address provided is a no-brainer in identifying fake or synthetic identities. The same applies to the phone number and email. If the phone number you send a one-time password (OTP) to doesn’t belong to the person whose name is on the BNPL transaction, then you’re giving the fraudster an opportunity to provide a positive data point (i.e. passing the OTP) without proving that there is any link between that person and the phone number.
A standard practice with BNPL user flows is to check the phone number and/or email using a one-time password. This helps to prove ownership of the data elements provided. It’s recommended to check at least one of these elements, if not both.
3D Secure (3DS)
Let’s start simple – stolen cards. Reducing chargebacks by applying 3DS on high-risk (or indeed all) transactions is a common practice for most BNPLs. It passes the liability on chargebacks to the issuing bank and allows a BNPL to focus on the population where the likelihood of purely stolen identities is lower. 3DS does however come with a cost associated with it, as banks require a fee for this service. Applying simple validation (e.g. MOD10, address validation) and matching rules (e.g. Name to Phone Match) prior to sending these transactions for 3DS can help to reduce costs for obviously fake information. One of the pushbacks often seen on 3DS is the friction it adds to the customer journey (particularly on standard e-commerce transactions). But given that the customer is receiving an installment plan, the feeling is that there is an acceptance of this friction for the convenience BNPL provides.
Rules-Based Risk Assessment
Using historic fraud trends to help predict future patterns of chargebacks and “never pay” frauds is a good way to reduce fraud risk over time. Leveraging simple rules to place transactions in reject, accept or manual review buckets allows for easy classification of next steps in terms of action. One key area to note is that this should be done before or in parallel with a credit risk decision. Combining both credit risk and fraud risk decisioning in the same ruleset has the potential to create noise and therefore impact performance on both. A key element of effective rules is data, and more specifically the right data to separate good transactions from fraudulent ones. Leveraging internal data (transaction amount, type, and velocities) is a good starting point. However, as fraudsters become more aware of how the rules system works, the focus will probably turn to 3rd party data sources that provide a more holistic network of activity in a given vertical, region or globally.
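As an added illustration (not code from Ekata or any BNPL provider), the sketch below chains the MOD10 pre-check mentioned under 3D Secure with a small ruleset that sorts applications into the reject, accept and manual review buckets and decides whether the 3DS fee is worth paying. The field names, thresholds and sample applications are assumptions constructed for the example.

```python
from dataclasses import dataclass

def mod10_valid(pan: str) -> bool:
    """Luhn (MOD10) checksum: catches mistyped or made-up card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Application:                  # hypothetical field names
    pan: str
    amount: float
    orders_last_24h: int            # internal velocity signal
    name_matches_phone: bool        # third-party name-to-phone match result
    address_is_residential: bool    # False for a drop-off point
    otp_passed: bool

def triage(app, max_amount=500.0, max_velocity=3):
    """Return (bucket, send_to_3ds, reasons). Thresholds are illustrative."""
    if not mod10_valid(app.pan):
        # Obviously fake card data: reject without paying for 3DS.
        return "reject", False, ["mod10_failed"]
    reasons = []
    if not app.otp_passed:
        reasons.append("otp_failed")
    elif not app.name_matches_phone:
        # A passed OTP proves control of the phone, not a link to the name.
        reasons.append("otp_on_unlinked_phone")
    if not app.address_is_residential:
        reasons.append("non_residential_address")
    if app.orders_last_24h > max_velocity:
        reasons.append("velocity")
    if app.amount > max_amount:
        reasons.append("high_amount")
    if len(reasons) >= 2:
        return "manual_review", False, reasons
    return "accept", bool(reasons), reasons   # one signal: accept with 3DS

SAMPLES = {                         # constructed sample applications
    "clean": Application("4111 1111 1111 1111", 120.0, 1, True, True, True),
    "bad_card": Application("4111111111111112", 120.0, 1, True, True, True),
    "large_order": Application("4111111111111111", 900.0, 1, True, True, True),
    "unlinked": Application("4111111111111111", 900.0, 1, False, False, True),
}
```

This fraud ruleset runs on its own, before or alongside the credit decision, so its signals stay separate from credit risk signals.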
Machine Learning-based Decisioning
This tends to be the final step on the fraud development journey of any BNPL (and many other industries). The key to a good machine learning model is quality data inputs. A strong data strategy involves curating and generating these inputs, as there are many 3rd party data sources with many different types of data. Some of the types of data that many BNPL providers use for this are device data, identity data and behavioural biometrics.
Principal Field Data Scientist, Singapore
Niall has supported fraud teams as a data scientist in a range of fields from travel to financial services. He loves thinking about how to experiment, optimize and innovate processes both when it comes to working with our customers and his own endeavors.