building compliance programs for emerging...
TRANSCRIPT
Building Compliance Programs for Emerging PaymentsJuly 30, 2015
Presentation Overview
2
CONTENTS
Background –
WePay’sBusiness Opportunity
Demo –
A Typical WePay Implementation
Controls -
Innovative Risk Management
Conclusion –
Emerging Payments and Compliance
3
01____
Background
The WePay Payment Service
4
BACKGROUND
The WePay API enables platforms to provide payment services to their customers.
Presents Risk
“API” means application programming interface.
“Platform” means a website for crowdfunding, business tools, or marketplace, such as GoFundMe, FreshBooks, or CustomMade.
“Payment Services” are credit and debit card acceptance as well as bank transfer (ACH).
”Customers” are the platform’s users. The platform makes the purchase decision to integrate WePay, but WePay provides payment services to the platform’s end user customers.
BACKGROUND
What is a Platform Customer?
6
BACKGROUND
Platforms Provide Benefits to End User Customers
Web-hosting, website editing tools.
Business services in the cloud – recordkeeping, pay as you go.
Marketing – drive traffic.
Tools for connecting to social media, tips on conversion.
7
BACKGROUND
WePay connects to the platform’s end users.
WePay’s Compliance Structure
8
BACKGROUND
WePay Provides Benefits to Platforms
No merchant aggregation under the Card Network Rules.
Anti-money laundering, PCI-DSS, and other compliance.
When there are refunds or chargebacks, WePay must recover from the submerchant or take a loss.
No money transmitter licensing risk.
9
____
Demo02
DEMO
DEMO
DEMO
DEMO
DEMO
DEMO
DEMO
DEMO
DEMO
DEMO
WePay’s Key Differentiators Are Invisible
20
DEMO
Platform Branding
“White label” branding.
Integrated navigation.
Risk Management
Minimized end user data requirements.
Optimized for the online environment.
Leveraging data collected by platform.
21
03____
Controls
22
CONTROLS
Challenges
Risk Controls Apply Primarily to TransactionsSupplement data collected upon account creation:
Payment Transactions Disbursement Transactions
Data actively provided to WePay by users
Data input by payers (name, email, card number, CVV, zip code, transaction amount).
Transaction amount.
Data provided to WePay by the platform
Description of fundraising campaign or business.
Social media accounts (Facebook), comments, sharing.
Data passively provided to WePay by users
IP address.
Threatmetrix device id.
Data independently collected by WePay
Card network authorization.
Account linking based on email domain, CC number, etc.
Additional data actively provided to WePay by users
CIP: Legal name, physical address, TIN, date of birth, telephone number.
Bank account number; bank routing number.
Additional data provided to WePay by the platform
More comments, sharing.
Additional data passively provided to WePay by users
More IP addresses from additional logins.
CC failures, Card Network lists.
Additional data independently collected by WePay
Experian check on CIP data.
OFAC check on CIP data.
Account linking based on bank account and BIN.
Traditional AML Is Included
23
CONTROLS
But traditional controls are of limited utility.Presents Risk
OFAC name check.
Much traditional identity information is compromised (name, TIN, credit card number).
CIP validation.
Solution: active risk management to leverage the wealth of online data.
24
C O N T R O L S
1.
Machine learning algorithm scores transactions for risk.
3.
Risk analysts approve or deny transactions.
2.
Rules engine flags transactions by risk and compliance category.
WePay’s Risk Management Process
4.
Loss results are used to identify new signals and rules and to train the model.
WePay Risk Control Innovations
25
CONTROLS
WePay supports GoFundMe, a crowdfunding platform that is bigger than Kickstarter and Indiegogo.
Presents Risk
Use social media, such as Facebook, for identify verification (US Patent No. 8918904 issued December 23, 2014).
Use Risk API to pass risk data from platform to WePay (patent pending). For example, FreshBooks passes invoice information.
Generate reason codes from machine learning algorithms so that human risk analysts can better analyze flagged accounts (patent pending).
Use risk data modeling to assign a risk score based on hundreds of fraud signals, including strength of social media footprint, MCC, device characteristics, etc.
WePay’s Machine Learning Model
26
CONTROLS
Train the model, analyze results, re-train, and re-deploy < 1 day per cycle. Signals used include:
Presents Risk
Multiple accounts logged onto one device, multiple withdrawals to one bank account.
Practices the people use to hide their digital footprints, like VPN tunneling or the use of virtual machines and TOR.
Velocity variables, such as transaction volume by user, device, IP, credit cards, and bank accounts.
Transaction size, rapid withdrawal, email domain, user country, hours of the day.
WePay’s Risk Analyst Review Process
27
CONTROLS
Flagged transactions are queued for manual review.Presents Risk
Review of accounts flagged for one reason (for example, OFAC) can uncover other risk factors (location discrepancy).
Human judgment and intuition are irreplaceable ingredients for continuous improvement.
Research additional online resources such as LexisNexis to validate date of birth, address, SSN.
Search Facebook, Twitter, Pinterest, Google for a consistent story. “Known good” can be easier to establish than “known bad” – and equally predictive.
28
____
Conclusion04
29
C O N C L U S I O N
Emerging Payments Require Innovative Controls
Identity is at the core. Supports account linking to combat fraud. Also essential to anti-money laundering compliance.
It’s an online arms race. Rapid iteration is essential as data is compromised and techniques evolve.
The human element is essential because fraudsters are human, too.
WePay Is Hiring!
30
CONCLUSION
Chief Compliance Officer - Worldwide
Manage WePay’s AML program.Document processes; provide training.
Support expansion to Europe, Australia, and beyond.
Lead compliance initiatives in the areas of Privacy and Card Network Rules.
Respond to audits and requests from law enforcement.
Minimum 5 years experience; ACAMS credential.
Apply at www.wepay.com/careers
31
Questions?