While AfterPay might still ruffle some feathers, when it comes to fraud risk, it really is sticking its neck out for the little guy, argues ClearSale’s Rafael Lourenco
It seems like everyone wants to sink the boot into buy-now-pay-later services these days.
Whether it’s UBS' latest note saying AfterPay shares could halve in a year due to increased regulation, bewildered reactions to AfterPay’s AUSTRAC submission last month, or outrage over Millennials’ preference for delayed budgeting, these controversial layby companies are generating some heated debate.
But when it comes to managing cyber fraud risk for online retailers, AfterPay is actually one of the safer methods for dealing online, both for merchants offering installment payment plans and their customers using them.
It might feel counterintuitive, but it comes down to two main factors. Firstly, AfterPay bears all the credit risk itself, taking responsibility for reimbursing both merchant and customer should a fraudulent transaction take place.
And secondly, the platform often requires too many data points for criminals to bother with.
For online retailers operating in the tricky ‘card not present’ world, this kind of approach should prompt a deep sigh of relief, as no Australian bank offers any such protection, and the battle with online fraudsters is only getting more ferocious.
Card-not-present fraud erupts
Alongside the explosion of eCommerce, card-not-present transactions, that is, any digital purchase made without scanning a card chip, account for the largest number of credit card frauds in Australia.
Using sophisticated malware and convincing phishing techniques, criminals scoop up credit card details online and then on-sell those details in shady marketplaces or use them directly to begin purchasing goods anywhere in the world.
In 2018 alone, criminals stole almost $478 million from Australian businesses and people, intercepting data as it changed hands from customer to merchants both online and over the phone.
Despite the speed at which financial institutions can now detect fraudulent behaviour, both small and large eCommerce retailers are rarely able to recover redirected or stolen goods.
And sadly, they’re often on the hook to reimburse defrauded customers, as banks only protect chip-enabled cards, used mainly face-to-face in brick-and-mortar stores.
AfterPay, on the other hand, extends its protection to include both card-present chip transactions as well as any card-not-present fraud, both on the merchant side and on the customer side.
As the expansion of Shopify and Amazon takes hold, and given the ease with which individuals can start small online retailing businesses, this kind of protection is invaluable, particularly as the cybersecurity literacy of Australian business is still quite low.
Too much data to bother
The other cybersecurity perk AfterPay enjoys, though perhaps not by deliberate design, is the amount of data it requires from customers at sign up.
Fraudsters generally don’t care about the payment method itself; they’re happy to scam through any kind of payment method.
But what they do care about is the amount of information necessary to complete these payment methods. The more data points required, the harder it is to build a complete financial profile.
If they just need an email and credit card number, that’s a simple, straightforward fraud. But shipping addresses, phone numbers and other data points all introduce room for error and increase the risk of detection.
We’ve noticed that AfterPay, and several of its buy-now-pay-later peers, require too much information for cybercriminals to risk targeting, and we’ve watched them instead hunt for data goldmines elsewhere.
Of course, even if AfterPay is less risky than some online transaction methods, the risk is far from zero.
Should criminals collect all the customer data points, it becomes very difficult to completely stop their fraudulent impersonation, and consumers are often affected for the long term.
While it may be an inconvenience to reestablish new credit card details, a credit history thoroughly destroyed by a pervasive and vicious fraud can sometimes take years to rectify.
It’s also worth noting, however, that AfterPay’s processes for both retailers and consumers may change as a result of its external audit into its anti-money laundering and counter-terrorism financing practices.
This is currently underway. AUSTRAC demanded this audit last July on its suspicion that AfterPay does verify its customers’ name, address and date of birth in two separate sources before providing services.
It’s unclear, however, whether this change will impact the way it manages data, or what it requires from customers to sign up.
As new technologies and payment methods evolve to support eCommerce as it solidifies as one of Australia’s new powerful economic engines, any opportunity to unite and push back on cyber fraud is to be applauded.
And while AfterPay might still ruffle some feathers, when it comes to fraud risk, it really is sticking its neck out for the little guy.