Categories
General

What is Third Party Risk Management?

Third-party risk management (TPRM) is a type of risk management program that focuses on identifying and reducing risks that come with the use of third parties. Third parties that open businesses to risk are vendors, suppliers, partners, contractors, or service providers.

The risk management program aims to give organizations an understanding of the third parties they use. TPR programs are dependent on the type of organizations, the industry they operate in, and several other factors. But, several TPRM practices are universal and applicable to every business.

Third-party risk management often encompasses all the practices that help businesses prevent third-party risks and fraud.

In this guide, we’ll go over what is third-party risk management and common TPRM practices businesses can use.

Importance of Third-Party Risk Management

Third-party risk management has been around for a long time. However, the recent growth in third-party fraud cases has increased the need for it.

Disruptive events have impacted thousands of businesses globally. Moreover, several data breaches have been directly related to poor third-party risk management.

Some of the most common ways businesses can be impacted are:

  • Internal outages that slow down operational capabilities.
  • External outages that affect areas such as the supply chain.
  • Vendor risks that make your business vulnerable to supply chain fraud.
  • Operational shifts that affect data gathering, storage, and security.

Almost all organizations today use some kind of third-party provider to keep their operations running smoothly. So, when there’s an issue with your third-party suppliers, your business suffers greatly.

Let’s say you’re using a cloud platform such as Amazon Web Services (AWS) to host your website. If AWS goes down for a couple of hours, your operations also go down.

Outsourcing is crucial for the success of modern businesses: it not only saves money but also gives access to expert help.

Unfortunately, there’s a downside. If proper third-party risk management programs aren’t in place, the use of third parties can leave your business open to several risks.

Best Third-Party Risk Management Practices

Businesses can use several third-party risk management practices to build a better program, regardless of where the business currently stands. Here are the 3 best practices that apply to almost every company.

1. Prioritize Your Inventory

Not all vendors are equally important for your business, which is why you need to determine which third-party vendors matter the most. To improve the efficiency of your third-party risk management program, you need to segment your vendors.

You can segment the vendors into 3 categories:

  • Low risk, low criticality – Tier 3
  • Medium risk, medium criticality – Tier 2
  • High risk, high criticality – Tier 1

Generally, organizations will focus their time and resources on tier 1 vendors first, as they require more stringent due diligence and evidence collection. Tier 1 vendors are subject to the most in-depth assessments, which often include on-site assessments.

A lot of times, during the initial evaluation, these tiers are calculated based on the inherent risk of a third party. Inherent risk scores are generated based on industry benchmarks. These include:

  • Sharing proprietary or confidential business information with the vendor
  • Sharing personal data with the vendor
  • Serving critical business functions
  • Sharing sensitive personal data with the vendor
  • Sharing personal data across borders

The impact of a vendor can also be a determining factor. Let’s say a third-party vendor is unable to deliver their service: how much impact will that have on your business? The greater the disruption to your operations, the higher the vendor’s tier. Businesses can figure out the impact by considering these factors:

  • The impact of unauthorized disclosure of information
  • Impact of unauthorized modification or destruction of information
  • Impact of disruption of access to the vendor/information

Another way to determine the impact of a vendor’s inability to deliver their work is by grouping vendors based on contract value. Vendors with very large contracts may automatically be segmented as tier 1.
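
The tiering logic described above, written out as an added example (this is illustration code, not DIRO’s product or a published scoring model). The factor names and the three impact questions come from the post; the weights, the tier thresholds, the contract-value cutoff and the sample vendors are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Inherent-risk factors named in the post. The weights are assumptions made
# for this example, not industry benchmarks.
RISK_FACTOR_WEIGHTS = {
    "proprietary_info": 2,          # sharing proprietary or confidential business information
    "personal_data": 2,             # sharing personal data with the vendor
    "critical_function": 3,         # vendor serves a critical business function
    "sensitive_personal_data": 3,   # sharing sensitive personal data with the vendor
    "cross_border_data": 2,         # sharing personal data across borders
}

# The three impact questions from the post, each rated 1 (low) to 3 (high).
IMPACT_KEYS = ("disclosure", "modification", "disruption")

# Assumed contract value above which a vendor is placed in tier 1 automatically.
HIGH_VALUE_CONTRACT = 1_000_000


@dataclass
class Vendor:
    name: str
    factors: set = field(default_factory=set)   # subset of RISK_FACTOR_WEIGHTS keys
    impact: dict = field(default_factory=dict)  # IMPACT_KEYS -> 1..3; a missing key means 1
    contract_value: float = 0.0


def inherent_risk_score(vendor):
    """Sum the weights of the inherent-risk factors that apply to the vendor."""
    unknown = vendor.factors - set(RISK_FACTOR_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown risk factors: {sorted(unknown)}")
    return sum(RISK_FACTOR_WEIGHTS[f] for f in vendor.factors)


def impact_score(vendor):
    """Worst-case impact across disclosure, modification and disruption."""
    ratings = []
    for key in IMPACT_KEYS:
        rating = vendor.impact.get(key, 1)
        if rating not in (1, 2, 3):
            raise ValueError(f"impact rating for {key} must be 1, 2 or 3")
        ratings.append(rating)
    return max(ratings)


def assign_tier(vendor):
    """Map a vendor to tier 1 (high), 2 (medium) or 3 (low). Thresholds are assumptions."""
    if vendor.contract_value >= HIGH_VALUE_CONTRACT:
        return 1
    risk, impact = inherent_risk_score(vendor), impact_score(vendor)
    if risk >= 6 or impact == 3:
        return 1
    if risk >= 3 or impact == 2:
        return 2
    return 3


def due_diligence_for(tier):
    """Assessment depth per tier; tier 1 includes an on-site assessment, as the post describes."""
    return {1: "full questionnaire + evidence collection + on-site assessment",
            2: "full questionnaire + evidence collection",
            3: "self-attestation questionnaire"}[tier]


def tier_inventory(vendors):
    """Return [(name, tier, due_diligence)] with tier 1 vendors first."""
    rows = [(v.name, assign_tier(v)) for v in vendors]
    rows.sort(key=lambda r: (r[1], r[0]))
    return [(name, tier, due_diligence_for(tier)) for name, tier in rows]


# Constructed sample inventory (not real vendors).
SAMPLE_VENDORS = [
    Vendor("payroll-saas", {"personal_data", "sensitive_personal_data", "critical_function"},
           {"disclosure": 3, "disruption": 3}, 250_000),
    Vendor("office-supplies", set(), {}, 5_000),
    Vendor("marketing-agency", {"proprietary_info"}, {"disruption": 2}, 80_000),
    Vendor("data-centre-lease", set(), {"disruption": 1}, 2_000_000),
]

if __name__ == "__main__":
    for name, tier, dd in tier_inventory(SAMPLE_VENDORS):
        print(f"tier {tier}  {name:<18} {dd}")
```

The score is deliberately simple: factors add up, the impact rating is the worst of the three questions, and either one can push a vendor into tier 1. Contract value is applied before scoring, matching the post’s point that a large contract alone can justify tier 1 treatment.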

2. Leverage Automation Whenever Possible

Efficiencies only happen when operations are consistent and repeatable. There are several areas in the third-party risk management process where businesses need automation. Some areas where businesses can use automation include:

  • Intaking and onboarding new vendors

Businesses can add vendors to their inventory by using an intake form or via integration with contract management or other systems.

Solutions like DIRO online document verification can help businesses in verifying vendor identity during onboarding. This helps in reducing vendor risk significantly.

  • Calculating inherent risk and tiering vendors

During the vendor onboarding process, businesses need to collect vendor information that helps in calculating the level of risk the vendor poses for the business.

Based on the level of risk, businesses can set up different levels of due diligence for vendors. This helps prevent fraud that comes with poor third-party risk management.

  • Assigning risk owners and mitigation tasks

Whenever a vendor is flagged, route the risk to the correct individual and include a checklist of mitigation action items. 

  • Triggering vendor performance reviews

You need to set up automation triggers that conduct vendor reviews at specific times of the year. The reviews could be each quarter, every 6 months, or once a month.

  • Triggering vendor reassessment

Businesses should send an assessment based on contract expiration dates. Businesses should also save last year’s assessment answers so vendors don’t have to start completely from scratch.

  • Scheduling and running reports

Businesses should set up automated reports that run every day, every week, or every month. These reports must be shared with the right person.

Every third-party risk management program is unique, so as a business, you need to start by looking internally at the small processes that can be automated.

3. Think beyond cybersecurity risks

Whenever businesses think of third-party risk management or vendor risk management programs, they think of cybersecurity risks. But third-party vendor management covers far more than cybersecurity risks.

While it is important to focus on the details and consider cybersecurity risks, there are other types of risk that businesses should also prioritize, such as:

  • Reputational risks
  • Geographical risks
  • Geopolitical risks
  • Strategic risks
  • Financial risks
  • Operational risks
  • Privacy risks
  • Compliance risks
  • Ethical risks
  • Business continuity risks
  • Performance risks
  • 4th party risks
  • Credit risks
  • Environmental risks

How Can DIRO Help?

DIRO’s online document verification solution can help businesses strengthen their third-party risk management practices. Third-party fraud risks start from the moment a business onboards a vendor without proper verification.

DIRO’s online document verification solution helps businesses verify crucial vendor information, which supports fraud prevention in the long run. DIRO can verify these documents:

  • Proof of address
  • Bank statements
  • Vendor documents
  • Incorporation documents and more.

Learn more about how DIRO can enhance your third-party risk management program by requesting a demo today.

Categories
Fraud

Hyper-Personalization for Fraud Prevention

Hyper personalization is a game changer for businesses looking to improve customer lifecycle and fraud management. 7 out of 10 consumers expect a personalized experience from businesses. But, the current personalization methods are full of gaps.

Businesses that use digital marketing to acquire and serve customers are the ones moving towards hyper-personalization. Hyper-personalization is a supercharged version of personalization that uses real-time customer data, AI, automation & predictive behavior analysis. The results are different for companies that use real-time personalized customer experiences.

Several banks, financial institutions, and other finance businesses are also looking to step up their personalization program. 

If done right, hyper-personalization is the key to fraud management and fraud prevention. Hyper-personalization has the power to transform the consumer’s experience of fraud controls. Because it uses a data-centric approach, banks and other businesses will be able to implement strong fraud controls across the customer journey.

This is essential because fraudsters have become a part of every single customer-business touchpoint. There are thousands of ‘moments’ in a customer journey where a decision determines whether fraud, a scam, or legitimate activity is taking place.

Using Data To Make the Right Decisions

Whenever businesses come across an event that may be fraud, several decisions can be made to determine whether the activity is legitimate or fraudulent. The series of decisions can be:

  • Is it a new device?
  • Is an OTP needed?
  • Is there a risk of a SIM swap?
  • Is a biometric check needed?
  • Is the customer moving money using a unique channel?

To answer these questions, there are multiple datasets about the customer: their accounts, their email, their mobile, their biometrics, etc. To deliver a hyper-personalized experience, the right data and insight must be delivered to the right decision, at the right time, to enhance the customer experience.

Current fraud prevention methods tend to focus only on the negative indicators from the database and these negative indicators point towards a potential fraud or scam event.

Getting Rid of Functional Silos

For businesses to achieve hyper-personalization, the context needs to be available across all points through the customer journey. Fraud solutions with banks and financial services are too often deployed in isolation from other touch points in the customer journey. While the fraud prevention journey should be a part of the entire customer journey, the current methods are separate.

The decisions that need to be made and the treatment paths that are taken should be interlinked and consistent throughout the customer journey.

This will better inform the next best decision, whether it is about declining or holding a payment, and how often to communicate with the customer.

Make Your Customer a Part of the Fraud Department

Customers play the biggest role in the fraud prevention process. Having clear & consistent communication is a crucial element for this hyper-personalization to work. 

With the rise of communication channels, more and more customers have received a communication that they believe was a scam. Traditional strategies, such as post-transaction verification checks delivered via SMS, are usually ineffective.

During a scam, the person initiating the transaction is a legitimate customer, and a simple “Is this you?” can only be met with an affirmation. There’s no option to highlight whether the legitimate user is under the control of a fraudster who may be telling them to ignore such messages.

Every bank and financial institution should have ‘moments’ of intervention where there is an opportunity to change a customer’s course of action. The channel, the clarity of the messaging, and the timing of the intervention all have to be right.

According to data, customers respond better to a series of timely conversational messages that are clear and relevant, instead of a single ‘Yes or No’ text. 

By delivering the right message at the right time, through the right channel, hyper-personalization will help organizations get rid of noise and deliver customers exactly what they need.

Categories
Fraud

5 Types of Subscription Fraud

Subscription fraud is one of the least common types of fraud faced by communications service providers. Even though the problem is small, it has a huge impact. The problem has grown by nearly 6%, from $1.92 billion to $2.03 billion.

In this guide, we’ll outline the 5 most common types of subscription fraud that communications businesses face.

What is Subscription Fraud?

Subscription fraud can be a symptom of, or a gateway to, other frauds. For example, fraudsters can create a synthetic identity to set up a fraudulent subscription. This also helps fraudsters build a fake identity associated with a phone number.

These identities are then used to defraud banks, financial institutions, and other entities.

Apart from this, subscription fraud also continues in traditional ways, such as people who subscribe but don’t intend to pay. Or a type of fraud that seeks to acquire incentivized devices falsely just to sell them online.

Types of Subscription Fraud That Communications Businesses Face

1. Fraud Shown as Bad Debt

There is a type of fraud where fraudsters present themselves as bad debtors. More than 40% of the experts CFCA surveyed say less than 10% of bad debt is actually due to fraud.

However, whether communications service providers actually have a way to differentiate bad debt from scams may call this statistic into question.

If a fraud is categorized as bad debt, it won’t be investigated or stopped. This means scammers can return over and over again to different service providers with different types of fraud, with little fear of being caught.

2. Fraudsters Hide Among False Positives

Fraudsters take advantage of the fact that communications service providers (CSPs) don’t share fraud data among themselves. While the financial industry has started sharing liability data to prevent a single fraudster from tricking the system again and again, CSPs are yet to do that.

No company wants to share insider information with its competitors, but to prevent fraud, collaboration is essential.

While some CSPs have managed to reduce the number of false positives, others are struggling. According to reports, fraud management systems tend to detect fraud with an average false positive rate of either 13% or 88%.

26% of fraud management systems spend an average of 20 hours per week researching false positives. What makes things even worse is that around 52% report using no third-party data to help gain the insights required to differentiate real fraud from false positives.

3. IoT Based Subscription Scams

The risk of fraud in the Internet of Things (IoT) is clear from CFCA’s survey. Only 41% of service providers are actively checking for fraudulent activity in IoT data. The survey reveals that Distributed Denial of Service (DDoS) attacks, misuse of unlimited data services, and SIM swaps are the most common methods used for IoT-related fraud. This indicates that criminals have a relatively easy time exploiting the growing IoT landscape, as it lacks adequate defenses. This vulnerability can lead to serious crimes, such as using SIM swaps to gain control of personal bank accounts.

4. Back-Office Inefficiency-Based Subscription Fraud

Inefficiencies in the back-office and the use of isolated systems are causing an increase in fraud losses. Various departments, such as sales and marketing, credit risk, fraud, and collections, often operate on separate systems. 

Although each department collects valuable information, they rarely share this data. This presents two problems for fraud teams: they may make poorly informed fraud decisions, and they might create inconvenience for customers by requesting information that another department in the organization already has.

Fraud teams are also taking on broader responsibilities. According to CFCA, 39% of fraud teams now handle customer service tasks, and 20% are involved in sales and marketing. This expanded role for fraud managers becomes challenging when they have limited access to information due to siloed systems.

This issue is exacerbated when different departments have conflicting goals, as is often the case for sales and fraud management. Salespeople are motivated to close deals, while fraud departments aim to prevent fraudsters from exploiting the sales process and marketing incentives to steal subscriptions and devices. 

Since it’s impractical to turn salespeople into fraud experts, it’s crucial to implement built-in real-time fraud controls in the sales process to maintain a balance between maximizing sales and minimizing fraud.

5. Streaming-Focused Subscription Fraud

For many years, Communication Service Providers (CSPs) worldwide have been striving to offer a variety of services, moving beyond traditional communications to focus on broadband and content. However, the landscape of content consumption has evolved, with streaming becoming the preferred method for accessing video content.

Major streaming services, with Netflix being a prominent example, have often turned a blind eye to customers sharing passwords with non-subscribers. This leniency was understandable during the phase of acquiring customers and building brand awareness. However, as these markets mature and approach saturation, the focus shifts to revenue assurance, highlighting the issue of subscription fraud.

While being lax about password sharing may have made sense in the early stages, it can now pose a barrier to revenue growth. This shift in attitude toward password sharing can have negative repercussions on stock prices and valuations, especially when streaming services fall short of their subscriber addition targets.

Categories
Bank

Common Bank Account Data Errors and Solution

Bank account errors can be costly for both the institution and the customer. Financial institutions, banks, and other businesses must ensure that all account and reference numbers are formatted correctly before any payments happen.

Bank account errors happen when there are any issues with this information. Sometimes they happen because financial institutions and banks fail to comply with the applicable standards. The most common one is the BACS requirement to ensure that the bank account details exist and are associated with the payee.

To make sure payments happen without any errors, there have to be no mistakes in the input data. Even the smallest error in a bank account number can lead to payment failures, wrong transactions, and more.

Fortunately, banks, financial institutions, and businesses can significantly reduce the amount of banking errors with a series of checks.

In this blog, we’ll be going over the root causes of transaction errors, and how businesses can take the first steps toward reducing them.

What Are Bank Account Errors and What Causes Them?

Businesses that want to minimize bank account errors need to understand what type of errors are mostly impacting payments, and how commonly they happen.

Here are the most common bank account errors; knowing them allows businesses to investigate the root causes of failed transactions.

1. Account number & sort code errors

Errors such as invalid bank account numbers or sort codes typically happen when customers mis-enter data into payment systems or company forms. This also happens when customer reps mis-hear or mis-key account information.

One of the most common reasons for this type of error is data being migrated or copied between systems, especially if teams have to enter information manually.

These kinds of mistakes have serious consequences, ranging from failed transactions to misdirected funds, both of which lead to financial losses for consumers and organizations alike.

2. Reference number errors

There are some cases where the bank account number and sort code are correct, but the reference number (supplier number or invoice number) is wrong. In these cases, payments may be suspended pending investigation by the payment provider.

As an additional challenge, the failed transaction may not be flagged to the person or organization making the payment. On the other end of the failed transaction, the recipient will not receive the funds.

3. Changes that Result in Invalid Bank Codes

The financial industry is prone to changing regulations. Sudden changes such as bank mergers, acquisitions, or restructuring can result in changes to the bank’s routing numbers.

When these changes happen, customers need to make sure that the latest details are used for all payments and transactions. Direct debits, other automated payments, deposits, and related records must all be updated with the new details.

This is essential in ensuring that transactions can be verified correctly and there’s a low risk of failed transactions and misdirected funds.

How do Bank Account Errors Impact Businesses?

Common bank errors can have serious consequences for both businesses and consumers.

Bank errors that result in failed transactions require additional investigation, which is both time-consuming and costly. Moreover, these kinds of incidents lead to poor customer experience and poor brand reputation. A lot of businesses have also found that failed transactions are directly related to a high rate of customer churn.

For consumers, failed transactions and misdirected funds can also be extremely frustrating. When customers are left waiting for funds for a long time, the consequences can be even more severe, preventing the use of the funds for essential items and bills.

How are Bank Errors Usually Handled?

Every organization across the globe handles bank account errors differently. In the US, for example, an account number with no corresponding account leads to the transaction being rejected instantly.

In Europe, payment providers try to resolve the transaction, generally without informing the payee. This can help fix the problem in the short term, but it can result in serious consequences if funds are misdirected.

These mistakes can come to light over time, causing long-standing resolution challenges and major inconvenience for consumers.

How Can Banks Minimize Bank Account Errors?

There are different ways to minimize bank account errors. Let’s go over them one by one:

  1. Ensure Bank Accounts are Genuine

First, banks need to use automated checks to verify whether bank accounts are genuine and exist. This immediately reduces the risk of failed payments due to mis-typed bank account information, whether entered by consumers themselves or by customer support teams.

  2. Make Sure All Bank Account Information is Formatted Correctly

The formatting of bank account details needs to be checked consistently and appropriately to ensure that information is correct. The information should be presented in a way that payment systems can recognize.

This check also helps in getting rid of account errors before they result in failed transactions or misdirected funds.
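
The formatting check from step 2, as an added example (illustration code, not DIRO’s product). It normalises the UK sort code and account number formats the post refers to and, going one step beyond the post, applies the ISO 13616 IBAN mod-97 check digit test, which catches mis-keyed and transposed digits before a payment is submitted. The sample inputs are constructed; the IBAN is the standard published test value. A format check confirms only that the details are well-formed; confirming that the account actually exists (step 1) needs a lookup against the bank or a verification service, which this example does not do.

```python
import re

SORT_CODE_RE = re.compile(r"\d{6}")
ACCOUNT_NUMBER_RE = re.compile(r"\d{8}")
IBAN_RE = re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{1,30}")


def normalise_sort_code(raw):
    """Accept '12-34-56', '12 34 56' or '123456'; return the six digits, or None if malformed."""
    digits = re.sub(r"[\s-]", "", raw or "")
    return digits if SORT_CODE_RE.fullmatch(digits) else None


def normalise_account_number(raw):
    """UK account numbers are eight digits; anything else is rejected rather than guessed at."""
    digits = re.sub(r"\s", "", raw or "")
    return digits if ACCOUNT_NUMBER_RE.fullmatch(digits) else None


def iban_is_valid(raw):
    """ISO 13616 check: move the first four characters to the end, map A-Z to 10-35,
    and the resulting integer mod 97 must equal 1. Detects single-digit errors and
    transpositions, which are exactly the mis-keying errors the post describes."""
    iban = re.sub(r"\s", "", raw or "").upper()
    if not IBAN_RE.fullmatch(iban):
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # '0'-'9' -> 0-9, 'A'-'Z' -> 10-35
    return int(numeric) % 97 == 1


def validate_payee(sort_code, account_number, iban=None):
    """Return a list of formatting errors; an empty list means the details are well-formed."""
    errors = []
    if normalise_sort_code(sort_code) is None:
        errors.append(f"sort code {sort_code!r} is not six digits")
    if normalise_account_number(account_number) is None:
        errors.append(f"account number {account_number!r} is not eight digits")
    if iban is not None and not iban_is_valid(iban):
        errors.append(f"IBAN {iban!r} fails the mod-97 check")
    return errors


if __name__ == "__main__":
    # Constructed payee records: one clean, one with a dropped digit and a transposed IBAN.
    for record in [("12-34-56", "12345678", "GB82 WEST 1234 5698 7654 32"),
                   ("12-34-5", "1234567", "GB82 WEST 1234 5698 7654 23")]:
        print(record, validate_payee(*record) or "OK")
```

Run the check at the point of capture (the web form or the customer-service screen) and again before the payment file is built, so that a record that was correct when entered but corrupted during a migration is still caught.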

Categories
Fraud

Phishing Email Attacks – Common Techniques and Prevention Methods

Phishing scams are becoming more and more common. Every day hundreds of people around the globe face many problems with phishing emails. Understanding how phishing emails work can go a long way in helping you prevent phishing attacks. 

In 2014, Sony Pictures Entertainment became the victim of a major phishing attack. Hackers sent phishing emails to top executives of Sony Pictures; the emails appeared to come from Apple and contained a malicious link that prompted users to enter their Apple ID information into an online form.

Over time, criminals stole over 100 terabytes of sensitive information. The overall attack cost Sony more than $100 million. 

Phishing scams gained traction in 2021, when over 83% of all organizations experienced similar attacks.

In this guide to anti-phishing, we’ll take an in-depth look at what phishing is, how it works, and the different techniques used for phishing scams.

What is Phishing?

Phishing is a type of social engineering. It happens mostly over email. In phishing emails, the primary objective of scammers is to trick legitimate users into revealing confidential information about themselves or their organizations.

In a phishing scam, attackers may trick victims into clicking a link that leads them to a fake website. The website will ask them to enter sensitive information. Other types of scams involve directing victims to download attachments that infect their devices with dangerous malware or ransomware.

Any domain can become the victim of a phishing attack. This is because a huge number of people use the same username and password on multiple accounts. 

According to Google’s 2019 security survey, 65% of people reuse passwords for multiple accounts. Over 60% of people keep using the same password even after a data breach.

Most phishing attacks happen with fake email messages that pretend to come from a legitimate company. Attackers also use text messages, social media platforms, or phone calls to achieve the same goal of accessing sensitive information.

How Do Phishing Attacks Work?

Based on the FBI’s 2020 Internet Crime Report, phishing was the most common cyberattack type in 2020. By 2021, it had become one of the biggest concerns for IT professionals.

Modern phishing attacks have become highly sophisticated. You may have heard of the Nigerian prince scam, one of the oldest phishing scams. The scams of today use several skillful social engineering tactics to manipulate victims and steal personal information.

The best scammers impersonate legit organizations, make lookalikes of their email addresses, and send emails to look like they’re from the real organization. 

The fake emails often contain a malicious link to track the activity of the victim and to steal the user’s personal information. 

The links can also lead to malicious websites that can infect the victim’s device and track all user activity.

Commonly Used Phishing Techniques

Here are some of the techniques most commonly used by scammers.

  1. Bait Creation

Scammers create messages, and emails that look and feel legitimate and trustworthy. They often mimic well-known companies, government agencies, or businesses to trick recipients into thinking that the text is genuine.

  2. Social Engineering

Phishers use psychological techniques to manipulate the recipient’s emotions and push them to take action.

They may also create a sense of urgency, curiosity, fear, or excitement. This surge of emotion is what compels recipients to take immediate action without thinking.

  3. Deceptive Content

Phishing emails contain links or attachments that when clicked and opened can lead to malicious websites or infect the devices of victims. On first look, these links and attachments look real, but they’re designed to steal login credentials and personal information.

  4. Fake Websites

Scammers set up fake websites that look like the real websites of big brands. For example, a user receives an email from john.amazon@gmail.com about a discount offer with a link to the product. Once the user clicks on the link, they’re redirected to aamazon.com instead of amazon.com. This is a common scam that happens to thousands of users every year.

Once the victim places the order and enters their banking information, all the information is stolen and the money is lost forever.

  5. Credential Theft

Fake websites prompt victims to enter the usernames and passwords of specific accounts. Once this information is added, the scammer steals the information and uses it to conduct scams.

Types of Phishing Attacks

The most common types of phishing techniques include:

  1. Standard Email Phishing

The scammer sends several fake emails asking the receiver to share personal information or login credentials. These attacks are aimed at large organizations, as most employees have limited phishing awareness.

  2. Spear Phishing

This particular attack targets specific individuals. Attackers assume the identity of a real organization. The attacker then sends personalized emails to the target. As the text often includes specific details about the victim, it appears authentic. Over time, the victim trusts the email sender.

  3. Whaling

A whaling attack targets ‘big names’ such as high-level executives. It involves sophisticated social engineering methods to trick the victims into transferring large amounts of money into the attacker’s bank account. 

  4. Business Email Compromise (BEC)

The attackers send fraudulent emails from a lookalike of the account owner’s email address in an attempt to steal money from the company.

  5. Malware Attacks

In a malware attack, the attacker tricks the victim into downloading an attachment or files that contain malware. As soon as a user downloads and opens the attachment, it installs malware on the device.

How to Mitigate Phishing Scams?

Businesses can protect their people and information assets from phishing attacks by following these simple practices:

  • Implement email security software to protect devices from malicious domains. Also, use anti-virus software to scan all emails and attachments.
  • Use training and phishing simulations to teach your employees common phishing techniques and how they work. 
  • Make sure that you always use strong passwords and multi-factor authentication to secure accounts and devices.
  • Discourage users from sharing or reusing the same passwords to minimize the possibility of credential theft.
  • Ask users to use a password manager to generate and store their passwords. 
  • Prevent users from opening emails and attachments from unknown and suspicious senders.
  • Educate users on the common “red flags” that are a sign of a phishing attempt.
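
Two of the “red flags” above (the Fake Websites example of john.amazon@gmail.com linking to aamazon.com, and the advice to teach users to spot them) can also be checked automatically on the receiving side. The following is an added example, not code from the original post: it flags a brand name in the local part of a free-mail address, a link whose registrable domain is within a small edit distance of a known brand domain, and a brand name used as a subdomain of an unrelated domain. The brand allowlist, the free-mail list, the distance threshold and the sample message are assumptions constructed for the example; a real deployment would draw the allowlist from the brands the organisation actually deals with.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of brand domains the organisation expects mail and links from.
BRAND_DOMAINS = ("amazon.com", "apple.com", "paypal.com")
# Free-mail providers: a brand name in the local part of such an address is a red flag.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Assumption: a domain this close (in edits) to a brand domain counts as a lookalike.
MAX_LOOKALIKE_DISTANCE = 2
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a hostname. Simplification: ignores multi-label suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(address):
    """Flag a brand name in the local part of a free-mail sender address."""
    flags = []
    local, _, domain = address.lower().rpartition("@")
    if domain in FREEMAIL_DOMAINS:
        for brand in BRAND_DOMAINS:
            name = brand.split(".")[0]
            if name in local:
                flags.append(f"sender: brand name '{name}' in local part of free-mail address {address}")
    return flags


def check_url(url):
    """Flag lookalike registrable domains and brand names hidden in subdomains."""
    flags = []
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return flags
    domain = registrable_domain(host)
    if domain in BRAND_DOMAINS:
        return flags  # genuine brand domain, including its own subdomains such as www.
    prefix = host[: -len(domain)]  # labels in front of the registrable domain
    for brand in BRAND_DOMAINS:
        name = brand.split(".")[0]
        distance = levenshtein(domain, brand)
        if distance <= MAX_LOOKALIKE_DISTANCE:
            flags.append(f"url: lookalike domain {domain} (edit distance {distance} from {brand})")
        elif name in prefix:
            flags.append(f"url: brand name '{name}' used as subdomain of unrelated domain {domain}")
    return flags


def extract_urls(body):
    return URL_RE.findall(body)


def check_email(sender, urls):
    """Return all red flags for a message's sender address and the URLs in its body."""
    flags = check_sender(sender)
    for url in urls:
        flags.extend(check_url(url))
    return flags


def check_message(sender, body):
    return check_email(sender, extract_urls(body))


# Constructed sample message mirroring the post's example.
SAMPLE_SENDER = "john.amazon@gmail.com"
SAMPLE_BODY = "Your 70% discount is waiting. Claim it here: https://aamazon.com/deal before midnight."

if __name__ == "__main__":
    for flag in check_message(SAMPLE_SENDER, SAMPLE_BODY):
        print(flag)
```

The check is a triage aid, not a verdict: a flagged message should be quarantined or annotated for the user, and the allowlist has to be maintained as the organisation’s suppliers change. Because the edit-distance test runs on the registrable domain, a genuine subdomain such as www.amazon.com passes, while amazon.com.example-login.net is caught by the subdomain rule.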

Categories
AML

Trade-Based Money Laundering

The AML landscape is evolving continuously, and fraudsters keep coming up with new ways to launder money. One of these new and unusual ways to exploit financial systems and launder money is cross-border trade.

Trade-based money laundering is becoming an issue. To prevent trade-based money laundering, new steps are being taken.

In this guide, we’ll dive into trade-based money laundering, and how it works.

What is Trade-Based Money Laundering?

Trade-based money laundering (TBML) is when a fraudster moves illegal funds through the international trade system to clean them. TBML practices often include:

  • Falsification of the original price of the goods.
  • Falsification of the quantity and quality of the imported/exported goods.

TBML takes advantage of the complexity of the trade system, especially the international trade system, where multiple parties and jurisdictions are involved. Multiple jurisdictions mean overlapping KYC, AML, and CDD rules and regulations.

TBML is slowly becoming a major concern for governing bodies around the world. It rose to its peak during the COVID era when supply chains and the regulatory landscape were disturbed.

Since then, several global firms have embedded supply chain risk management into their AML programs. Over 45% of global businesses claim that they’re focusing on improving the management of supply chain risks in 2023 and beyond.

How Does Trade-Based Money Laundering Work?

Fraudsters use trade-based money laundering in a number of ways, but the most common ones include:

  • Over-invoicing – The exporter submits an invoice that’s overpriced to the importer, generating a payment that exceeds the value of the goods shipped. Importers often transfer the stated amount on the invoice instead of checking for the real value. 
  • Under-invoicing – The exporter sometimes submits an invoice that has less value than the products. They ship the goods with greater value and then transfer that value to the importer.
  • Multiple invoicing – The exporter invoices the importer several times for the same product/shipment, so more value is transferred from the importer to the exporter than the goods justify.
  • Over- or under-shipment – The exporter ships more goods than previously agreed on, transferring greater value to the importer. Or, the exporter ships fewer goods than agreed on, and the importer often pays the original amount without checking the goods.
  • Misrepresenting the Quality – Goods shipped to the importers are purposefully misrepresented as being of higher quality. The importer pays for the high-quality goods but receives cheaper quality.

Examples of Trade-Based Money Laundering

There are some examples of trade-based money laundering that every business should be aware of. Prevention can only happen when businesses are aware of the latest trends.

Here are the biggest examples of trade-based money laundering:

  • A letter of credit for a high-value cross-border import is flagged for anomalies when it is examined by the routing bank. When the bank investigates deeper, it finds missing and unrecognized documentation with the import agents. The bank then rejects the transaction and returns the drawing documents.
  • The first beneficiary of a multi-million dollar letter of credit has to supply medical goods for another country’s Bureau of Health. However, the second and ultimate beneficiary of the credit issues invoices that don’t match those submitted by the first. It’s shown that the first beneficiary has the invoices marked up by 300% and is additionally revealed to have a connection with the firm acting as the agent to the Bureau of Health.
  • Several shell companies purchase electronics with funds derived from criminal activities and later sell the goods to buyers in high-risk countries that perform no due diligence. The shell companies receive the money. The banks that handle the transactions notice a number of red flags, the biggest being that the companies are registered in high-risk countries.

Steps to Identify Trade-Based Money Laundering

Businesses may have an easier time spotting TBML activity if they’re familiar with the methodologies associated with it.

Here are the indicators of TBML:

  • Unusually complicated or illogical corporate structures, such as the use of shell companies or companies registered in high-risk countries. 
  • Trading entities registered at mass registration addresses with no reference to any specific unit.
  • Trading businesses that have addresses that don’t reflect the businesses in which they’re engaged. 
  • Missing, counterfeit, or fake trade documents. 
  • Trading businesses that don’t have an online presence or that have an online presence that doesn’t match their business’s stated services. 
  • Trading activities that don’t reflect a stated line of business, for example, car dealers trading in textiles or precious metals. 
  • Payments for imports made by parties other than the account holder.
  • Trading entities that purposefully complicate the use of financial products.
  • Inconsistencies or discrepancies across trade documents such as contracts and invoices. 
  • Trade documents with values that aren’t consistent with market values or other comparable transactions. 
  • Trading entities that make very late changes to payment arrangements. 
  • Frequent cash deposits just under the reporting thresholds.
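As an added example (not code from the original article or from DIRO), the following Python screener applies the laundering methods and indicators listed above to constructed trade records. The reference prices, the 30% price tolerance, the cash reporting threshold, and the mapping of stated line of business to expected goods are all assumptions.

```python
"""Screen constructed trade records for the TBML red flags listed above."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed reference prices (USD per unit); a real screen would pull market data.
MARKET_PRICE = {"cotton t-shirt": 3.00, "passenger car": 25000.00}
PRICE_TOLERANCE = 0.30            # flag invoices more than 30% off market value
CASH_REPORT_THRESHOLD = 10000.00  # constructed cash reporting threshold
STRUCTURING_BAND = 0.10           # deposits within 10% below the threshold
# Constructed mapping of stated line of business to the goods it normally trades.
EXPECTED_GOODS = {"car dealer": {"passenger car"},
                  "apparel retailer": {"cotton t-shirt"}}


@dataclass
class TradeRecord:
    invoice_no: str
    shipment_id: str
    exporter: str
    importer: str
    importer_business: str        # importer's stated line of business
    goods: str
    qty_invoiced: int
    qty_shipped: int
    unit_price: float             # invoiced unit price, USD
    payer: str                    # party that actually paid the invoice
    cash_deposits: list = field(default_factory=list)


def screen_record(r, invoiced_shipments):
    """Return the TBML red flags raised by one record.

    invoiced_shipments maps shipment_id -> invoice numbers already seen, so
    the caller can detect the same shipment being invoiced more than once.
    """
    flags = []
    ref = MARKET_PRICE.get(r.goods)
    if ref:                                   # over-/under-invoicing
        deviation = (r.unit_price - ref) / ref
        if deviation > PRICE_TOLERANCE:
            flags.append("over-invoicing")
        elif deviation < -PRICE_TOLERANCE:
            flags.append("under-invoicing")
    if r.qty_shipped > r.qty_invoiced:        # over-/under-shipment
        flags.append("over-shipment")
    elif r.qty_shipped < r.qty_invoiced:
        flags.append("under-shipment")
    seen = invoiced_shipments[r.shipment_id]  # multiple invoicing
    if seen and r.invoice_no not in seen:
        flags.append("multiple-invoicing")
    seen.add(r.invoice_no)
    expected = EXPECTED_GOODS.get(r.importer_business)
    if expected and r.goods not in expected:  # trade outside stated business
        flags.append("line-of-business mismatch")
    if r.payer != r.importer:                 # import paid by a third party
        flags.append("third-party payer")
    low = CASH_REPORT_THRESHOLD * (1 - STRUCTURING_BAND)
    just_under = [d for d in r.cash_deposits if low <= d < CASH_REPORT_THRESHOLD]
    if len(just_under) >= 2:                  # repeated deposits just under threshold
        flags.append("structuring")
    return flags


def screen_all(records):
    """Screen records in order; returns {invoice_no: [flags]}."""
    invoiced_shipments = defaultdict(set)
    return {r.invoice_no: screen_record(r, invoiced_shipments) for r in records}


# Constructed sample records: one clean, three carrying different red flags.
SAMPLE = [
    TradeRecord("INV-001", "SHP-A", "ExportCo", "Apparel Ltd", "apparel retailer",
                "cotton t-shirt", 1000, 1000, 3.10, "Apparel Ltd"),
    TradeRecord("INV-002", "SHP-B", "ExportCo", "Motors SA", "car dealer",
                "cotton t-shirt", 5000, 5000, 9.00, "Offshore Holdings"),
    TradeRecord("INV-003", "SHP-B", "ExportCo", "Motors SA", "car dealer",
                "cotton t-shirt", 5000, 5000, 9.00, "Offshore Holdings"),
    TradeRecord("INV-004", "SHP-C", "ExportCo", "Apparel Ltd", "apparel retailer",
                "cotton t-shirt", 1000, 600, 3.00, "Apparel Ltd",
                cash_deposits=[9500.0, 9800.0, 9900.0]),
]

if __name__ == "__main__":
    for inv, flags in screen_all(SAMPLE).items():
        print(inv, flags or "no red flags")
```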

How to Prevent and Detect TBML?

TBML can involve multiple parties and jurisdictions, and some schemes are very hard to detect. To mitigate the risk of TBML, compliance teams need a business-wide risk assessment to determine their risk exposure.

Here’s how to prevent and detect TBML:

  • Robust CDD

To uncover TBML, businesses of all kinds should implement CDD measures that use a combination of technology and expertise.

Businesses need to obtain a clear picture of all entities they do business with. To be able to do that, businesses need to verify identity documents, ownership documents, address documents, and more. Compliance teams should ensure they have access to a real-time document verification solution that helps them verify the identity of every entity they deal with.

  • Reputable Adverse Media Screening

Since adverse media can be a TBML structural risk indicator, businesses need to make sure their negative news screening solution can identify genuine adverse media content at scale.


Flaws in Knowledge-Based Authentication (KBA)

Knowledge-based authentication (KBA) has been the industry standard for over 20 years as a method of identity verification. KBA has been an outdated mode of verification for a long time. It is a flawed approach to verifying identities because it relies on stagnant data. The same data has been breached and accessed by thousands of users worldwide. Personal data and the answers to knowledge-based questions are readily available on the dark web.

Fraudsters have become more proficient at answering the credit-based questions than the legitimate users who have to rely on the quizzes.

This flaw was first recognized in 2015, which led the National Institute of Standards and Technology (NIST) to limit the use of KBA in the latest version of its Special Publication 800-63-3. That publication is the most widely used ID verification standard in the United States.

However, KBA is commonly used by state and local agencies to verify identities. The most common uses include motor vehicle registration, online portal access, and notarization. 

KBA is considered to be the backup for manual identity verification. But it's still not a good enough solution, as KBA data has been breached multiple times. Personally identifiable information sells for as little as $1 on the dark web.

Current Problem with KBAs

The biggest problem with KBAs is that the data is available with ease almost everywhere on the dark web. Once fraudsters have answers to questions, they’re easily able to bypass security measures and gain illegal access to user accounts. 

Fraudsters usually take the path of least resistance to gain illegal access to systems. If businesses choose to use knowledge-based authentication to verify identities, they are relying on a flawed method.

To properly verify identities with ease, businesses need to move on from Knowledge-Based Authentication (KBA). Solutions like the DIRO document verification tool, and other verification solutions, can help businesses verify the identities of users reliably.

DIRO’s document verification solution can quickly and accurately verify identities and prevent the risk of fraud while ensuring the integrity of user accounts.

Why Businesses Shouldn’t Rely on KBA

Hackers and fraudsters have exploited the breaches and data thefts to quickly bypass the login systems. Using solutions like DIRO document verification can help businesses with far more accurate verification and huge cost savings.

1. Flaws in KBA

The biggest flaw in KBA lies in its reliance on static and outdated information. Information like Social Security numbers, addresses, and personal details is easily stolen.

Hackers and fraudsters have exploited these breaches regularly to collect the necessary information. Moreover, the easy availability of personal data on the dark web and social media has significantly reduced the effectiveness of KBA.

2. NIST Non-Approval of KBA

NIST has made KBA a non-approved technology in the latest version of Special Publication 800-63-3. This reflects a growing acknowledgment of how ineffective the knowledge-based authentication process is.

KBA’s deprecation signifies a need for more secure and sophisticated alternatives to make sure accounts are verified properly.

3. Risks of Relying on KBA

Businesses that solely rely on KBAs are at a serious risk of hurting their business. It makes sense that state agencies use KBA for verifying the identity of users as it’s easy to use and familiar.

With modern cybersecurity threats becoming increasingly sophisticated, businesses and governments need to use a more secure solution.

4. Adoption of Biometrics

Using biometric verification in the identity proofing process can enhance its security, as biometric data is unique to each individual and cannot be easily replicated or stolen.

Technologies such as fingerprint recognition, facial recognition, or retinal recognition can provide a more robust and secure way of verifying identities.

5. Behavioral Analytics

Instead of using biometric data, businesses can use behavioral analytics data to check whether a user account has been hacked. A user's behavior patterns, such as typing speed, mouse movements, or smartphone usage habits, are unique to each user.

Any sudden change in the patterns of a user can be an indicator of fraud.

Final Take

Relying on knowledge-based authentication (KBA) for identity proofing has been flawed for a long time. Relying on data that has been breached and stolen countless times to identify a user isn't a great idea.

By using more secure options like the DIRO document verification solution, businesses can quickly and reliably verify user identities.


iGaming Regulations and KYC

Latin America is quickly becoming a fast-growing market for iGaming operators. According to reports, over 70% of iGaming operators plan to expand to Latin American and Central American markets in the next couple of years.

The iGaming market in Latin America is highly diverse and entertaining, and it has been growing in recent years. One of the biggest factors behind this is the growing availability and affordability of high-speed internet and smartphones. Another driving force is the increasing love for online gaming in Central and South America.

As Latin America represents a complicated map of jurisdictions with 34 countries and union territories, regulation has been a problem. But recently, there has been a positive shift in the regulatory space as well.

To help out both the iGaming operators and the players, we’ve created this guide for iGaming regulations and KYC in Latin America.

iGaming Regulations in Argentina

In Argentina, the gambling regulation is controlled by the country’s 23 independent provinces and the autonomous city of Buenos Aires. Several provinces in Argentina and Buenos Aires have legalized online gambling.

The authority that acts as a watchdog for AML regulations is the Congreso de la Nacion Argentina. It keeps an eye out for all the operators to see which ones aren’t following the regulations.

The regulatory landscape and the licensing regulation vary from province to province. All the operators have to screen players to prevent money laundering and make sure that gaming transactions go through state-owned banks.

iGaming Regulations in Brazil

With a population of over 200 million and a huge fan following for all things sports, Brazil has a quickly growing gambling market. Unfortunately, there’s no regulatory framework right now. Without a regulatory framework, it will be next to impossible for the iGaming industry to thrive.

Brazil has a history of high taxes, and if sports betting is subject to similarly high rates of taxation, it could discourage the investment in the market.

iGaming Regulations in Chile

The future of regulated iGaming in Chile is currently unclear as it attempts to both regulate and prohibit offshore online gambling companies. There’s a land-based gaming industry that’s riddled with lawsuits because of grey market operators. 

If there ends up being a regulatory framework in Chile, the platform will be directly under Superintendencia de Casinos de Juego (SCJ) and operators will have to maintain strict security standards. 

iGaming Regulations in Colombia

Colombia was the first Latin American country to regulate online gambling. All types of iGaming are allowed and regulated in Colombia, including casinos, bingo, poker, and sports betting.

Colombia’s national regulator, Coljuegos, has built a strong regulatory framework that ensures operators follow all the rules. Coljuegos also allows operators to apply for licenses and submit reports digitally, making the entire process fairly seamless.

This entire framework has led to reliable data and regular reports on the performance of the industry. 

iGaming Regulations in Mexico

Mexico is one of the most popular markets for iGaming operators. 95% of online casino operators are looking to expand to Mexico within the next 5 years.

Mexico has a population of over 120 million and a mobile penetration rate of about 60%. This makes Mexico one of the largest iGaming markets in Latin America.

All the land-based casinos in Mexico are completely regulated. However, the online gaming market is in the grey area of regulations. Online casinos and sports betting operators don’t require digital licenses. They operate in partnership with a land-based license-holder casino.

iGaming KYC Compliance in Latin America

The requirement for financial transfers and the risk of fraud are always concerns for the iGaming industry. To successfully manage fraud, the iGaming industry needs proper regulations.

Local compliance is continuously acting as a key barrier in Latin American markets. Businesses are also aware that they are likely to incur additional scrutiny in Latin American markets.

Newly regulated markets attract both wanted and unwanted attention. As iGaming markets open up, it’s more than likely that national regulators will implement strict rules on KYC and ID verification.

iGaming operators will need to adapt to these regulations and implement sophisticated measures to ensure compliance and build customer trust.

FAQs

What is KYC?

Know your customer (KYC) is a requirement for regulated industries. In KYC, businesses have to verify the identity of customers before onboarding them. Businesses must carry out continuous monitoring to ensure customers are legit and they don’t pose a threat to the business.

What KYC checks are available in Latin America?

KYC checks include data, document, biometric, and PEP and sanctions list checks. Each business uses a different method of verification. Some businesses combine verification methods to enhance due diligence.


Third-Party Fraud – Definitions and Examples

Third-party fraud is when a fraudster uses an individual’s or company’s information to commit fraud. Third-party fraud is more commonly known as identity theft. It is the type of fraud that impacts most individuals across the globe every year.

In 2023 alone, over 1.4 million cases of identity theft were reported to the FTC. The number is expected to double by the next year.

Third-party fraud is committed by all types of criminals, including individuals trying to use a stolen credit card or take out a loan in somebody else’s name.

While third party fraud usually involves using someone else’s personal information to commit fraud, some fraudsters also use synthetic identities.

The primary victims of third-party fraud are financial institutions, retailers, eCommerce stores, and, of course, the people whose identities have been stolen.

Difference Between Third-Party, First-Party, and Second-Party Fraud

If you want to know how third-party fraud differs from first and second-party fraud, it helps to understand the other types:

  • First-party fraud is committed by a person or a company in their own name. The most common examples of first-party fraud include falsifying information on credit applications, claiming dishonest refunds, or disputing legitimate transactions to commit chargeback fraud.
  • Second-party fraud involves using an individual’s or company’s details, but the holder of those details has handed them over voluntarily. Someone may allow their account to be used for money laundering, or they may work with a fraudster in a “fake merchant” scam.

In both first-party and second-party fraud, the legit holder of the details (or accounts) is involved in the fraud. In third-party fraud, the individual or the company whose details are being used has no idea that their information has been stolen.

Types of Third-Party Fraud

Third-party fraud comes in all shapes and sizes, and fraudsters constantly work to find new and inventive ways to commit the fraud.

Some of the most common types of third-party fraud include:

  • Account takeover fraud – As the name suggests, this type of fraud involves criminals gaining access to individual bank accounts. Then, they use the bank account to make purchases or divert funds.
  • Credit Card Fraud – Credit card fraud covers all fraud that happens due to stolen or cloned credit cards. Once a fraudster illegally obtains a credit card, they use it to make purchases or take cash loans.
  • New Account Fraud – This type of fraud involves fraudsters opening new accounts using stolen personal details. New account fraud can also happen with synthetic identities or by combining fake and legitimate information.

Examples of Third Party Fraud

Here are some notable real-life examples of third-party fraud:

  • In 2017, a fraudster named Kenneth Gibson opened around 8,000 false PayPal accounts in the names of employees of a company he worked for in the past. He kept moving money around in small amounts, which he withdrew via an ATM. It was the repeated trips to the ATM that led to the discovery of the fraud.
  • Anthony Lemar Taylor stole the identity of golfer Tiger Woods, initially by fraudulently obtaining a driver’s license in his name. He used the stolen identity to purchase goods worth $17,000, which included a car and a 70-inch TV. Eventually, he was caught and sentenced to jail.
  • In 2018, fraudster David Matthew Read went on a $169,000 “shopping spree” using a replacement American Express Black card that he managed to obtain in the name of the actress Demi Moore.

While these fraudsters got caught, a vast amount of third-party fraud goes undetected and unpunished.

Third-Party Fraud Trends

Businesses like banks, credit reference agencies, and card providers are the ones who report new trends in third-party fraud.

In January 2023, Experian reported that third-party fraud was growing in relation to current accounts, savings, card, and loan accounts.

One particular trend is an evolution in fraudsters’ methods of collecting the personal data they need to carry out their scams. Trends include:

  • Fake job advertisements
  • Messages pretending to be family members
  • Fake investment schemes
  • Messages about fake government assistance grant schemes
  • Emails pretending to be from businesses.

Other fraudsters look to take advantage of the popularity of crypto investments or use underground fraud-as-a-service offerings.

How to Prevent Third Party Fraud?

Preventing third-party fraud is becoming more and more important for both individuals and businesses.

The basics of preventing fraud, such as using complex and unique passwords, installing cybersecurity software, and being vigilant when using public WiFi networks, are important. Educating your user base on how to stay vigilant is also important.

A large share of third-party fraud happens due to human error. People need to be trained to recognize spam emails and fake websites.

Businesses should think about investing in third-party software that helps verify the identities of businesses and consumers.


DAC7 Compliance

The COVID-19 pandemic boosted the digital commerce space like never before. The gig economy also saw a boost as companies all over the world looked towards remote workers. The gig economy has always been outside the traditional norms of business, allowing delivery drivers, vacation property owners, and similar businesses to avoid paying taxes on these transactions.

Due to this, the IRS made new rules for gig economy tax evaders. The IRS has made it compulsory to report income generated from on-demand services, goods, and digital platforms.

The EU has also had the same legislation in the works for a long time. If you’re a digital platform owner in the EU or if you have sellers on your platform from the EU, you should be aware of the DAC7 directive. 

Let’s dive a bit deeper into DAC7 and what it means for EU businesses.

What is DAC7?

In March 2021, the European Council released the DAC7 directive. DAC7 aims to extend the scope of existing tax transparency laws for digital platforms. The directive requires platform owners to collect and report personal and business information on income realized by sellers using their platforms for commercial services.

The goal of the directive is to ensure that all taxes (income tax & value-added tax) are reported and assessed, since the gig economy and sharing economy have been evading tax. DAC7 went into effect on January 1, 2023. It applies to everything from ride-sharing and food delivery apps to online jobs and other digital marketplaces.

Even businesses in traditional industries may come under the scope of DAC7. That is, if they connect third-party sellers and users through their website for commercial activities. 

Payment processing platforms such as PayPal, Venmo, and Stripe, platforms that only allow users to advertise goods or services, and platforms that redirect or transfer users to another platform don’t have to comply with DAC7.

Businesses that Have to Comply with DAC7

DAC7 applies to digital platform operators incorporated or managed in the EU. It also applies to tax residents in the EU who engage in commercial activities that don’t fall under general tax rules.

Digital platform owners/operators located outside the EU who host sellers who are EU residents or facilitate the rental of property in the EU have to comply with DAC7 as well. 

Here’s a complete list of those who have to comply with DAC7:

  • Sales of goods – second-hand items, collectibles, real estate
  • Rental of immovable property – co-working spaces, parking spaces, vacation homes
  • Delivery or performance of personal services – paid live streaming, food delivery services, ride-hailing
  • Rental of any mode of transport – scooters, cars, bicycles

Whose Information Has to Be Reported?

Under the DAC7 directive, any platform that hosts EU resident sellers who conduct business on the platform has to report the seller’s information. Businesses must also report information about non-EU residents who rent immovable property.

On the other hand, government and publicly traded entities are exempt from complying with DAC7. Casual sellers with fewer than 30 sales totalling less than 2,000 euros are also exempt, as are smaller hotel chains and tour operators that have conducted fewer than 2,000 transactions in a reporting period.

What Information Has to be Reported?

If you’re a digital platform operator, you’re obligated to start identifying and collecting specific information from sellers on your platform as of January 1, 2023:

  • Seller’s identity – full name/legal name, primary address, DOB
  • EU member state of residence
  • Financial account information
  • Tax identification number
  • VAT/Business registration number (for entities)
  • Consideration paid or credited per quarter, along with any fees, commissions, or taxes withheld by the reporting platform operator.

If you’re operating a platform that deals with immovable rental property, you’re required to report additional information, including:

  • Address and land registration number of each property listing.
  • Total number of days a property was rented.
  • The total amount paid in the reporting period.
  • Any fees, commissions, or taxes withheld or charged by the platform in the reporting period.

You, as a business, have to inform the seller in advance that their information will be collected and reported. If the seller doesn’t share their data, you, as a business, are obligated to send 2 reminders. If the seller fails to provide the data for 60 days, the business has to remove the seller from the platform and close the account.
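As an added example (not code from the original article or from DIRO), the following Python applies the exemptions, the required data points, the per-quarter consideration totals, and the 60-day collection workflow described above to constructed seller data. The field names, the "x" placeholder values, and the days on which the two reminders go out (30 and 45) are assumptions.

```python
"""DAC7 reportable-seller triage over constructed platform data (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

CASUAL_MAX_SALES = 30        # casual sellers: fewer than 30 sales ...
CASUAL_MAX_EUR = 2000.0      # ... totalling less than EUR 2,000 are exempt
DATA_DEADLINE_DAYS = 60      # no data after 60 days: remove seller, close account
REMINDER_DAYS = (30, 45)     # assumption: days after the request when reminders go out
BASE_FIELDS = ("legal_name", "primary_address", "member_state",
               "financial_account", "tin")


@dataclass
class Sale:
    day: date
    amount_eur: float       # consideration paid or credited to the seller
    fee_eur: float = 0.0    # fees/commissions/taxes withheld by the platform


@dataclass
class Seller:
    seller_id: str
    kind: str               # "individual", "entity", "government" or "listed"
    activity: str           # "goods", "property_rental", "service" or "transport"
    details: dict           # collected identity data, keyed by field name
    sales: list = field(default_factory=list)


def is_reportable(s):
    """Apply the exemptions described above to one seller."""
    if s.kind in ("government", "listed"):      # public bodies and listed entities
        return False
    if s.activity == "goods":                   # casual-seller exemption
        total = sum(x.amount_eur for x in s.sales)
        if len(s.sales) < CASUAL_MAX_SALES and total < CASUAL_MAX_EUR:
            return False
    return True


def missing_fields(s):
    """Required data points the platform has not yet collected for s."""
    required = list(BASE_FIELDS)
    if s.kind == "individual":
        required.append("dob")
    if s.kind == "entity":
        required.append("vat_or_registration_no")
    if s.activity == "property_rental":
        required += ["property_address", "land_registration_no"]
    return [f for f in required if not s.details.get(f)]


def quarterly_consideration(s):
    """Consideration and withheld fees per calendar quarter, as the report needs."""
    out = defaultdict(lambda: {"consideration": 0.0, "fees": 0.0})
    for x in s.sales:
        q = f"{x.day.year}-Q{(x.day.month - 1) // 3 + 1}"
        out[q]["consideration"] += x.amount_eur
        out[q]["fees"] += x.fee_eur
    return dict(out)


def collection_status(requested_on, today, data_received):
    """Where a seller stands in the request -> remind twice -> remove workflow."""
    if data_received:
        return "complete"
    elapsed = (today - requested_on).days
    if elapsed >= DATA_DEADLINE_DAYS:
        return "remove seller and close account"
    sent = sum(1 for d in REMINDER_DAYS if elapsed >= d)
    return f"waiting ({sent} of {len(REMINDER_DAYS)} reminders sent)"


# Constructed sample sellers; "x" stands in for real collected values.
COMMON = {"legal_name": "x", "primary_address": "x", "member_state": "DE",
          "financial_account": "x", "tin": "x"}
SELLERS = [
    Seller("S1", "individual", "goods", {**COMMON, "dob": "1990-01-01"},
           [Sale(date(2023, 3, d), 50.0) for d in range(1, 6)]),          # exempt
    Seller("S2", "entity", "goods", dict(COMMON),
           [Sale(date(2023, 2, 10), 100.0, 5.0)] * 20
           + [Sale(date(2023, 5, 10), 100.0, 5.0)] * 20),                  # reportable
    Seller("S3", "government", "service", dict(COMMON), [Sale(date(2023, 1, 9), 900.0)]),
]
SAMPLE_REQUEST = date(2023, 1, 1)   # constructed date the data request went out

if __name__ == "__main__":
    for s in SELLERS:
        print(s.seller_id, is_reportable(s), missing_fields(s), quarterly_consideration(s))
    print(collection_status(SAMPLE_REQUEST, date(2023, 3, 5), False))
```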

How to Comply With DAC7 Reporting Obligations?

Businesses can comply with DAC7 reporting obligations by submitting all their EU seller information in one member state. If you’re a registered business in the EU, you’ll have to submit your information in the state in which you’re registered. 

As a business, you have to submit your reportable information no later than January 31 of the year following the calendar year in which you identify a reportable seller. The final deadline for the reporting period is January 31, 2024. 

Once the information is submitted, the member states’ tax authorities will distribute the information among themselves. EU member states are required to exchange information within 2 months of reporting. 

You can submit the information yourself or find a service provider to do that for you.

How to Prepare Your Business for DAC7?

If you’re a business operating in the EU, there are some steps you need to take to prepare for DAC7. It’s all about how you collect data and how you report it. Here are some initial questions to answer as the reporting dates come closer:

  • Does your business already collect all the data you need from sellers for reporting? If not, what process and system changes are needed to collect it?
  • Do you need to make any changes to the terms and conditions or posted consent policies to facilitate data collection from sellers?
  • Which steps do you need to take to keep the collected data safe from hackers and data breaches?
  • Which systems and processes do you need to upgrade or implement to validate the seller’s information before reporting?
  • Is your business subject to other regulations or laws that require you to collect similar information and have similar reporting requirements?

How DIRO Can Help

DIRO document verification can help businesses comply with the EU’s DAC7 directive.

Our online document verification solution can help you verify businesses and onboard them quickly. You can collect and verify a business’s bank account information, address, incorporation documents, and other valuable data.

DIRO verifies documents directly from the issuing source, eliminating the use of fake and stolen documents.