Buy Now, Pay Never?: Fraud and Financial Crime Risks in the BNPL Sector
March 14, 2022
During the Covid-19 pandemic, ‘Buy Now Pay Later’ (BNPL) services, which allow consumers to spread their payments over several interest-free instalments, enjoyed exponential growth in developed markets such as the UK, the US, the EU and Australia. However, the uptick in adoption started to expose a range of risks and vulnerabilities associated with BNPL short-term finance products. This, in turn, led to increased regulatory scrutiny. To date, the UK authorities have primarily focussed on assessing potential customer risks associated with unregulated interest-free BNPL products and ensuring that they do not promote harms such as excessive borrowing. Indeed, following the February 2021 Woolard Review into BNPL services in the UK and proposals for the sector to be regulated by the Financial Conduct Authority (FCA), an HM Treasury industry regulatory consultation recently concluded on 6 January 2022.
However, while the regulatory and media attention has primarily focussed on potential risks of consumer detriment, relatively little has been written about financial crime risks that may manifest in relation to BNPL products.
BNPL fraud is on the rise…
One of the drivers behind the rapid adoption of BNPL products by consumers has been the ease of sign-up, characterised by a near-instant customer onboarding and credit acceptance process. This is largely possible due to BNPL firms’ reliance on available data and internal algorithms for approving new clients and assessing their creditworthiness.
Working with FinTech clients over the past few years, we have observed a correlation between how easy a particular product or service is to access and how attractive it is to malicious agents. To sign up for many of the BNPL platforms available in the UK, a customer needs to provide only their email, phone number, address, DOB, and debit/credit card details. They do not necessarily need to produce documents or undergo the same type of stringent electronic identity verification checks that they would if they were signing up with a bank or a credit card company. Unfortunately, these onboarding and approval processes, which were built with ease of check-out in mind, appear to also be fraud enablers.
While sector-specific data is still relatively limited, there is growing evidence that criminals have been increasingly targeting BNPL providers, trying to exploit potential vulnerabilities in the firms’ controls to commit fraud and other financial crimes. Already in early 2021, Australian media reported that cases of identity fraud involving BNPL products had doubled nationally in 2020 compared to 2019. The three most prevalent forms of fraud relevant to the sector are:
- Synthetic identity fraud – using false credentials which mix real data (targeting children and people without credit history) with fake information, to pass the provider’s checks;
- Account takeover (ATO) fraud – hijacking genuine accounts using stolen password lists and credential-stuffing bots; and
- Third party fraud – using stolen credit card details at check-out, fraudsters are able to secure in-demand goods and re-sell them before the transaction is spotted and chargeback procedure initiated.
To minimise their fraud risks, BNPL providers should review their identification and verification (ID&V) and broader Know Your Customer (KYC) processes as well as transaction monitoring arrangements. While there currently exist different views within the UK market as to whether BNPL is a form of credit, the JMLSG Guidance for Credit Cards and Consumer Credit Providers offers providers a view on how they may fulfil requirements laid out in the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended) should the UK authorities decide to extend the consumer credit regime to include BNPL products.
… but is not the only financial crime risk relevant to the BNPL sector
Some of the features that make BNPL products attractive to fraudsters are likely to appeal to other financial criminals as well. The limited due diligence around customers’ funds and financials creates a potential money laundering (ML) risk related to the source and means by which repayment of the borrowing is made. Requiring that the instalment payments are made from an account or card registered in the customer’s name minimises the risk of third party payments, as do controls such as account ownership verification.
BNPL providers may also unwittingly facilitate an ML methodology known as Transaction Laundering. This happens when an undisclosed business uses an approved merchant’s credentials to process payments for another undisclosed source selling unknown products and services. The most effective mitigants BNPL firms can adopt to protect themselves against it are robust merchant due diligence measures and transaction monitoring.
Futureproofing: how strengthening their anti-financial crime controls may help BNPL providers meet potential regulatory requirements around affordability checking and preventing customer harms
As noted earlier in this article, the ongoing focus on BNPL products suggests that the sector is facing increased regulatory intervention. This in turn creates a risk that, unless they proactively act now, BNPL firms may find themselves playing regulatory catch-up and being required to undertake large-scale remediation efforts.
BNPL providers have a range of choices in how to strengthen their controls and protect themselves against fraud and money laundering risks. One potential opportunity is around making greater use of electronic ID&V solutions to verify and authenticate new users during the onboarding process. This would help ensure that a firm’s customers really are who they say they are.
Another avenue that may be worth exploring relates to ongoing monitoring of customer and merchant activity and increased use of behavioural analytics and transactional triggers. These may vary from automated prompts to re-verify a customer trying to make a high-value purchase or change their delivery address, through link analysis, where the BNPL provider may use data collected from merchants to identify connections to known malicious agents, to machine learning that assesses transactions and identifies unusual and potentially suspicious activity in real time.
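The transactional triggers and link analysis described above can be sketched as follows. This is an added example, not code from the article or from any BNPL provider; it also folds in the payer-name check from the money laundering section. The account data, field names, threshold and function names are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample data: account -> identifiers collected at sign-up/checkout.
ACCOUNTS = {
    "acct-1": {"phone": "07000000001", "device": "dev-A", "address": "1 High St"},
    "acct-2": {"phone": "07000000002", "device": "dev-A", "address": "9 Mill Rd"},
    "acct-3": {"phone": "07000000003", "device": "dev-C", "address": "9 Mill Rd"},
    "acct-4": {"phone": "07000000004", "device": "dev-D", "address": "4 Oak Ave"},
}
KNOWN_BAD = {"acct-3"}   # assumed output of earlier fraud investigations
HIGH_VALUE_GBP = 500     # assumed threshold, set by the provider's risk appetite


def linked_accounts(start, accounts, max_hops=2):
    """Breadth-first search over accounts that share any identifier value."""
    index = defaultdict(set)
    for acct, attrs in accounts.items():
        for key, value in attrs.items():
            index[(key, value)].add(acct)
    seen, queue = {start: 0}, deque([start])
    while queue:
        current = queue.popleft()
        if seen[current] == max_hops:
            continue  # do not expand beyond the hop limit
        for item in accounts[current].items():
            for neighbour in index[item].difference(seen):
                seen[neighbour] = seen[current] + 1
                queue.append(neighbour)
    return {acct: hops for acct, hops in seen.items() if acct != start}


def review_triggers(order, profile, accounts=ACCOUNTS, known_bad=KNOWN_BAD):
    """Return the reasons an order should be stepped up to re-verification."""
    reasons = []
    if order["amount_gbp"] >= HIGH_VALUE_GBP:
        reasons.append("HIGH_VALUE")
    if order["delivery_address"] not in profile["known_addresses"]:
        reasons.append("NEW_DELIVERY_ADDRESS")
    if order["payer_name"].casefold() != profile["name"].casefold():
        reasons.append("THIRD_PARTY_PAYER")
    bad_links = known_bad.intersection(linked_accounts(order["account"], accounts))
    if bad_links:
        reasons.append("LINKED_TO_KNOWN_BAD:" + ",".join(sorted(bad_links)))
    return reasons
```

An empty list means the order passes without a prompt; the two-hop limit keeps a single widely shared identifier, such as a parcel locker address, from linking large numbers of unrelated customers.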
The fact that more robust identification measures and smarter monitoring may not only minimise BNPL providers’ financial crime risks but also help them identify users that may be spending beyond their means and are at risk of problem debt is a further argument in favour of firms revisiting and strengthening their anti-fraud and financial crime control frameworks.
One example of where this synergy may manifest is affordability assessments. Electronic ID&V providers use a range of data sources, including credit reference agencies; this data could also be utilised in performing creditworthiness checks that could consider the user’s credit score or average property values for the area they live in.