About the Author
Ohad Samet is an entrepreneur and executive in the financial services industry, having worked as a manager, founder, and executive in various companies. Ohad started his career as manager of the fraud analysis group for FraudSciences, a fraud prevention startup for high risk payments. After FraudSciences was acquired by PayPal in 2008, he worked in various roles for the company, among them the manager of the new ventures risk team, in charge of risk management for PayPal's Digital Goods, Mobile and Adaptive Payments products. Ohad left PayPal in 2010 to work on two projects; one of them, Signifyd, is now a leading fraud prevention vendor working with Fortune 500 companies to reduce payments fraud. The other, Analyzd, was acquired by Klarna, an up and coming European payments company, in 2011. At Klarna, Ohad served as Chief Risk Officer, in charge of granting real-time short-term credit on Klarna's $2.5B of annual payments volume. In 2013 Ohad left Klarna to focus on new projects in the financial services industry.
Ohad maintains a risk management and payments blog at http://www.ohadsamet.com.
Chapter 1. What Is Risk Management in Payments?
Risk management in payments is a peculiar practice. Generally, risk management is focused on the analysis and reduction of risk in various types of activities. Specifically, it regards analysis (in its simplest definition: understanding a problem by dividing it into the smaller parts it is comprised of) of those activities, identification of potential risks (from operational through regulatory ones), and the design and implementation of controls in order to identify, understand, and mitigate those risks when they occur. As such, risk management in general can be and is carried out by business and policy analysts, dealing with the best way to impose controls on operating business units. The term risk management therefore refers to many practices, most of them unrelated to the topic of this book. For ease of typing and reference, since this book only refers to risk management for online payments, hereafter I will use the acronym RMP.
Opposing my description of risk management as a supporting corporate function, RMP is a much more holistic activity. At its best, RMP includes several activities that broaden its scope significantly compared to what standard risk management means: it includes the actual operation of controls, monitoring and reporting of performance, product management for tools used in the implementation of those controls, and much more. It is also treated differently in various organizations, from being a part of Operations, through Finance, to a unit in its own right. When we joined PayPal, risk reported to the CTO; at Klarna, to the CEO. Accordingly, the heads of RMP in these teams vary from, most commonly, customer care professionals to financial analysts or, rarely, product people. All this creates confusion as to what RMP is and what it should be in charge of, as well as how we should think about its operation and performance.
Is RMP different when done for a retailer versus a payment provider or an issuer? In essence, no: all are dealing with similar fraudsters, in a similar space, and the range of tools and customer behaviors they see are similar. There are differences, though: losses are driven by different factors, since retailers mainly deal with consumers, and payment providers deal with both. Available data are different since retailers can see browsing patterns, and issuers don't know what the product is. Even the ability to react is different, since issuers can only block a card from transacting, but payment providers can block individual purchases or block a customer completely. Their ability to implement real-time detection, scale of available data, and tolerance to loss vary. Still, this book isn't separating retailers, issuers, and payment providers in any meaningful way. Historically, retailers could be slightly less concerned with cutting-edge technologies, since their margins were higher and a lot of their business was done offline. As many online businesses mature and start worrying more about margins, as well as increasingly become targeted by organized fraudsters, we see more convergence in the knowledge and tools required from all types of businesses.
There are two guiding principles to the way RMP should be thought of:
- RMP is a core function of a payment organization. Forcing your RMP team into Finance or Operations drives the team to look for solutions from a limited toolbox. If you are an RMP leader, you must be able to recognize and use trade-offs between rejections, losses, and cost of operation; therefore, RMP must be a separate, self-sufficient team that owns and impacts such trade-offs with input from the Sales team.
- RMP is a data- and engineering-heavy activity. RMP is not a human-intensive operational team aimed at reducing losses to a minimum using manual review. A substantial percentage of losses occurs due to operational, experience, and general product issues that should be managed with appropriate tools, not improved manual decisions by an ever-growing operations team. To deal with those, RMP teams must own product and data analysis responsibilities, creating substantially more value by independently identifying and fixing issues that would not be otherwise uncovered. Furthermore, day-to-day interaction with customers, together with the instrumentation (documenting and tracking events in your system and their impact on your data in a way that allows real-time and look-back analysis of actions taken) and tracking required for reporting losses and performance, adds to the team's competence to deal with systematic problems holistically. That also makes RMP teams the most qualified to come up with user-behavior-driven solutions that are otherwise hard to replicate.
The two guiding principles above dictate a specific structure and set of activities that should be carried out by the RMP team. This means that the team should be separate as a part of a data, analytics, or data science team. Setting the team up this way will not only drive higher success in controlling losses but also improve other value-creating activities that a data team can initiate and lead in your organization.
Chapter 2. What Problem(s) Are We Trying to Solve?
Actively going after further detection and analysis of problems, trends, and phenomena in your data and system is what drives the daily improvement that supports your strategy; it is a cycle where you identify your top issues, understand what causes them, and solve them so that other issues become your top concern. However, when you go after these issues, or when you find them, you need to deal with terminology. How will you describe your findings? What is it that you're trying to solve?
We are trying to optimize our risk, according to our risk appetite, measured as a balance between our losses and rejections. Let's look at it step by step:
- Optimizing risk. Risk is determined by the probability of an adverse event happening (fraud chargeback, merchant going out of business, a renter's property being trashed) multiplied by the magnitude of damage we will incur (be it financial, reputational, or other).
- According to our risk appetite. Determining whether we're taking too much or too little risk is a decision owned by various officers of the company and/or external regulations, depending on the level and type of governance the company is subject to. The company's appetite determines the amount of risk it's willing to take; as any Head of RMP discovers, that appetite changes rapidly and is one of the major influences you must manage on a day-to-day basis. Regulation is a significant part of your risk appetite considerations. You will be regulated differently based on your business model, geography, volume, and license type. Some regulations and regulating bodies are more conservative than others, expecting certain types of decision models and style of decision making and documentation; others are open to reasonable explanations of innovative risk-taking models. All are concerned with what they understand as protecting consumers and businesses from various violations. This impacts the type of business decisions you are free to make.