A Step by Step Guide to Fraud Risk Management Strategy

It is essential to have a clearly articulated risk management strategy that is understood across operations and finance rather than just a collection of tactics for any loss prevention programme.

Hi, my name is Duncan Malcolm. I convene First Six Last Four to help us understand more about fraud threats and the things that we can do to reduce our risk in the face of highly motivated adversaries.

In this post we are talking about how to effectively quantify how much fraud risk you are exposed to. We also cover how to categorise that risk so that you can better manage it, which should help you reduce your losses.


Fraudulent transactions can often seem to come from nowhere: at first glance they appear random and completely unpredictable, often surfacing many weeks after the sales took place.

The reality however is that fraud exposure can be predicted and managed effectively.

I’ve included all of the working below in a spreadsheet that you can copy and download.

All card payments = extending credit

Whenever you accept a card payment you are extending credit to that customer.

I’ve worked through the scenarios below and I can’t think of one time where this is not the case.

Most would agree that when you take a card payment without liability shift that as a merchant you’re taking a higher risk but how does that equate to credit?

Credit is defined as:

…the ability of a customer to obtain goods or services before payment, based on the trust that payment will be made in the future.

When you take a card payment you haven’t actually been paid…

…let's stop and think about that for a second.

The money might be in your account but it can be taken away from you at any time for up to and over a year via chargebacks. It is essentially a liability on your balance sheet.

It takes 30-45 days on average for merchants to receive a reasonable chunk of chargeback alerts, with the rest usually trickling through over the following 12 or so months, especially for US-issued cards.

What about transactions with liability shift?

Surely you’re not extending credit then…

…I’d completely disagree.

If you have too many chargebacks or fraud alerts you could be put on a remediation programme by say VISA or Mastercard.

This will cost you money, so even if you were protected by liability shift you have incurred a cost in time and possibly a fine (fee) from a card network.

Worst case you can completely lose your liability shift.

Manage card payment risk like credit

The way that a bank or mortgage lender manages their risk is through interest rates. If the applicant is high risk, they will get a higher interest rate on their credit. That helps the lender hedge their risk.

For merchants we’re usually price bound so charging more isn’t always an option…

…we can however apply different controls.

One of the least optimal approaches is to get stuck in the mindset that you need to apply the same controls to every product.

That holds whether the control is something as simple as only sending some physical products to the billing address or a more sophisticated approach, which we'll cover another time.

The additional controls usually come at a cost: sometimes a conversion cost, i.e. lost sales, and sometimes a direct cost.

If, for example, we ask for a photo ID, that might reduce conversions and also cost us a per-check fee from a vendor. Double pain.

The end result we are looking for here is:

  • {quantify} What do our risk buckets look like?
  • {monitoring & alerting} Watching exposure across each of our ‘portfolios’ of risk and doing something if it exceeds our risk appetite;
  • {controls} Applying appropriate controls to the higher and highest risk groups of products;

Quantifying risk

This part is completely dependent on your business, but it's probably fair to say all businesses sell products, whether a service or something physical in the post.

When you look at your products you will likely find that, depending on the product or category, you have a different fraud to margin ratio on each.

I'll go into why fraud to margin is a better metric than fraud to sales in another post, but here's an example:

  • Product: iPhone X
  • Buy price: €240
  • Avg. Sale price: €300
  • Margin: 30%
  • % Fraud CB sales: 5%
  • Fraud to margin = Fraud sales % / Margin % = 20%

If we do this for a full selection of products it could look like this:

Here we can see that there are three products that are noticeably higher than the others and one where we're actually losing money on each sale.

Note: If, like here, you have any products with very high or over 100% fraud to margin, you should come up with a separate strategy for them by adding an additional row to the examples below.

This gives a good initial picture and I could create a very simple risk matrix:

You can choose to split these groups however you like. I tend to use quartiles because they’re easy to generate in a spreadsheet. See below for the calculations.

The limitation here is that there's no indication of the amount of losses. Are these three key products or do they have minimal sales?

To get that we need to pull in the total number of sales per period.

Then plug them into a 3×3 which will show us how many products we have in the low, medium, high and critical risk groups.

I’d recommend a 3×3 over a 2×2 as it makes it easier to show the highest risk products.

Plugging this into a table gives us something like this:

Note that I've included the over 100% group as a separate line under the table. This is sensible for products that need immediate attention. The example spreadsheet has these banded by whole numbers instead.

We can now easily see in one place that around 60% of our products aren’t causing too many issues but that there are three products of concern.

The next thing you can do is change the values from counts of products to total fraud losses. While this doesn't change much of the process, it's good to know and report on.
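The quantification steps above worked through in code, as an added example rather than the post's spreadsheet: fraud-to-margin per product, a separate "critical" row for anything at or over 100%, and a 3×3 count of products by fraud-to-margin band against sales-volume band. The product figures are constructed sample data; margin is assumed to be (sale price minus buy price) divided by sale price, and the three bands are cut at tertiles rather than the post's quartiles so they map onto a 3×3.

```python
# Added example (not the post's spreadsheet): fraud-to-margin per product,
# tertile risk bands, and a 3x3 count of products by fraud-to-margin band
# versus sales-volume band. All product figures are constructed sample data.
from statistics import quantiles

# constructed sample catalogue:
# (name, buy price, avg sale price, fraud chargebacks as a fraction of sales, sales per period)
PRODUCTS = [
    ("iPhone X",    240.0, 300.0, 0.05,  120),
    ("Headphones",   20.0,  50.0, 0.02,  400),
    ("Gift card",    95.0, 100.0, 0.06,   60),   # fraud exceeds margin: loses money per sale
    ("Laptop",      600.0, 800.0, 0.03,   40),
    ("Cable",         1.0,   5.0, 0.01,  900),
    ("Console",     350.0, 420.0, 0.04,   80),
    ("Smartwatch",  150.0, 250.0, 0.08,   30),
    ("Case",          3.0,  15.0, 0.005, 700),
]

def fraud_to_margin(buy, sale, fraud_fraction):
    """Fraud-to-margin ratio: fraud % of sales divided by margin % of sale price (assumed definition)."""
    margin = (sale - buy) / sale
    return fraud_fraction / margin

def band(value, cuts):
    """0 = low, 1 = medium, 2 = high, given the two tertile cut points."""
    return sum(value > c for c in cuts)

def risk_matrix(products):
    """Return (fraud-to-margin per product, 3x3 grid[ftm_band][volume_band], critical product names)."""
    ftm = {p[0]: fraud_to_margin(p[1], p[2], p[3]) for p in products}
    # anything at or over 100% gets its own row and a separate strategy
    critical = sorted(name for name, ratio in ftm.items() if ratio >= 1.0)
    rest = [p for p in products if ftm[p[0]] < 1.0]
    ftm_cuts = quantiles([ftm[p[0]] for p in rest], n=3)   # two cut points -> three bands
    vol_cuts = quantiles([p[4] for p in rest], n=3)
    grid = [[0] * 3 for _ in range(3)]
    for p in rest:
        grid[band(ftm[p[0]], ftm_cuts)][band(p[4], vol_cuts)] += 1
    return ftm, grid, critical

if __name__ == "__main__":
    ftm, grid, critical = risk_matrix(PRODUCTS)
    for name, ratio in sorted(ftm.items(), key=lambda kv: -kv[1]):
        print(f"{name:<12} fraud-to-margin {ratio:6.1%}")
    print("critical (>=100%):", critical)
    print("grid rows = fraud-to-margin band (low..high), columns = volume band (low..high)")
    for row in grid:
        print(row)
```

Swap the counts in `grid` for summed fraud losses per product to get the loss-weighted view mentioned above.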

Monitoring & alerting

Now we have our risk groups defined we can start to keep an eye on them. As our risk of getting a chargeback subsides over time we should treat the ‘credit’ we’ve offered differently.

Let's create a couple of groups of 'days since transaction':

  • 0-45 days – This is our highest risk time, so any sales in this group could go bad;
  • 45-90 days – Still possible to get a chargeback here;
  • 90-365 days – Much less likely but still possible;

Now let's combine some made-up sales numbers for each risk category:

Finally, now that we have our risk categories, we can monitor how much 'credit' we have issued in the form of card transactions by risk category.

Risk appetites

The last step is to decide what and how you are going to monitor the risk on a rolling basis. The simplest approach is to set a fixed number.

There are two obvious approaches:

  • {rolling monitoring} Rolling monitoring of the factor of increase;
  • {fixed amounts} Fixed amounts per category for the 0-45 day period;

I would recommend both.

Rolling monitoring

For rolling monitoring you need to set a baseline of what normal activity looks like. An easy way to do this is to choose a period sufficiently in the past not to impact the current spike.

Let's take average sales in the category per day between 90 and 365 days in the past:

For our low category this would look like:

= ((90-365 sales amount)/(275 days)) * 45 days

= (602 / 275) * 45 = 99

So if we’re significantly above €99k of sales in the last 45 days for our low risk category we know that something has changed.

Within the fraud area of the business you should monitor these carefully and have a plan for when it goes higher than you’re comfortable with.

Fixed amounts

This one is very simple. Agree a maximum amount per risk group for sales in the last 0-45 days.

If you exceed that number, have an agreed process to call an emergency meeting with the relevant people, i.e. your management team, and discuss how to proceed.

You could:

  • Reduce the marketing of the highest risk products;
  • Accept the risk;
  • Apply some additional controls and monitor the situation;

It all depends on how much risk your business is willing to take.
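Both monitoring approaches from the Rolling monitoring and Fixed amounts sections above, as an added example that is not the post's spreadsheet: transactions are bucketed by days since transaction into the 0-45, 45-90 and 90-365 groups, the 45-day baseline is derived from the 90-365 day window exactly as in the formula above, and each category is checked against both a factor-of-increase trigger and a fixed cap. The transactions, the 1.5× trigger factor and the cap values are constructed assumptions.

```python
# Added example (not the post's spreadsheet): outstanding card 'credit' by risk
# category and age bucket, the rolling 45-day baseline from the 90-365 day
# window, and the fixed-amount cap. Transactions and thresholds are constructed.
from collections import defaultdict

AGE_BUCKETS = (("0-45", 0, 45), ("45-90", 45, 90), ("90-365", 90, 365))

# constructed sample: (risk category, days since transaction, amount in EUR)
TXNS = [
    ("low", 3, 40.0), ("low", 20, 55.0), ("low", 44, 30.0),
    ("low", 60, 20.0), ("low", 120, 70.0), ("low", 200, 90.0), ("low", 300, 115.0),
    ("high", 5, 300.0), ("high", 30, 450.0), ("high", 70, 120.0), ("high", 250, 150.0),
]

def exposure(txns):
    """Sum of amounts per (category, age bucket); anything 365+ days old has dropped off."""
    totals = defaultdict(float)
    for cat, age, amt in txns:
        for name, lo, hi in AGE_BUCKETS:
            if lo <= age < hi:
                totals[(cat, name)] += amt
                break
    return totals

def rolling_baseline(totals, cat, window_days=45):
    """Expected sales over window_days, from average daily sales 90-365 days ago (275 days)."""
    return totals[(cat, "90-365")] / 275 * window_days

def check(txns, fixed_caps, factor=1.5):
    """Alerts: ('rolling' when 0-45 exposure > factor x baseline, 'fixed' when above the agreed cap)."""
    totals = exposure(txns)
    alerts = []
    for cat in sorted({c for c, _ in totals}):
        current = totals[(cat, "0-45")]
        base = rolling_baseline(totals, cat)
        if base and current > factor * base:
            alerts.append((cat, "rolling", round(current / base, 2)))
        if current > fixed_caps.get(cat, float("inf")):   # no cap agreed -> never triggers
            alerts.append((cat, "fixed", current))
    return alerts

if __name__ == "__main__":
    for key, total in sorted(exposure(TXNS).items()):
        print(f"{key[0]:<5} {key[1]:<7} EUR {total:8.2f}")
    # constructed caps: only the high-risk group has an agreed 0-45 day maximum
    for alert in check(TXNS, {"high": 500.0}):
        print("ALERT", alert)
```

A rolling alert shows the factor of increase, so a 2.78 for the low group means current 0-45 day sales are 2.78 times what the 90-365 day window predicts.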

Final thoughts

The key to making the approach work is close collaboration between fraud, operations and finance. Marketing should also be involved in the conversations, as your spikes could well be driven by a new campaign and not an eager adversary.

This approach to managing risk can be taken further. If you are selling in multiple regions you could look at it regionally, or, more simply, look at transactions with and without liability shift.

I hope you found this post useful.

How do you currently monitor your fraud exposure today?

Let me know in the comments that are only accessible to our pre-screened and logged in members below.
