Welcome to Payments on Fire® and to our third, now annual, discussion with Steve Ledford, SVP Products and Strategy at The Clearing House, and the leader of his company’s Real Time Payment Network initiative.

As in prior conversations, Steve and George discuss the growth of the RTP Network both in terms of transactions and dollar volume as well as an important metric, the growth in the number of financial institutions and FI processors who are already or in process of connecting to the network.

The evolving set of use cases supported by a new payment system is often surprising. Few expected Zelle’s leading use case to be rent payments. While the RTP Network is in its infancy, Steve shares a number of use cases already in flight.

Changes to the network’s rules also position it for expanded use. For example, the network’s recent increase in transaction size limit to $100,000 positions it far better for B2B transactions.

Like all bank services, strong user authentication is critical and firmly out of scope for the new network. Banks will have to improve their authentication processes because account takeover is a real risk.

As Steve says in this discussion, banks can also reduce the risk of accountholders sending money to bad actors simply by well-timed messaging. Financial institutions can adopt best practices that have evolved in the UK and other markets with similar systems in place. For example, the bank should ask the accountholder if they personally know the recipient of the funds and if they have been pressured to make the payment within a certain timeframe. Both questions are meant to caution the accountholder before pressing Send.

Steve also addresses the announcement of FedNow and its ripple effects on the RTP Network.

New national payment rails are a once in a generation event. New rails, better data representation techniques, and mobile devices make for an innovator’s playground. Take a listen.

Be Safe. Be Well. Help Out.

This is our era’s unprecedented event. I hope you’re staying safe, your family is all well, and you’ve got what you need for what looks to be a pretty long time. On the upside, I’ve seen and experienced people helping one another like never before. That gives me confidence we’ll be able to mitigate COVID-19’s impact on our healthcare system - and on all of us. The downside is obvious. The weight of the pandemic is going to come down heaviest on those with the fewest resources. Helping out is our best response.

Among the Exploiters of The Pandemic

There are characters out there, however, who are bent on taking advantage of this global challenge because the corona virus has only added gasoline to the growth of e-commerce and online fraud of all kinds.

While e-commerce volume skyrockets as so many hunker down, online credit applications are rising at traditional lenders, challenger banks, and fintechs. Responding to the pandemic, some fintechs are making it easier than ever for sole proprietors to get loans in the hopes of having their business survive the pandemic. For similar reasons, others are encouraging government action in support of their SMB customers.

These laudable efforts will attract fraudsters in droves. What could be better than overburdened systems (Robinhood anyone?) and modified onboarding and underwriting processes?

Socure is an identity management company serving financial institutions old and new, fintechs, and marketplaces that extend credit via online applications. Socure’s service operates right at their front door, at “day zero,” when the applicant first appears at the provider’s digital door. The company promises to reduce fraud, reduce the manual review of questionable applications, and onboard more customers through its KYC services.

In this Payments on Fire® episode, George speaks with Rivka Gewirtz Little, SVP Marketing & Strategy at Socure on a range of topics, from the what and how of Socure’s service to the larger concerns of fraud rates, model governance, and the definition of identity.

Socure’s Own Digital ID

Socure is working on its own version of a digital identity, essentially taking all that it knows about each individual and creating a profile that is updated based on the individual’s behavior, system changes, etc. This “Socure Identity” then can be used beyond the Day Zero identity proofing step but for subsequent authentication when the individual returns to Socure’s customer’s website or app.

FI Internal Collaborate on Identity

An encouraging evolution in enterprise organization is the growing collaboration of the produce line leadership within traditional financial institutions in the areas of risk management and marketing, teams with traditionally conflicting goals. Marketing wants as little friction as possible; Risk wants to keep the bad actor out. In the past, each product line fought its own battles and chosen its own solutions. Now that the digital channel is firmly established even among incumbent and with more flexible tech available, coordination and alignment is taking place.

Data Minimization

“Data minimization” has achieved buzzword status. And its meaning varies depending on who you are. Essentially, it means a provider should hold only that data that’s necessary and no more. For a Socure that lives on massive data resources, data minimization is meaningless. Socure has to be an exceptional custodian of all of that data.

George and Rivka discuss another connotation for that term, the ability of the accountholder or user to release only the data that’s relevant to the transaction. Showing a driver’s license to prove you’re over 21 is a classic case of over-sharing.

So, take a listen. Stay safe.

For more on digital identity and synthetic identity in particular, check out Episode 115 – Finding the Phantoms – Synthetic Identity and the Issuer – with Naftali Harris of SentiLink.

Sometimes events delay things. Other times, they hasten them. At Glenbrook, the corona virus has sped us along a path we’ve been traveling for some time. The path is digital delivery of the Glenbrook Payments Boot Camp®.

In this Payments on Fire® episode, Russ Jones, partner in charge of Glenbrook’s education team, talks with George about two major changes in our payments education program.

1. Digital Delivery - what it looks like, how it works, and when we will launch it for our public participants
2. Curriculum Update - how Glenbrook maintains the currency of our training and some of the major updates made recently

As you’ll hear Russ say, we’re excited by the capabilities of today’s teleconferencing capabilities, how we can use them to inject a high level of interactivity into each session, and the challenge of bringing the Glenbrook Payments Boot Camp® magic to the digital medium.

Join us April 7-9 for the Glenbrook Payments Boot Camp® digital edition. No travel required!

All of us at Glenbrook wish you the very best of experience and outcome as each and all of us navigates the corona virus threat. Be calm, carry on, and keep your social distance.

Fraudster innovation is a constant. As the defenders of payment transactions thwart one fraud vector, these innovators, playing offense, switch tactics.

Today, the problem of knowing who you are, that you are who you say you are, in the digital domain demands stronger authentication techniques. Many of those rely on the attributes, the data, provided by the user or by the applicants in the case of credit extension.

In turns out that even the data supplied by applicants can be both entirely bogus and sufficient to convince a credit issuer to onboard the applicant and extend credit. This is the problem of synthetic identity.

To explore the synthetic identity challenge, take a listen to this conversation with Naftali Harris, CEO of SentiLink, a company focusing on detecting synthetic identities. Coming from years at Affirm, Naftali and the SentiLink team serve credit issuers struggling with this new fraud vector.

First, let’s define synthetic identity using the Fed’s Synthetic Identity Fraud in the U.S. Payment System Payments Fraud Insight white paper as the source:

“The generally agreed-upon definition of synthetic identity fraud is a crime in which perpetrators combine fictitious and sometimes real information, such as SSNs and names, to create new identities to defraud financial institutions, government agencies or individuals.”

Now we’re looking for phantoms. Uh-oh.

There are terabytes of personally identifiable information for fraudsters to use because of data breaches and our own over-sharing of our personally identifiable information. Knowledge-based authentication based on static data like SSNs, birthdays, and the name of our hometown isn’t hard to break. Nor is this static data generally protected by tokenization or encryption in any way.

The fraudsters know what we know. Uh-oh.

And because the real data presented by the fraudster creating a virtual identity is often that of a child or an elder or even the deceased, well, it’s super hard to detect. That comes from my Glenbrook colleague Yvette Bohanan who has years of risk management experience at Amazon, Google, eBay, BofA and others.

Of course, the fraudster’s goal in making up a new identity is to open a credit line in order to subsequently defraud the issuer, perhaps by carefully using a credit line carefully for years to build up a high credit limit before busting out with a lot of spending and then disappearing to a beach somewhere.

Multiple Types of Synthetic Identities

A startling aspect of some synthetic identity fraud is that it doesn’t take advantage of purloined PII. All of the data used by the credit application is made up out of whole cloth and thin air. The proper format of a social security is well known so why not generate a random one? After all, the federal government doesn’t operate a central SSN repository with realtime validation. A variant approach relies on real and fake data, combining, for example real names with made-up SSNs.

To explore the synthetic identity challenge, take a listen to this conversation with Naftali Harris, CEO of SentiLink, a company focusing on detecting synthetic identities. Coming from years at Affirm, Naftali and the SentiLink team serve credit issuers struggling with this new fraud vector.

On Payments on Fire® we’ve talked with gateway operators, processors, tokenization specialists, fraud management firms, and others - all providers who help payment acceptors handle their payments.

The range of services and business value they deliver varies a lot. Some providers do everything. Others, like Spreedly, the subject of this Payments on Fire® podcast, focus on a narrower set of functions and business outcomes.

Payment Flow and the Payment Service Provider (PSP)

When we talk about merchant acquiring in the Glenbrook Payments Boot Camp, we highlight the following transaction flow:

1. The merchant or its ISV, perhaps running as an PayFac, accepts the customer’s payment
2. They connect to a gateway or a processor
3. The gateway routes the transaction to an acquiring bank or its processor OR the merchant connects directly to one of these entities
4. The transaction is routed by the acquirer or processor into the payment network and on to the accountholders’s financial institution

That picture oversimplifies the tasks at hand. Depending on what kind of merchant you are, the set of payment-based services you need can vary substantially.

If you answer yes to any of the following, there are payment service providers ready to help you with specific tools:

• Are you an e-commerce merchant
• Is omnichannel commerce important?
• Are you strictly a bricks-and-mortar operation?
• Are you a biller or a heavy user of invoicing?
• Do you operate unattended devices like vending machines and kiosks?
• Are you global or have global aspirations?
• Are you an SMB or enterprise-class payment acceptor?

Some payment service providers (PSPs) are owned or captives of larger upstream entities. Their role is to capture an ever widening stream of transactions to flow on to their parent company. CyberSource, owned by Visa, may not care a lot about who the acquirer is but the company's transaction handling drives revenue for Visa.

Other independent PSPs like NMI and, in today's podcast, Spreedly, focus more on the needs of the merchant. NMI anchors it many other talents around its core gateway. Spreedly might be considered is a gateway to gateways. It connects to processors and has developed a broad set of connections into domestic systems around the world. Spreedly is a also payments tokenization provider.

Given that range, Spreedly refers to itself as a merchant-facing payments infrastructure provider. More casually, Spreedly is a layer of glue between the payment acceptor's operations and the payment systems that the acceptor needs to support. Payment orchestration is another in vogue term to describe what Spreedly, and others, do.

This is an evolving story and marketplace. Definitely worth a listen to Justin Benson, CEO of Spreedly, as we talk about what his company does and a range of industry topics including tokenization, risk, and more.