By Kevin Mendizabal
Frates Insurance and Risk Management
The Merchant Acquirers' Committee held its annual show March 21 to 23, 2017, in Las Vegas. Among the many topics discussed were risk, underwriting, hacking and breaches, regulatory actions, and compliance. A number of speeches focused on continuing and evolving cyber-threats and the scope of cyber-liability for businesses operating within the payments industry. Discussions made it clear that payment companies are learning the hard way that data breaches encompass far more than credit card data.
Companies such as acquiring banks, payment facilitators, gateways, ISOs and customer relationship management (CRM) specialists manage their clients' data. If they are compromised, all parties involved could suffer substantial losses, experts at the conference noted. Because of this, indemnification provisions are typically included in contracts between two organizations, such as between a CRM and an ISO or between an acquiring bank and an ISO.
However, the potential inability to provide this indemnification could render such clauses as worthless as the paper they are written on. If an ISO contracts with a CRM, gateway or any other provider, what assurances does the ISO have that the provider is financially capable of indemnifying not only that ISO, but also all other affected ISOs utilizing that provider?
In addition to contractual indemnification, best practice requires evidence of insurance that backs this indemnification, naming the indemnified party as an additional insured. If a provider is unwilling to do this, it would be prudent to find another provider. Accepting what is equivalent to a parking garage liability disclaimer is not by any means sound risk management.
Speakers also pointed out that ransomware has been increasing exponentially, causing companies to face losses in the hundreds of thousands and even millions of dollars. Ransomware gives hackers the opportunity to extort an organization by holding its systems hostage. Ransom demands are always paid in bitcoin in exchange for passwords to restore the compromised databases.
However, one has to ask if criminal hackers will in fact keep their end of the bargain. These bad actors have a great reputation for customer service, which is evident from the price of bitcoin. Simple supply and demand illustrates just how in demand bitcoin is. That demand is primarily linked to the rampant use of the digital currency to pay said ransoms.
If that isn't scary enough, one of the presenters at the conference demonstrated how easy it is to bypass every anti-virus and malware program designed to prevent such attacks. Fortunately, ransomware payments can be covered by cyber insurance, provided the policy is properly written. This is one of the most important and complex policies a company will maintain, and not all policies are created equal, so it is critical to understand the terms and conditions of a policy before accepting it. Further, any company involved in the payments industry will find cyber insurance policies very difficult to obtain because insurance carriers view the entire industry as high risk. The best practice is to ensure your broker understands the payments industry and doesn't think PSP stands for PlayStation.
The MAC show wouldn't have been a payments conference without discussion of acquirer chargeback liability. This risk can be mitigated by due diligence, reserves and rate. However, acquirers are now increasingly accepting insurance and other financial products in lieu of loss reserves, reducing the financial burden on their processing channels while still maintaining underwriting integrity.
Leveraging financial products and insurance is not only less costly; the revenue from additional capacity and verticals can also pay for the cost of the policy. In this scenario, freed-up capital is now put to use, and letters of credit are no longer an issue, giving acquirers a further competitive edge without the additional exposure. A simple opportunity-cost calculation is to take the return on assets, or ROA, that is lost by being tied up in reserves that bear zero interest. By reducing or replacing the reserve requirement with insurance, it is easy to see how the cost is substantially less, and the insurance essentially pays for itself.
Experts at the conference confirmed it is no surprise that card-not-present (CNP) fraud has increased and will continue to increase. Fortunately, many strong front- and back-end solutions can combat such losses. These solutions present partnership opportunities to add value to merchants by reducing losses from both friendly fraud and fraud perpetrated by outsiders. Coupling these solutions with an insurance-backed transaction guarantee could present a significant additional revenue source for acquirers.
CNP merchants can already attain insurance that will pay losses stemming from fraudulent transactions. However, what would an additional 10 or 20 basis points in revenue on a CNP portfolio mean for an ISO or processor? While a strong front-end solution can reduce the risk, the revenue will be found in eliminating the risk for the merchant.
Kevin Mendizabal, Director of Financial Institutions at Frates Insurance and Risk Management, specializes in the electronic payments industry. Prior to joining Frates, Kevin was part of the Financial Institution division at AIG. Previously, he held underwriting and leadership roles in the mortgage banking sphere, as well as at Bank of America. Kevin has a degree in computer science from Rutgers University. You can reach him at firstname.lastname@example.org or at 405-290-5610.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.