Fraud Protection & Compliance
Invitations to buy even the smallest items on an installment plan seem to be everywhere online, and in-store, too: called “buy now, pay later” or BNPL loans, these offers let consumers buy what they want, now, and pay for it over time in four equal payments.
Led by a plethora of high-visibility providers including Klarna, Affirm, QuadPay, Afterpay and PayPal’s “Pay in 4” option, BNPL allows consumers to take 100% of merchandise value with them while paying a fraction of the price, or even nothing, up-front — a formula that’s catnip for fraudsters. In this post, I’ll provide a quick overview of how BNPL works, and share my thoughts on how BNPL fraud can occur and where the financial liability lays.
A BNPL Primer
Like the layaway plans of yesteryear, today’s point-of-sale loans lets shoppers break their purchases into equal installment payments. Consumers around the world have flocked to BNPL payments which, unlike layaway, allow them to receive their purchase immediately while spacing out payments over time.
Some BNPL providers don’t charge interest or fees, but others do; for example, Affirm charges interest. For many options, borrowers first create an account with each BNPL firm they want to use, providing their debit card or bank information as the payment mechanism. They can then choose the BNPL option at checkout.
For these reasons, BNPL loans, which are convenient and fast, can be an excellent spend management tool. The Motley Fool offers a useful tutorial on how BNPL works, and a comprehensive list of pros and cons for consumers. Notably, one of the pros is that BNPL loans typically don’t involve a hard credit inquiry, helping to protect the user’s credit score. As you’ll see below, this step (or lack of it) can open the door wider to fraudsters.
Younger Consumers Flock to BNPL
BNPL transactions are rapidly growing. In this excellent round-up article in The Wall Street Journal, Worldpay from FIS, a FICO business partner, forecasts that buy now, pay later options are expected to grow to 4.5% of North American e-commerce payments by 2024, up from 1.6% in 2020.
BNPL saw significant growth in the U.S. during the pandemic. As reported by Reuters, Australia-based Afterpay said it saw active U.S. customers more than double to 6.5 million in the fiscal year ended June 30, 2020, and its sales more than tripled in the July-September quarter from a year earlier. The company says that over half of Afterpay’s customers in the United States are millennials, aged 25 to 40 years old.
Afterpay’s growth numbers are consistent with those contained in the Journal article, which says that roughly one in five millennials used a buy now, pay later service in 2020, about double the rate of Gen X. Younger-still Generation Z customers, ages 18 to 23, are candidates as well, with only 52% of Gen Z’ers holding at least one credit card, compared with 83% of Boomers who do, according to CreditCards.com. Separately, research released in September 2020 by youth marketing firm YPulse said that 22% of 13-39-year-olds say they have used a BNPL or payment installment service, and 29% say they haven’t but are interested in using them.
The BNPL Business Model
BNPL providers lay out the money for consumer purchases so that retailers are paid in full upfront. Many of these firms collect income from merchant fees, which can run double or triple what retailers pay to credit card processors, according to industry executives. Other providers, such as credit card companies, operate differently; those offering BNPL typically charge a fixed monthly fee instead of interest.
Late fees from consumers are a major revenue source, as well. For instance, Klarna charges a late fee of up to $7, which is capped at 25% of the total purchase price, after the second missed payment. For Afterpay, late fees accounted for about 9% of its income in its most recent quarter. Tellingly, the Journal notes that nearly 40% of U.S. consumers who used buy now, pay later missed more than one payment, according to a survey conducted in November 2020 by Credit Karma.
Who Shoulders the Risk?
BNPL companies themselves typically don’t bear the risk of losses from defaults or fraudulent loans; for example, Affirm and Square loans are issued through Celtic Bank, a Utah-chartered industrial bank. However, traditional banks are launching their own BNPL offerings, a situation that entails a distinctly different set of fraud risks compared to traditional point-of-sale credit and debit transactions.
In the U.S., Citi, Citizens Bank, Regions Bank, Fifth Third and Synovus are the largest banks currently participating in point-of-sale financing. In November 2020, JPMorgan Chase launched My Chase Plan, offering consumer credit for fixed monthly payments for purchases worth more than $100. Similarly, American Express offers PlanIt, allowing customers to choose up to 10 purchases of $100 or more to combine into a plan in their online account.
Banks’ BNPL business model means that they will bear the losses of any fraudulent loans. Because banks pay merchants up-front for the consumer’s purchase, they stand to lose up to 100% of loans’ value through third-party fraud––for example, merchandise bought on plan using stolen credit card information and "muled” by unsuspecting intermediaries. In an application fraud scenario, a criminal could open a new account at the bank under a synthetic identity and acquire a credit card (from the same bank) to establish the plan and quickly load up on merchandise. After that, the fraudster defaults on the payments, resulting in a 100% loss.
Testing the Limits
While it’s true that many criminals use card application fraud to cash out with advances or buy high-value merchandise that can be easily liquidated, BNPL plans offer a lucrative new avenue for enterprising fraudsters, who will almost certainly probe the limits to find vulnerabilities. These are the same caliber of criminals that, pre-EMV, hired a small army of helpers to test out stolen credit card numbers on the Domino’s Pizza mobile app. In that case, if a stolen card number worked to make an indirect pizza purchase, it could also be used to make bigger-ticket fraudulent buys.
With BPNL, fraud rates may rise because merchants may loosen their fraud countermeasures for the sake of acquiring the sale. Criminals will gravitate toward merchants that have less fraud protection to find the path with the least resistance.
Strategies and Tools for Fighting BNPL Fraud
For banks with their own BNPL offering, a multi-layered approach to risk management and fraud protection is critical. The first step is to address BNPL fraud strategically by establishing an explicit understanding of the bank’s risk appetite for this offering—what is the tolerance level for customer offer/acceptance versus fraud risk? Going a layer deeper, that includes clear differentiation between BNPL bad debt and first-party or synthetic fraud and abuse. This extends to an operational level, at which account-based operations are segmented from transaction-based monitoring; if first-party fraud is suspected, it must be addressed separately from standard third-party suspicious fraud transaction verification queues.
BNPL fraud presents yet another powerful incentive to implement enterprise fraud defenses. As my colleague Matt Cox recently blogged, an enterprise fraud approach delivers a composite view of a customer’s inflow and outflow activity by breaking down traditional silos of credit, debit, deposits and payments (person-to-person, mobile, wire transfers, ACH and more), adding application fraud detection to that view. In this way, banks can assess the totality of customer behaviors to better flag potentially fraudulent BNPL loans applications at the point of sale, denying the credit request before the fraudster walks off with the merchandise. Furthermore, link analysis plays an important role in the application process, ensuring there are no ties or known correlation between applicants and organized fraud rings or prior fraud cases.
Banks can deploy additional sophisticated technology measures to reduce card fraud. They can implement well thought-out customer journeys that include robust identity proofing and verification during customer account onboarding, especially through digital channels. In the absence of a hard credit inquiry, smart orchestration of external intelligence is necessary — device telemetry, behavioral analytics, telephony and contact intelligence all can indicate the likelihood of fraud without creating undue friction. Machine learning models provide the analytic horsepower to assess all purchases/transactions in real-time, correlate that data with the ID proofing, authentication and customer behavior data.
In sum, BNPL fraud presents a new fraud challenge for banks— in certain instances it’s essentially an instant loan application, at the point of sale, without the benefit of a credit check.