The changing face of risk management
Both regulators and businesses have a much better idea of what risks are key to address, Ben Jordan says.
Having exposure to risk management in numerous business sectors, verticals and jurisdictions over the past 20 years has been a journey of learning to play both good cop and bad cop with my professional thinking caps.
The proverbial wisdom that fraud and risk are like water in that they follow the path of least resistance is accurate. Governments, regulatory bodies, merchants, and financial institutions are essentially caught in a cat-and-mouse game with fraudsters – putting controls in place while understanding that in the dark there is an army of well-versed experts looking to exploit the next lucrative vulnerability.
My greatest mentor once told me: “Everyone can have no fraud, but they won’t be a successful business”.
This has stuck with me through the years. While this is obvious, balance is key. If user experience suffers greatly from your controls in an online B2C environment, you lose money. If your controls are inadequate or ineffective, then the issues will only snowball as you become known in carding and fraud circles as a weak target.
So, what has changed?
First is regulatory understanding. Both regulators and businesses have a much better idea of what risks are key to address. As a result of a reasonably unified best-practice approach being in place, customer understanding and a culture of KYC/EDD as a necessary evil for B2Cs have been somewhat established.
A business peer, whom I heard speak at a conference, said publicly that close to 50 per cent of his customers, in a Scandinavian market, actually provided their KYC documents before being prompted to do so. To the 2005 online business this would be thought of as an unreachable nirvana. However, this is probably due in part to the ease with which the KYC process can now be conducted – if the process is easy and frictionless it becomes the norm.
With the introduction of more stringent regulations, there are numerous global turnkey compliance providers that have been flexible in shifting with the regulatory and compliance environment and have worked with businesses to minimise abandonment due to their understanding of UX. Personally, I love to sit with new clients and map out their customer journey and help them establish the best-fit user experience for them to get their customers over this hurdle.
There is a disparity between KYC for banking and KYC for other businesses. The long and the short of it is that banks are perceived to have the right and have the trust of the general public to ask for sensitive data. Furthermore, people statistically rarely change banks – so there normally is a long-standing relationship and little churn. Someone once told me that less than one per cent of customers who threaten to close their accounts follow through with it. Comparing this to iGaming, unless a client has a significant balance to withdraw, if they are very unhappy with a brand, I believe that percentage of change would be significantly higher. Factor in the prevalence of attractive sign-up bonuses for customer acquisition and you have a very migrant and fickle customer base.
To summarise, players know they can migrate to more attractive brands and offers easily. With the lifetime value of a casino player being much higher than in many other online businesses, player retention is, as anyone who has ever had meetings with a CRM team knows, vital. Savvy turnkey solution providers know this and have invested huge amounts of both time and money into user experience to minimise abandonment.
Cross-jurisdictional harmonisation and AMLD4 have also changed. While there are some differences, for the most part, in the EU, we are all playing the same card game with some quirky house rules here and there. If you were compliant with the third AML Directive, being compliant with the fourth (after painstakingly reading through it) could be summarised very succinctly. It would require minimal operational changes and doing away with standardised due diligence.
I am, of course, grossly oversimplifying this, but it shouldn’t have been a major staller for your business operationally. Each jurisdiction pretty much had the same interpretation save for a few markets that historically like being difficult.
Having a mostly harmonised format and approach facilitates entering new markets with a confident board and MLRO. This is a good thing.
Cryptocurrencies are a game-changer. Let us look at this at a high level: pretty much everyone has heard of bitcoin and cryptocurrencies. However, there is a gross disparity between those that have heard of them and those who understand what they really are. With a rising number of BTC and crypto new-money guys shouting get-rich-quick advice from every parapet, it is not hard to see why many would have an automatic distrust.
For every genuinely solid ICO, there are many trying to make a quick buck with little regard for future sustainability. However, those that do adopt are loyal, and in my experience, vocal advocates of decentralised currencies.
With many regulators still unsure of how to address and audit a decentralised ledger, it is my opinion that – much like what occurred in the early days of iGaming – the real big players out there will assist in developing the regulatory framework through establishing commercially viable procedures for them and the ideology, and then asking the regulators what more they should be doing.
This understanding of social responsibility, before it becomes an operational show-stopper, has historically worked well for those who were willing to invest in it before they had to – specifically in iGaming. This is an essential comparison, as at the inception of the online gambling industry the same distrust prevailed, and it was through the understanding of social and regulatory responsibility and the forethought of working with regulators to ensure best-practice approaches that it has become a cultural norm.
Are cryptocurrencies going to replace fiat currency in the near future? I was asked this question on a conference panel last year, and given my audience were crypto enthusiasts and I was speaking through my background in risk, fraud and compliance, I don’t believe my response was well received by many. Regulation has been sluggish for many reasons, and in turn, the market has gotten used to the idea that cryptocurrencies are free from due diligence.
When assessing key risk differences, the primary points of concern are, most likely, the same – money in, money out. Whether regulators decide the onus for due diligence lies with crypto exchanges, merchants, or both, having a provider such as Aristotle Integrity to ensure you future-proof your business with a turnkey, scalable solution is essential to safeguard you against punitive measures and to ensure business continuity should the worst-case scenario come to fruition.
There is a widespread belief that cryptocurrencies are anonymous. This is not completely true. Just because a currency is vaguely anonymous doesn’t mean your customer has to be. Just ask the Finnish gang that thought paying for their drug shipment in BTC was untraceable – although I don’t know the address of the prisons they are currently being held in.