Stefan Kuhn is the Director of Risk and Compliance at 2C2P. For more than 20 years, he has built an illustrious career in finance, with a strong focus on governance and compliance.

Before 2C2P, Stefan held leadership positions at Citibank, Standard Chartered Bank, Credit Suisse, and Cake DeFi. He continues to serve as an advisor with consulting firm Singapore Consultancy alongside his role at 2C2P.

He joins the fourth episode of the Payments Powerhouses podcast to discuss the evolution of risk and compliance in payments, and to share insights on how merchants can keep payments secure amidst emerging fraud risks.

Listen to the podcast below, or read on for the highlights of our conversation with Stefan.

Hi Stefan! How is the Risk & Compliance space evolving?

Stefan: When we look at the payments industry, we have two main areas of compliance. The first is industry compliance, which includes card schemes and security standards. Industry compliance has reached a certain level of maturity - something we’ve had for several years.

The other area is regulatory compliance, which continues to grow as more countries introduce new regulations and licenses.

Do you think compliance is too stringent?

I think this is an evolving topic. We have countries that have just started putting out regulations or licenses, while others have already matured on this front. So I think it's too early to say that compliance is too stringent. It’s essential that regulators are willing to have dialogues to define meaningful standards. And I think this is already happening in most jurisdictions.

How can compliance impact innovation?

While compliance can stifle innovation, what we’re seeing in Southeast Asia is the opposite. Here, some regulators impose policies to drive innovation and competition as they see much room for improvement. In Singapore, for example, the Monetary Authority of Singapore (MAS) has explicitly issued digital bank licenses to encourage more innovation and competition.

The other way regulators have driven innovation is through sandboxes. Supervised by regulators, these sandboxes provide room to play with new ideas, technology, and processes. The regulators look at these experiments to determine which ones to bring into the overall landscape.

What can be done to make regulations more effective?

The key thing is dialogue, beginning from conversations between regulators. Specifically, mature countries that have achieved a high level of regulatory experience should get into discussions with countries that are still finding the right balance.

Dialogues between regulators and the overall industry also have to happen - regulators have to be proactive in inviting companies for consultations to ensure they’re on the right track.

Finally, groups can be formed to voice our interests within the industry. In Singapore, we have the Singapore FinTech Association (SFA), which provides a vital avenue to express our views to regulators.

Give us a snapshot of payment fraud and security issues in the past two years.

As a result of the ecommerce boom brought on by COVID-19, we have seen an uptick in fraud across all industries. Across all the cases we’ve looked at, we’ve identified two distinct types of bad actors.

The first of these is first-party fraud, where your customer turns against you. To illustrate, let’s say I order a bottle of wine online and have already received it. But there’s no proof of receipt, so I called the wine company and told them that I did not receive it. When I trigger this process, my money has to be paid back. This process is called friendly fraud, although there’s undoubtedly nothing friendly about it!

The merchant has no choice but to take responsibility in this scenario. When they cannot provide evidence that they have dispensed the product, they would have to bear the cost out of their pocket. This process can become very long and draggy, so merchants often choose to refund the money. When people find out they can do this and get away with it, the process repeats again and again to create a snowballing effect.

The critical issue here is that when you make the checkout process easier for the consumer, it becomes more susceptible to fraud. For example, if you order something from a supermarket and return it, most employees don’t have the time and resources to manually verify the claim. It’s also easier for the employees to simply discard whatever is returned to the supermarket. So what happens is that no one does the counting, but the customer still gets a full refund.

The fault then lies on the customer, as they abuse the system the moment the opportunity presents itself. The merchants have to bear the cost, and it’s concerning when the amount they spend every year increases because of these frauds.

The other kind of fraud we’ve identified is third-party fraud, where an uninvolved third party hijacks the transaction to commit the crime. This is also known as account takeover (ATO), where someone uses your credentials to make fraudulent transactions.

What is the key thing merchants should look out for to tackle friendly fraud?

Buyer’s remorse is the crucial thing to look out for. This is when consumers purchase something but later realise that they don’t want it. In turn, they'll decide to ask for a refund. This scenario plays out often in friendly fraud cases, where the dispute process is abused for refunds. Of course, there’s no one-size-fits-all solution, so the methodology for tackling this problem will not be the same for different companies.

Ultimately, friendly fraud is a problem that will persist for a long time. It’s also further complicated because there is no ready one-size-fits-all solution available; individual strategies are needed to resolve each case.

Would broader industry regulators need to get involved with friendly fraud?

I don’t think they would need to get involved. Regulators would look at the merchants and say: “Well, you have all the means and choices. It’s your responsibility.”

That aside, merchants themselves would also opt not to get the regulators involved, given that the process to do so is too expensive and time-consuming. This is something regulators can’t rectify as it’s ultimately the merchants’ choice not to follow up on their fraud cases.

On top of all that, merchants also handle tens of thousands of transactions daily. With such a high volume of transactions on their hands, they require a lot of time to follow up on fraud cases - even then, this wouldn’t necessarily prevent frauds from happening.

Tell us more about third-party fraud. With more people staying home during COVID-19, what tactics are used against them?

In cases of third-party fraud, fraudsters go through a trial-and-error process to figure out how to assume someone else's identity. And this is an unhealthy, worrisome trend that has taken root more recently.

In the past, we would always make sure that the consumer involved in a payment authorisation process was the consumer. No other parties were involved. But this has changed with the prevalence of ATOs.

What would you say are some of the more sophisticated payment fraud attacks?

I don’t like to refer to these attacks as ‘sophisticated’ as it makes the criminals look good. What really scares me is people’s lack of integrity when they abuse weaknesses and don’t feel bad about their actions.

From the consumer’s perspective, I can see the rationale behind wanting easy processes that give them good returns. Yet such fraud cases are problematic and should never be encouraged. I foresee this integrity issue becoming more dominant in the next couple of years.

What can merchants and payment processors do to protect themselves from fraud?

The first thing to do is consider the cost of fraud. Many merchants who haven’t grasped how much fraud costs them - this is a growing problem. And if they don’t start tackling this issue now, it could become untenable further down the road.

Timely intervention can mitigate the scale of damage. I am astonished when fraudsters repeatedly use the same identity to attack the same merchants, and nothing is done to stop them. So to me, this is a key thing that’s easy to fix.

The other thing to consider is customer experience. If you build a robust loyalty programme into your customer experience strategy, your risk of friendly fraud will usually go down. The benefits and privileges that such an experience provides to consumers would discourage them from abusing the system.

Furthermore, through the loyalty programme, you’ll be able to keep records of your customers’ profiles, including their locations, addresses, and payment methods of choice. This information will serve as a strong signal that your customers are relatively safe.

Sephora is a very good example to highlight here. Their loyalty system is simple: they award you points for every purchase. Consumers can exchange points for products offered on a tiered list. Sephora’s risk of friendly fraud is significantly reduced with this reward system, as consumers are less likely to dispute their transactions.

Sephora could still potentially struggle with fraud when dealing with new customers who are not part of their loyalty programme. A typical scenario goes something like this: the shopper makes a purchase but later claims that they did not receive their products. And there’s no way for Sephora to verify the truth of the shopper’s claim since their transactions are not tracked via the loyalty programme. The disputed products remain missing, and Sephora has to bear the cost of the refund.

If you’re a growing business, you don’t have the luxury of falling back on trusting what your customer has done. You have to look at the transaction and make the call yourself: Is this a trustworthy transaction or not? Here’s where the payment authorisation safety net comes into play.

I also strongly encourage merchants and payment processors to proactively participate in industry forums to gain insights from other players. Over at 2C2P, we are part of the Merchant Risk Council (MRC) Asia Pacific Advisory Board, a beneficial platform that helps us figure out ways to combat fraud.

The MRC brings merchants together, offering them a platform to discuss fraud and risk. This is very different from when you’re alone in your office, racking your brain over what to do about fraud. It’s much more fruitful to get involved in a space where other people have faced similar issues and figure out the best ways to tackle them.

How has fraud affected different industries?

For digital goods, fraud rates are higher, but ticket volumes are smaller. This is different from the airline industry, where fraud rates are lower but ticket volumes are much, much bigger - with airline tickets costing $4,000 on average, we’re talking really enormous sums here!

But ultimately, all these industries are dealing with fraud one way or another. It’s high time for all of them to relook their business models, as fraudsters constantly come up with new ways to commit fraud. Here’s where the MRC comes in as a vital platform, as it gives you the avenue to talk to other people in your industry to work out the best solutions.

What is the one thing that causes fraud vulnerabilities?

Automation. Where technology is involved in any business, many necessary processes and decision trees have to be formulated. However, merchants are generally tired of manually setting up these processes, so they opt to automate instead.

And herein lies the problem. Automation is a double-edged sword. While it’s fantastic for streamlining clunky processes, it also makes people complacent and does not monitor their backend processes. This makes merchants open to fraud vulnerabilities.

Will a greater shift to remote and hybrid working impact fraud incidents?

We can expect fraud incidents to increase when there’s less personal interaction. So with more remote work, third-party fraud risks like phishing and impersonation will increase. These risks will naturally decrease when everyone returns to their offices to work.

What would you say is your worst nightmare in terms of risk and compliance breaches?

Trust and integrity breaches keep me on my toes, as the answers to these problems don’t just come from us. They also have to come from all other stakeholders. As a compliance officer representing a payments facilitator, I am responsible for keeping data safe by deploying the most up-to-date safety standards. This helps to keep fraud numbers as low as possible.

Let’s wrap up on a lighter note! Tell us how you ended up working in Singapore.

I wouldn’t say I “ended up” in Singapore, as I love the country very much! I first came here after my two-year stint with Citibank Tokyo ended. I remember it was a weekend, and I had texted a recruiter. We met for a coffee, and while I was en route back to Japan, I heard that I had been hired for a new job! I then formally came to Singapore to work in 2008.

Who is the one famous person you’d like to spend time with and where?

I would like to take a walk around the Singapore Botanic Gardens with Elon Musk on a Sunday morning.

. . .


Payments Powerhouses is a monthly editorial series interviewing the movers and shakers of the payments and wider fintech industry in Southeast Asia and beyond. If you’d like to be featured on Payments Powerhouses, reach out to us here.