Úna Dillon is the Vice President for Global Expansion and Advocacy at the Merchant Risk Council

Based in Dublin, Ireland, Úna has a wealth of experience in payment regulation, fraud prevention and financial services strategy. Since 2016, she has worked with the Merchant Risk Council (MRC), a global not-for-profit organisation providing a platform for eCommerce fraud and payments professionals to come together and share information. She is also a special advisor on the European Commission Payment Systems Market Expert Group.

Welcome to Payments Powerhouses, Úna. As someone who frequently travels for work, do you speak many languages, and have you got a favourite word or phrase?

Úna: I actually speak five languages! We speak English and Irish in Ireland, and I studied French in school. Irish is very similar to Latin, so Italian and Spanish came easily. I think the most important phrase in any language is “Thank you”, and we need to say it more. I actually study the phrase and am up to 55 languages at this stage. Turkish took me a while to learn, it's “Teşekkür ederim”, which is longer than most, and I like Thai’s “khaawp khun ka” as well. It’s always a good phrase to learn when you're travelling.

Besides your impressive language skills, you also have 27 years of experience in payments. Tell us about your professional journey and what led you to MRC.

I studied mathematics, physics, and economics at university and then applied for a job at the Bank of Ireland, and thankfully it was fairly easy to land that role. I went straight into the chargebacks department and was exposed to both sides of the business: issuing and acquiring. Twenty-seven years ago, we didn't really have computers, so we’d have the Visa and Mastercard scheme rules on our desks, and we had to know them front to back. It was a good start in payments; I got to understand the relationship between the issuer, acquirer, merchant, and consumer.

Later on, part of the Bank of Ireland was bought out by an American bank, and we got the option to move some people into the acquiring business. I spent a few years there before taking up a general manager role with a national debit card scheme - the only one of its kind in Ireland at the time. Then, I set up my consulting business, connecting new payments companies with VCs, who were especially interested in new payments products and Irish companies.

Before joining the MRC, I was deeply interested in what they did in their network. The company had been around for 22 years and was looking to develop the business across Europe and emulate what they were doing in the US. So, about seven years ago, our current CEO, one of the founding members of the MRC, brought me in as a Managing Director, and we did just that.

Over the last couple of years, our members have been saying, “We need you to be in APAC.” And so we entered this market in July 2021 with a goal of getting 50 new subscribers in the first year – we got 430 new subscribers in the first three months. It really took off!

I think a big part of why people like the MRC is that we're a nonprofit organisation with a passion for payments and fraud; we're happy to call ourselves payments nerds! Our organisation is about getting people within the payments ecosystem to talk about payments, fraud prevention, risk, and network and learn from each other.

What does your current role as the VP of global expansion and advocacy entail?

I guess I've several roles outside of the title. Because I've been the longest-standing staff member, I have a finger in every pie within the organisation. I look after our boards and get involved with events, marketing and memberships.

On the expansion side of things – I look into what we need to do and who we need to talk to in order to develop in a particular market. 85% of the biggest e-commerce global brands are members of the MRC – Netflix, Google, Microsoft, Amazon, Adidas – and a lot of our target companies and customers have a presence in APAC, so building a base in Singapore just made a lot of sense. But we don't want to just come in here and do exactly what we're doing in the States; we want to talk to the people's needs here. We’ve hired two co-leaders who work for our member companies and contribute a few hours of their time each week to advise us on topics that are of interest to this region. We’ve also built an APAC advisory board with eight merchants and eight solution providers and have monthly discussions about the plans for the region.

Beyond SEA, we’re starting to expand in LATAM, launching in Miami and focusing strongly on Brazil for the first year. After LATAM, we'll be going to India and Africa.

People talk about my role being a global domination role. With our passion for payments and fraud prevention, we aim to bring the MRC everywhere and develop that community into a global community with a physical presence.

On advocacy – it’s about bringing the collective voice of our merchant members to the policymakers, standards makers, and regulators, and we've been building that up over the last two years. We have a seat at the regulators’ table by being part of the Payment Systems Market Expert Group (PSMEG), which advises the European Commission on regulatory policies on payments and payment fraud prevention. Our Merchant-Issuer Executive Committee brings card issuers and merchants together, and they meet every month to talk about things that are important to them, such as regulatory compliance and card scheme rules. For example, we’ve been working with Visa and Mastercard around the issue of friendly fraud, which we now call first-party misuse. Visa recently announced that they would be introducing a rule change next April that will give merchants the ability to represent and dispute chargebacks coming to them.

There are many issues out there. We want to help e-commerce merchants understand what's going on and what they need to do and change the world of payments for the better and the greater good of the consumer and merchant.

What industry gaps or needs does MRC aim to address?

Recently, when I spoke with one of our merchant members here, they referred to MRC as family, and I think I got a little bit emotional about that! We love seeing people come to our events for the first time and just being in awe that everyone’s speaking the same language.

So that's what you're going to find – you're going to find a community that understands payments and fraud, to the extent that people from some of the biggest brands in the world would say that they learned everything about this industry from the MRC community.

We’re very much about education. We have various modules around fraud, payments, chargebacks, and new ones like Buy Now Pay Later (BNPL) and cryptocurrency. Many of our companies send their new hires to the MRC RAPID Edu training because, by the end, they’ll know all they need to know about whichever area they're working in. We also launched the first-ever industry-standard Payments & Fraud Prevention Certification program that helps merchants understand what they need to do to ensure their business is competitive and efficient. Most of us don't go to school to study payments, risk, or fraud prevention – many of us get into the industry almost by accident. This is specifically for people working in or interested in getting into the payments and fraud industry.

Our global community is hugely important for the payments industry; there is so much going on and so much opportunity. They’re there 24/7 and serve as a source of information and education about payments and fraud. We have online community forums and Slack channels, with representatives from regulators, issuers, merchants, solution providers, and card schemes, and our members can tap into conversations that are relevant to them.

We also have many events, with five big conferences each year. Our flagship conference has a global agenda and is held in Vegas every March, and we have dedicated regional conferences.

We have the MRC Singapore conference coming up at the end of October; it's a two-and-a-half-day event where you taste what the MRC is all about. One difference between our conferences and other industry ones is that we don't allow selling onstage. We have a lot of really big brand names going on stage, but they’re there to educate the audience, not pitch or sell. (And if they do, they get put on “the bad list”.) There is space for sellers at an exhibit hall, which is a great place for those who want to learn about vendors or talk to other merchants about the solution providers that they're using.

Speaking of which, we’ve partnered with 2C2P for a report this year – a deep dive into payments and fraud in the APAC region – that we’ll be launching at the conference, and we're very much looking forward to that.

What types of merchants are the MRC trying to attract in APAC?

We’re open to all sectors and anyone that’s accepting payments. In APAC, consumers use many different local payment methods. More businesses are looking for and becoming accustomed to using alternative payment methods, especially since card payments can be quite expensive. We focus on e-commerce only, merchants that have over 50 million US dollars per year in revenue, but a lot of the information we provide through our member resource centre could also be available to smaller brick-and-mortar merchants.

Generally, what issues or pain points are merchants facing right now?

Oh, that is an interesting question. One of the biggest challenges, especially in e-commerce, is authenticating the customer. We need to ensure that the person transacting is the bonafide card holder, and sometimes even if they are, they're not necessarily a good customer. There's a lot of fraud out there; we see a lot of phishing attacks, smishing attacks, and account takeovers, and these all lead to criminals using user data to purchase goods and services online that they can resell for cash. We have around 58 law enforcement agencies within our membership, including FBI Secret Service, Interpol, and Europol. They’ve shown us that much of the money raised through payments fraud generally goes to funding more serious organised crime.

A lot of people are now using authentication tools, and there are regulations to help with that as well. However, regulations and new scheme rules bring in further costs and changes, which could also be big issues for merchants.

In an ever-growing market with so many different payment methods, especially with all the local payment methods across APAC, it’s also important for merchants to be competitive by being able to accept all of the payment types that consumers want to pay with.

How are companies managing concerns around data privacy and keeping a balance between leveraging and protecting data?

Over the last few years, customers have become increasingly aware of merchants collecting their data and finding out what they're using it for. Leveraging data can work positively for the consumer, where merchants use it for marketing purposes to directly show customers what they’re interested in and want to hear about. On the flip side, merchants may be sharing data with other organisations or third parties and using it in ways the consumer isn’t aware of.

There's a lot of regulation around data; for example, the General Data Protection Regulation (GDPR) gives merchants a clear overview of what they need to do to keep their customer data safe, and it’s very much in favour of the consumer. Customers now have to opt-in to have their data collected, the merchant has to let them know why they're collecting their data, what they're using it for, and where it’s going, and the customer also has the right to have all of their data cleared from that merchant.

There can be challenges. Everyone uses the Internet now, and consumers are more likely to patronise merchants they not only like but trust. Such merchants show that they’re complying with GDPR or clearly explain to the customer what data they’re collecting and what they’re doing with it. There are also hefty fines if merchants are found not to be compliant; a fine from the regulator could even close down a business.

Do you see new risks emerging with every new development and evolution in the industry?

We have seen a lot of change, especially in the last 10 years, with so many new alternative payment methods arriving on the scene.

With every new trend in payments comes new risks. You'll always have the mom-and-pop criminal, but there are also organised criminal gangs who would take every opportunity possible. More traditional methods like card payment have been around for so long, and we've looked at all the risks and fraud solutions. There aren’t the same security measures for things like cryptocurrency, open banking, or BNPL; measures will probably be put in place very soon and over the next five to 10 years. However, at the moment, criminals are leveraging all the current loopholes and gaps, and there’s certainly going to be a growth in financial crime, especially with the recession affecting various parts of the world; recession always sees a lift in fraud.

Unfortunately, they're very innovative, and we see something different every day. Old-fashioned methods like phishing emails still exist. With merchants using email and SMS more to contact their customers, criminal elements are utilising those methods to obtain consumer data for fraudulent activity. We're certainly going to see new trends, especially around the authentication part.

What can merchants do when they are exposed to such risks?

Come and join the MRC, of course! The first step towards fraud prevention is knowing the risks that are out there. If you know someone could break into your house, you put a lock on the door or an alarm on the house, and you could have different levels of security. It's the same with payments; there are different levels of security that you can put in place to make sure that your business is secure. There are umpteen solution providers out there, both for payments and fraud prevention.

Twenty years ago, when we started bringing issuers, merchants and law enforcement together, there was a lot of silence; no one wanted to put their hand up to declare or report that they had a fraud issue. It's becoming increasingly important to do that. Talk to your peers in the industry, especially to similar merchants, because you can guarantee that the criminals targeting you are also targeting them.

You also need to know about the tools that you can use. Criminals tend to know who doesn't have the security; they will always attack the weakest link. Coming together with solutions, advice, and best practices is key. With the MRC community, you learn about the issues and risks faced and what you need to have in place to manage them.

When it comes to your advocacy work at MRC, are there any notable milestones or achievements that come to mind?

We're very proud of our various achievements over the last couple of years. For one, becoming the trusted party within the industry and recognized as the voice of the mMerchant, representing all merchants to regulators, standards, bodies, and policymakers. We’ve been working more closely with regulators around the world, such as the Federal Reserve in the US. On the European side, we’ve been appointed to the EMVCo Board of Advisors and get to talk directly to the European Commission and the European Banking Authority.

What we aim to do with regulators in every region is to provide them with information. With the rollout of SCA, for example, we’ve been able to crowdsource information on the rollout of EMV and SCA readiness in different regions, providing real-time data from our members to regulators, to show what's happening on the ground and the impact it has on the consumer. In the coming months, APAC-specific documentation on this will be available on our website, so keep a lookout for that.

We’ve been engaged with the Reserve Bank of India (RBI) about the e-mandate on recurring transactions. Getting a foot in the door with the regulator has influenced several changes to that e-mandate beneficial for merchants. But we can't do it alone. We work with other organisations, like the MPAI (Merchant Payments Alliance of India) in India, but we don't compete with any of these organisations. It just makes sense to work together to have a greater collective voice when talking to regulators.

The Visa rule that came out around Compelling Evidence (CE) 3.0 was huge for us because MRC had redefined friendly fraud, and one of the biggest schemes in the world brought in this rule change. There was a lot of dancing going on the day that that announcement came out! We did a webinar with Visa to answer questions about what that meant and the change that would bring about, and we started getting other schemes calling us after that.

Looking ahead, how do you see payment regulations evolving?

Payments regulation is going to keep evolving as payments grow. For example, there aren’t true regulations for BNPL and cryptocurrency yet, but we need to have an industry standard that people can work towards. As different regulators in different regions treat these kinds of payments differently, it's good for a central organisation like the MRC to talk to regulators around the world about payments definitions, which then helps them to regulate.

We look forward to continuing to work with regulators, especially in APAC. The regulators are getting easier to work with because they are talking to us. They recognise MRC as a source of good information and education, and we open doors for them to speak directly to some of the biggest merchants. Although implementing regulations can have huge costs for organisations, regulations shouldn't be something to be afraid of. Ultimately, regulators aim to create a safe environment for payments, especially for e-commerce.

The inaugural MRC Singapore event is coming up at the end of October. What can we expect at the conference, and how will it differ from other MRC events?

We're very much looking forward to this! We'll be in the Shangri-La Hotel, Singapore, on 30 October, with a networking welcome event on Sunday. Over the three-day event, you can expect to learn about all things payments and fraud prevention – we’ll have a lot of panel discussions, fantastic moderators and amazing speakers, including a lot of big e-commerce brands and key decision makers.

There will be plenty of opportunities to meet and engage with peers. Nearly all of our APAC board members will be in attendance, and we’ll be there to make introductions and ensure that people are engaging within the industry. It's very much about building your network in the industry – having those conversations and getting answers to the questions you may have about payments and fraud – and being part of the MRC community.

Finally, what advice would you give career seekers looking to jump into the fast-changing world of payments?

It's a fantastic industry, and it’s certainly changed a great deal in the 27 years I've been in the industry. There is no time to get bored; there's always something new to do.

For those looking for a job or career in payments and fraud – everyone is looking for people at the moment, so it’s undoubtedly an employee market. There are many different places you can go and different sides of the business you can work on. It's very exciting.

At the MRC, we're very passionate about payments and fraud, so I highly recommend looking at this industry and exploring all of the different kinds of businesses that might interest you.

. . .


Payments Powerhouses is a monthly editorial series interviewing the movers and shakers of the payments and wider fintech industry in Southeast Asia and beyond. If you’d like to be featured on Payments Powerhouses, reach out to us here.