In a far ranging discussion with Carlos Palma, Product Manager at dLocal, we take a look at how merchants can sell in high-risk markets without incurring huge amounts of chargebacks or false positive declines.
Carlos discusses incredible tales of eCommerce fraud in high-risk markets. Join us for a far-ranging conversation on how merchants can move into, and thrive in, markets such as Brazil. We get into the details of what to look out for and what steps to take to confidently enter markets where the hesitancy is often just as high as the opportunity.
Bradley Chalupski: Carlos, thanks for joining us on the podcast, man.
Carlos Palma: Thanks, Brad. Nice to be here.
Bradley Chalupski: So, we’ll get all the good stuff out of the way. Tell us who you are, where you are from, who you represent. And then we’ll jump right in.
Carlos Palma: My name is Carlos Palma. I am a Product Manager for dLocal, it’s a payment processor from Uruguay. And my areas of focus include our fraud prevention solutions amongst other projects as well. So, let me just give a quick intro about dLocal because people might not be familiar with us. We are a payments processor that focuses on emerging markets. And we are a fairly new company, we started operations in 2016, five years ago. So far we have expanded into the whole of Latin America, Africa, and Asia as well. So, we have a basic premise is that we have a single API, where merchants can process payments with us, and also try to give them a full solution with regards to the services, which includes also fraud prevention.
Bradley Chalupski: Amazing. Thank you so much for joining us, we really appreciate having you. And this is a huge topic in our community – getting into emerging markets. It’s something that merchants have a lot of pain with, it can be really scary, but there’s a lot of opportunity there. And as we all know, false-positive declines are a killer to merchants. So, this is definitely a huge issue, so we really appreciate you being here to shed some light on it. So, let’s jump right in. Tell me some of your craziest fraud attempts and stories. What do you got for us today?
Carlos Palma: So, I have an interesting story to tell about some of the atypical payment methods. We might be very familiar with the types of fraud committed for cards, mostly because cards issue chargebacks, and that’s what often merchants are most concerned about. But there are other ways to pay as well. So, in some markets, say, for example, in Brazil, there’s a very popular payment method called Boleto, which is the cash payment method. So, there’s one type of fraud that we started seeing in 2020, right after COVID started, that affected this type of payment method. So, the translation of Boleto is actually a ticket. And what a Boleto looks like is it looks just like an invoice with a recipient barcode and the amount that the person has to pay. And the person that receives a Boleto when they want to purchase a good, the merchant would send them a Boleto, and they would print that ticket, and go out to an ATM, a branch of [03:36 inaudible], a post office, supermarket, and just pay that to get there and then. So, being a push payment method, it’s generally considered to be very safe for a merchant because there’s no chargeback mechanism. And it’s the payer themselves who pay with cash.
Carlos Palma: So, we started seeing this type of fraud that affected a very particular type of merchant, which is the advertisement platform. So, merchants that sell ads in the platform, they would issue those Boletos for somebody to credit their accounts in these platforms. And the way that the scheme worked is that a fraudster would sell an item in these platforms, let’s say a set of pots and pans for 69.99. And what they would do is, when their victim wanted to buy that item from them, they would send a Boleto to them so that they could pay in cash at the supermarket. And when that Boleto was issued, it, of course, had as a recipient, the name of the advertisement company. So, the person knowing that they’ve seen the ad there, they thought it was legitimate, or some of them did. And when they went to pay, of course, they were crediting the fraudster’s account and not actually paying for the items. So, the fraudster had a way of getting that money to fund other activities in that app platform.
Carlos Palma: So, it was a tricky one to find out as well because at the time, of course, when these people paid for those products, and they did not receive their products, very few of them reported that issue at the time. And we started hearing about that issue, mostly because of our partners, the banks that we work with sent out some notices saying, “Hey, we’re observing this type of behavior.” So, we worked very closely with our merchants to try to find out what the parents were in this case. And there are definitely some patterns that merchants can see in this case. For example, when those Boletos were issued, they were generally issued with prices that reflected typical prices for an item, 69.99 would be an example. And it’s not a normal amount to credit if you’re crediting your own account just for credits. So, you would normally top up your account using like 50 or 100. Whereas in this case, the number was very different. So, we started looking into patterns like that – people issuing a lot of Boletos with these odd numbers – and working closely with the merchants to explain this behavior to them so that they can take actions on their side as well and detect related fraud like behavior on their side so that we can bring these actors down.
Bradley Chalupski: I want to jump in here real quick on this idea of culture. Because I think when merchants are talking about selling to high-risk environments, one of the things that really worries them is that the countries or the areas, the jurisdictions, they don’t have strong what we would call rule of law, cultures. There’s not the same respect for going by the book in general. Obviously, there are fraudsters everywhere. But as a general societal rule, you’ll see countries that are considered to be lower rule of law countries, and Brazil is always at the top of this list for some reason. It’s interesting to me when you’re talking about this, because to me when you were originally describing this method, I was thinking, “Oh, what could go wrong with this.” Because it just seems like when you start to detach and you have extra steps, you’re just creating more access points for nefarious activity. So, if you could speak a little bit to the merchants out there about this idea of rule of law countries, because it’s definitely a thing, certainly a thing in merchant’s mind. I think it’s certainly fair to say that we do see some of these crazier payment schemes going on. But at the same time, I know that the vast majority of orders that are coming out of Brazil are perfectly legitimate. So, can you talk to the merchants out there listening, how they should be approaching this idea with caution that when you go into these markets, it is true to say that they are higher risk than, say, the UK or Canada? But at the same time, that it shouldn’t be an overriding concern that keeps them out, and how they can square that circle in their own emotional mind?
Carlos Palma: So, there are certainly ways to approach this problem as that’s what we try to help our merchants with because they always have the same concerns. So, you mentioned that very well, these markets are generally known to have much higher fraud levels, particularly if you’re talking about Brazil, Mexico, and Latin America. These are countries with there are huge opportunities. But at the same time, they’re very well known to have a higher fraud rate. So, a typical fraud rate in some of these countries might be above 3%, which is very high in comparison to other countries, in let’s say, the US, UK, Canada, and so on. The reasons for this, of course, are multiple; there’s much higher poverty and social inequality in these regions, and higher levels of criminality. And at the same time, there’s a very lack of regulation and enforcement. So, there’s a general sense that people tried to scrape by on the day-to-day and if you tried to get and swindle something out of somebody, some people might take that with a certain level of pride. So, that’s kind of what drives these higher fraud levels. But at the same time, we’re talking about the remaining percentage of transactions that are perfectly legitimate.
Bradley Chalupski: 97%, which is a lot.
Carlos Palma: Yes, exactly. And these are very, very big markets. So, what we try to do with our merchants is to work and collaborate in explaining to them how to approach these markets; taking a look at their business, and trying to figure out what’s the best solution for them in terms of their payment mix, in terms of what payment methods are they going to offer, the types of controls that they need to have in place. And also, we need to work closely with them, especially if they have their own fraud solutions in place.
Bradley Chalupski: So, best practices there that you tell people. Obviously, every case is unique, every merchant is unique, I understand that. But in general, what are some of the things that you tell people in a concrete way that they can do to sell safely in these jurisdictions?
Carlos Palma: So, the first one, which is the general and very essential recommendation for all merchants, is to make them understand and see that they can work with us as a partner to control fraud, and that they should try to send us as much information data as possible – data that they collect – and in some markets, even ask them for additional data that they can request in some cases so that we can work using our own internal methods, and our analysts can also help out in working with fraud. We also do give some recommendations to merchants who have their own fraud prevention solutions. So, merchants often have their own fraud teams and have tools in place. There are a lot of great tools out there. But some of these tools or their configurations may not be well adapted to entering these new countries. So, it’s always very useful to take a look together at what they have configured on their end and see if there are any points that we can complement on our site or any recommendations that we have so that they can have a good configuration, especially if they’re considering launching in a new market with an important marketing campaign, for example. Just taking a look and making sure that there’s nothing on their end that might leave them out of a large segment of the market.
Bradley Chalupski: So, can you give me some insight into the types of conversations that you have with people? And I’m getting specifically at the merchants out there that are listening, that are hesitant to get into these markets, and they have their reasons. And as we said, the fraud rates are higher than others. But if you can get to some of the emotional, maybe anonymously, behind-the-curtain conversations that you’ve had with people for anyone who’s out there listening that’s on the fence and needs some convincing. When people come to you and they say, “Yeah, you know, Carlos, I hear you, man. I know Brazil is a huge market. I know people have a lot of money over there. But I can’t risk my business’s ability to process credit cards on selling to that market. I’ve worked real hard to get to where I am right now. And so I just would rather not.” What do you tell those people?
Carlos Palma: What we usually tell is there are definitely ways to get around this. So, for example, if you’re thinking about credit cards, why don’t you consider alternative payment methods as well, because it is true that these payment methods would have less fraud rates, such as Boleto, for example. I mean, it’s with the exception of that case that I mentioned, in general, these are much safer methods than using credit cards for payments. So, if your model allows for that, then definitely, that should be top of your mind, have the ability to offer alternative payment methods. And then you can control on the credit card side if you want to offer credit cards you can have. You can control fraud controls so that you’re comfortable with that level and have those alternative payment methods as a fallback to capture if there are any false positives, you can capture some of those using these alternative payment methods. So, that’s the essential recommendation.
Carlos Palma: And the other recommendation, we often have a lot of discussions, especially with some merchants from the States which are not very familiar with this concept, which is around the document, which, of course, is the personal ID. So, this is a data point that’s considered personally identifiable information. And companies are very sensitive about asking this to their customers. Especially for a company that works in the United States, who are familiar with the issues around Social Security Number, not everybody wants to share their Social Security Number online. Now, there’s a very big difference between the Social Security Number in the US and document IDs in some of these countries. So, for example, in Brazil, for merchants who want to operate within Brazil and need to do cross-border payments, the document is actually a required information for that payment to be made. So, that’s actually required; a merchant needs to ask for that document so that they can process that payment. And Brazilian customers are actually used to that. It’s very common for a person in Latin America to share their document when they’re making a purchase. So, we do have some conversations with our merchants about this topic because they might have some policies on their side that when they go into Latin America, they need to understand that in these markets, it is possible to request for this data point, and it’s a very useful data point especially to detect trustworthy transactions from people who have provided the right details and have positive payment information from other sites or other merchants, we can use that information to allow these payments to go through.
Bradley Chalupski: I think that’s really good advice. Because oftentimes, we find that merchants don’t do all the homework that they need to do on that end, because you just make certain cultural assumptions. And I think that that’s normal for most people, if you’re operating, born, raised your store, everything is in the United States; you just assume that that’s the way that the world does business. Certainly, Americans are notorious for thinking that everybody operates the way that America operates. I think [16:11 inaudible] even some other cultures. So, it’s definitely a good point to make sure, as a merchant, you’re understanding what the jurisdiction is like that you’re going to. And it’s very simple to think, “Oh, well, Brazil has a lot of fraud in it.” But that’s only the surface, you really need to get down and do the same thing that you would do in other areas about what different industries experience, what different areas of the country experience, etc. You can’t just treat it as a monolith and you really have to understand where you’re operating. I think that’s [16:45 inaudible] good advice. So, next story. Let’s move on. Let’s hear the next story.
Carlos Palma: So, another story that I have. And this is kind of a mixture between credit card and alternative payment methods is another scheme that we found happening in Colombia. So, this was for a merchant in the ride-sharing space that had a business model where the drivers would pay for credit, and use that credit in their account to get rides. So, the drivers would need to pay upfront for the merchant’s fee, and then the merchant would allow them to get right. So, they will be paying to work, essentially. And, of course, because of that model, it’s generally a low-risk model because the drivers are workers. So, in most countries, this merchant has very low chargeback rates.
Bradley Chalupski: So, the model here is that the driver, I guess, is paying this company a set amount of money, and then that company is bringing them customers through their app, and then they’re charging those customers separately. Like the drivers are charging those customers.
Carlos Palma: Exactly. So, it allows the drivers to ask for cash for the rides. So, it’s a very different model to what we’re used to for Uber or other companies. So, in this case, what was happening is that the merchant did successfully launch in a lot of countries. But then, when we looked at Columbia, the merchant was having a bit higher chargeback rates than we would see in other markets. So, we eventually found out what was going on in this case, which is that there’s a very popular scheme in Latin America, which is a reseller model where somebody would resell services or resell products using a stolen credit card, and then that those products would be charged back. In this case, what was going on was that in Colombia, it’s not very common for somebody to have a credit card, there’s a large segment of the population that does not have access to a credit card. So, if a driver wanted to credit or top up their account, they would go to somebody who had a credit card, and that person would then top up accounts for multiple drivers. Of course, that person could use that credit card and could be perfectly legitimate, or it could be a stolen credit card or that person could then later charge back the company for that amount. So, it was actually very simple to detect. Of course, we’d see a pattern where the same credit card was being used to top up multiple accounts. So, we identify those credit cards and those users and could easily blacklist them and set up velocities to control for that. The good thing about this is that, in the end, there was no impact on sales traffic because drivers would still need to drive and they still earned money through this company. And in the end, the restrictions that we put up in place did not affect the sales traffic for that merchant. And it also highlights the importance of having that alternative payment method. So, the driver is good.
Bradley Chalupski: What’s interesting to me there is… Take us down the rabbit hole, a little bit, of analyzing the data points in these types of markets that are maybe operating in a bespoke way, where everything is not exactly the way it would be other places. Do you recommend merchants try different data point combinations? Not at random, but to think of different data point combinations and try to figure that out and move along that way? How do you suggest that you change your data analytics in order to maximize your protection in these types of scenarios? And then also, I’m curious, this one seems that it was fairly basic as these things go, but we are all in favor as a publication of the idea of the human fraud analysts still being a thing. And so I’m curious to hear from you, what you think the balance is between having machine learning algorithms look at these kinds of things, and just set it, and run it, and let it go; and having a human behind these things, trying to put themselves in the minds of a human being trying to get around the system, and say, “Why don’t we actually see what happens if we look at this, and this, and this?” And what that whole process looks like?
Carlos Palma: So, our perception is that the human analyst plays a very big role in this. So, the industry, in general, has been moving towards machine learning, and so have we in that sense. We’ve been working with machine learning models over the last three years, more or less, when we started our first machine learning models. But we still rely on analysts especially if you’re looking at launch, when the merchant is entering a new scenario, they might not have enough data to perform their models on their side. And perhaps, we might need to gather some information before our models can actually perform for that merchant. So, we strongly rely on analysts and we recommend that the merchants have an analyst on their side as well to have a closer look and to explore data – the data that they can collect in many different ways. So, for merchants that don’t have their fraud teams, they essentially rely on us to do that work for them. And that’s what our team does, especially for launches – our team analyzes all the information that that merchant processes through us. And we tend to look at different combinations of data points. So, we always stress with our merchants that the more data that they can share, the more effective will be our team, especially helping them out navigating, these new scenarios.
Bradley Chalupski: Now, I think we completely agree, it is definitely important to continue to build machine learning, it’s amazing technology without a doubt. At the same time, we also feel that humans still remain the best source for outlier cases where maybe something’s getting through the machine learning and you’re just seeing rates that you should not be seeing of chargebacks, or you’re seeing sales decline more than you should because you’re turning away a lot of perfectly valid orders. And sometimes you just need good old-fashioned human sleuthing to go in there and say, “What’s going on here? Maybe we could think of something that we would do if we were a fraudster that would slip by, and let’s try to find it.”
Carlos Palma: And that is what would be missing from the machine learning side. You don’t have the explanation of what’s the underlying fraud that’s happening and understanding the factors that are going to take place. So, that’s what the analysts really help out in understanding what’s going on, in the end.
Bradley Chalupski: I’ve said on this podcast before, “I am human and I know many humans.” So, it’s usually easier for me to think about all the terrible ways that people can try to operate than a computer would possibly do. So, hopefully, someday that won’t be the case. But until that happens, I guess that’s where we’re at. You got another one? How many stories do you have? You’ve got a ton here. This is great.
Carlos Palma: So, maybe I can share another one that also shows some of the things that we are seeing in these emerging markets as well that have shifted through the years. So, again, I’m looking at Latin America. And maybe a few years ago, there was a lot of difference between the country. So, Brazil would traditionally have a very high chargeback rate. Even before e-commerce, Brazil was notorious in that there was a lot of physical credit card fraud happening. I’m an Uruguayan. I’ve lived in Uruguay for a very long time. And for us, it was very well known that if you went to Brazil, you really had to be very careful about your credit card being stolen or being cloned. And that’s something that did not happen in my country. There are a lot of countries in Latin America where fraud levels are really low in comparison. And what we’ve seen is that through the years as merchants started moving into the online space, the level of fraud and the fraud activities that are happening in these countries, that the practices are being spread out. So, some practices that used to be common in Brazil are now very common in Chile and other countries that were previously considered to be safe. Take, for example, one of the things that happened last year, there was an incident where Anonymous published some personal details and credit card details of some politicians in Brazil, like Bolsonaro, the president of Brazil and some very high-ranking politicians. Of course, the moment that that was published, everybody started seeing a surge in transactions with these details. But the interesting thing here is that we actually started seeing more transactions coming through Chile than in Brazil. The first transactions arrived from Chilean merchants. And actually, even that was the highest volume of transactions. So, you see a lot of collaboration between gangs and between individuals in countries in Latin America. And the schemes that are happening in Brazil are quickly being spread out to other countries, even Uruguay that’s relatively safe.
Bradley Chalupski: I’m interested on that topic a little bit more, even though it’s maybe a slightly off from what we’ve been talking about – how you see the collaboration going on between these groups? We know that it goes on on the dark web. And we know that sometimes, even offline, people are collaborating. But I’m just curious to get your thoughts on that and how you go about trying to maybe stay one step ahead of these people or do you monitor their conversations? And if you do, how are you doing that? What are you looking for? It’s not a concrete question, maybe, but anything that you can talk about with this collaboration?
Carlos Palma: So, one thing about collaboration in these markets is that since there’s very little regulation on the topic, it’s not even necessary to go into the dark web. Many of these gangs operate in plain sight. So, you can log into Facebook or they would have a WhatsApp group or Telegram group, but the information on how to get to those groups is open and public. So, I think that’s kind of a difference in what you see from other countries in that, in these markets, the fraudsters would reach out to a larger audience if they kept their communications and their marketing in plain sight. So, it’s not very difficult to reach out to the services. And on our end, well, we tried to follow, as much as possible, all the information that’s being shared, but we mostly focus on what’s going on in the open space. Because that has the highest likelihood of having an impact on your operations, rather than looking into what’s going on the deep web. Of course, the deep web might have some more details on the specifics of each fraud scheme that might be going on. There are a lot of professionalized fraudsters working in that space. But in most cases, the typical frauds that we are seeing are openly communicated in social networks and so on. So, that’s where we tried to focus our attention to.
Bradley Chalupski: So, I feel like I would be remiss in this discussion if we didn’t dive more into the idea of false-positive declines. And I feel like this has been a topic since I came into the industry. And so in some ways, it’s very depressing that we have to continue to talk about it because I wish that merchants would get the message that the false-positive declines are worse to your bottom line than the chargebacks are. And from our end as a publication, we try to spread awareness that chargebacks feel like theft and they’re painful. But if you’re really looking at it clinically and analytically on your bottom line, you are almost always going to be losing more money from over-adjusting to the chargeback pain and turning away good customers. So, I want to hear from you, since you’re in these emerging markets where this problem is the most acute, what you tell merchants about this, how you try to get them to understand that it’s a bigger issue than chargebacks, and how you suggest to them that they go about becoming more comfortable with the idea of allowing themselves to sell more and take some of those chargebacks within reason with the understanding that they’re actually making more money by processing more good orders.
Carlos Palma: Well, actually, what we’ve seen is it’s happened in a different way for us. In general, most of our merchants, or the merchants that we work with, are very aware of this concept that they want to maximize sales as much as possible. So, they want to try to keep that chargeback levels low, but they are in for high conversion. So, the way we approach it is that we try to work with our merchants to get approvals as high as possible while trying to keep chargebacks restricted because we, of course, don’t want to have too many false positives. But at the same time, we don’t want to be too lacks in our controls because that eventually has an impact on their approval rates as well. So, the merchants need to think about this in a long-term situation. Because of course, if you’re too strict with your controls, you will have a lot of false positives, or your chargebacks will be low. But at the same time, the effect that that has on the acquires, on the other hand, is that the acquires will not set up blocks to prevent transactions from going through. If he can’t control for fraud, if the merchant does not control for fraud and the processor is not able to control for fraud, then what will happen is that the acquirers and the issuers will do that in your place. So, you definitely want to avoid that type of scenario.
Bradley Chalupski: So, I guess, to finish off, I want to get to that issue of, I’m sure you’ve worked with merchants who are at that line where they were in the high-risk category and they were in danger of not being able to process credit card transactions anymore. Give me some of your war stories there. What do you tell people to do? What’s the first step when you have an issue that’s become that severe? How do you not overreact? I’m curious to hear how you handle those types of scenarios.
Carlos Palma: It’s difficult. It really is. When you have a problem merchant, of course, you do try to take as much action as possible to try to block those fraudulent transactions. And what we do in those cases, we really work closely with them to try to get in as much data as possible. What usually happens with these merchants is that often they’re not sharing as much data as they could in that scenario, so we try to work with them to, first of all, try to get that information on our side so that we can improve the way that we can block transactions on their end. And try to remediate as quickly as possible once the situation has been taken into control to try to speak with our issuers and acquirers and say, “Look, these are all the steps that we’ve taken with this merchant and tried to push for improved approval rates on their end.” So, it’s kind of those two steps. But it really takes a lot of work, and we really don’t want to get to that point without —
Bradley Chalupski: Do you find that the issuers are actually open to the idea of discussing it with you? Because that’s actually new to me. I always thought that it was extremely clinical, that if you’re over the threshold, that’s it, you’re done. But it sounds like you might be able to advocate on people’s behalf. I’ve never really heard that before.
Carlos Palma: It is difficult. And we try to get the communication flowing with as many issuers as possible. But in any case, you have to make a good case for that. So, having that conversation with them, and explaining the type of merchant that’s processing through these accounts, and the controls that you currently have set in place will definitely unblock some situations where issuers have set up very restrictive controls because, on their side, they also don’t want to block their customers from using their credit cards on these sides because they will essentially go to another bank and use another bank’s credit card or payment methods. So, they’re in for it as well in terms of making sure that their customers have a good experience.
Bradley Chalupski: So, we talked a lot about Latin America here. Before you go, I feel compelled to ask you if you see a lot of different still between different jurisdictions, not necessarily in kind of the same geographic area, but if there is truth to the idea that what goes on in maybe a high-risk jurisdiction, even in Europe or in Africa, is similar or different? If it’s a monolithic enterprise to try and prevent these things if you are seeing different things across different jurisdictions?
Carlos Palma: So, the answer is really a mixture of both, I would say that the types of fraud that you see in these regions are not very different from the ones that you see in other markets. Certainly, there are slight differences and you might see specific variants to some of these schemes that happen in a particular country. But overall, the types of frauds that you see are very general. So, if you have a fraud solution in place that works for another market, it is still likely that it will work for new markets as well. But there are some details like, for example, if your solution or your approach relies heavily on address verification, you need to be aware that that doesn’t work in emerging markets, that’s very specific to some markets. And if you’re too reliant on that, or if you’re reliant on solutions 3DS, which in Latin America, in most cases, is not a really viable option, then definitely, the approach needs to be different.
Bradley Chalupski: Well, why don’t you tell everyone where they can find you on the web, Carlos? Thank you so much for joining us. And then we’ll sign off.
Carlos Palma: You can definitely reach out to me through LinkedIn. And as well, you can also reach out to us through our dLocal website.
Bradley Chalupski: And we’ll have all the links and everything in the show notes so that everyone can just get it at one click. Well, we really appreciate you being on the podcast, Carlos. And it’s such an important topic for, especially, small and medium-sized merchants. And we love to make sure that we’re providing help to those people as well. It’s very emotional, I think, for people – this subject – because when you have merchants that are more attached to their business, they’re not as corporate and they are trying to do this on their own, and trying to grow their business. It’s a very exciting time. And I think that there’s a lot of pain surrounding this topic of getting into these high-risk markets where there is a lot of opportunities but also a lot of risks. So, I really appreciate you coming on the podcast to give everyone some great information about how they can do that more safely and grow their business.
Carlos Palma: Thanks, Bradley. It’s been really great to be here.
Bradley Chalupski: All right. Take care.
Carlos Palma: Bye