Interviewed By The Asian Banker Live
Alasdair Rambaud, chief revenue officer of cyber-intelligence provider EverCompliant, discusses the main purpose of the company, how it aims to be more relevant in today’s online world, and how it will grow through electronic know your customer (e-KYC) and data analytics.
Here is the transcript:
So, I’m responsible for the revenues of the company, which is sales and marketing functions - globally.
So, we’re a cyber-intelligence company. What we do is we crawl the entire internet and catalogue it in a way that’s relevant to our clients, to find information that they need. That information is used for two main purposes: risk assessment, and opportunity assessment. So, on the risk assessment side we really have two pieces of it: the on-boarding of merchants, what we call e-KYC, for determining the true country of operation, true country of MCC code of those merchants, and what are they really doing. And then on the on-going monitoring side, monitoring them on a daily basis to make sure they’re not doing bad or start doing something that will be illegal, where that will expose our client and fire up the process of the gateway to find other brands, or even worse federal prosecution, if found to be doing money laundering, drug trafficking, or terrorist financing.
In 2017 it has been quite a prolific year, there’s been a number of PSPs, gateways, and acquirers involved in money laundering, what we call transaction laundering, which is where they think they are dealing with a flower shop, but really, it’s an illegal website – hiding behind that flower shop. They are selling weapons, drugs or whatever finance terrorist activity. There could be no plan to it, it could be just a way to launder money through the internet.
So, if you think about ten or 20 years ago, the way people laundered money is they bought a business that is very cash rich, and they infiltrated that cash into that business, and made it seem like that business was just doing a lot better than it was, and that’s how they laundered money. That required a lot of overhead and money. You need to find a place, buy a place and etc, unaccounted. Now, a person can stay at home, build 1,200 websites one evening, flow a number of transactions through them, and they’ve laundered their money. It looks like they’ve just had a very successful website, when all of their proceeds are not where they’re from. Drug trafficking, human trafficking, you name it, anything bad you can think of. And so that’s how they launder money today.
It’s much more efficient, much quicker, and they can do it at borderless. So, if they want to move money from one border to another they could do it very easily. Like if I will, to move money to China, like if I said I want to move my money into China all I need to do is pretend to be a Chinese merchant, and sell to US that are cloud members. The US buys my sites, the money gets deposited in a bank account in China, but really what I’m really doing is moving my money cross-border. So, it’s very common for example with Mexico, for instance for moving drug money back into Mexico. So, like Mexican artefacts. They’ll sell a wooden spoon for $2,000, nobody’s going to buy it, but all it is, is that it seems as though website is doing really well, but all they’re doing is bringing money back to Mexico.
Validating the merchant
So, we’re really not in the payment stream, we try and grab stuff before it actually happens. We try to really validate the merchant itself, and what is the merchant doing regardless of what hyper-transactions they’re going to do it. Is it going to be card transaction, ACS transaction, cryptocurrency transaction, to us that doesn’t matter. It’s really all about vetting. Is that merchant who they say they are, and are they doing what they say they’re doing, are they actually selling flowers or are they selling guns? We can determine that because we find the gun site, linked to the flower shop. We do a transaction, we got an auto shopper to automatically go into a decline transaction and then we look, where do the authorisation come from, and 99% of the time, bingo! It came from the flower shop.
So, the problem with registry is that they’re stale by the time you put them together, especially with the internet growing so fast. So, we always give access to our customers to a live solution, which is they’ll be able to do live scans of their merchants. So, when someone uploads the merchant or request a scan, where should I go out and request a website at that moment, at that time, and once they go in on-going monitoring, not only are we going to monitor them, but at least every 20 to 30 days we’re going to visit that website for sure. All the time. No questions asked, we’re going to consistently monitor that website.
Whatever the client’s looking for. So, it can be, some clients don’t want gambling websites, other clients that are outside the US don’t mind gambling websites because they’re okay with that, but they don’t want marijuana websites. Depending on the legality of whatever you’re trying to do, some high-risk PSPs don’t want airlines because they specialise in gambling, and entertainment, and all those. So, they don’t want vanilla merchants. My mistake. Hotels. Something ends up in their portfolio and they don’t want that so they consider that to be high risk, and the rest is fine. Everyone is different and the nice thing about our solution is that it’s totally customisable. We’ve got what we call a matrix, where you can decide what level of risk do you want to put in. We’ve got 155 parameters, that can be anywhere from all the variations of add out, to all variations of drugs, to all variations of gambling, to payment brands. Some people consider that if they’re accepting cryptocurrency, that’s a risk. Everybody assesses risk differently, and they can completely customise the solution. More than that, like they have two portfolios, so like one high-risk portfolio and another regular portfolio they can have a completely different matrix for both, so otherwise it’s not alerting you. If you put in a high-risk, it will alert you in everything, and then when you use that for the regular merchant, it may not be granular enough. So, you use different parameters based on what portfolio you’re trying to analyse and keep going.
The acquirers, the processors, the payment brand themselves, even secondary brands, all of the lending brands, there’s a number we call it alternative payments or wallets. They are also gateways, PSPs, shopping carts; anybody who’s setting up a merchant, anybody who’s got a hosted payment page is going to be one of our clients. And then completely different rim on the positive side, data companies. They would buy, and I talked about, assessing risk opportunity. In some cases, a lot of these data companies have a very strong data set for offline data, but they don’t have a good data set online. They don’t really know what these merchants are doing online, so we provide them with online data. We are going to supplement their offline data with online data, so we do that for a number of companies as well. We also do lead generation, competitive intelligence, all of those things. As I say it can be used for positive or negative. If you’re a new wallet for instance, you may want to know, instead of selling to any merchant, instead you may say to me “Hey I’m setting up a new phone-based wallet can you tell me all the merchants that accept Apple Pay today.” That might be an easier target, because you know they already accept wallets versus going to a merchant who only knows credit cards and don’t really know anything about wallets, that’s going to be harder to sell. So, we can do those type of things for monetising.
EverCompliant’s growth plans
Absolutely, we have offices in Tel Aviv, we have a headquarters in New York, we have a headquarters in San Francisco, and then Shanghai. We have customers in all continents. We are growing very fast. So, we’re twice the size of what we were, no actually more like three or four times the size we were a year ago, and next year we will be twice the size we are today. So, we’re growing very rapidly. So, we started selling in the US about a year ago, and obviously will become our largest market, but we have a very strong business in Israel, Middle East, as well as in Asia, in China. Israel is where we started, or at least in Tel Aviv, and then we migrated our headquarters to New York to be a US-based company. Most of our growth today is really in the KYC. B2B EKYC, what are these websites doing online. More importantly, what websites are they associated with. If I have a website that sells t-shirts, I may want to know if the other person also owns a website that’s a hate-crime website. That might be an indication, that they might be something you’re not comfortable doing business with. Other people assess their risk very differently. I think today, the expansion might come from the e-KYC, and then data analytics. We started as a single-product company, what we call “merchant view”, it was really about transaction laundering, and we’ve expanded in the last year into e-KYC and data analytics, and those are very quickly becoming a very important part of the business. Not to say to the other one isn’t, it will still be the majority of our revenue for these next six, seven months, but other pieces are moving faster because the domain you’re dealing with is our product. Everybody wants online data, especially fresh online data, not stuff that could be from the database, like what we talked about earlier, or a back-end source, something that’s fresh, refreshed constantly.
If I give you a website that I know that it was up in the last 30 days, I’m not going to give you a website that’s offline, I’m not going to give you a website that’s no longer functioning.
Crawlers and more accurate catalogues
Absolutely, and the nice thing is that we have a mitigation in our system, so our clients can dispute a finding; we’re fully automated, because the internet is so vast, it’s full of information, but our crawler is in intelligence. We have few and few false positives as we go, and have a decline of adjusted parameters.
We try to understand why it was a false positive, and typically a false positive is always linked to a human reason. Like you can’t ignore this or that, so that’s why it has created a false positive. So, we change it in the crawler parameters and typically it won’t become a false positive the next time around. When you’re doing such a broad operation, you know visiting four billion digital entities every thirty days, of course you’re going to have stuff that maybe miscatalogued, but it’s a very small minority. Our data is more accurate that way, than catalogued by human beings. It’s faster, we’ve got image recognition, and so even if the website doesn’t have a text, or like the phone number is an image, we can still read that, we can read images.
Exactly, so, what we hear the most in-house is that they give up after a while. They get caught, thirty days later because they didn’t do full QAC because there were too many new accounts coming in, it slows down their sales, it takes them longer to on-board merchants, because they have too much of a queue. So, those are the things we hear, it tends to be very manual today. We’ve literally got analysts visiting those websites, and now I’m finding it hard to stop to what the crawlers can find because the crawler can analyse the code in the website; something that as a human being we’re not doing.
You know when your little bar is coming out on the top, calling APIs and all of that, and you don’t know what’s happening, but the crawlers know exactly what’s happening. It’s reading now, it’s calling out to Stripe, it’s calling out to Square, it’s calling out to a host of payment to be chased. We catalogue all of that, all of that information to be used. It may not be visible to the human eye, but we as meta-data have decided we can find it.
We’re not looking for the transactions that are not fraudulent, we’re looking for the website not to be fraudulent. We can. So, we do transaction monitoring at a microscale, so if the client gives us a batch of transaction with TII, we can analyse and see if they fit with the industry trend. We do that to see if they fit with the MCC code, like if they give us a batch and say these are from a flower shop we can tell them these transactions don’t look like a flower shop. We can do that, but we don’t certify or account to local transactions… there are protocols to do that. We do not do that. We are not in the payment stream. We’re looking at the validity of the website, where is it hosting, who is the owner of the site, what else does the owner own, what is their link to, which phone number are they using to contact me, why is it the same as this other site, why does this marijuana website use the same number as the flower shop that’s trying to contact me. All of those things are what we’re looking for, but because there’s no physical link between those two, if you were trying to crawl one without crawling the entire internet, you would never be able to find the second one, and that’s the beauty of what we’re doing and the reason why a lot of the frauds today are obsolete today because they start crawling the website, and start crawling to see what’s behind it. Frauds have become really smart, they don’t put in anything behind it. This other website is out there, but all they start doing is paying that transaction through another website. We look at everything, every website. So, we find that other website and go “Oh! Same phone number, how come?”, and “90% of the code is the same, looks like a clone website, from this website”. Then what we do is if it’s a gun website or whatever, we do a transaction with our auto-shopper. 
We have an auto-shopper mechanist, tooler goes in, puts something that can’t log, and check out the entire experience, then declines the transaction because we don’t want to go through. We don’t want to buy it, and then we see where the authorisation for that decline end up, and typically bingo! The flower shop.
That’s how a suspicion becomes a verified transaction launderer. Then we immediately report that information and typically when they acquire that information that PSPs will shut down that merchant immediately.
Like why did that gun store end up in your flower store, you don’t want any mention of that. And we log everything, because a lot of the time they press delete when we call, “oh there’s nothing there” so we log everything. We have all the evidence stored in our system. They can go back to last night and say “see when it was crawled, they did a transaction, and here it is, and here is that transaction in your flower shop.”
So, one thing I want to say is that our solution is completely agnostic, one of the difference of what we have from some of our competitors is that we are completely agnostic, on whether it’s a website, whether it’s an app, or whether it’s a mobile web, we can run through all three, or crawl all three it’s really not an issue for us. Unlike a lot of others who are limited to the web, and or mobile. We have an offering right now we call “Basic”, without mobile, just so we can compete with our competitors and compare price, but I wouldn’t recommend it to anybody, because to your point mobile is going so fast. You want to be able to do all your transaction monitoring and all that on mobile, because obviously they can create a fake mobile app, right nothing is stopping them from doing that, and so it is very important to be able to do all the aspects.
As far as trend goes I would say the biggest trend is, the internet is going really fast, fraudulent websites, is going faster than the internet. They’ve figured it out. It’s like going underwater to count icebergs. You can do that, but you can stop at the top of a ship and count the top, it’s the same with the web. A lot of these websites need a lot of service web presence to be able to commerce because so few people are commerce-ing in the dark web, if they want done any meaningful traffic. They’re going to pop up somewhere in the regular web and that’s where we catch them. We don’t need to go into the dark web.
If we have a request we’re exploring it. Today it’s so much information, because it’s bigger than the regular web. If we gave that kind of information it would be useless to anybody because it’s so much information. And they have so many ways of blocking crawlers and all of that. All this stuff if listed in the surface web would appear to be fraudulent, it’s normal behaviour on that web, on the dark web. So today we find that we’re efficient enough that we find the bad stuff on the regular web, that we don’t need to go to the dark web. That may change in the future, we’ll continue monitoring. But today we’ve gone back-and-forth, we’ve tested it, we’ve tried it, everything we found in the dark web, we also found in the regular web, a piece of it, we detected the actual transaction website. If you want to go buy cocaine online, you’re not going to go to the dark web, some people will, majority of the people they’re not going to find a website “Oh they take Visa MasterCard, I can buy cocaine, oh great!” In times of an issue “Oh for the sake of your privacy you’re going to get flower store on your bill, don’t worry about it”. And I’ll be like “Oh great, my wife wouldn’t even know that I bought cocaine online”, and so they do that and this way they can commerce without having to download TOR, or using VPN, and do all that.
So, we finished a series A funding, earlier this year. For now, we’re funded appropriately for the short term. We are going to do a second round at some point, we haven’t determined when yet. I’d say it all depends on the burn rate, you know that. It’s a game to evaluation to delusion, equation. Most likely sometime in 2018 we’ll do a second round of funding. I think it’s hard to tell right now because it’s so new, but I think that will be enough. I think because revenues are going so fast, that I think that will be sufficient, the reason is because we are expanding so much we have so many new customers coming on board we need manpower, so we need to hire a lot of people.
It is but just sales, account management, and developers because we’re developing so many – we went from one product to multi-product we need multiple debt teams, obviously you know that that’s expensive, regardless where you are today. So, you know, we have a global presence, like next year we are opening an office in Europe, an office in Shanghai, all of those occur…. You know we’re in expensive cities, San Francisco, New York, Tel Aviv, Shanghai, they are all very expensive cities. Our European headquarters we’re not sure yet where we’re going to put in, most probably Amsterdam, makes the most sense – again another expensive city. So, I think as far as profitability goes I think we’ll make sure that the second one gets to be done. Not to say that we don’t have an amazing opportunity in 2019, but if we do another round we can grow the company into a billion-dollar revenue, of course we’re going to do it. I don’t know because we’re privately held we don’t share that, but it’s a nice number, and as I’ve said earlier it was almost four times the size of what it was at the beginning of the year, and next year it’ll be at least twice the size if not three times the size of this year.
It’s not transaction based, it’s really a license fee model based on usage. So, it’s based on the number of merchants on board, based on the number of merchants you monitor, the amount of data you want, how many websites you want that data on, or how many parameters we typically have a matrix. So, if you want two parameters for two websites, or four parameters for four websites, that’s your matrix and that determines your license fee and obviously you can diverge from that, but that’s typically how we price it. So, they’re looking typically at the value of the data we give them, a lot of the times. If you talk about e-KYC the value is really getting rid of the manual process, more importantly being able to accelerate the sales or not. Tell the clients “I’m sorry it’s going to take me two weeks to on-board you, and you’re not going to get transaction at the time”. So, they are very wise, it’s evident there.
Much faster on boarding…not only that, but more precise onboarding. Are you going to on-board less bad merchants, because in some cases they look at the merchant and they seem bad at first look, but really if you look closely they’re not bad, they’re just fringe, but they’re not bad; and others they seem okay but they’re really bad. Humans make a lot of mistakes, and so it’s costing them a lot, so having a process is more efficient and effective, and really what they’re going after. It’s a really quick ROI because of that. On the ongoing monitoring it’s really about avoiding the fines, the fines increasing dramatically. At first, we were only really worried about the Visa MasterCard fine, but today the Fed really – they’ve got three cases in August, federal fines. Now they went after a couple of ISOs in Long Island. That was small banks, with a couple thousand merchants, and not only that but they went after personal responsibility. So not only is the bank going to fine, but the chief risk officer of the bank got a personal fine, from their own personal money, like a $25,000 fine for them which could not be paid by the bank.
Very unique to the US, to Europe to see it in France. Massive fines in France, the UK, Germany, not Asia, only Singapore significant fines, Hong Kong as well, Australia, China not yet, but China it’s all about brand reputation, and it’s all about trusting growth and being able to be a reputable market place, a reputable PSP, a reputable gateway. If you’ve got a ton of counterfeit sites, legitimate sites would not want to do business with you.