This week, we sat down with Robert H. Caldwell, Founding Partner of G2, to interview him on cyberlockers and marketplace merchants, and the risk they present to the payment system. Read on for Bob’s insights into where cyberlockers and marketplace merchants fit in the payment system, the risks associated with them, and best practices for payment providers to mitigate risk associated with these entities.

Let’s start with the basics. What is a cyberlocker?

Well, cyberlockers are usually defined as a file hosting service that allows consumers to upload files into “the cloud” to share with others.  While there are dozens of legitimate cloud storage companies, what distinguishes cyberlockers (from legitimate cloud storage) is that their business model incentivizes consumers to upload desirable files so that other consumers can download those files.  This means the cyberlockers are actually paying consumers to upload pirated software, movies, music, and the most horrific types of pornography.

What is a marketplace merchant?

Marketplace merchants are the individual sellers who offer their products or services through a central market platform like Amazon, TaoBao, Ebay or others.  Typically, these marketplaces allow new or smaller merchants easy access to payment infrastructure, large consumer audiences, and a variety of very sophisticated analytic tools.  Not surprisingly, marketplaces offer great value to those new merchants.  However, because there are millions of new marketplace merchants every year AND they are constantly changing what they sell – these marketplace merchants can pose significant risk to the payments system.

How do cyberlockers operate?

It’s pretty simple really.  A consumer creates an account to upload files to share with other consumers.  The cyberlocker creates a link where other consumers can go to download the file.  What is really different about cyberlockers is that instead of sharing a few holiday pictures with friends or family (like in a typical cloud storage relationship), cyberlockers allow and even incentivize consumers to upload files that get downloaded thousands, hundreds of thousands or even millions of times.  These files may include illegal pornography, pirated movies or music, and even the latest software programs.  Like marketplace merchants, cyberlockers can pose significant risk.

Where do cyberlockers fit in the payment system?

Great question – typically cyberlockers allows consumers to access files for free – but their bandwidth is really limited.  That means that downloading large files (like pirated movies, porn, or software) takes a long time.  To make money, the cyberlockers set up a merchant account or accounts and allow consumers to pay for accelerated access to content.  In this way, cyberlockers appear as typical merchants in the payment system.

What risks do cyberlockers pose to acquirers?

The simple answer is a lot of risk.  In a recent review of the top 50 cyberlockers as rated by estimated consumer traffic, all 50 had either child pornography, bestiality, rape videos, pirated movies, pirated music, or illegal software that was easily accessible – and could be accessed under a paid membership.   Essentially, these cyberlocker merchants are taking payment to access illegal content and represent a clear violation of card network brand regulations in every case, and the law in most cases.

Can you share any best practices an acquirer can use to evaluate its cyberlocker merchants?

Sure, there are three key questions that acquirers have to ask around any emerging risks – but they apply to cyberlockers.  First, “Where did the transaction start?”  Acquirers must know what product was being sold and how it was being described.  Second, “Who is the seller?”  For cyberlockers, this means that the cyberlocker has to perform due diligence on the uploader – because ultimately the cyberlocker (and the acquirer) is responsible for the content.  Finally, “What other specific steps can I take?”  This is really the list of cyberlocker-specific best practices.

OK, So what steps can acquirers take to protect against cyberlocker risk?

I suppose that was a leading answer!  In the cyberlocker world, there are 8 steps every acquirer should require of every cyberlocker:

1. Due Diligence:  Make sure you know who is uploading content.
2. Source Content Review:  Cyberlockers should make sure they review the websites from which consumers come to download content (the referring URLs).  Those sites are frequently used to advertise the most illegal content.
3. Site Content Review:  Cyberlockers should review every file uploaded to confirm it does not contain previously confirmed violation content.
4. Velocity Monitoring:  It is important to review the files that are being downloaded most frequently.  The download frequency is a good sign of illicit content.
5. Repeat Infringer Policy:  Every cyberlocker should keep every repeat infringer uploader out of their system.
6. Takedown Notices:  It is imperative that cyberlockers have a secure, easy, and timely process to accept violating takedown notices and confirm their success.
7. Payment Network Reporting:  In order to maximize the protection for acquirers, cyberlockers should be reporting their efforts through payment network approved programs and processes.
8. Point of Contact:  There has to be a real person with a real email and phone number to handle problems.

These are very basic descriptions, but the core principals have been proven to root out illegal activity and confirm cyberlocker compliance and risk reduction.

Let’s get back to marketplace merchants. Can you tell us more about the marketplace model? 

Sure – it’s a great model.  As a seller, I can sign up with a marketplace and for minimal cost instantly begin listing my goods or services for sale.  I get access to world class payment systems, analytics, and a built in audience.  It is easy to see the appeal of marketplaces, which is why these venues have been exploding in the past few years.  At G2, we believe that today’s marketplace merchants are the mega-merchants of tomorrow – but they are subject to the same learning curve of risk as every other merchant.

What are some emerging challenges in the payments system with marketplace merchants?

There are certainly a number of challenges.  The biggest challenge with marketplaces is that acquirers and the payment networks do not have transparency into who the seller really is.  As you might expect, criminals, bad actors, and others looking to exploit the system leverage this lack of transparency to make illicit or illegal gains.

Who in the payment system is responsible for ensuring marketplace merchants are compliant with payment system rules and regulations?

While we hope the marketplaces police themselves, the liability for payment system rules and regulations uniformly fall on the acquirer.  Put simply, an acquirer is responsible for monitoring their merchants.  If their merchant is a marketplace, they are required to monitor the marketplace merchant’s merchants.

How can an acquirer monitor its marketplace merchants?

The best practices that applied to cyberlockers also apply to marketplaces.  Perform due diligence on the seller.  Know where traffic is coming from and what is being sold.  Monitor traffic to identify anomalies. Keep repeat violators out of the system.  Have a take-down process, a reporting process, and contact to address problems.  These aren’t just best practices – frankly, they are good business common sense.

Is it even feasible for an acquirer to conduct due diligence on marketplace merchants? If so, how?

Absolutely.  This is basic KYC – Know Your Customer.  If you are an acquirer and your risk tolerance allows you to take on marketplace merchants (which can be a very profitable book of business), you have to protect yourself by implementing best practices.  Make the marketplace prove they are doing the right things by engaging a reputable vendor, including intelligent reporting, and making smart risk decisions.

Why are these risks emerging now?

We view these emerging risks as the natural result of the changing payments landscape.  There are new ways to pay, new places to shop, and new companies helping accelerate commerce.  Everywhere you look, there are more parties in every transaction. That means there are more potential points of failure, more locations where an acquirer can’t accrue risk, and a higher requirement to create end-to-end transparency.

What challenges do you see in the future for cyberlocker merchants and marketplace merchants?

We think the biggest challenge for cyberlockers, marketplaces, mobile, and other emerging markets is the transparency we just discussed. It is imperative that for every transaction acquirers know where the transaction started, who had access to the data, and who is responsible for the consumer promise (the deliverable).  As an acquirer, if you know these three things, you are positioned to make intelligent risk decisions, to aggressively pursue new markets within your risk tolerance, and to increase your profitability.  At the end of the day that is the goal right?  Let’s capture new markets with intelligent risk decision making.  At G2 Web Services, we are pretty excited about the path ahead.

To learn more about how to mitigate cyblerlocker and marketplace merchant risk, contact G2.