Payments Post #12: Lessons from Change

Justin Pituch

April 12, 2024

At Glenbrook, risk management is a fundamental aspect of our work across diverse clients, spanning merchants, networks, banks, and regulators. While the Visa and Mastercard merchant settlement dominated the headlines recently, we want to draw your attention to several recent fraud incidents that underscore the criticality of effective risk management to your business and the safety and soundness of the payments industry.

In a highly disruptive incident, healthcare payments provider and data exchange Change Healthcare was rendered offline for weeks. As The Wall Street Journal reports, “Change is the largest U.S. clearinghouse for medical claims, processing around 15 billion transactions a year.” This attack’s aftermath, including a reported $22 million ransom payment, brings home Associate Partner Cici Northup’s observation that healthcare is an industry of intricate complexity, with sensitive data and payments exchanged between multiple parties for a single billing. The financial and reputational impact resulting from just one incident can be immense, underscoring the need for robust fraud management.

While the exact details of the Change ecosystem attack remain unclear, there were likely numerous potential entry points. Change’s extensive reach, touching 1 in 3 patients in the US, and its integration with legacy systems across a diverse range of medical providers and third-party service providers create a staggering level of complexity in the financial environment. Partner Yvette Bohanan asserts:

“It’s crucial to identify the key risks for your specific organization and the third parties you rely on, and then create a clear, measured assessment of how well you are controlling those risks.”

We are acutely aware that frauds and scams are targeting individuals at an alarming scale, with the Atlanta Fed highlighting that $2.7 billion in annual consumer losses result from fraudsters impersonating legitimate actors. A report from Visa last month described “increasingly organized, sophisticated threat actors targeting the most vulnerable point in the payments’ ecosystem: humans.” The prevalence of America’s “scamdemic” was underscored by a widely discussed February piece in The Cut, in which scammers convinced a personal financial advice columnist to hand over $50,000 in cash through an elaborate scheme. Cash, the ultimate real-time irrevocable payment system, is a prime target for this nefarious activity. 

But in an increasingly digital world, scammers also take advantage of digital real-time payment rails, leading their operators and regulators to fret over how best to protect consumers. In the UK, for example, regulators announced in March that they would allow banks to take up to 72 hours to review and investigate payments to root out authorized push payment (APP) fraud; historically, they have had until the end of the day. That complements a regulatory requirement to reimburse all APP fraud victims (with limited exceptions) that will come into force in October of this year. More traditional payment rails are also feeling the heat: Nacha announced last month that network participants would require a “base level” of fraud monitoring to curtail credit push fraud.  We expect to see more emphasis from regulators and networks on risk management and control requirements for the foreseeable future.

Are you a payments professional trying to wrap your head around risk management for your organization? Have you had particular success in solving a problematic risk puzzle? We want to hear from you. Until next time –  stay alert!

Recent Payment Views

Payments Post #13: At the Intersection of Tech, Regs, and Business Partnership

Payments Post #13: At the Intersection of Tech, Regs, and Business Partnership

This month, Cici Northup joins regular contributor Justin Pituch to recap positive news in the form of fast payments growth, new fraud mitigation strategies, and evolution in cross-border transfers. All reflect, to varying degrees, the unique dynamic in the payments industry created by the intersection of technology, regulation, and new business partnerships.

read more
Payments Orchestration: What Comes Next?

Payments Orchestration: What Comes Next?

Orchestration providers have certainly come a long way, and can enable powerful capabilities and benefits for the merchants that employ them. This post explores some of the possibilities Glenbrook has been thinking about for where Orchestration (and even orchestration) can go next.

read more

Glenbrook Payments Boot CampTM workshop

Register for the next Glenbrook Payments Boot Camp®

An intensive and comprehensive overview of the payments industry.

Train your Team

Customized, private Payments Boot CampsTM workshops tailored to meet your team’s unique needs.

OnDemand Modules

Recorded, one-hour videos covering a broad array of payments concepts.

GlenbrookTM Company Press

Comprehensive books that detail the systems and innovations shaping the payments industry.

Launch, improve & grow your payments business