Aleksandr Khelemskiy
Buy now, pay never: why BNPLs should pay attention to fraud protection
Buy now, pay later is here to stay and securing the bottom line and protecting your revenues from fraudsters is the task every BNPL platform must solve on its own.

With the popularity of Buy Now, Pay Later (BNPL) skyrocketing since the pandemic outbreak, many online merchants try to drive sales with promises of quick and cheap access to various goods. The concept in itself is quite good and allows consumers with constrained funds to purchase items they want without putting much pressure on their budget, but there are multiple hidden pitfalls for vendors, shoppers, and BNPL service providers alike.
As the core idea of buy now, pay later is lending the buyer some sum of money to make a purchase and collecting it back in several interest-free payments, these transactions don’t fall under normal credit rules and regulations. This means that no credit score checks are done before issuing what is essentially a loan (and doing them is impossible in certain cases we describe below). Most BNPL vendors ask only for name, email address, phone number, and billing address, which opens a wide field for various fraud scenarios.
Is buy now pay later regulated?
As of January 2022, BNPL remains largely unregulated in the US, EU, and across the world. This is bound to change, as in many cases, unrestrained purchasing sprees pose significant risks to consumer economies. For example, in the UK alone, buyers spent above 2.3 billion GBP through buy now, pay later platforms during the 2021-2022 holiday shopping season.
Similar concerns are raised across the globe, so we are bound to see some regulations issued in the near-to-medium future. However, as it stands, every buy now, pay later platform is on its own: it can reap the benefits of the emerging market, but it also has to deal with potential fraud scenarios and risks. That said, every company must invest in some kind of risk mitigation, credit score checking, 3DS 2.0 verification, and fraud prevention solution to protect the payments it makes.
Potential risks of the buy now, pay later approach
While no legislation to rein in BNPL exists as of the start of 2022, platforms like Klarna, Zip Co, Afterpay, and others are not forced to run soft credit score checks, and they show leniency in customer validation in favor of streamlining the account creation and checkout process. With as much as 45% of US customers using BNPL as their primary way of shopping during the holiday season, this can lead to billions in additional profit, and thousands of potential fraud cases.
Fraudsters can easily forge fake identities using stolen credit card details and data obtained through social media. This adds to the payment risks inherent to card-not-present (CNP) fraud scenarios that payment service providers are already used to, like chargebacks and friendly fraud. As a result, any BNPL platform can run into a very complicated type of fraud, where it’s impossible to say whether the delayed payments didn’t come for a legitimate reason or whether such a customer never existed in the first place and said payments will never come.
From the consumer’s point of view, yet another potential danger of buy now, pay later is that it can lure the buyer into overspending. Where traditional credit agencies would decline a loan, BNPL vendors can approve it, as they don’t run as strict a credit score check. This might tempt consumers to overextend their buying appetites and end up in debt far beyond their normal level, leading to unpleasant consequences.
What's the catch with buy now pay later?
Why would you go this route then, if the buy now, pay later approach poses so many risks? Because for vendors it is a way to greatly increase their buyer base, and for consumers it is a way to gain easy access to the goods they need (or want). Most importantly, buyers don’t need to pay much in interest, and merchants get their money upfront, so both parties can reap the benefits.
But who bears all the risks then? BNPL service providers, as they provide the required sum to the online trader upfront in the hope of gaining it back in small increments from the buyer later. Thus, should the buyer not pay for any reason, buy now, pay later becomes buy now, pay never. Preventing this outcome, whether it happens under any of the fraud scenarios or for legitimate reasons, should be the main task of BNPL vendors.
How do we protect against fraud?
Multiple fraud and account takeover scenarios are possible in the BNPL domain in the absence of mandatory customer checks, credit score checks, and 3DS 2.0 verification. Customers can commit friendly fraud, use stolen credit card details and forged synthetic identities, perform chargebacks to get products for free, etc.
With traditional finance (credit organizations, banks, etc.) you need to check a potential customer’s credit score. In the US, it is done through one or more of the Big Three credit bureaus: Equifax, TransUnion, or Experian. In Europe, every country has one or more national credit score bureaus, and most of them don’t provide information to non-residents. As it stands, should a customer from Sweden decide to buy something in a Polish online store, there is no way for a BNPL platform to check their identity and credit score reliability with conventional methods.
The way to solve this and protect payments for such a company is to use internal risk scoring tools. At first, buyer payment limits are minimal, and only after they pay several credits back, the limits are increased — just like with the usual credit cards, yes? Well, no.
What is fraud prevention?
As we mentioned earlier, the danger here is two-sided. In addition to standard CNP fraud scenarios and account takeover scenarios, BNPL customers can simply create fake identities, pay several small purchases back and defraud you to the top of the limit available. Most importantly, should fraudsters use stolen credit card details, victims of such identity theft will blame you, and they will be within their rights. Naturally, this will cause negative publicity, as happened to Afterpay LTD, the leading buy now, pay later provider in Australia.
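The limit-building abuse described above can be caught by comparing each order against the account's own repayment history instead of trusting repayments alone. The following Python code is an added example, not code from the article or from any BNPL provider; the `Account` fields, the decision labels and every threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from statistics import median

@dataclass
class Account:
    age_days: int
    limit: float                  # current spending limit
    outstanding: float = 0.0      # unpaid instalments
    repaid: list = field(default_factory=list)  # amounts of fully repaid purchases

# Assumed thresholds for illustration; calibrate on your own portfolio.
JUMP_RATIO = 5.0    # order amount vs. median repaid purchase
UTILISATION = 0.9   # share of the limit consumed after this order
YOUNG_DAYS = 90     # accounts younger than this are still "unproven"

def signals(acct, amount):
    """Signals that an order looks like cashing out a freshly built limit."""
    found = []
    if acct.limit > 0 and (acct.outstanding + amount) / acct.limit >= UTILISATION:
        found.append("near_limit")
    if acct.repaid and amount >= JUMP_RATIO * median(acct.repaid):
        found.append("amount_jump")
    if acct.age_days < YOUNG_DAYS:
        found.append("young_account")
    return found

def decide(acct, amount):
    if acct.outstanding + amount > acct.limit:
        return "decline"              # hard limit, independent of any signal
    if len(signals(acct, amount)) == 3:
        return "review"               # hold for step-up verification or manual review
    return "approve"

def next_limit(acct, step=1.5, cap=1000.0):
    """Raise the limit only for aged accounts with a clean repayment history."""
    if acct.age_days < YOUNG_DAYS or len(acct.repaid) < 3 or acct.outstanding > 0:
        return acct.limit
    return min(acct.limit * step, cap)

if __name__ == "__main__":
    # Constructed accounts: a 40-day-old one with three tiny repaid orders,
    # and a 400-day-old one whose past orders resemble the new one.
    fresh = Account(age_days=40, limit=500, repaid=[20, 25, 30])
    regular = Account(age_days=400, limit=500, repaid=[120, 200, 150, 180])
    print(decide(fresh, 480), signals(fresh, 480))
    print(decide(regular, 460), signals(regular, 460))
    print(next_limit(fresh), next_limit(regular))
```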
That said, the solution to this challenge must be proactive, not reactive. Every BNPL platform must invest in some tools for fraud prevention, be they internal or external. For example, Equifax, which itself experienced a significant data breach back in 2017, has subsequently invested $1.5bn in its own fraud protection and data security.
The global data and credit referencing company also bought Kount in February 2021 to improve ID & Fraud processes for clients. Other market players that want to avoid similar outcomes look towards investing in internal risk mitigation tools development or partnering with independent risk management and fraud prevention platforms, like Covery.
How can you detect and prevent fraud?
In order to ensure timely detection and prevention of fraud, businesses must invest in a proactive, not reactive, anti-fraud system. It’s not enough to learn that an account was dishonest after it has defrauded you; this should be detected and prevented from the start.
For example, Covery does this through a combination of tools, namely, device fingerprinting, Trustchain, and behavioral analysis.
Fraudsters can invent names and email addresses, but they still have to provide some real credentials or their forged identities will not hold water. Every online account has a variety of unique identifiers — email name and domain, IP address and billing address, name and IBAN or BIC number, etc.
Once such details are exposed as fraudulent, this information is stored within Trustchain, a global database of reputation records shared among all the members of the Covery community. This way, should any identifier be marked as fraudulent, all other merchants will be alerted at once should it be used again. This anti-fraud tool helps detect fraudsters as soon as they try to register an account with you.
Furthermore, every session by every visitor has a unique set of hardware and software IDs, from CPU type, OS and browser version, plugins and add-ons installed, up to screen resolution, IP address and language preferences. Tracking these publicly available IDs using a special JavaScript snippet allows vendors using Covery to form a digital fingerprint of every device and define normal patterns of its usage.
This way, should anything abnormal happen, the vendor can be alerted and the operation can be declined with an automated risk logic engine rule. This helps prevent account takeover scenarios and other fraudulent activities.
There are patterns many fraudsters follow because vendors usually don’t check every transaction manually, so it is easy for fraudsters to get away with it. However, by deploying a Supervised Machine Learning algorithm that performs behavioral analysis, Covery is able to discern such patterns on the fly and alert vendors of potentially risky customers in real-time. As a result, vendors can configure risk engine logic scenarios with different outcomes based on different factors.
For example, let’s assume the Trustchain check and the digital fingerprinting check resulted in several matches, meaning this customer is a potential fraudster. In that case, you can make them go through an additional 3DS 2.0 verification or 2-factor verification. Legitimate customers will be able to pass it, while fraudsters won’t, which will protect your business.
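The rule described above, where reputation and fingerprint matches route a checkout to additional verification, can be expressed as a small decision function. This Python code is an added example and is not Covery's API or implementation; the function names, the hashing scheme, the `DECLINE_HITS` threshold and all sample identifiers are assumptions constructed for illustration.

```python
import hashlib

def ident_key(kind, value):
    # Hash the normalised identifier so the shared list holds no raw PII.
    norm = "".join(value.split()).lower()
    return hashlib.sha256(f"{kind}:{norm}".encode()).hexdigest()

def fingerprint(attrs):
    # Stable digest over the sorted device attributes collected in the session.
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()

DECLINE_HITS = 3  # assumed policy threshold; tune against your own loss data

def evaluate(order, reputation, known_devices):
    """Return (action, reasons) for one checkout attempt."""
    reasons = []
    for kind in ("email", "ip", "iban", "billing_address"):
        value = order.get(kind)
        if value and ident_key(kind, value) in reputation:
            reasons.append(f"reputation:{kind}")
    seen = known_devices.get(order["account"], set())
    if seen and fingerprint(order["device"]) not in seen:
        reasons.append("device:new_for_account")
    if len(reasons) >= DECLINE_HITS:
        return "decline", reasons
    if reasons:
        return "step_up", reasons  # route to 3DS 2.0 or 2-factor verification
    return "approve", reasons

# Constructed sample data (documentation IP ranges, made-up identifiers).
REPUTATION = {ident_key("email", "mule@example.test"),
              ident_key("ip", "203.0.113.7"),
              ident_key("iban", "XX00TEST0000000001")}
DEV_A = {"os": "Windows 11", "browser": "Firefox 121", "screen": "1920x1080", "lang": "sv-SE"}
DEV_B = {"os": "Linux", "browser": "Chrome 120", "screen": "1366x768", "lang": "en-US"}
KNOWN = {"acct-1": {fingerprint(DEV_A)}}

if __name__ == "__main__":
    orders = [
        {"account": "acct-1", "email": "alice@example.test", "ip": "192.0.2.10", "device": DEV_A},
        {"account": "acct-1", "email": "alice@example.test", "ip": "192.0.2.10", "device": DEV_B},
        {"account": "acct-9", "email": " Mule@Example.test", "ip": "203.0.113.7",
         "iban": "XX00 TEST 0000 0000 01", "device": DEV_B},
    ]
    for o in orders:
        print(evaluate(o, REPUTATION, KNOWN))
```

Normalising before hashing is what lets the third order match despite the changed case and spacing in its email and IBAN.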
Yet another benefit of using the Covery anti-fraud solution is the ability to track customer activity across multiple industries using device fingerprinting and Trustchain. For example, a new customer wants to register an account with you and you can’t run a standard credit score check for them.
However, device fingerprinting identifies the device and Trustchain comes up with all stored records of activity from the said device — and you see this customer is a regular at several online gambling portals and frequently uses services of microfinance and credit companies. This can mean it is a risky customer and allow you to decline to do business with them, or proceed with caution.
Conclusions
Buy now, pay later is definitely here to stay. As there are no regulations in place, securing the bottom line and protecting your revenues from fraudsters is the task every BNPL platform must solve on its own. You can invest in building internal fraud prevention systems or partner with a dedicated risk management and anti-fraud platform. What you definitely can’t do is sit tight and hope to weather the storm, as the fraud wave rises with each passing year, so make sure not to be flooded by it.