The reality behind platform fraud | Leaders in Payments Podcast

Hello, and welcome to the Leaders in Payments Podcast. I'm your host, Greg Myers. Joining me today is a very special guest, Jess Kirkpatrick, the Vice President of Risk and Fraud at Worldpay, now part of Global Payments. So, Jess, thank you so much for being here and welcome to the show.

Hi, thank you. Thanks for having me.

This episode is part of our signal series, where we are cutting through the noise to reveal what truly matters in payments in FinTech. Often platforms assume fraud is handled by their processor, or that basic KYC checks the box. But in practice, that's rarely enough, especially if they're moving towards a PayFac® model. So today we're going to dive deep into what proactive really means, where the hidden exposure tends to live, and how to protect your brand and your merchants. So, Jess, before we dive deep into this, can you walk us through your professional journey and how you got to Worldpay?

Absolutely. I'd be happy to. My career actually started in community banking, where I worked my way up from a teller to a personal banker at Great Western Bank in Omaha, Nebraska. That early experience gave me a strong foundation in customer service and financial operations. In 2005, I made a jump to PayPal, where over 17 years I held a variety of roles, really focused in risk management, compliance, and operations. I started out as a compliance analyst, filling out SARS and completing OFAC reviews, and eventually moved into leadership positions, eventually becoming the senior manager of risk operations for North America and Global Risk and Compliance Business Partners. During my time at PayPal, I managed large teams, led global risk and compliance initiatives, and developed policies to address emerging fraud and credit risks. I was very fortunate to be part of projects that drove innovation and process improvements across the organization. In 2022, I joined Payrix, which had just been acquired by Worldpay. I came on board as a senior director of risk, fraud, and underwriting for platforms, where I was responsible for managing risk, credit, collections, and onboarding. And one of my focuses was launching a new credit risk initiative and building out enhanced collection strategy, which helped us mitigate financial exposure. Then in January 2025, I was promoted to Vice President of risk, fraud, and underwriting for embedded payments. This role really expanded my responsibilities, not only as I was overseeing our risk programs in the US, but I also began supporting Integrapay in Australia and our expansion into the United Kingdom. It's been incredibly exciting to help scale our risk management strategies internationally and work with teams across different markets. Shortly after my promotion, Worldpay was acquired by Global Payments. So, I transitioned into the broader organization with my team and portfolio. Looking back, my entire career has been a journey of continuous learning, adapting to energy changes, and just always focusing on building strong risk and compliance frameworks to help our business grow globally.

Well, most of our audience will be familiar with Worldpay, which, as you mentioned, is now part of Global Payments. But for context, can you give us just a quick 50,000-foot overview of the company and where your team sort of fits into that?

Sure, yeah. So, at a higher level, Global Payments is the world's leading provider of payment technology. And now Worldpay is a part of that. It's even greater. We serve businesses and financial institutions in over 100 countries, helping them accept payments seamlessly, whether that's in-store, online, through integrated software platforms. Our goal is to make commerce easier, more secure, and more innovative for our clients and their customers. Within this organization, my team sits in the enterprise risk division, which is responsible for managing and mitigating risk across the company. I have a dotted line into the integrated and embedded payments teams so that I'm closely aligned with groups that deliver payment solutions through software and platform partnerships. So, this structure really allows us to support both enterprise level merchants and the unique needs of our platform and embedded payment partners. So, our focus is ensuring merchant legitimacy, preventing fraud, enabling safe, scalable growth as Worldpay and Global Payments continue to expand on its reach and offerings.

Okay, great. Thanks for that overview. So, let's dive into the fraud discussion. What's the biggest misconception that ISVs or software platforms believe about fraud risk? And what does it cause them to maybe underinvest in or maybe even completely ignore?

That's a really good question. Honestly, one of the biggest misconceptions I see is that the idea of fraud is something you can just set and forget. A lot of platforms think they're covered if they've put in some basic controls at launch, but fraud is always evolving. The tactics that worked last year might not work today. And bad actors are constantly looking for new ways in. So, because of that, I see a lot of software partners underinvest in ongoing risk strategy and training. They don't always keep their teams up to speed on the latest fraud trends or regularly revisit their risk controls. That creates gaps that fraudsters are quick to exploit. Another thing that often is overlooked is risk assessment when developing new features or products. So, everyone wants to stay agile and innovative, launching new capabilities and developing these new capabilities is really important for growth. But it's critical to take a step back and really assess the risks that come with those new features. If you don't establish appropriate controls up front, you could be opening the door to vulnerabilities and not even realize it. So, the biggest risk is thinking you can set your defenses up once and walk away. The most successful platforms are the ones that treat fraud prevention as a living, breathing thing, constantly evolving their strategies, investing in ongoing education for their teams, and also making sure new features are properly risk assessed and protected.

So, if I'm an ISV working with Worldpay now, Global Payments, how does shared liability work when it comes to fraud prevention?

In embedded payments, the default is that Worldpay is typically the one that accepts financial liability. When we're not able to recover chargebacks or ACH returns from a merchant, that means we're responsible for covering the loss and making sure everything is handled according to card brand rules and regulatory requirements. There are also some contractual options where our software partners can take some or all of that financial liability, depending on that agreement. But what's really important to understand is that no matter what, things like card brand standards and regulatory requirements always fall back on us as the payment provider. So even if the partner takes on financial liability, we're still going to work closely with them to make sure they're meeting industry standards and best practices. So really, when we talk about a partnership, it really is a side-by-side with our software partners to make sure they're set up for success and meeting industry standards. We don't just hand over the tools and walk away. We're there to support, educate, collaborate, every step of the way. The goal is to create and support, educate, and collaborate all the way through. We want there to be a safe environment for everyone. And that starts with open communication and a shared commitment to risk management. At the end of the day, we're really in this together. And when our partners succeed, we succeed. And we always take an approach that fraud prevention and liability are truly a team effort.

For some platforms, basic KYC maybe gets treated like the finish line, but why is it really only the starting line? And what's the next step up that most ISV should put in place?

That actually is a common mindset. And we see that a lot in some of our platforms where they treat basic KYC, KYB as the finish line. And they think, all right, we've verified the business or the individual, we're done. But really that's the starting point. We know who they are, but we still don't know how they'll behave or what risks they might bring over time. When we monitor merchants, we're really looking at four key vectors: identity. That's your KYC, KYB, making sure you know who you're dealing with. Intent. What are they actually doing on our platform? Business model, how are they doing it? Is their approach sustainable, or does it raise red flags? And then financial stability. Can they afford to do what they're doing? And are they likely to stick around? KYC is just one piece of the puzzle. The real step up is ongoing monitoring across all these areas. You want to keep an eye on transaction patterns, watch for changes in business behavior, and make sure the financial health stays solid. And don't forget, I've already talked about it, but ongoing training for your team so they know what to look for and how to respond if something seems off. The best platforms don't treat KYC as a checkbox. They use it as a starting point for a layered dynamic risk strategy. And that's how you stay agile, protect your business, and keep your customers safe.

You mentioned on the software or the ISV side of the platform that their team and they need to be trained. But at the end of the day, how do they decide who owns fraud internally?

That is something every platform should really think through early on. The reality is fraud prevention works best when there's clear ownership, but also strong cross-functional collaboration. So ideally, there should be a dedicated person or team responsible for fraud risks, often someone in risk management, compliance, or operations. This owner is accountable for setting strategy, monitoring trends, making decisions on tools and processes, and really being the main point of contact if something goes wrong. But it's not just about one person or team. Fraud touches a lot of areas: product engineering, customer support, and even sales. While you need someone to own the fraud and drive the agenda, you also want to make sure other teams are looped in, understand their role, and work together on solutions. So, for example, product and engineering need to consider fraud risks when building new features, and support teams need to know how to spot and escalate suspicious activity. The best setups I've seen have a clear leader for fraud, but also make it easy for different teams to flag issues, share insights, and collaborate on solutions. So, at the end of the day, it's a team sport, and there are people you have watching out for potential risks. And the more of them you have, the better off you'll be.

I'm going to ask sort of a follow-on question to that because you brought up a good point about these software companies adding more products. Embedded finance is a huge topic, right? So, they're embedding lending, which they're often using payments data to do the creditworthiness of the merchant. They may be adding other banking products, payroll. I mean, all these other embedded financial products are happening. How do you, as the processor, as they're adding these things, how do you get involved in that? Are you still kind of just worried about the payments? How does that kind of work from your perspective?

I think it's incredibly important to bring in your support teams early. So, fraud, risk, compliance are all incredibly important in the early initial stages of development when you're ideating or even beginning early development conversations. It really is important to have those key contributors be a part of those conversations to ensure that as you're building, you're building it in a way that helps ensure you're meeting your obligations, not just to your internal shareholders and your external shareholders as well, in the safest and most compliant way possible.

We often talk about friction in the payment space. We always talk about reducing friction. There should be no friction. But in this case, what does good friction look like for an ISV when it comes to fraud?

When we talk about good friction, we mean those checkpoints or extra steps that keep your platform secure without frustrating your users or slowing down the experience too much. That's really the magic. Good friction is about striking the right balance. So, for software partners, it might look like asking for more information during onboarding, maybe verifying a business address or requesting documentation for higher risk merchants. It could also look like additional verification for unusual transactions or periodic reviews of merchant's activity to make sure everything still checks out. The key is to make these steps feel helpful, not like a hassle. So, users should understand why you're asking for something, and it should actually make them feel more secure. When you do it right, good friction builds trust. It keeps fraudsters out, and it helps you stay compliant without turning away good customers. When done well, good friction does build that trust. It prevents fraud, and ensures compliance, all while keeping the user experience smooth for legitimate customers.

I saw something recently where a merchant was on LinkedIn and they talked about how they were seamlessly onboarded. It was fast, they were up and running months later. I don't know how long, but let's just say six months, eight months later, they started being asked all these questions and they couldn't understand what was going on. So, I think it was basically kind of what you're talking about, but it wasn't communicated well, right? It was like they're nagging at them to get these answers to these questions, and they had no idea why they were even asking them. So, I think from my perspective, that communication of that kind of friction is vitally important.

Yeah. And that is really how you can help your customers understand why these things are being asked for, right? When we talked about earlier, if they're running payments, they're now in that intent business model of those four items I spoke of earlier. There are going to be questions. They may be doing something that's a little bit unusual. That doesn't mean it's wrong. We just need to understand it. And when we can understand it, we can move on. But they also need to understand why risk is asking these questions. And it's equally important on both sides of that equation that we're able to be transparent and communicate well with each other.

Even when transaction monitoring, you mentioned that earlier, when it looks solid, what are a few of the compliance blind spots that are still leaving platforms exposed, and how do fraudsters take advantage of them?

That's a great one. Even if your transaction monitoring is top-notch, there are still a couple of sneaky blind spots that can trip a platform up. First, ongoing due diligence is a biggie. A lot of companies do a great job checking out merchants when they first sign up, but then kind of forget about them. The thing is, businesses change, ownerships shift, business models evolve, and sometimes fraudsters just wait until you're not paying attention to start acting up. That is why it's so important to keep tabs on your merchants over time, not just at the beginning. Another spot people miss is in their communication channels that we just talked about. If your support team isn't trained to spot weird or suspicious requests like sudden changes in bank details, urgent demands, or info that doesn't add up, fraudsters can use social media and social engineering to sneak past your defenses. They're getting more creative every day. So, your team has to stay sharp. Then there's keeping up with card brand rule changes. So Visa, MasterCard, all the big brands. They're always updating their requirements. If you're not on top of these changes, you can end up out of compliance, which means you get hit with fines, chargebacks, or even lose your ability to process payments. Fraudsters are actually looking for platforms that are not up to speed because those gaps are easy targets. So even with a good transaction monitoring program, you've got to stay on top of ongoing merchant checks, train your team to catch red flags in communications, and make sure you're keeping up with all the card brand updates. Otherwise, you're leaving the door open for fraud. And sometimes that can mean some really painful losses.

Okay. Well, let's talk about the PayFac model a little bit and about ISVs that maybe want to become a PayFac. What does proactive fraud prevention actually need to look like to satisfy PayFac registration? You mentioned Visa, Mastercard, and ongoing regulatory compliance. And where do most platforms come up short?

Yeah, from moving from being an ISV into becoming a PayFac, it's a huge leap, especially when it comes to fraud prevention and compliance. Proactive fraud prevention isn't just a buzzword here. It means having a comprehensive, ongoing program that goes well beyond the basic onboarding, KYC, KYB checks. First, you need to have a strong KYB, KYC process at onboarding, but that's just the start. Regulators and card brands expect you to keep monitoring your merchants throughout their life cycle. That means regular reviews, transaction monitoring, and being on the lookout for changes in merchant behavior, business models, or ownership. You've got to be able to spot those red flags early before they turn into losses or compliance issues. You also need clear policies and procedures, solid documentation, and a team that's trained to react quickly if something looks suspicious. It is not enough to just have tools in place. You need to actually use them, review the data, and act on what you find. Where most platforms come up short is something we've actually talked about earlier. It's the set it and forget it thing. When a platform focuses heavily on getting merchants through the door, but doesn't invest enough in ongoing monitoring, updating risk models, or keeping up with regulatory and card brand changes, it can be detrimental. Another common miss, is not having a clear escalation path or communication between teams. So, when something weird pops up, it falls through the cracks. It's really important for PayFac registration that you keep regulators happy. You need to show that you're not just checking boxes, you're actively managing risk, staying up to date with industry changes and making fraud prevention a core part of your business.

Okay. So, if fraud is really a merchant retention and brand trust issue, which it definitely is, how should ISVs measure success? I mean, it's not like if we don't have any issues, successful, what should they really be measuring?

That's really an important point. And sometimes I think we forget about that. When we talk about fraud, it's easy to just focus on the dollars lost, but the real impact goes way beyond that. If fraudsters start to take hold, you risk losing your good merchants because they don't want to operate on a platform where they feel unsafe or where their customers are put at risk. Plus, your brand reputation can take a serious hit. No one wants to be known as the platform the fraudsters hang out on. So, when it comes to measuring success, ISVs should look at more than just fraud loss rates. There's really two additional trackers they should consider merchant retention and churn. Keep a close eye on your merchant churn rates, especially among your best or most established merchants. If you see good merchants leaving, dig into the reasons why that's happening. Are they citing fraud or security concerns? A stable or improving retention rate, even as you grow, is a really strong sign that your risk controls are working and your platform feels safe. Another one is brand health and reputation. Monitor your brand reputation through merchant feedback, online reviews, and even social media mentions. Look for how people talk about your platform. Are there complaints about fraud, or do merchants recommend your platform for its security? You can also track net promoter score, or customer satisfaction surveys, specifically around trust and safety. So, really, like you said, success is not just about stopping fraud; it's about creating an environment where good merchants want to stay where your brand is associated with trust and reliability. If you're retaining quality merchants and your reputation is strong, that's a real win in the fight against fraud.

Well, one final question before we wrap up. If a platform wants to get serious about fraud prevention right now, this quarter, what are the first three actions you'd prioritize to reduce risk quickly while staying compliant and protecting your reputation?

I actually really love this question. So, if you really want to make an impact, there are really three things you should do. One is to review and tighten onboarding controls. Start by taking a fresh look at your onboarding controls. Process. We're working in an evolving world with less and less face-to-face interaction. So, KYC and KYB have to be done in new innovative ways to make sure you really know who you're doing business with. Make sure your checks are solid and up to date and consider adding extra verification for high-risk merchants. Catching risky players before they get on the platform is one of the quickest ways to reduce fraud. Number two, ramp up ongoing monitoring. Don't just rely on onboarding. Set up regular reviews and real-time transaction monitoring. Look for unusual patterns, sudden changes in business behaviors, or anything that just feels off. The sooner you spot something weird, the faster you can act and prevent loss. And three, probably the most important one of these is train your team and communicate clearly. Fraudsters love to target gaps in knowledge. So, make sure your staff knows what to watch out for, especially in support and onboarding teams. Give them the tools and training to spot red flags and escalate issues quickly. At the same time, be transparent with merchants about your fraud control, so they know you're serious about protecting them and your platform. If you knock these out, I think you'll be in a much better position to fight fraud, stay compliant, and then also keep your reputation strong. It's really about being proactive and making sure everyone's on the same page.

Jess, I think that's a great way to wrap up the show. So, thank you so much for being on today. I know your time is very valuable, so I really appreciate you being here.

Thank you for having me.

Absolutely. And to all you listeners out there, I thank you for your time as well. And until the next story.