3 Things Banks Can Do to Tackle Push Payment Fraud

The UK’s Financial Ombudsman previously argued that banks were not taking enough responsibility for authorized push payment fraud and should not immediately presume their customer has been negligent. In fact, the Payment Systems Regulator now requires banks to reimburse victims of this type of fraud. This now puts additional pressure on banks to tackle push payment fraud.

While industry bodies have compensated the customer, it should be recognized that the banks are victims as well. Clever fraudsters have a wide variety of increasingly sophisticated techniques and technology to help them commit these crimes. They have access to a real-time payments scheme which means they can access the proceeds of their crimes and quickly remove them out of the reach of law enforcement.

Banks are not powerless to tackle the issue. In addition to the measures suggested by regulators and industry bodies, here are three areas they can focus on:

1. Transaction Risk Analysis 

For many years card issuers have deployed real-time transaction risk analysis for credit and debit cards. There is a wealth of functionality available to them through solutions such as FICO Falcon Fraud Manager. This same technology can be effectively deployed to assess the risks inherent in push payments. While some banks already use transaction risk analysis for push payments, to be truly effective in stopping this fraud they must:

• Work in real-time. Customers expect payments they have initiated using UK Faster Payments to be fast if not instant! Deploying fraud analysis that slows the process is likely to be unacceptable to customers and won’t stop fraud in a real-time payments system.
• Apply risk analysis to payments leaving accounts AND to payments arriving into accounts. Since both the sending and receiving banks are equally liable for reimbursement, it is important to analyze inbound payments or deposits. The proceeds of push payment fraud may also be channeled through mule accounts. Identifying these accounts not only prevents fraud but helps the bank to meet anti-money laundering compliance obligations.
• Have access to the right mix of technologies. Fraud constantly evolves, which means the systems to prevent it must also be agile. There is no ‘silver bullet’ to stop fraud. Traditional methods and analytics are not effective against authorized push payment fraud when it is the legitimate customer making the transaction. FICO’s award-winning scam detection model uses sophisticated analytics to detect the propensity of the transaction being a potential scam payment

2. Standardized Reporting

It is generally true that if you’re not measuring then you will struggle to improve. Even if you are improving without consistent and regular reporting methodologies how will you know?

Reporting authorised push payment fraud was given additional impetus when UK Finance included rates in their 2017 report for the first time. The European Banking Authority has also tackled reporting for authorised push payment fraud in their PSD2 Fraud Reporting Guidelines. They lay out a framework for the consistent and mandatory reporting of fraud and include the reporting of fraud that involves ‘manipulation of the payer’ - in other words, authorised push payment fraud. Banks must continue to focus on how this type of fraud is reported, which now includes specific types of scams, in order to identify trends and satisfy regulators.

3. Mutual Authentication

A significant proportion of authorised push payment fraud happens when fraudsters trick their victims into believing that they are their bank. The techniques used are sophisticated and include spoofing of emails and SMS messages so that they look genuine – even to the wary.

As the Financial Ombudsman notes, it is not possible to lay the blame on customer negligence in such cases. The protocols by which customers authenticate themselves to their banking providers are established and consistency will be enforced through regulation such as PSD2. The protocols that banks use to authenticate themselves to their customers are by contrast inconsistent and poorly understood. This allows fraudsters to get their foot in the door and commit their crimes.

It is not an easy nut to crack, but the proliferation of these kinds of fraud means that it must be addressed. While an effective, industry-wide approach may be the best way forward, in its absence individual banks can still act. They should look to provide consistency in their outbound customer communications and have standard and well-understood procedures by which they prove who they are.

Once they have policies in place to address how they authenticate themselves to customers, it is vital to educate their customers about it and apply it consistently. It is not just the fraud department’s responsibility – unsolicited sales calls to customers that proceed to ask the customers for security information must not happen unless the bank has first reliably proved who they are to the customer.

The pressure to tackle authorized push payment fraud is coming from industry bodies, consumer advocates, regulators and customers. Banks that can tackle it will have a competitive advantage; those that don’t there will be continued bad press, loss of reputation and increased scrutiny from the regulator.

How FICO Can Help You Fight Scams and Authorized Push Payment Fraud

• Read How Scam Prevention and Scam Detection Help Banks and Customers