APP Fraud: Get Ready Now for Global Scams Regulations
As regulators around the world roll out new rules to deal with APP fraud, these four tips can help payment service providers adapt to the new fraud prevention regimes

The UK Payment Systems Regulator (PSR) grabbed a lot of attention after they announced the 50/50 liability proposal and published their APP Fraud Performance Report. While the UK has had the biggest share of the media focus, this phenomenon is not limited to just the UK and we're seeing several countries across all regions taking regulatory steps to combat the scams that are enabled by real-time payments.

As the timeline above shows, multiple countries are moving towards sharing data to prevent scams. They have not yet gone as far as the UK did with their 50/50 Liability Announcement, mandated customer reimbursement and publication of the APP Fraud Performance Report. However, we think it is only a matter of time before other countries introduce similar regulations. We can already see this with the Monetary Authority of Singapore’s proposed framework for liability sharing between the banks and the customer.
In our discussions with financial institutions around the world, the topic of additional regulation is very much at the forefront of their minds. The head of fraud at a tier-1 bank told us, 'We don't know exactly what the next steps will be, but we know something is coming.' I strongly concur with this assessment. We will see additional regulatory steps being taken, and we will see them continuing to spread to other countries.
So, what are some of the potential consequences of this upswing in scam regulation for fraud professionals? I believe that soon, once all these regulatory changes are in place, the following pros & cons will emerge:

With the increase in data shared, financial institutions (FIs) can make more accurate decisions to prevent fraudulent applications from opening a mule account. Furthermore, there will be increased ability to determine after on-boarding whether customers are a part of a mule network. However, with the associated reporting (such as the UK’s APP Fraud Performance Report) come potential risks that performance in terms of scams refunds and application controls will be completely laid bare, potentially causing reputational damage to those organizations that are not topping certain charts or are topping the wrong charts. Customers will gain greater awareness of how well their financial institution protects them and how likely they are to be reimbursed, possibly causing them to switch account providers.
The other benefit of sharing information between financial institutions in real time, as well as cross-industry collaboration down the line, is that it paves the way for a significant reduction in scam losses. The ability to bring in certain event flags leading up to the fraudulent transaction will complement your decisioning with additional data sources. However, the enforced reimbursement of customers opens the door for opportunistic or first-party fraud, as accountholders falsely claim that they were the victim of a scam, when in fact they are gaming the system.
As the focus of the regulation is the protection of scam victims, more customers will be safeguarded, as FIs will need to prove that the customer actively participated in the fraud for them to not be reimbursed. At the same time, if the additional data shared is used incorrectly (assuming the centralized data is of good quality with correct fraud definitions), it could mean that innocent folks may be prevented from access to financial services due to poor matching processes. This problem will be amplified if the collected data is of poor quality.
Where Is Regulation Headed?
I think we’re starting to get a pretty good picture of what the different regulators are currently thinking. So, where is all this focus on regulation potentially headed? I believe that the next big wave is cross-industry collaboration, and we’re already getting a glimpse into this with the Australian Government/Anti-Scam Centre’s recent announcement, which even begins to stipulate how data is distributed in such collaboration, for:
- Banks to freeze an account.
- Telecommunication companies to block a call.
- Digital platforms to take down a website or an account.
In my opinion this is truly where the regulation should be heading. The problem of scams is one that cannot solely be tackled by the banks. Telecommunication companies, ISPs and social media companies all need to play a role in sharing data and tackling scams.
4 Tips on How to Prepare for Global Scam Regulatory Change
So, what should you consider to help prepare yourself for this wave of regulations?
1. Flexible Data Ingestion

Evaluate how flexible your fraud solution is in terms of the intake of different data sources. The current sets of global regulation enable FIs to share fraud-related information between themselves. With the next wave of regulation, we’ll see an additional need to ingest data from non-FI sources such as telcos, ISPs, and social media companies. I expect that the number of additional data sources will expand over time. Utilizing this additional data requires having a solution that can rapidly build new data schemas and easily ingest new data.
2. Better Application Fraud Controls

Application fraud controls are often an afterthought for many financial institutions. The changes in scams regulation and especially the 50/50 liability split provide an opportunity for fraud teams to present a strong business case for ramping up controls. As an example, consider the reputational impact of one of the metrics listed on the UK’s APP Fraud Performance Report: value of APP fraud received per £ million of transactions. Gone are the days when your application fraud control issues could be swept under the rug. The transparency of the regulatory reporting means that it's visible to everyone — not only competitors, customers and regulators, but also the fraudsters. The fraudsters will have direct insight into which banks have the laxest application fraud controls.
3. Tools to Build & Deploy Scams-Focused Models

As we all know, transactional fraud models are very effective tools in combatting account takeovers, CNP fraud, and other standard fraud types. However, they begin to be less effective when trying to detect scams, because scams tend to dance in the very grey area between fraud and genuine behavior. This is largely because it is the customer making that transaction, from the device that they trust, from their regular location, so the transaction does not necessarily look any more out of place than a genuine one.
For this reason, your organization needs to consider utilizing models that focus on scam detection to complement the standard fraud models. The best combination for tackling this problem is a consortium-based model that benefits from a wider view of threats that perhaps have not materialized at your institution yet, as well as tools that allow you to easily build and deploy a self-built model focusing on all your customers’ data available only to you.
4. Bespoke Communication

FIs frequently use a one-size-fits-all approach to customer communications. In fact, a bespoke approach should be part and parcel of an effective strategy to combat scams.
The traditional approach of sending an SMS to confirm whether a transaction was requested by a client is not effective in getting a customer to ‘break the spell of a scammer’ — in other words, getting the customer to think about what exactly it is that they’re doing before they authorize a transaction. Besides the message that is being delivered, the communication channel should also be considered. Not every customer has the same preferences regarding how they like to be communicated with. Effectively combatting scams requires giving your customers the ability to state their communication preferences and indicate what channels they trust the most; the system should also learn from customers’ past behaviors to identify the channels with the best response rates.
Standing still and hoping that the problem of scams will go away is not an option. Exploring these four tips further and identifying how your organization may benefit from pursuing some of these enhancements to your current fraud prevention strategies will set you on the right path to prepare yourself for the regulation to come.
In an upcoming series of blog posts, we will continue delving deeper into the challenges and best practices for effective scams and application fraud management, as well as taking a closer look at how the scams regulation drive is affecting specific regions around the world.
How FICO Helps You Detect and Prevent Scams
- Explore FICO’s innovative fraud protection technology
- Learn how real-time customer communications can help stop fraud
- Read about FICO’s award winning, machine learning-powered retail banking model with scam detection score
- Download the FICO 2023 Scams Impact Survey