In August, the UK’s Financial Ombudsman joined the debate on authorised push payment fraud. They argue that banks are not taking enough responsibility for this kind of fraud and say banks should not take the default position that their customer has been negligent. This follows the announcement by the Payment Services Regulator that they intend to require banks to compensate their customers in some cases – the consultation paper on their proposal is due out soon.
The pressure for banks to tackle push payment fraud is mounting – and even if liability isn’t transferred wholesale to the banks, the scope for bad publicity and loss of reputation is significant.
While industry bodies look to redress the balance between bank and customer, it must be remembered that the banks are victims as well. Clever fraudsters have a wide variety of increasingly sophisticated techniques and technology to help them commit these crimes. They have access to a real-time payments scheme which means they can access the proceeds of their crimes and quickly remove them out of the reach of law-enforcement.
Banks are not powerless to tackle the issue. In addition to the measures suggested by regulators and industry bodies, here are three areas they can focus on:
1. Transaction Risk Analysis
For many years card issuers have deployed real-time transaction risk analysis for credit and debit cards. There is a wealth of functionality available to them through solutions such as the FICO Falcon Fraud Platform. This same technology can be effectively deployed to assess the risks inherent in push payments. While some banks already use transaction risk analysis for push payments, to be truly effective in stopping this fraud they must:
- Work in real-time. Customers expect payments they have initiated using UK Faster Payments to be fast if not instant! Deploying fraud analysis that slows the process is likely to be unacceptable to customers and won’t stop fraud in a real-time payments system.
- Apply risk analysis to payments leaving accounts AND to payments arriving into accounts. While it is intuitive to analyse payments as they are initiated it may in fact be equally or even more important to apply the same scrutiny to in-bound payments. Victims of push payment fraud have looked to the receiving bank for recompense, this is particularly the case when the fraudster has opened an account using a stolen or synthetic identity. The argument is that the banks KYC processes were at fault when the account was opened. The proceeds of push payment fraud may also be channelled through multiple mule accounts and spotting this behaviour not only stops fraud but also helps the bank to meet their anti-money laundering compliance obligations.
- Have access to the right mix of technologies – Fraud constantly evolves, this means that systems to stop it must also be agile. It is no good looking for a single ‘silver bullet’ to stop fraud. Instead you need adaptive technologies that can be layered to produce the best possible outcomes. For example if dealing with a new scenario where historical data cannot inform your fraud models then unsupervised machine learning technology that can self-learn becomes more important – when data and insight is available then accuracy will be increased by using trained models.
2. Standardised Reporting
It is generally true that if you’re not measuring then you will struggle to improve. Even if you are improving without consistent and regular reporting methodologies how will you know?
Reporting authorised push payment fraud was given additional impetus when UK Finance included rates in their 2017 report for the first time. The European Banking Authority has also tackled reporting for authorised push payment fraud in their PSD2 Fraud Reporting Guidelines. They lay out a framework for the consistent and mandatory reporting of fraud and include the reporting of fraud that involves ‘manipulation of the payer,’ in other words authorised push payment fraud. To stay ahead of the fraud and satisfy the regulator, banks must focus on how they report this fraud as a matter of urgency.
3. Mutual Authentication
A significant proportion of authorised push payment fraud happens when fraudsters trick their victims into believing that they are their bank. The techniques used are sophisticated and include spoofing of emails and SMS messages so that they look genuine – even to the wary.
As the Financial Ombudsman notes, it is not possible to lay the blame on customer negligence in such cases. The protocols by which customers authenticate themselves to their banking providers are established and consistency will be enforced through regulation such as PSD2. The protocols that banks use to authenticate themselves to their customers are by contrast inconsistent and poorly understood. This allows fraudsters to get their foot in the door and commit their crimes.
It is not an easy nut to crack, but the proliferation of these kinds of fraud means that it must be addressed. While an effective, industry-wide approach may be the best way forward, in its absence Individual banks can still act. They should look to provide consistency in their outbound customer communications and have standard and well-understood procedures by which they prove who they are.
Once they have policies in place to address how they authenticate themselves to customers, it is vital to educate their customers about it and apply it consistently. It is not just the fraud department’s responsibility – unsolicited sales calls to customers that proceed to ask the customers for security information must not happen unless the bank has first reliably proved who they are to the customer.
The pressure to tackle Authorised Push Payment fraud is coming from industry bodies, consumer advocates, regulators and customers. Banks that can tackle it will have a competitive advantage; those that don’t there will be continued bad press, loss of reputation and increased scrutiny from the regulator.