Authorised Push Payment Fraud – The Liability Challenge

Last week, the National Board for Customer Disputes in Sweden, after reviewing cases referred to them, have ruled that banks should be liable for so-called "push payment" fraud losses over a certain amount.

Authorised push payment fraud, or APP fraud, is gaining in popularity in the criminal community. Customers are being tricked into authorising payments by persuasive social engineering schemes run by criminals. These criminals have been so successful that this kind of fraud even has a nickname: hypnofraud.

Fraudsters have always targeted the weakest link in the process. As systems become more and more secure, the weakest link has become the customers themselves.

The push payment fraud trend has sparked debate at Payment Services Providers (banks and other financial institutions), regulators and consumer bodies about who should foot the bill when these kinds of schemes are successful. In 2016, a super complaint by the UK consumer organization, Which, was filed which called for the PSPs to do more to stop this kind of fraud, and to take greater responsibility for the losses when customers fall for these scams.

The question of liability isn’t straightforward, as my colleague Sarah Rutherford noted in a recent post. On one hand, customers are being tricked by highly convincing, almost hypnotic fraudsters, often posing as representatives from a bank. Whilst the industry can educate consumers about this, we can’t expect all customers to be experts in identifying whether calls, emails or SMS are genuine or fraudulent. On the other hand, if a customer withdrew cash from an ATM and was persuaded to hand over that cash by a fraudster, no one would expect the bank to foot the bill.

Whilst regulators and consumer bodies around the world make their own judgements, there is something the banks can do to reduce the scale of this problem and make social engineering scams less successful. By analysing the way each customer normally uses their account — whether transactions are authenticated by them or not — they can detect transactions that are out of character and stop them before funds disappear from accounts.

Customer behaviour profiling is a key way to detect and stop fraud from taking place, whilst allowing a frictionless experience for customers going about their daily business. For more on this, see our posts on the FICO Blog: http://www.fico.com/en/blogs/tag/fraud/.