In the past year, three major economies — the Eurozone, the USA and Australia — have gone live with real-time payments schemes, Canada will follow in 2019 and many other countries are on the road to implementing real-time schemes.
Real-time payments schemes are not new – indeed Japan has had a scheme since 1973, Switzerland was the first European scheme in 1987, and the UK’s Faster Payment scheme was launched in 2008 and is currently processing payments of around £140 billion per month. But the global adoption of such schemes, alongside the problems suffered by early adopters, has turned the focus to real-time payments fraud.
Real-Time Payments Equal Real-Time Crime
The ability to send money quickly makes financial crime both easier to commit and more difficult to trace. As discussed in my earlier post, real-time payments make multiple types of fraud more attractive and enable the fast movement and laundering of criminal proceeds. The real-time payments fraud experiences of countries such as the UK provide a lesson to new adopters of what can happen to fraud rates when money can be transmitted fast.
Increased awareness of the fraud implications is coupled with higher values that can be transferred using these mechanisms. In the UK £250K can now be sent in a single, irrevocable payment – and the system has been tested for up to an eyewatering £10 million. In Europe SEPA CT Inst currently stands at a more modest €15K but is expected to increase. Individual banks can set their own limits below this, but even those with lower limits allow people to send (and potentially lose) life-changing amounts.
Fraud Using Real-Time Payments will Impact Businesses
Countries that are recent adopters of real-time payments introduce an additional factor to the fraud landscape. Newer schemes use the ISO2022XML messaging framework, which allows for additional information to be sent with a payment. This is important as it makes these schemes more usable for B2B payments in a way that older schemes, such as UK Faster Payments aren’t yet.
This raises the prospect of increased real-time payments fraud against businesses. We’ve already seen the impact of authorized push payment fraud on them, even when payments are not cleared on the same day. When this kind of fraud takes advantage of an instant and irrevocable payment mechanism, losses will sky rocket.
Who Is Liable?
In September 2016, the UK consumer group Which? launched a ‘super-complaint’ based on the experience and losses of people who have been victims of authorized push payment fraud. The main gist of the complaint concerns consumers that are tricked into transferring money to a fraudster via a “push” payment — for example, when the consumer instructs their bank to send money by a credit transfer such as a Faster Payment. The complaint argues that victims of authorized push payment fraud do not receive sufficient protection from fraudsters in comparison to other types of payments such as cards and direct debits.
The Payment Systems Regulator has responded and while their recommendations don’t transfer liability and put the onus on the industry to police itself, they do offer some protection to consumers who have been conned by fraudsters. It is expected that their recommended code will be implemented by September 2018. Key action points include:
- An education programme aimed at business leaders – this has already begun with a letter to CEO’s endorsing the UK Finance code of best practice.
- The appointment of a steering committee to seek consensus on the details of the code including:
- Pre-conditions for payer and payee on standards that meet the criteria for recovery of stolen money
- The standards PSPs will be expected to follow
- Implementation of the code across the industry
- It is expected that the code will not be retrospectively applied to fraud that pre-dates it.. It will also not cover authorised push payment fraud to non-UK payment service providers, and where there are multiple back-to-back payments from a PSP to a fraudster only the first transaction will be covered.
Meanwhile in Sweden, as discussed by my colleague Gareth Williams, the authorities have taken an approach that is more supportive of the consumer.
The issue of liability still needs to play out and it’s likely that different geographies will take different stances on exactly where it sits. There are additional factors that mean that it’s not simple to address. For example, in the UK victims have looked to the receiving bank for restitution. Their argument is that if it can be shown that the receiving bank opened an account for a fraudster that used a stolen or synthetic identity, then their KYC processes were not sufficient or compliant with regulation.
Regardless of where legal liability ends up, there are compelling reasons why banks need to address fraud in real-time payments now, including:
- A wish to protect their customers and enhance customer experience.
- The protection of their reputation – managing this kind of fraud well could become a competitive advantage.
- Protecting customers now could prevent the regulators introducing more unwelcome regulation that is difficult and expensive to manage.
Taking a Holistic Approach to Real-Time Payments Fraud
The most obvious fraud related to real-time payments is authorized push payment fraud, but real-time payments feed a complex fraud ecosystem, driving other fraud types including account takeover fraud, application fraud and money-laundering. This is a driver for banks to take a more holistic approach to fraud prevention, one that works across channels, payment mechanisms and the customer lifecycle.
The FICO Fraud Platform is ideally suited to helping businesses manage this complex financial crime environment. The same machine learning technology, data management and case management can be used across the customer lifecycle and channels to drive both better fraud protection, anti-money laundering compliance and improved customer experience.
We have taken a more comprehensive look at global real-time payments in our white paper Fraud in the World of Real-Time Payments.