A cross-party Treasury Select Committee has called on the UK government to do more to ensure that the victims of authorised push payment scams are reimbursed. Since May 2019, major UK banks have participated in a voluntary code - the Contingent Reimbursement Model (CRM), designed to provide funds back to the victims of authorised push payment fraud or APP fraud.
Despite preventative measures such as Confirmation of Payee (COP), stories of distraught victims losing large sums to clever scammers have not gone away. In the mid-year update to their Fraud the Facts report, UK Finance say that APP fraud losses increased by a massive 71% in the first half of 2021. Losses of £355 million for the first six months of the year are likely the tip of the iceberg, as victims reluctant to admit they have been scammed are not always willing to report their loss.
The global pandemic pushed more people into running their lives online, and this provided scammers with even more opportunities such as the CryptoRom scam and the so called WhatsApp ‘Hey Mum’ scam (dads may be scammed too!). The risk of losing all has just increased with UK Faster Payments raising the limit for a transaction to £1 million. While most banks will likely not offer consumers the ability to transfer such a large sum, the amounts they can transfer are still life changing.
Whether voluntary or regulated, whether the banks lose out or the customers do, one thing is clear: the contingent reimbursement model shuts the stable door long after the horse has bolted. So, what can banks do to prevent APP fraud?
Deploy AI and Machine Learning – the Scams Model
PSD2 and Strong Customer Authentication have made life a lot more difficult for fraudsters. Extra identity checks on payment transactions make it difficult for them to use stolen credentials to make payments. They have therefore turned their attention to crime where identity authentication is of limited use.
When a scammer has tricked someone in to making a payment from an account they own, then authenticating the victim is not a protection. However, just because it is the legitimate customer making a payment does not mean that their behavior has not been altered by the fraudster, and sophisticated machine learning models can detect this.
In his blog FICO Integrates Fraud and Scam Detection in FICO Falcon Retail Banking 3.0 Model FICO’s Chief Analytics Officer, Dr Scott Zoldi, describes the use of behavior-sorted lists and additional analytic features to detect likely APP fraud, before any payment to a fraudster is made. The results speak for themselves; using targeted profiling of customer behavior to spot scams, 50% more scam transactions are detected.
Look Out for APP Fraud Signals – Develop the Rules
The decisions made in fraud detection directly correlate to the depth and quality of data available. In many instances banks have a limited number of variables that they can consider in a fraud risk assessment. These may be restricted to the specific customer and transaction under consideration. Widening the scope and introducing more contextual data to the decision significantly improves detection accuracy.
Consider this scenario: a customer is making a first payment to a new beneficiary, they have indicated it’s for an investment and the sum is a relatively large £5,000. The bank flags this as potential fraud and stops the payment. The customer however is not happy, they were trying to make a payment into their pension before the annual tax deadline – and now they’ll miss it. With more contextual data the bank could make a different and more customer-friendly decision. Is the payee account one that other customers have paid into on a regular basis? Has this been over a long period of time? Are payments to this beneficiary usually of a relatively large value? This extra context may well alter the decision, allowing the payment to proceed and the customer to meet the deadline and get their tax rebate this year.
Because fraudsters change their modus operandi, the signals for fraud also change. The amounts paid, type of payee account, and profile of customer will be different for a scam that is leveraging a personal relationship such as a romance scam compared to those for an investment scam. These variables constantly change, and sufficient flexibility is required in how the rules that manage risk can be authored and adapted dynamically once the characteristics of a new fraud type are identified. If introducing new fraud rules is a difficult and time-consuming effort for a bank, then fraud can go unmanaged for longer, losses mount and fraudsters realizing they’ve uncovered a weak spot can up their rate of attack. FICO’s expert team of advisors provide a valuable resource for banks looking to make their fraud rules easier to manage and adapt them to emerging fraud types.
Communicate with Customers About APP Scams
Consumer education is an important tool that banks can leverage to help customers protect themselves. The continuing rates of APP fraud and the fact that some banks hold the customer to be wholly or significantly at fault in up to 90% of cases suggests that education isn’t working often enough. Blaming the customer for not understanding the risk ultimately doesn’t help, but communication can be expanded far beyond generic warnings on the payments screen.
Customers can be asked about the transactions they wish to make in real time, with details pertinent to the specific transaction and using the customer’s channel of choice. Offering customers a ‘cooling off’ period during which the payment is held, providing them with friendly advice and asking relevant questions can help them think again, or make further checks. An anxious parent who is trying to transfer money to their child they believe to be in need can be persuaded to phone them to discuss the matter in person, rather than relying on a WhatsApp conversation.
Getting communications right is not only about stopping fraud: holding a customer’s payment impacts customer experience when that payment is legitimate. Some banks are holding payments for a period of time where they believe there is a fraud risk. On occasions they chose not to or are unable to inform the customer that they’re doing so. A customer who is expecting their transfer to reach their intended recipient instantly will be alarmed when it doesn’t – they could miss out on the products or services they wanted to buy and be worried about where their money has gone.
No Silver Bullet for APP fraud
Authorised push payment fraud is a complex issue that manifests in many different forms with individuals, businesses and the banks themselves as victims. A layered approach where all affected play their part is the best way to cut back on losses. Consumers and businesses must be educated and aware, banks must use the tools available to them and the industry and regulators must continue to drive effective policy and where necessary regulation.