Real-Time Payments Fraud: Are New Regulations and Liability Shifts Coming?

History is filled with examples of regulatory intervention and liability shifts when publicly voiced concerns grew loud enough to force legislators and regulators to “do something” about a particular issue. I am of the opinion that we’re close to that point in the financial services industry today, particularly with respect to real-time payments (RTPs) and the growth in authorized push payment (APP) fraud.

Scams and fraud complaints are up; the United States Senate held fraud hearings with the CEOs of America’s biggest banks; and the UK’s Payment Systems Regulator just released new guidance which requires sending and receiving banks to split customer reimbursement 50/50 when RTP scams happen.

Beyond this trail of evidence, I have a strong feeling that changes are in the works for American banks in the face of massive wave of scams. For insights into how that may play out and what the impacts may be, let’s examine other broad shifts in the US market, even outside financial services. 

Seatbelt Laws: Regulation and Automotive Safety

I love old movies with hot rods from the 1960s, but I shake my head when I remember that seat belts weren’t even required to be built into cars in the US until 1968. And it wasn’t until 1984 that New York became the first state to pass a law requiring people to wear them.

For a while after the introduction of seatbelt inclusion and use laws, people complained that government was meddling in things it shouldn’t. Challenges to seatbelt requirements went all the way to the Supreme Court in 1983. But by 1996, all states except New Hampshire required drivers and any other front seaters to buckle up.

The impact of requiring seatbelts, and their use, has been profound. According to the National Highway Traffic Safety Administration (NHTSA), seatbelts saved nearly 375,000 lives from 1975 to 2017, and most of us don’t think twice about buckling up when we get into a car today. Clearly in this case, the regulatory intervention meant improved long-term outcomes, in spite of the initial pushback.

Card-Present Fraud: Liability and Financial Protection

You might think that being free from responsibility for fraudulent charges on your credit card is a perk, but in the US elements of that fraud protection were implemented as recently as October 2015. It was then that our payment networks introduced a liability shift for card-present point of sale (POS) transactions, specifically related to using chip-and-PIN technology instead of relying on swiping the magnetic stripe at payment terminals.

Before the introduction of chip-and-PIN card technology, consumers had to swipe their cards, which left them vulnerable to having their card counterfeited through things like skimming fraud at the POS or a data breach. If there was a fraud claim on a swipe transaction, the card issuer assumed the financial responsibility of fraud losses, making swipe transactions a significant liability for the issuers.

When liability shift rules came into effect in 2015, the payments networks and card issuers prioritized the use of the more secure chip-and-PIN methodology, which encrypts card details in the now-ubiquitous chip component of a credit or debit card. This change incentivized merchants to upgrade to chip-enabled POS readers, or face liability for any fraudulent card-present charges that happened using old POS reader technology.

Today, chip-reading POS terminals are ubiquitous. That liability shift drove significant changes in both infrastructure and behavior, as merchants and acquirers worked to mitigate loss exposure.

Real-time Payments: Looming Regulatory, Liability Changes?

I believe we’re facing the perfect storm of regulatory and liability impacts when it comes to RTP channels. From the regulatory perspective, increasing scrutiny from US lawmakers, as well as the announcement of planned changes to reimbursement policies from RTP providers like Zelle, are setting the stage for a sea-change in the RTP landscape.

From a liability perspective, significant change is happening too. In June 2023, the UK’s Payment Systems Regulator (PSR) announced that when authorized push payment (APP) fraud happens, the sending and receiving firms will both be equally liable, 50:50, for reimbursing the customer within just a few days.

I believe this sets the kind of precedent that we saw when card-present liability changed in 2015. The PSR model is simple and puts the burden of fraud management on both originating and receiving institutions. How to protect the reimbursement process from being defrauded itself remains an open question, but the basic model seems fair enough on the surface to be adopted and implemented by regulators around the world.

If and when that happens, banks will need to be ready because the number of RTP fraud incidents and the losses involved keep going up. The latest data from the Federal Trade Commission (FTC) says US consumers lost almost $9 billion to scams in 2022, which was 30% more than 2021.

The Open Question of “What Happens Next?”

Whether or not we will get the same kind of regulatory intervention and liability shifts in the U.S. as we’ve seen in our counterparts across the Atlantic remains to be seen. But fraud leaders would be wise to begin to shore up their defenses regardless, not only to prepare for any potential changes but also to deliver the best possible scam protection and experiences for their customers today.

The key to minimizing or stopping RTP fraud is to look beyond the technical question of whether a payment is authorized, and look instead at the customer scenario and whether the payment makes sense. This requires sophisticated analytics and a deeply informed view of your customers and their typical behaviors.

If an in-progress transaction shows a high propensity to be associated with a scam, the next step is communicating with customers in real-time via the channel they prefer — text or phone call especially in this case, because they’re immediate and can help break the spell of a fraudster. And finally, if fraud is detected, a transaction can be stopped – either with customer consent, automatically based on institutional risk tolerance, or a combination of the two.

The good news is that customers want better detection and when real-time payment fraud is detected, most would prefer their bank to stop it right away. In FICO’s 2023 Scams Impact survey, we found 77% of banking customers worldwide would like their banks to provide better fraud detection and fraud prevention capabilities.

When scams are detected, 70% of customers say they would feel positive if their bank stopped the payment, and another 21% would feel neutral about it. As a result, banks have much to gain from better detection and prevention of real-time payment scams — the more they stop, more customers will feel better as the bank scams bill shrinks.

How FICO Helps Fight Real-time Payments Fraud

• Explore FICO’s comprehensive fraud protection technology
• Discover how seamless, real-time customer communications can help stop fraud
• Learn more about FICO’s award winning, machine learning retail banking model with scam detection score
• Read the FICO 2023 Scams Impact Survey

For more of my latest thoughts on fraud, financial crime and FICO’s entire family of software solutions, follow me on Twitter @FraudBird.