Fraud Protection & Compliance
The Clearing House Association announced in January 2020 that on February 1st the limit for a single transaction using its RTP scheme will increase from its current $25,000 to $100,000. US payment schemes operate in a uniquely competitive environment. The Clearing House Association’s RTP - as well as The Automated Clearing House - offer same day clearing and the Federal Reserve is looking to launch instant payments with its FedNow scheme in 2023. These schemes compete with each other and want to take business from wire transfer schemes such as FedWire and CHIPS. Users of wire transfer schemes can find them difficult to set up and expensive to use, but higher transaction values are important to them. To compete against them, real-time payment schemes need to offer higher value transactions coupled with ease of use and lower costs. As new schemes launch, there is a land grab for market share. Competitors need to connect as many banks as possible, as quickly as possible, and make their offerings attractive to both businesses and individuals. Operators of real-time payment schemes need to make sure that their drive for market share doesn’t lead to fraud concerns being overridden by competitive instincts.
For many consumers and businesses, the ability to quickly send money directly from their bank account is a win in terms of convenience, but it isn’t without risk, when it comes to fraud and other types of financial crime. Once a real-time payment is initiated it is typically irrevocable – it cannot simply be recalled, something that criminals take advantage of. The ability to move money through multiple accounts quickly, makes it difficult for law enforcement to track criminal proceeds. Increasing the limit to $100,000 makes related financial crime even more attractive to criminals and also means that people could lose life-changing sums if they become a victim of fraud.
How RealTime Payments Impact Financial Crime
Criminals use real-time payment schemes to commit fraud for direct financial gain or to facilitate other crime:
Authorized Push Payment Fraud
This happens when criminals use social engineering techniques to trick individuals or representatives of businesses to send money to them. It has been named ‘authorized’ because the legitimate account holder is initiating the payment. The transaction itself is not fraudulent, but the scam that caused the person to make the payment is the fraud. It is not a new type of fraud, but the speed in which criminals can access the money they have scammed and the irrevocable nature of such payments makes it more attractive. There are several variations on this crime including:
- Scams aimed at consumers: fraudsters trick people into sending money to them, common examples include: romance scams, fake lottery wins and criminals pretending to be from a bank’s fraud department and persuading their victims they need to transfer their money to a new account – which the fraudster controls.
- CEO fraud: in this example, email in a business is intercepted and an employee that can make payments on behalf of the business receives an email that looks like it came from their CEO or other senior employee. The invoice directs them to make an urgent payment, the criminals manage to convey compelling and believable reasons why they must do it immediately, and - thinking the message has come from a senior official - employees may follow the instructions.
- Fake invoice fraud: both individuals and businesses can become victims of this type of fraud. Criminals find out enough about their target to send them an invoice that looks like it came from a legitimate supplier. For example, someone could get an invoice that looks like it’s from their child’s school or a business could get one that looks like it’s from their stationery supplier. In both cases the bank account details on the invoice belong to the fraudster. As businesses generally have the bank account details of their suppliers on record, fraudsters may use a variation on this scam where they send a ‘change of bank account details’ letter that looks like it’s from the supplier. When the organization attempts to pay a legitimate supplier’s invoice, they are instead sending money to the fraudster.
Authorized push payment frauds rely on creating a sense of urgency that pushes victims to act before thinking. Unfortunately, even if they realize their mistake within seconds, the irrevocable nature of the payment makes retrieving lost money difficult if not impossible.
Money Laundering and the Rise of the Money Mule
Real time payments give criminals the unprecedented ability to quickly move money through multiple accounts thus concealing the origins of their funds and moving them beyond the reach of law enforcement. To do this, criminals need access to many accounts to hop their ill-gotten gains through the system. Countries such as the UK that have had mass adoption of real-time payment schemes for many years have seen the rise of money mules; people who allow their accounts to be used by criminals for money-laundering purposes. Unfortunately, people are tempted into this crime without realizing the implications - in some cases they don’t even realize it is a crime. Criminals target those in society who are open to easy money and are perhaps a little naïve – students and school children as young as 11 have been particularly vulnerable. Real-time payments are used in this way not only to launder the proceeds of the authorized push payment frauds previously mentioned, but also to launder money from some of the most serious crimes such as people trafficking, terrorism and the drugs trade.
Account Takeover Fraud
The ability to move money out of accounts instantly makes account takeover fraud more attractive to fraudsters. Meanwhile, constant data breaches mean that fraudsters have access to account details that they can simply buy on the dark web. Financial institutions that are overly reliant on usernames and passwords to protect accounts are particularly vulnerable to account takeover. Unlike authorized push payment fraud, although the customer may have the initial nasty shock when they find their account has been emptied it is the bank that will ultimately shoulder the loss. With the proceeds of the account takeover bounced through other accounts, at other financial institutions recovery of funds is virtually impossible.
Ultimately criminals need access to the funds they have stolen or laundered using the real-time payments schemes. They need accounts they fully control and can use to extract cash or spend from. This need leads to increased application fraud. If their illicit funds are traced, the criminals do not want the accounts they control to be in their own identity, so they open accounts using stolen or synthetic identities. To spread risk, allay suspicion and to deal with the large sums they are moving through the banking system they need many such accounts, and this can lead to mass fraudulent account applications.
Tackling Fraud in Real Time Payments
None of the financial crimes I have outlined are new, but advances in real time payment systems (speed and higher transaction limits) have served to drive criminals to leverage the payments infrastructure and the result is a sharp increase in certain types of fraud. Authorized push payment fraud, in particular, demands an increased focus and a new approach for stronger fraud detection and mitigation. In my next blog I will outline the steps that industry bodies, the payment schemes, and the banks can take to protect customers, financial institutions, and society as a whole.