I often joke that there are 2 questions that are always asked by anyone undertaking their first steps in faster payments. Inevitably, the first is just how big is the problem with fraud in faster payments. And I used to say faster payments means faster fraud.

I don’t now because I’m not sure they appreciate the subtlety of the answer (to be fair, I’m not known for my subtle word play!).

I’m trying to convey that faster payments aren’t necessarily prone to more fraud than other payment rails, though any new rail is always vulnerable until people recognise what is “normal”. Instead it’s the fact that they expose any short-comings in processes much quicker. Or rather, instantly.

The analogy I have used is that it like blaming the manufacturer of the getaway car in a bank robbery when the bank vault uses “Password1” to secure the vault. The analogy is perhaps a stretch or exaggeration, but there is some truth in it. Anything is only as strong as its weakest element – blaming faster payments for inadequate security isn’t really fair. Often these inadequacies are exploited by the fraudsters – they spot something that banks don’t – and use faster payments for a fast getaway.

A good example is a case that doesn’t seem to have picked up much coverage outside of Brazil. In the course of 3 hours, fraudsters drained nearly $140m from the central bank accounts of 6 banks and fintechs. Many press articles have pointed out that Pix was used as the “getaway car”. Yet the fraud was the result of an employee of a banking software provider who was bribed to share his credentials. The fraudsters then used these to spoof being the settlement account holder at the central bank, and initiate payments from those accounts. Reports suggest that all the accounts targeted were emptied. As the central bank believed these were the banks moving the money, there were no transactions limits. Much of the money was then moved into crypto currency. The bribe? The equivalent of $2,700.

There are many lessons to be learned for any faster payments system. Insider fraud though isn’t new. Nor is the timing - the attack took place between 3am and 7am, outside of normal banking hours. It isn’t just customers who like 24/7/365 access! Banks – and central banks – need to be vigilant round the clock. Fraudsters will look for the weakest, wherever and when ever it presents itself.