Fighting Real-time Payment Fraud
A Continual Process, Not A Quick Fix
Recently the New York Times wrote an article entitle Fraud is Flourishing with Zelle: Banks Say it is Not Their Problem. As you’d imagine, it was a well written article, and highlights a very real problem. Yet like many publications that appeal to the mass audience, there are details that may seem picky, but which go a long way to explain the situation. There have been a number of blogs which have muddied the water further!
Key to note is that fraud exists in every payment type, and more importantly, there will ALWAYS be fraud in EVERY payment system. It is simply impossible to remove. There are a number of things that made Zelle standout in this instance – and indeed, launching any real-time payments system. First, it is instant - it becomes much harder to detect and catch. Not impossible, but cetainly harder. Second, they’re good funds – once they hit the recipients account, the money is usuable by the recipient straight away, and it’s rare that they are reversed, so the pressure is on the sending bank to check. See point one! Third, it’s new. For most, this is the first new payment type they’ve launched in over 30 years. While we’ve had 50+ years experience of fraud in other payment systems to hone our tools and skills.
One of the most frequent questions we get at Celent about real-time payments from the US is fraud, and all point to the UK as “proof” that it’s a major issue. Fraud certainly exists. But equally some of the issues highlighted were day 1 learning issues. A number of banks didn’t think the end-to-end process through, and frankly, some paid the price. The analogy I would use is that if you leave your car in the street, with the keys in the ignition, and a big neon sign pointing to it saying steal me, it perhaps shouldn’t be a surprise that, well, someone does. By not thinking through browser security, how you set up and validate new payees, operating 24/7, it’s no wonder fraudsters realised that there were weaknesses in the system. I’m not blaming banks – they didn’t do this deliberately – but highlighting that this is a learning curve for everyone, banks included, and that the learning curve continues for, well, the next 50 years.
The other point is that many, if not most, of these frauds are not to do with Zelle (or indeed any payment system), but use Zelle for the final part of the plan. Social engineering, business email compromise, etc are wide spread and use all payment systems (see my report on this: Stepping Up Against Authorized Fraud: Strengthening Trust In The Payments Process). To use another car analogy, it becomes a little like blaming a car manufacturer for a bank heist because one of their models was used as the getaway vehicle.
There is a certain sympathy then for banks – customers are expecting them to reimburse them for mistakes they the customer have made. While sympathetic in many cases, banks are businesses, and so teh question becomes what is the banks legal responsibility. Here the regulation is both clear…and unclear. Reg E federal laws about electronic transfers specify they cover only "unauthorized" transactions. In scams where victims are tricked into providing confirmation codes to scammers, this is seen as being an authorization. The Consumer Financial Protection Bureau advised banks in 2021 what fraud types they are required to reimburse consumers over. The guidance states that banks must pay for transfers "initiated by a person other than the consumer without actual authority to initiate the transfer". Which implies most scams aren’t covered, and therefore that banks shouldn't reimburse the customer.
So what’s the answer? That in itself is a long complex answer, but can summarized as:
- The regulators need to catch-up – not just regulation, but education of both banks and consumers. The UK has a scheme that both adds a layer of security but also a layer of protection, and continues to work on it - https://www.psr.org.uk/our-work/app-scams/
- The schemes have an opportunity to do more centrally. Given the future success of the scheme will rely on consumer confidence in the scheme, its something all schemes are already working on, Zelle included
- Banks need to work together, sharing data, best practices, etc. While it can be a competitive advantage, equally there is no point plugging most but not all holes. Payments are a two-sided business – it needs to be secure and safe at both ends, and both parties have a role to play
- Finally, using the right tools to detect the fraud. Many of the tools and models were designed for the card world, but there are many that have a depth of experience in real-time payments from around the world. It becomes a false economy simply to re-use what you have because it is cheaper if it means you lose more money.