Fraud continues to challenge the payments industry. In a recent survey of our banking contacts, we asked the participants about their payments priorities, which could be broadly grouped into payments innovation and payments modernisation agendas. Payments fraud management came top of the modernisation agenda and second overall, with 42% respondents viewing it as a priority.
However, as more of the global payments migrate to real-time, the nature of fraud is also shifting. In the US, there are heated debates about how much of a problem is Zelle fraud and what to do with it. And here in the UK, the regulator is tightening the screws on how the banking industry deals with Authorised Push Payment (APP) fraud.
APP fraud has been the fastest growing category of fraud for some time now in the UK, and in 2021, overtook cards to become the largest, with £583.2 million of reported losses. In cards, a fraudster is typically attempting to charge the transaction amount to card numbers stolen from legitimate customers. Here, the customers are tricked into authorising to send money to fraudsters, who might impersonate a genuine third party, such as a government tax authority, or scam the individuals, for example, with bogus investment opportunities. Most such payments are instant and irrevocable, so getting money back is impossible.
To help customers, banks in the UK have been educating people and investing into industry-wide solutions, such as Confirmation of Payee. Many of the larger banks have also signed up to a voluntary Contingent Reimbursement Model (CRM) Code to willingly reimburse the victims. And yet, despite these efforts, APP fraud grew 39% in 2021, with 53% of all losses not being reimbursed.
Now, the UK Payment Systems Regulator (PSR) wants to go a step further and has been consulting the market on proposed changes in legislation. The regulator has set out three important measures on how to prevent APP scams happening in the first place and also protect people who do fall victim to them:
- Measure 1 involves the publication of scam data.
- Measure 2 tasks the industry with improving intelligence sharing.
- Measure 3 deals with wider reimbursement for APP scam victims.
For example, for Measure 1, PSR will require 14 largest payment service provider (PSP) groups (the 12 largest in the UK, plus two in Northern Ireland) to provide six-monthly data on APP scam performance on three metrics:
- Metric A: The proportion of APP scammed customers who are left – fully or partially – out of pocket.
- Metric B: Sending PSPs’ APP scam rates.
- Metric C: Receiving PSPs’ APP scam rates, net of recoveries.
On Thursday last week, the PSR published the proposed revised approach to the process of collecting data for Metric C.
However, the biggest forthcoming change is around Measure 3 and reimbursing the APP scam victims. Under the proposals, banks would be required to reimburse customers in all but exceptional cases on payments over £100, with an excess of no more than £35. Importantly, today the sending banks bear 95% of the reimbursement costs; the regulator is proposing that the reimbursement costs should be shared 50-50 between the sending AND receiving banks. This would highly likely drive an increase of fraud risk and loss exposure for most banks in the UK banking industry.
Making the receiving banks liable for reimbursing customers of another bank might appear strange at first glance. However, APP fraud wouldn’t exist without fraudsters controlling an account on the receiving end, known as a “mule account”. The fraudsters often control a chain of mule accounts, rapidly moving funds between them and ultimately to a difficult-to-track destination, such as a crypto wallet or a foreign account in a different jurisdiction.
Reducing the risk of hosting mule accounts is difficult and there is no silver bullet, but a combination of controls, tools, and techniques can help prevent accounts going rogue in the first place, as well as detect those that have become mules as early as possible.
Identity proofing techniques that deliver strong identity assurance can prevent opening accounts under false identities. Strong customer authentication can also be effective at preventing account takeover. However, the hardest thing is to detect the moment when legitimate accounts become mules, which, unfortunately, happens much too often. For example, some people may lack financial awareness or, worse, might be interested in “quick cash”, especially when economic conditions are tough, and may willingly “lend” their account for illicit transactions. Others might fall prey to fraudsters unwittingly. That is why monitoring transactions in real-time for any anomalous patterns is essential. Banks need to build a full picture of customer’s activities and focus not just on outgoing, but also on incoming payments. Of course, doing it at speed in real-time is impossible with manual reviews and old-fashioned rule-based algorithms; AI and machine learning are key technologies required.
If the regulator proposals are adopted, sophisticated real-time anti-fraud tools will become a must for the UK banks. However, banks in other jurisdictions don’t have to wait for their regulators to act and should also tackle the push payment fraud problem now before it gets out of hand.