This is the first in a two-part series that will explore the fraud threats associated with Canadian Payments Modernisation, the implications, and what FIs can do to address these threats.
Real time payments systems and schemes, often based on ISO20022, are proliferating across the globe. Canada is now joining this group of countries, with an ambitious modernisation plan across its payments systems that is beginning to gain traction. This movement will bring in real time payments for the mass market, as well as improve clearing and settlement across batch payments and large value real time payments between banks.
Understanding Canadian Payments Modernisation
There are three main parts to payments modernisation, with ISO20022 underpinning all of these: a replacement for the Large Value Transfer System (LVTS), called Lynx, which will provide Real Time Gross Settlement (RTGS); updates to the existing clearing and settlement system (ACSS) along with a replacement system, Settlement Optimization Engine (SOE); and a brand-new payment rail, for now called Real Time Rail* (RTR).
The RTR, where the key fraud issues originate, may have the biggest impact on consumer and business payments, and on fraud. In practical terms, the RTR means that consumers and businesses will have access to real time payments directly from their online or mobile banking service. This approach builds on the current E-Transfer service, which in some circumstances can be real time. Although E-Transfer currently makes up only 1% of payments, it is growing extremely fast: volume and value grew at an average annual rate of c. 45% over the last 5 years, according to the 2018 Payments Canada Trends Report.
Embedded within the RTR will be the ability to provide alias/proxy services, allowing payments to be made without account details, perhaps with just a phone number or an e-mail address. RTR payments will be irrevocable payments, unlike Electronic Funds Transfers (EFTs) that make up the bulk of online payments, offering benefits to both sending and receiving parties.
What will this mean for Canadian Banks?
All the elements I've described so far have an impact from a fraud point of view. The inbuilt support for resolving an alias to account details, when combined with real time payment, creates a potent fraud vector that has been exploited in the case of Zelle in the US. The richer messaging formats and support for services, such as request for payment, offer clear benefits, but can clearly be exploited by fraudsters, especially in the case of social engineering.
The biggest fraud threat will come from the take-up of real time payments itself. Once the Real Time Rail (RTR) is in place, consumers will move many of their current batch (EFT) payments to the RTR, alongside organic growth and the supplanting of cash. This means large volumes of payments will move from revocable to irrevocable, with significant impact for fraud.
It won't just be genuine customers who take to real time payments; it is almost inevitable that fraudsters will increase their attacks on the RTR, as they have in other markets. The combination of these two factors means that it is hard to spot the fraud without impacting lots of genuine customers, whether through fraud, greater friction, or delayed or declined payments.
This was certainly the UK experience, where there was a 132% increase in online banking fraud in the year Faster Payments was introduced (2007 vs 2008). This has since increased to £152m, according to UK Finance's Fraud the Facts 2019, with preventions of £318m.
As the banks have invested more in prevention, fraudsters have switched to targeting customers with increasingly sophisticated social engineering scams, both to gain credentials and to get customers to move the money themselves. In the UK, £354m was lost in 2018 to authorised fraud, predominantly social engineering, that may or may not have been refunded by banks.
Now that we know we have a real problem to face as fraud threats mount, we need to assess ways to mitigate those threats.