This is the second in a two-part series exploring the fraud threats associated with Canadian Payments Modernisation.In this instalment we will outline some of the actions that FI's can take to address these threats.
What are the likely implications of Real Time Rail (RTR)?
The Real Time Rail (RTR) is a significant development for Canada's payment systems, and I think some may be surprised at how real time payments take off once this approach is in place. The UK experience shows, as does Zelle in the US, that there is often a large increase in the usage of a real time payments once the capability is live. This is not only in the early stages, but even in a mature infrastructure, as new use cases come about, along with migration from cash and cheques, and cannibalisation of existing batch payments and those of an RTGS.
For example, the faster payments service (UK) saw 300m more payments in 2018 than 2017, a 17.5% increase, 10 years after launch. Payment value also increased to £1.7tn from £1.4tn. This is in part due to an increase in the scheme limit migrating more corporate payments from slower batch payments (BACS) or more expensive RTGS payments (CHAPS). Q1 2019 is showing similar increases over 2018. This really demonstrates that if you build it, they will come.
It is likely that this could be very fast growth in Canada, as online and mobile banking usage has increased massively in recent years and EFT usage in Canada is high (65% of Remote payments volumes1) and ripe for migration to the RTR.
So recapping, the key impacts from a fraud point of view of the RTR will be:
What can banks do to mitigate these threats?
- Fraudsters will attack fast and hard and exploit silos between rails and channels, increasing losses quickly
- Customers will migrate to faster payments and both volume and value will increase quickly, creating significant impacts on alert volumes and false positives, increasing operations head count and negatively impacting customers
- Migration to social engineering and authorised fraud, brings greater interest from the regulator
There are at least five areas in which Canadian banks must focus to protect their customers and themselves:
- Banks need to profile
all the transactions, both payment and non-monetary along with the extra information that goes with the payment on the ISO message, that may have invoice details.
- Banks must build out a 24/7 fraud operations area, staffed with the right number of people at the right time. This is especially important since Canada's time zones cover 4.5 hours and different fraud typologies happen at different times of day, e.g. Social engineering is during the day. To cope with increasing alert volumes, improve efficiency by using Intelligent Routing, Smart Automation and Visual Storytelling.
- Banks must enrich transaction data with additional information such as device and behavioural biometric data. This can then be utilised by applying advanced analytics to create models to detect both Account Takeover frauds and social engineering/ authorised fraud to protect customers and the bank.
- Multi-factor authentication (though preferably not SMS as this has lots of issues such as SIM Swap to contend with) built in conjunction with profiling, can bring security with the right amount of friction.
- Last, make sure the system has the performance to cope with higher and higher volumes of payments as real time payments take off fast.
My whistle-stop tour of Canadian payments modernisation shows that moving to real time payments brings new fraud challenges to go along with the new business opportunities, payments innovation and improvements in efficiency that it will also bring. However, by making the right investments early on in terms of fraud-focused technology, Canadian banks can make the most of these opportunities, keep losses down and only introducing a modest amount of friction to their customers.