Central bank sponsored real-time payments are proliferating across the globe and with the recent announcement by the U.S. Federal Reserve, this will soon reach the U.S.
This announcement from the Fed promises to provide widespread adoption of real-time payments and not be limited to P2P or be heavily corporate focused. This is great news for consumers, as it will allow further innovation in payments, paving the way for new services, lower banking costs and increased efficiency.
As we've seen in other countries, such as the UK, with real-time payments comes increased fraud losses. It's likely the largest fraud threat will come from the take up of real-time payments itself. Once the new Fed service is up and running, there will be a significant move by consumers for many of the current same-day ACH payments to move across, as well as organic growth and supplanting cash and cheques. This means large volumes of payments will move from revocable to irrevocable, with significant impact for fraud.
For example, the faster payments service (UK) saw 300 million more payments in 2018 than 2017, a 17.5 percent increase 10 years after launch. Payment value also increased to £1.7tn from £1.4tn. This is in part due to an increase in the scheme limit migrating more corporate payments from slower batch payments (BACS) or more expensive RTGS payments (CHAPS). Q1 2019 is showing similar increases over 2018. This really demonstrates that if you build it, they will come.
It won't just be genuine customers who will take to real-time payments - it's almost inevitable that fraudsters will increase their attacks on the Fed service as they have in other markets. The combination of these two factors means that it's hard to spot fraud without impacting many genuine customers, either in terms of fraud, greater friction or delayed or declined payments.
This was certainly the UK experience where there was a 132 percent increase in online banking fraud in the year faster payments was introduced (2007 vs 2008). This has since increased to £152 million, according to UK Finance's Fraud the Facts 2019, with preventions of £318 million. That equates to a 1 basis point (bps) fraud rate.
As the banks have invested more in prevention, fraudsters switch to targeting customers with increasingly sophisticated social engineering, such as BEC and romance scams, both to gain credentials and get customers to move the money themselves. In the UK, £354 million of authorised fraud, predominantly social engineering that may or may not have been refunded by banks, was lost in 2018. This is a further 1.5 bps fraud rate.
Now that we know there are real fraud threats to face, we need to assess ways to mitigate those threats.
What can banks do?
There are five areas in which banks must focus to protect their customers and themselves:
- Banks need to profile all transactions, both payment and non-monetary, bringing as much detail of the transaction as possible into the fraud engine.
- Banks must build out a 24/7 fraud operations area, staffed with the right number of people at the right time. This is especially important when covering varying time zones, as fraud typologies can happen at different times of day, e.g. social engineering is during the day. To cope with increasing alert volumes, improve efficiency by using intelligent routing, smart automation and visual storytelling.
- Banks must enrich transaction data with additional information such as device and behavioural biometric data. This can then be utilised by applying advanced analytics to create models to detect both Account Takeover frauds and social engineering/authorised fraud to protect customers and the bank.
- Multi-factor authentication (though preferably not SMS, as this has many issues such as SIM Swap to contend with) built in conjunction with profiling, can bring security with the right amount of friction.
- Last, make sure the system has the performance to cope with higher and higher volumes of payments, as real-time payments take off quickly.
To learn more about combatting real-time payments in the UK, download our white paper: The Moment for Implementing Real-Time Inbound Payment Profiling is Now: Are you ready to manage the AML issues?