This is the first in a series of three blog posts addressing the changing landscape of P2P payments. Follow-up posts will address the growing trend ACH Fraud through third parties and the effects of data breaches on P2P fraud.
The fast-moving world of P2P has been a whirlwind of changes since the first introduction by PayPal in the 1990s. Payments, like all areas of technology, continues to evolve and improve in speed and convenience for its end users. But with this evolution and change comes risk. As the financial services industry struggles to keep up, fraudsters are exploiting changes and the inevitable risk those changes bring.
One of the challenges of P2P technology is the immediacy of the payment. While that may seem to be a benefit for consumers, it can be a double-edged sword. This immediacy means that once initiated, the payments are virtually irrevocable. Traditionally, this has been a problem only for the issuing bank. The receiving bank had no role in stopping fraud, or even being very involved in these push transactions. This fact did not escape the notice of fraudsters and what is known as "Authorized Push Payment" (APP) fraud became a very large challenge in the United Kingdom. Authorized push payment fraud occurs when consumers or individuals at a business are tricked into sending payments under false pretenses to a bank account controlled by fraudsters. Since payments made using the schemes are unable to be recalled, the victims cannot reverse a payment once they learn of the deception.
These types of fraud, referred to as Consumer Authorized Fraud (CAF) here in the United States, take additional forms and can utilize such P2P services such as Zelle, Venmo and Cash App. A common fraud involves the sale of a phantom item. In these phantom sales, a buyer would make payment through a peer-to-peer payment service to the seller for an item listed on an electronic ad board, and never receive the promised goods. Since these payments are irrevocable, the risk for the fraudster is much lower. In many cases, the fraudster pulls the funds from their bank account and closes that account before the victim can respond. In most cases, banks and service providers recommend only making payments to known parties. Setting up new payees on these services that are unknown creates additional risk. Losses on these services can occur quickly. Timelines can be minutes in which monies are sent, cashed out and bank accounts abandoned.
Other fraud scenarios in the P2P space can include vendor identity fraud where our fraudster redirects the payments from a legitimate account to a fraudsters account. In addition, Zelle payments have driven as much as 90 percent fraud rates in its brief history – not something any financial institution wants to repeat.
The reality is that, in the fight against fraud, our best weapon is working together to fight the risk. To that end, industry data sharing and consortiums, knowledge sharing and developing best practices are critical. We all want to stop the attacks and we must look at the problem more critically than we may have been to date. In the payments world, the burden has been placed on the originating FI and the customers. Working together to help mitigate the risk of these fraud attacks is our best option to stop the escalating number of unique and specialized fraud attacks.
In the UK, the serious nature of payment trends did not go unnoticed by the banks or the regulators. The Payment Systems Regulator (PSR), seeing that consumers were losing money, prepared to address solutions in the way of new regulatory requirements involving contingent reimbursement models. These models addressed several scenarios in reimbursement of funds. The belief of the PSR was that making banks more accountable in these situations would force better standards and focus on reducing the impact of the frauds.
Interestingly, banks in the UK largely agreed with the contingent reimbursement model and the UK is undertaking a CoP model to help reduce consumer risk. The UK model is one that should be looked at in the U.S. market, and used as a model to determine effectiveness and usability in this country. The industry in the UK worked together in addressing this problem. Banks on both sides of the transaction are working together to provide assurances to customers to help curb the rising tide of fraud. Whether the U.S. adopts the same model is not as important as the industry and regulators working toward a workable solution that brings balance to the system.