Fed Fraud Definitions WG: An Important First Step Towards Collaborative Fraud Fighting
September 27th, 2019
Thanks to standardized fraud reporting in the UK, we know that Authorised Push Payment (APP) fraud makes up around a third of all UK banking and payments fraud. At £354.3 million, it’s larger than remote banking fraud by about 2.5 times and has increased substantially since the first proper recording in 2017.
As I covered in my first blog, APP fraud is the main fraud issue in the UK at present. Following a ‘Super Complaint’ by the UK consumer group Which? in late 2016, the scale of fraud targeting consumers led to a new definition of APP.
The key difference from more traditional fraud types is that it is the customer who authorises the payment, not the fraudster. This usually means it’s treated as a scam against the customer, making that customer liable for losses, not any of the FIs involved.
In the UK, authorised fraud is no longer being treated as just a scam, where it’s the victim’s fault for being naïve. Since 28 May 2019, a new voluntary code has been in force for eight banks representing over 90 percent of transactions, under which victims are refunded and the banks are liable. In Europe under PSD2, firms must also report on cases where the payer has been manipulated, although it is clear under PSD2 that only unauthorised frauds must be refunded within one business day.
It’s not just the UK – there is plenty of anecdotal evidence of rising authorised fraud in the Nordics, many Zelle and Venmo frauds in the U.S., and Business E-mail Compromise (BEC) and romance scams across the world. Though we don’t have standardised reporting for the U.S., the recent FinCEN report makes it clear that BEC, a type of authorised fraud, is reaching endemic proportions of around $3.6 billion in 2018.
Because authorised fraud is not usually refunded as fraud by FIs, though sometimes there is a refund as a gesture of goodwill to avoid bad publicity, the true scale is not captured or fully understood.
Yet, authorised fraud has large negative impacts on both consumers and businesses. These can be life changing as life savings are lost, for example when completing a house purchase, or through elder abuse scams. For businesses, a BEC can bankrupt them and cause a loss of livelihood for many people.
The Federal Reserve is currently consulting on fraud definitions and appears to be looking to include an authorized typology. This was discussed at the recent Fraud Definitions Work Group meeting, where attendees agreed that there are benefits to moving to standardised definitions.
Such definitions are a great idea and should cover all the payment rails: ACH, Wire and the new TCH RTP. It is also worth providing additional data to cover the split between a direct payment and a payment made as settlement for Zelle, Venmo, PayPal or even checks.
In the first instance, it’s more important to get the typologies agreed upon than to have the low-level detail on the split by channel or payment type. Those splits will often indicate where the money leaves, not the point of compromise.
The key purpose of this type of data is to understand which areas to focus on and where to add additional controls. In the UK, sharing intel based on this sort of management information (MI) is important to tackling fraud at the industry level. For example, with the rise of APP, investment was made in the Take 5 Campaign to help customers realise when they are being scammed.
Concentrating on all typologies rather than purely unauthorised frauds will allow better segmentation and the use of different predictive variables for each group. For example, Device ID is a good predictor for account takeover (ACTO) but not for BEC, where behavioural biometrics are strong.
To support this, firms need to start splitting out and recording all the fraud types, even if not refunded, to allow for improved model builds. A simplistic way of splitting would be as follows:
- Account Takeover (ACTO)
- Social engineering (unauthorised)
- Malicious re-direction (e.g. BEC)
- Malicious payee (e.g. romance)
A prevented fraud takes much less time to deal with than an actual fraud, even where the FSO doesn’t have the liability, so prevention can reduce operational costs. Customers are also more likely to recommend the organisation, increasing its Net Promoter Score (NPS). This could be utilised as part of the marketing strategy to show that a bank is better protected than other banks against authorised fraud.
However, given banks are not usually liable, why should they be interested in authorised fraud? Regulators will start to take an interest in the U.S., as they are in the UK. They will be interested not just because of the customer and economic detriment, but also the money laundering and FATF impacts, as each of these frauds is money laundering once the funds have moved to another account. The latest OCC Bulletin already shows that fraud is becoming more of a regulatory issue in the U.S., too.
FIs need to think of the negative impacts to themselves if they do not properly tackle authorised frauds along with unauthorised. Along with the potential to be forced to do something by regulators, there are also the significant operational costs of dealing with the frauds, even if these are not refunded. Further, for FIs with corporate victims, there can be a negative impact on bad debt as firms default because of the fraud, if it is not refunded.
This can also impact customers’ perceptions of FIs and the take up of lower cost digital channels, further impacting the P&L.
Standardising typologies helps all parties in the ecosystem to be clear on what is happening over time, with fraud rates for different rails and movement of fraud between rails, e.g. same day ACH to RTP. It also allows resources, tools and education efforts to be directed to the most appropriate places to find out what works and what doesn’t.
Taking these steps will help banks, regulators and the public understand the harm these frauds cause and enable investment cases to reduce the negative impacts. This will also help target the money mules and laundering rings and show the clear link between AML and fraud and the need for more convergence.