The Authorized Fraudulent Transaction Dilemma
October 21st, 2022
Zelle, a network designed to compete with Peer-to-Peer (P2P) fintechs such as Venmo, is owned by six of the seven banks represented at the Senate Banking Committee hearing on Sept 22, 2022. Two statements from that hearing frame the debate over expanding Regulation E: Sen. Elizabeth Warren called the network “unsafe”, claiming Zelle users were defrauded out of $500 million last year; Jamie Dimon, JPMorgan Chase’s CEO, stated that “Anything that’s unauthorized, we do cover. But consumer-authorized transactions made to fraudsters are another matter.”
In some ways, banks are in a bind. Regulation E (Reg E) governs how banks handle electronic fund transfers: if a hacker logs into a customer’s bank account and sends money, the bank is required to provide a refund. But fraudsters have increasingly used the Zelle network to persuade consumers to send them money themselves. In those cases, with the real customer transferring the money, banks aren’t required under Reg E to make consumers whole.
This Authorized Push Payment (APP) fraud is still not covered by Reg E. APP fraud happens when a consumer is manipulated, through social engineering, into making a payment into an account that a fraudster controls. It comes in a variety of forms (romance scams, investment scams, invoice scams, imposter scams, etc.), but it has one common element: the consumer logs into the account and executes the payment.
But what about the Consumer Financial Protection Bureau (CFPB) saying on 12/13/2021 “Yes, P2P payments can be protected under Reg E”? If you read it carefully, the CFPB is stating that Reg E can apply to scams that lead to account takeovers, not to scams that end in authorized fraudulent transactions.
Why It Matters: Shift of Liability to Financial Institutions
In the latest Senate Banking Committee hearing on P2P Zelle, U.S. lawmakers pressed banking executives, and consumers have recently taken the banks themselves to court, triggering a wave of Zelle class action lawsuits against banks and credit unions.
The U.S. retail payments system has become increasingly complex, with a decentralized governance structure. Over the years, more non-bank firms and challenger banks (merchants, neobanks, and fintechs) have entered the payments market, competing with banks. Fraud liability is shifting onto the various participants involved in carrying out a payment transaction.
If You Can’t Define It, How Do You Mitigate Risk?
Following is an example of a Zelle fraud scheme that would be protected under Reg E.
This five-step scam defeats two-step authentication (also referred to as out-of-band authentication) by tricking the victim into handing over a one-time passcode.
- Fraudsters send text alerts to members (appearing to come from the credit union) that warn members of suspicious debit card transactions.
- Fraudsters call members who respond to the text, spoofing the credit union’s phone number, and claim to be from the credit union’s fraud department.
- To “verify the identity” of the member, the fraudster asks for the member’s online banking username and tells them that they will receive a passcode via text or email that they must read back to the fraudster. In reality, the fraudster has initiated a transaction such as the “forgot password” flow, which generates a two-step authentication passcode that is delivered to the member.
- The member provides the passcode to the fraudster, who uses it to log into the member’s account from a device not recognized by the host system.
- Upon logging into the accounts, fraudsters change the online banking passwords, then use Zelle to transfer funds to others.
In this P2P Zelle fraud, the account holder (the authorized party) was manipulated, through social engineering, into divulging sensitive information. The fraudster then took control of the customer’s account and executed an unauthorized payment. The scam is therefore classified not as “Authorized Party Fraud” but as “Unauthorized Party Fraud”, which is protected under Reg E.
Two factors to consider about bank liability under Reg E:
- To understand which P2P Zelle fraud falls under Reg E, you need a definition and a classification so fraud analysts can sort each case into the corresponding category. This is where the Federal Reserve FraudClassifier model, developed for exactly this purpose, is crucial.
- Financial institutions need machine learning and behavioral analytics risk factors that can detect account takeover in real-time as part of the chain of events, and when possible, interdict in real-time.
How to classify unauthorized vs authorized fraud
The most intuitive and straightforward tool to classify fraud is the Federal Reserve FraudClassifier™ model.
The model is a decision tree built around three questions.
Start with the first question, “Who initiated the payment?”, and follow the Authorized Party branch to see why authorized fraudulent transactions have always been a challenging issue for Reg E fraud protection. With real-time payments (RTP) such as P2P consumer or retail banking transactions, the issue is now becoming acute. And because Reg E does not cover transactions in accounts established for business purposes, RTP fraud protection for businesses depends solely on the business protecting itself.
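As an added example (not code from the original post, from NICE Actimize, or from the Federal Reserve), here is a toy real-time session scorer that turns the five-step OTP scam above and the FraudClassifier’s first question, “Who initiated the payment?”, into detection logic run over constructed event logs. It scores the account-takeover chain (password reset, OTP, new-device login, password change, first-time payee) before the Zelle transfer is released, picks a friction level, and records a preliminary answer to question one for the analyst. Event names, weights, thresholds, device IDs and payee names are assumptions for illustration; the FraudClassifier branches beyond the first question are not modeled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample sessions (not real logs): (timestamp, customer, event, attributes).
# This is the five-step scam: reset -> OTP -> unknown-device login -> password change -> transfer.
SCAM_SESSION = [
    ("2022-10-01T09:00:00", "alice", "password_reset_requested", {"device": "dev-unknown-7f3a"}),
    ("2022-10-01T09:00:05", "alice", "otp_sent", {"channel": "sms"}),
    ("2022-10-01T09:02:10", "alice", "login_success", {"device": "dev-unknown-7f3a", "otp_used": True}),
    ("2022-10-01T09:03:00", "alice", "password_changed", {"device": "dev-unknown-7f3a"}),
    ("2022-10-01T09:04:30", "alice", "zelle_payee_added", {"payee": "new-payee-1"}),
    ("2022-10-01T09:05:00", "alice", "zelle_transfer_initiated", {"payee": "new-payee-1", "amount": 2500.0}),
]
# Genuine customer, known phone, known payee: nothing to flag.
BENIGN_SESSION = [
    ("2022-10-01T18:00:00", "alice", "login_success", {"device": "dev-known-iphone", "otp_used": False}),
    ("2022-10-01T18:01:00", "alice", "zelle_transfer_initiated", {"payee": "roommate", "amount": 400.0}),
]
# Genuine customer on a new phone paying someone for the first time: ambiguous, worth a challenge.
NEW_PHONE_SESSION = [
    ("2022-10-02T12:00:00", "alice", "login_success", {"device": "dev-new-android", "otp_used": True}),
    ("2022-10-02T12:03:00", "alice", "zelle_transfer_initiated", {"payee": "plumber", "amount": 300.0}),
]

KNOWN_DEVICES = {"alice": {"dev-known-iphone"}}   # assumed device-fingerprint history
KNOWN_PAYEES = {"alice": {"roommate"}}            # assumed prior Zelle recipients
ATO_WINDOW = timedelta(minutes=30)                # how close events must be to count as one chain

@dataclass
class Decision:
    score: int
    reasons: list
    action: str      # allow | step_up | hold
    initiator: str   # preliminary answer to "Who initiated the payment?"

def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)

def decide(score: int, reasons: list) -> Decision:
    """Progressive friction: the stronger the ATO chain, the harder the interdiction."""
    if score >= 70:
        return Decision(score, reasons, "hold", "Unauthorized Party (suspected account takeover)")
    if score >= 40:
        return Decision(score, reasons, "step_up", "Undetermined (pending out-of-band challenge)")
    return Decision(score, reasons, "allow", "Authorized Party")

def score_session(events, known_devices=KNOWN_DEVICES, known_payees=KNOWN_PAYEES) -> Decision:
    """Walk a customer's events in order and score the chain at the moment of the transfer."""
    customer = events[0][1]
    devices = known_devices.get(customer, set())
    payees = known_payees.get(customer, set())
    score, reasons = 0, []
    reset_at = login_at = None
    login_device = None
    for ts, _, event, attrs in events:
        t = parse(ts)
        if event == "password_reset_requested":
            reset_at = t
        elif event == "login_success":
            login_device, login_at = attrs["device"], t
            if login_device not in devices:
                score += 30; reasons.append("login from unrecognized device")
            # The scam's tell: the OTP the victim read out was minted by a reset minutes earlier.
            if attrs.get("otp_used") and reset_at and t - reset_at <= ATO_WINDOW:
                score += 30; reasons.append("OTP came from a password reset minutes earlier")
        elif event == "password_changed":
            if login_at and login_device not in devices and t - login_at <= ATO_WINDOW:
                score += 20; reasons.append("password changed right after new-device login")
        elif event == "zelle_transfer_initiated":
            if attrs["payee"] not in payees:
                score += 15; reasons.append("transfer to first-time payee")
            return decide(score, reasons)   # interdict here, before funds move
    return decide(score, reasons)

if __name__ == "__main__":
    for name, session in [("scam", SCAM_SESSION), ("benign", BENIGN_SESSION), ("new phone", NEW_PHONE_SESSION)]:
        d = score_session(session)
        print(f"{name:10s} score={d.score:3d} action={d.action:8s} initiator={d.initiator}")
        for r in d.reasons:
            print(f"             - {r}")
```

The scam session scores 95 and is held before the Zelle payment is released; the new-phone session scores 45 and gets an out-of-band challenge; the benign session passes untouched. The point is the ordering: the same transfer that looks like an ordinary customer-pushed payment is reclassified as a suspected unauthorized payment once the reset-to-OTP-to-new-device chain is visible in the same window, which is the evidence an analyst needs to justify Reg E treatment.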
Walking payment fraud use cases through the FraudClassifier pinpoints the Reg E challenges; take this Products and Services Fraud example:
The core challenge in Products and Services Fraud is that Reg E gives consumers little protection against scams or their own mistakes, because the consumer authorizes the payment. A typical scenario is the Puppy Scam, where scammers offer a non-existent pet for sale and convince emotionally invested future pet owners to part with their personal information, their money, or both to buy the pet.
Online fraud was exacerbated by the pandemic, as more people suffered from loneliness or anxiety while also spending more time shopping and surfing online, given that many businesses were temporarily closed. The Federal Trade Commission (FTC) reported that in 2021 people lost $770 million in social media scams alone, especially romance hoaxes. Those figures are much higher than in previous years. According to the Better Business Bureau, more than a third of online shopping scam reports in 2021 involved pets.
To combat it, financial institutions need to make sure their alert and case management solutions enable use of the FraudClassifier.
As a member of the Federal Reserve Fraud Workgroup, NICE Actimize’s Xceed solution enables financial institutions to create such a taxonomy to support the first and second lines of defense in classifying unauthorized and authorized fraudulent transactions.
Technology that prevents authorized fraud
Use real-time AI risk factors to justify Reg E or non-Reg E protection. Reg E fundamentally protects the consumer only when there is an unauthorized transaction. To protect customers, it’s vital that P2P and RTP alerts on what looks like a customer-pushed, authorized payment carry the evidence to justify the classification: the authorized party was manipulated, through social engineering, into divulging sensitive information, enabling a fraudster to take over the customer account and execute an unauthorized payment.
Invest in AI real-time detection and intervention to truly prevent P2P and RTP fraud. Rule-based fraud detection alone does not keep up, even when paired with a statistical behavioral profile. Models that compute hundreds of behavioral signals and learn each customer’s digital banking and payments profile can detect a deviation in real time and trigger an interdiction with progressively increasing friction, ensuring that key criteria are met before the payment is authorized and funds move. That’s what the NICE Actimize solution, Xceed P2P Zelle Fraud Detection, does to prevent authorized fraud.
Learn how to overcome the payments dilemma and its constraints, understand why now is the time to embrace faster payments as a competitive differentiator, and, more importantly, how to safely serve your customers and members.