Fighting Fraud Faster: Responding to a Growing Challenge
December 20th, 2022
Rampant inflation, unprecedented energy bills, rising interest rates, and now, at least in some markets like the U.K., rising taxes—to say that many businesses and individuals are feeling the squeeze is an understatement. Many developed economies are either in a recession, or on the brink of it, and the ongoing geopolitical tensions only add to the uncertainty.
This is very much on the minds of bank executives as they look ahead to 2023. At Celent, we recently published our technology trends “previsories”—forward-looking reports outlining bank imperatives in 2023. To help inform these, we ran an online survey inviting our industry contacts to share their views. When we asked which social, geopolitical, and macroeconomic factors have the biggest influence on 2023 technology strategy:
- 64% of respondents chose “cost of living challenges”
- 43% chose “geopolitical tensions”
- 40% chose “great resignation and recruitment challenges”
While topics such as climate change, diversity, and inclusion continue to resonate, in the short term banks are thinking about how to deliver for customers in times of need. Not surprisingly, we called out identifying and supporting vulnerable customers—the numbers of whom we expect to grow over the next year—as one of the imperatives for 2023.
Another imperative we highlighted was to address the growing fraud problem. In our survey, we asked the participants about their payments priorities, which could be broadly grouped into payments innovation and payments modernisation agendas. Payments fraud management came in at the top of the modernisation agenda and second overall, with 42% of respondents viewing it as a priority.
Why does payments fraud remain a growing problem? The industry seems to be coming to grips with card-not-present fraud, which, according to the UK Finance Annual Fraud Report 2022, declined by 8.7% last year, mainly due to the growing adoption of Strong Customer Authentication (SCA) techniques. However, fraudsters never stand still and continually evolve; as one fraud vector starts to close off, another opens up.
Authorised Push Payment (APP) fraud has been the fastest growing category of fraud for some time now in the U.K. In 2021, it overtook cards to become the largest category, with £583.2 million of reported losses. APP fraud occurs when customers are tricked into sending money to fraudsters, either as a result of a scam, such as a bogus investment opportunity, or by fraudsters impersonating a genuine third party, such as HMRC. The problem is that the account holder has willingly authorised the transaction; the fraudster hasn’t taken over the sender’s account. And considering that most such payments are instant and irrevocable, getting money back can be a problem. You might succeed if you made a mistake with an honest counterparty, but good luck if it’s a fraudster at the receiving end of that transaction!
It’s a big concern for the banking industry. While they’ve had no legal obligation to reimburse victims who fall for these scams, having upset customers is not a good business practice. In the U.K., banks are educating people and investing in industry-wide solutions, such as Confirmation of Payee. Many of the larger banks have signed up to a voluntary Contingent Reimbursement Model (CRM) Code. And yet, despite these efforts, APP fraud grew 39% in 2021, with 53% of all losses not being reimbursed.
Now, the U.K. Payment Systems Regulator (PSR) wants to go a step further and has a consultation in the market on a proposed change in legislation. Under the proposals, banks would be required to reimburse customers in all but exceptional cases on payments over £100, with an excess of no more than £35. Importantly, today the sending banks bear 95% of the reimbursement costs. The regulator is proposing that the reimbursement costs should be split 50-50 between the sending AND receiving banks. This would likely drive an increase of fraud risk and loss exposure for most banks in the U.K. banking industry.
Why should the receiving banks be liable? After all, it’s the customer of a sending bank that authorised the transaction. True. But APP fraud wouldn’t exist without fraudsters controlling an account on the receiving end. Maybe they opened that account under a stolen identity or persuaded another person to participate in their scheme. They might also take over the account without the genuine customer’s knowledge, by gaining access to it using social engineering tactics or dark web data. Either way, such “mule accounts” are often only a staging post before money leaves the account again for an onward journey. Ultimately, funds are transferred to a difficult-to-track destination, such as a crypto wallet or a foreign account in a different jurisdiction.
So, what can the receiving banks do to reduce the risk of hosting mule accounts? Unfortunately, there’s no silver bullet, but a combination of controls, tools, and techniques can help prevent accounts going rogue in the first place, as well as detect those that have become mules as early as possible.
The first line of defence is during the account opening stage: identity proofing techniques that deliver strong identity assurance, making it less likely that the account would be opened under false identities. Early account monitoring is also crucial: is the account behaving “normally”, e.g., does it arrange for regular deposits and what sort of payees get added? Are there any anomalies with the devices being used?
Strong customer authentication can also be effective at preventing account takeover (ATO), but a legitimate account becoming a mule is much harder to detect. Some people might be receptive to promises of quick and easy money, especially when economic conditions are tough. They may willingly “lend” their account to a fraudster to be used for illicit transactions. Others might fall prey to fraudsters unwittingly, perhaps as part of the APP scam. To complicate matters further, the customer demographic is not a reliable indicator: for example, while students and young people may lack financial awareness and might be interested in “quick cash”, fraudsters might target seniors instead, as they are likely to have had their accounts for a longer time period and transacted larger sums of money.
Though mule accounts can be very difficult to detect, monitoring transactions in real time for any anomalous patterns is essential. The key is to focus not just on outgoing, but also on incoming payments. That gives banks the opportunity to monitor a payment’s end-to-end journey and build a fuller picture of each customer’s activities. Of course, doing it at speed in real time is impossible with manual reviews and old-fashioned rule-based algorithms; AI and machine learning technologies are required.
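The "staging post" pattern described above can be expressed as per-credit features that join incoming and outgoing payments on the receiving account. The following is an added example, not code from the original article or from Celent; the ledger layout, the two-hour window and the sample transactions are constructed assumptions, and the output is meant as model input rather than a fraud verdict.

```python
from datetime import datetime, timedelta

def pass_through_features(ledger, window=timedelta(hours=2)):
    """Return one feature row per incoming credit on a single account.

    ledger: list of (timestamp, direction, amount_gbp, counterparty) with
    direction "in" or "out". Layout and window are assumptions of this example.
    """
    ledger = sorted(ledger, key=lambda tx: tx[0])
    # First time the account ever paid each counterparty.
    first_paid = {}
    for ts, direction, _, cp in ledger:
        if direction == "out":
            first_paid.setdefault(cp, ts)
    rows = []
    for ts, direction, amount, sender in ledger:
        if direction != "in":
            continue
        # Outgoing payments that leave shortly after this credit arrives.
        onward = [tx for tx in ledger
                  if tx[1] == "out" and ts < tx[0] <= ts + window]
        forwarded = sum(tx[2] for tx in onward)
        rows.append({
            "credit_at": ts,
            "sender": sender,
            # Share of the credit that moved on within the window (capped at 1).
            "forwarded_ratio": round(min(forwarded / amount, 1.0), 2),
            # Minutes the funds rested before the first onward payment.
            "dwell_minutes": ((onward[0][0] - ts).total_seconds() / 60
                              if onward else None),
            # True if an onward payee had never been paid before this credit.
            "new_payee": any(first_paid[tx[3]] > ts for tx in onward),
        })
    return rows

# Constructed sample ledger: a salary credit and rent, then a large credit
# from an unfamiliar sender that is moved on almost immediately.
T0 = datetime(2022, 12, 1, 9, 0)
LEDGER = [
    (T0 - timedelta(days=10), "in", 1500, "EMPLOYER-PAYROLL"),
    (T0 - timedelta(days=9), "out", 600, "LANDLORD"),
    (T0, "in", 4000, "UNKNOWN-SENDER-1"),
    (T0 + timedelta(minutes=12), "out", 3800, "EXCHANGE-WALLET"),
]

if __name__ == "__main__":
    for row in pass_through_features(LEDGER):
        print(row)
```

A high forwarded ratio, a short dwell time and a first-time payee together describe the end-to-end journey that looking at outgoing payments alone would miss.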
One other weapon in fighting mules and APP fraud worth mentioning is collaboration. The transaction monitoring needed to detect mule accounts overlaps with anti-money laundering (AML) and other bank risk management activities, so it’s important that multiple internal departments within the bank collaborate on solutions and share information. That collaboration and information sharing should also be extended across banks and other relevant players, such as mobile operators or internet service providers. For example, the U.K.’s cross-sector fraud sharing organisation, Cifas, as well as UK Finance’s Intelligence and Information Unit can both be good conduits for sharing emerging threats, data breaches, and compromised card or account details.
Many examples and data points explored here focus on the U.K.: its Faster Payments rail is one of the pioneers in real-time networks and at the forefront of many innovations, from open banking to adopting strong customer authentication. It’s also been charting the course in dealing with APP fraud. However, this is not just a U.K. issue. As more of the world’s payments migrate to real time, other countries will keep an eye on the U.K. for lessons learned in both technology solutions and the legislative agenda. After all, as payments get faster, so does fraud. Anti-fraud defences need to be real time, too, and a fair liability framework is required as a backstop when those defences are breached.
For more information on what steps to take to protect your customers from the bad actors looking to exploit faster payments, download the white paper “Faster Payments For Faster Fraud.”