UK Fraud Losses – What happened in 2019 and where are we headed now?
April 17th, 2020
UK Fraud Losses in 2019
UK Finance recently published “Fraud – The Facts 2020” and as usual the report was full of great data on the UK banking fraud landscape in 2019. In this blog, I’ll draw out the key trends and implications, along with potential impacts from the COVID-19 crisis in 2020.
Here are some key points from the report:
- Total unauthorised fraud is down 2 percent over 2018 at £824.8 million
- Card fraud losses are down 8 percent at £620.6 million
- E-commerce fraud is down 9 percent to £359.3 million
- Cheque fraud is up 161 percent to £53.6 million, continuing the late 2018 rise
- Unauthorised Remote Banking (ACTO) fraud is down 1 percent to £150.7 million
- Authorised Push Payment (APP) fraud is up 29 percent to £455.8 million and now makes up 36 percent of total fraud losses, over three times that of unauthorised remote banking fraud.
It’s a mixed picture of increases and decreases, but case volumes were up almost across the board, driving down average loss per case as preventions increase.
Cheque fraud continues its dramatic rise. What is particularly interesting is that it’s up across the different fraud types this year, not just counterfeits. I’ve covered this in more detail in my recent blog, as this is a trend in the U.S. and France, too.
In card fraud, losses are decreasing by double digits across many typologies, with Europay, Mastercard and Visa (EMV) take-up across the globe. In particular, counterfeit card fraud was down 21 percent in the U.S.
However, this contrasts with Lost & Stolen losses, which remained flat but increased as a percentage of overall losses, with cases up by 6 percent. This is likely driven by distraction thefts and contactless fraud.
COVID-19: Fraud Impact
With the impacts of COVID-19, there will be fewer opportunities to undertake distraction thefts and to observe PINs, due to reduced chip and PIN use relative to contactless/XPays, as well as the need to stand further apart. This may increase actual theft and violence to obtain cards and PINs.
Speaking of contactless, the UK has just increased its limit from £30 to £45 (the maximum allowed under PSD2) to further reduce the need for people to physically touch card readers. We often see press articles about contactless fraud, but the reality is that this is the least fraud-prone type of card fraud.
Contactless fraud losses increased by £1.1 million, while transaction value increased by £11.5 billion. As a percentage of transaction value, losses fell from 2.7bps to 2.5bps in 2019; this compares to a 15bps loss for e-commerce fraud and 7.5bps for all types.
The big card fraud driver is still card-not-present (CNP), and particularly e-commerce. Even with a fall in losses, CNP was still 76 percent of card fraud, with cases increasing by 5 percent.
Cases are likely to continue, and the COVID-19 situation is already increasing fraud via CNP and will likely increase the opportunity for card and data compromises, with several seen this year, e.g. from Virgin Media and Marriott.
3DS 2.2 and increased authentication will help, but this situation highlights the need to move away from clunky authentication processes.
3DS 2.2 is also likely to increase the shift of losses from merchants to issuers. The data also shows an e-commerce fraud rate of 15bps, which is up from last year and well above even the lowest of the PSD2 Transaction Risk Analysis (TRA) exemptions, so not many financial services organizations will make use of this. This means slick authentication is even more important.
What is interesting here is the reduction in a number of fraud typologies with an increase in others, growing the concentration. In many cases, we can see that banks’ financial crime investments are working, making the fraudsters work harder to get their money.
The numbers show that the success really relates to unauthorised fraud, with authorised fraud continuing to rise. APP fraud now makes up 36 percent of UK banking fraud, up from 30 percent in 2018. Note that this is likely understated, especially with corporates.
Remote Banking Fraud
Remote banking fraud had a slight decrease, despite a hefty 38 percent increase in cases. The interesting point here is that telephony and mobile losses increased by 7 percent and 94 percent, respectively. Mobile reflects the changing genuine usage patterns, but telephony is now at £23 million, showing that it is still a weak link.
It’s important to remember that these numbers were published before there were any impacts from COVID-19, as they only run to the 31st December 2019. Seeing the trends from these numbers, combined with what we’ve seen in the last few weeks, what do we think is going to happen?
First, we’ve all seen the reports of big increases in scams and authorised frauds. These have ranged from purchase frauds for things like masks and toilet rolls, to investment frauds for vaccines. We’ve also seen phishing and malware campaigns related to HMRC and COVID-19 maps.
It’s easy to think that fraud attacks are going up across the board. However, there appears to be some nuance to this. There is more e-commerce fraud on cards, as most of the genuine spend is there and some of this is purchase scams. On the payments side, mule behaviour has dropped a bit, and therefore unauthorised and authorised frauds are likely to drop too. This makes sense as cashing out is harder, with many financial branches shut down or on reduced hours, and country borders closed.
Another consideration is that we could be seeing Organised Crime Groups (OCGs) sitting on the credentials or access they have captured from recent phishing and malware campaigns to use once the lockdown restrictions have eased. This could mean financial services organizations (FSOs) are deluged with attacks in just a few weeks’ time. Operations teams could be overwhelmed as they work to get back to normal, as this is similar to a distributed denial-of-service (DDoS) attack. This could result in high levels of losses.
So what can firms do to combat these trends?
- Create capacity and flexibility through automation and a single case manager
- Leverage and increase investments in authentication, including risk scoring of enrolment and logins, as well as SMS OTP replacements
- Build out APP-specific models to detect APP fraud, and use these scores to drive dynamic in-journey messaging
- Look at building inbound payment profiling in real time as liability shifts
- Optimise models for the ‘new normal’ and create the ability to refresh these more often
- Upgrade the fraud platform’s capability to handle the extra data, new channels and running multiple models to detect fraud
- Build the fraud platform into a fraud hub, linking KYC, AML, application fraud and transaction fraud together to really provide customer profiles and make intelligent, risk-based decisions