Real-Time Payments Demand Real-Time Protection
May 22nd, 2019
Real-time payments have finally arrived in the U.S. market after being enabled in more than 40 countries previously. Unfortunately, the extra time to prepare didn’t translate to financial institutions (FIs) being ready; other fraud concerns took their focus away from the possibility of faster payments.
When Zelle launched in 2017, the largest banks in the country quickly began offering it. However, many fraud managers are still reluctant to move forward, believing that faster payments equate to faster fraud. In a sense, that is true. But the key is having the infrastructure in place to detect fraud in real time and to be able to interdict suspicious transactions before the funds leave the FI. These two capabilities—real-time fraud detection and the ability to stop suspicious transactions—are the foundation for preventing fraud in real-time payments. Any FI that offers real-time payments without these capabilities in place can expect high levels of fraud losses to quickly follow.
While Zelle launched first, The Clearing House also launched its Real-Time Payments Network (RTP), initially intended for use by FIs’ treasury services clients. Volume on the network is increasing, and new capabilities will be coming to market later this year. Typically, fraud losses on commercial activity are less common than in the retail environment. However, corporate account losses tend to be for much higher dollar amounts than retail payment losses. Without the proper controls in place, RTP losses may rival business email compromise schemes. The fraud will be the same, but the payment network used to move the funds will be different. Real-time fraud prevention will be necessary regardless of whether the FI is offering person-to-person or commercial account money movement.
Protection Concerns Remain Consumer Focus
Recent research shows that 50% of FIs in the U.S. are very likely to implement real-time fraud detection in the next one to two years, while an additional 18% are likely to do so.1 While consumers demand ease, speed, and convenience, they also expect their accounts to be protected. One recurring challenge with faster payments is that they tempt fraudsters to accelerate their account takeover attempts. Once they successfully take over a customer’s account, they can quickly move the funds to an account they control. Real-time payments are final, so it is essential for the FI to evaluate data in real time to ensure fraud detection is adequate.
Real-time fraud detection is not only about speed; it must also incorporate data from many sources to detect suspicious activity consistently without too many false positives, which negatively impact the customer experience and cause operational inefficiencies. Nonmonetary transactions should be included in the data sources examined. For example, was the customer’s contact information changed prior to a large transfer being initiated? If so, a fraudster may have taken over the account and changed the contact information so that if the FI contacted the “customer” via text, call, or email, the alert would go to the fraudster. Another example is contact center data: Did the “customer” forget his or her online credentials and have them reset by an agent? A password reset followed by a large transfer may not be fraudulent, but it certainly warrants a bit more scrutiny. Utilizing a number of different monetary and non-monetary data sources (e.g., account maintenance) enables fraud detection to become more accurate and concurrently lowers the number of false positives generated. In handling real-time payment alerts, time is of the essence; large numbers of false positives translate to many customers being negatively impacted for no reason. The power of data should enable greater efficiency as well as lower fraud losses.
Shore Up Authentication Gaps
In offering real-time payments, many FIs will use their core processor to connect with the companies that offer the payments, while others will connect directly. For those that connect directly, all fraud prevention must be performed in-house, while core processors offer some fraud mitigation as part of their product offering. When using a processor, it is vital to understand what fraud mitigation capabilities are offered. Don’t make any assumptions! As one example, the core processor typically won’t detect account takeover fraud; the way FIs authenticate clients is up to them, as is the liability if it is not done accurately. While a real-time payment may be used to move funds out of the FI, the root cause of these losses is an authentication failure. A real-time payment merely becomes the way funds were moved.
The primary lesson here is that not all fraud prevention falls on the core processor; the FI should shore up authentication gaps if account takeover is already an issue (as it is for much of the industry). If there are gaps in the service offered by the core processor, the FI can consider implementing some fraud prevention steps prior to sending the payment to the processor. For example, checking the email address or mobile number that funds are being moved to can be helpful. (Some payment processors may offer this service.) What is the tenure of the email address or phone number? If it is new, that’s another red flag. Deny or delay that payment until additional measures can be taken to ensure it is authorized.
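The checks described in the last two sections (a contact-information change or agent password reset shortly before a large transfer, and the tenure of the recipient's email address or phone number) can be combined into one pre-send decision. The sketch below is an added example, not code from any processor or vendor; the event names, weights, 72-hour window, amount cut-off and score thresholds are all illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative assumptions: event names, weights, window and thresholds.
LOOKBACK = timedelta(hours=72)      # how far back non-monetary events matter
LARGE_AMOUNT = 1000.00              # "large transfer" cut-off
NEW_ALIAS = timedelta(days=30)      # recipient email/phone tenure below this is "new"
WEIGHTS = {"contact_info_change": 40, "agent_password_reset": 30}

@dataclass
class Event:                        # non-monetary account event
    account: str
    kind: str
    at: datetime

@dataclass
class Payment:
    account: str
    amount: float
    at: datetime
    alias_first_seen: datetime      # when the recipient email/phone was first observed

def decide(p: Payment, history: list) -> dict:
    """Score one outbound payment before it is sent to the processor."""
    score, reasons = 0, []
    if p.amount >= LARGE_AMOUNT:
        for e in history:
            in_window = timedelta(0) <= p.at - e.at <= LOOKBACK
            if (e.account == p.account and in_window
                    and e.kind in WEIGHTS and e.kind not in reasons):
                score += WEIGHTS[e.kind]
                reasons.append(e.kind)
    if p.at - p.alias_first_seen < NEW_ALIAS:
        score += 30
        reasons.append("new_recipient_alias")
    action = "deny" if score >= 70 else "delay" if score >= 30 else "release"
    # After a contact change, verify on the channel on file before the change;
    # otherwise the alert goes to whoever made the change.
    channel = "contact_before_change" if "contact_info_change" in reasons else "current_contact"
    return {"action": action, "score": score, "reasons": reasons, "verify_via": channel}

# Constructed sample data, not real records.
NOW = datetime(2019, 5, 22, 12, 0)
HISTORY = [
    Event("A-1", "contact_info_change", NOW - timedelta(hours=2)),
    Event("B-2", "agent_password_reset", NOW - timedelta(hours=5)),
    Event("C-3", "contact_info_change", NOW - timedelta(days=10)),  # outside window
]
PAYMENTS = [
    Payment("A-1", 4500.00, NOW, NOW - timedelta(days=1)),    # new alias
    Payment("B-2", 2500.00, NOW, NOW - timedelta(days=400)),
    Payment("C-3", 2000.00, NOW, NOW - timedelta(days=400)),
]
```

Running `decide` over `PAYMENTS` denies the first payment, delays the second for additional verification, and releases the third, whose contact change falls outside the lookback window.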
New challenges accompany faster and real-time payments. Customers are embracing these new payment types, but no payment type is without risk. In fact, 54% of FI professionals predict that real-time payment fraud losses will exceed credit card fraud losses in two years, becoming the leading type of fraud loss.2 Without the necessary fraud prevention capabilities, this prediction may come to fruition. Be sure your FI is adequately prepared to meet the market demand without incurring significant fraud losses in the process.