Real-time payments and fraud: what can be done?
The USA is likely to encounter more fraud and financial crime problems as real-time payments increase in both value and volume. The answers are neither fast nor easy but there are things that all participants can do.
What can the banks do?
In countries such as the UK, real-time payment schemes have been ubiquitous for many years. Banks have suffered from bad publicity when money-laundering happens, or their customers fall victim to fraud. These can be difficult issues to manage but there are steps that banks can take:
Innovation in analytics
To effectively manage fraud risk, companies should use advanced analytics techniques. The methodologies that underpin transaction risk analysis for cards can be deployed for other payment types, with the speed and volumes needed to assess real-time payments. While criminal activity, such as authorised push payment fraud, can be difficult to spot because it is the legitimate account holder making the transaction, there are still anomalies that can be detected by machine learning models trained to spot outlier behavior. Even if the legitimate customer is making the transaction, it is likely that there are clues that they are doing so under duress, because they have been tricked, or because they have turned to the dark side.
In recent years financial institutions have advanced in their use of AI and machine learning to detect money laundering. It is natural that they should further extend these methods to look for money laundering and fraud in real-time payments.
Authorised push payment fraud relies on customers making a payment without stopping to think. Banks should therefore look at how they educate their customers. Education shouldn’t only mean sending them materials; banks should also look at how they communicate with their customers during transactions. Integration of the fraud risk engine with customer communications means that highly individualised just-in-time messages can be pushed to the customer when a transaction seems suspicious, using SMS, telephone call or in-app messages.
Don’t forget in-bound payments
Instinctively, it feels like the onus for prevention sits with the payer’s bank where the payment is being initiated. This is a false presumption and the payee’s bank that is receiving the money could be considered more at fault. The accounts receiving money may be under the control of a criminal and this may be because either the account has been opened using a stolen or synthetic identity or because the account holder is participating in money mule activity. The receiving bank should have controls in place to identify and prevent both crimes. Using transaction risk analysis to assess in-bound payments is a worthwhile safety net for when criminals are controlling accounts.
At a recent user group attended by FICO’s Financial Crime Compliance Community, one phrase really resonated: “sometimes it’s fraud, sometimes it’s money-laundering – mostly it’s both”. Yet banks often have fraud and AML compliance teams operating in silos. This makes it difficult for them to track the proceeds of fraud as they are laundered and fully understand the network of criminal behavior present in their account portfolio. The convergence of fraud and compliance management activities in banks will challenge both established practices and entrenched fiefdoms – but it has the promise to drive both efficiencies and effectiveness into both.
A particularly nasty variation on authorised push payment fraud is when criminals pretend to be from the fraud department of a customer’s bank. They convincingly persuade the account owner that they are investigating fraudsters operating within the bank and they ask their victim to transfer money in their account to a new account to keep it safe. But of course, the new account is held by the criminals. This fraud is enabled – in part – because of the inconsistent ways in which banks contact their customers. The lack of standardisation in methods and scripts leaves room for fraudsters to trick the unsuspecting. While checking the identity of customers is par for the course, the same effort has not gone into making sure that whenever banks contact their customers (even for sales purposes) it is clear to the customer that it is a legitimate contact by their bank.
What can the industry and real-time payments schemes do?
There are systemic steps that can be taken to protect the payments infrastructure independent of the banks including:
Confirmation of payee
A fundamental issue with payment transfers is that the person you intend to send money to might not be the holder of the bank account, but a criminal. Businesses who want to make real-time payments can buy software solutions that verify bank account ownership, but of course that is a cost to them, and it is not available to consumers. Schemes could look to integrate a “confirmation of payee” service into the real-time payments’ initiation process. This is not infallible, but it could prevent many cases.
Fair liability model
Real-time payment schemes give people the ability to send and potentially lose life-changing sums of money. However, they don’t offer the protection that is inherent in other payment systems such as credit cards. There is a difficult balance to be struck; it may be seen as unfair to leave consumers to bear the burden of losses to clever scammers but to expect banks to recompense when customers are negligent or claim fraudulently that they’ve been victims is also untenable. Not addressing the issue of liability leaves banks facing negative publicity when their customers have been defrauded and makes consumers and businesses suspicious about using the schemes.
The different real-time payment schemes emerging in the USA are currently involved in a ‘land grab’ for market share. This must not come at the expense of exposing consumers and businesses to more risk. Continued rises in transaction limits must be coupled with ongoing consumer and business education programs that don’t only focus on the undoubted advantages of real-time payments, but also risks and liabilities.
Transaction risk analysis
As mentioned above, both the payer and payee banks will benefit from implementing transaction risk analysis on payments. Additional protection could come from the schemes implementing risk analysis in the interbank space. Doing this would not negate the need for banks to carry out analysis but could spot additional cases. The schemes have a view on potential fraud and money laundering across all the financial institutions that participate in their scheme. For example, they could detect suspicious payments going to an account not just from the perspective of a single initiating bank, but across all banks sending payments to that account.
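The difference between a single bank's view and the scheme's view can be shown with a small fan-in check. This is an added example, not part of the original article: the record layout, account names and thresholds are assumptions, and the payment data is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (sending_bank, payer_account, payee_account, amount)
PAYMENTS = [
    ("bank_a", "a-001", "mule-77", 900.0),
    ("bank_b", "b-014", "mule-77", 950.0),
    ("bank_c", "c-230", "mule-77", 875.0),
    ("bank_d", "d-042", "mule-77", 990.0),
    ("bank_a", "a-002", "shop-12", 40.0),
    ("bank_a", "a-003", "shop-12", 55.0),
    ("bank_a", "a-004", "shop-12", 35.0),
    ("bank_b", "b-020", "rent-05", 1200.0),
]

# Assumed thresholds: a payee is suspicious when many unrelated payers
# send it a large combined value inside the analysis window.
MIN_PAYERS = 3
MIN_TOTAL = 2500.0

def fan_in(payments):
    """Aggregate inbound payments per payee: distinct payers and total value."""
    stats = defaultdict(lambda: {"payers": set(), "total": 0.0})
    for _bank, payer, payee, amount in payments:
        stats[payee]["payers"].add(payer)
        stats[payee]["total"] += amount
    return stats

def flagged(payments):
    """Payee accounts that exceed both thresholds in the given set of payments."""
    return sorted(payee for payee, s in fan_in(payments).items()
                  if len(s["payers"]) >= MIN_PAYERS and s["total"] >= MIN_TOTAL)

def per_bank_view(payments):
    """Run the same rule separately on what each sending bank can see."""
    by_bank = defaultdict(list)
    for row in payments:
        by_bank[row[0]].append(row)
    return {bank: flagged(rows) for bank, rows in by_bank.items()}

def scheme_view(payments):
    """Run the rule once over all payments, as the scheme operator could."""
    return flagged(payments)

if __name__ == "__main__":
    print("per bank:", per_bank_view(PAYMENTS))
    print("scheme  :", scheme_view(PAYMENTS))
```

Each sending bank sees only one payment to the suspicious account and flags nothing; the same rule applied across all banks flags it.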
What can users do?
It can be easy to talk about the users of real-time payment schemes as if they are passive victims. Whether they are businesses or individuals this does not have to be the case, and given that they may end up bearing the losses there is much we can all do.
Work with your bank or other providers
Scammers can be very persuasive, but victims who feel even the smallest suspicion should act on it. Your bank’s customer-services and fraud departments are ready and willing to help you. Even if you think it is your bank that contacted you, a genuine bank won’t mind if you stop the call and phone them back on the number on your card or their website. If you are suspicious that it isn’t your bank that has contacted you, be sure to make a phone call.
Individuals should also be wary when buying goods from online auction sites if the seller asks for payment by means other than those specified by the site (for example, if paying with PayPal is recommended when buying on eBay). Follow the advice of the website and if it is fraud you will be better protected and the fraudsters more easily traced and stopped.
STOP and think
Fraudsters rely on creating a sense of urgency and panic so that their victims, whether businesses or consumers, act without thinking. Never be afraid to query something that doesn’t feel right or a payment that someone is pushing with undue urgency, particularly if it is for something you weren’t expecting. You may have good reasons to be suspicious. Your bank will not mind if you query such payments. With real-time payments, once the payment is initiated then the money is gone – so be sure to act on even the slightest suspicion before you press send.
Strong supplier management
Businesses are being defrauded when criminals send change-of-bank-account-details notifications or fake invoices. Businesses should have processes in place to check supplier bank account details when they set up new suppliers, when invoices with new bank account details appear, or if they receive a change of bank account notification. Manual processes such as contacting the supplier’s accounts department to confirm will help, as will using a commercially available solution that verifies bank account ownership.
Emergency payment policies
To prevent staff acting on CEO fraud, businesses should have policies in place that help staff to understand any circumstances where an urgent request for payment from a senior member of staff could occur. They should have checks and balances in place so that staff do not simply act on such a demand but must make checks first. It is vital that staff feel they can make these checks for legitimate payments without retribution from impatient leaders.
Experience in countries such as the UK where real-time payments have been ubiquitous for over a decade shows that there is real value to being able to move money quickly. Fraud and money-laundering are real issues but there is much that all involved can do to increase security and make the real-time payments schemes a resounding success.