Payments fraud prevention and protection requires action from all facets of the financial services industry.
- Jennifer Lucas, EY Americas Payments Consulting Leader
- Donna Turner, EY Advisor in Residence
- Robert Mara, EY Americas Financial Services Risk Technology Leader
With new payment innovations, including real-time payments (RTP), FedNow and peer-to-peer (P2P), taking hold in consumer and business banking, fraudsters are finding new opportunities to flourish. As a result, fraud experiences push the boundaries of how payments systems operate and require action from those responsible for their safety and soundness — financial institutions, network operators and the regulators providing oversight. Today, the industry is facing some new and some not-so-new challenges in fraud, and is balancing how to protect customers, fight fraud and provide a convenient, seamless customer experience. With fraudsters continually innovating around banks’ efforts to reduce fraud and calling into question decades-old payments regulations and rules of the road, what is not so clear is who should be responsible for each use case and how should the industry respond?
Sophisticated scams that prey on consumers’ fears and exploit the payments systems to move money quickly, ironically under the scammer’s pretext of protecting the funds from fraud, are on the rise and grabbing headlines. While the bank-owned Zelle real-time peer-to-peer (P2P) payments service seems to be cited as a popular method for money movement scams, it’s not the only way. These scams use a multitude of social engineering, malware and mental coercion tactics to convince customers that there is a problem that must be resolved immediately or severe financial consequences will result. Fraudsters posing as banks, software providers or even government agencies convince individuals to move money to “safety zones” — but these zones have been compromised and the funds ultimately evaporate, leaving the customer defrauded of their funds.
Scams are not new — but the interesting twist here is that because of the digitization of money movement products and, frankly, bank ownership of these products, there is a growing expectation that banks should do more to protect customers from these scams. Not many people would argue that in a scam where you hand cash over to another individual (say a fake home repair person who has no intention of doing the repair work) that the bank should protect the “buyer,” but because the products and services that are making the transfer are bank branded (and, frankly, branded as “safe and secure”), there is a greater expectation of customer protection. And even though banks spend time and resources educating customers to “treat real-time payments like cash,” it’s not enough.
Figure: Rise in scams. Rise in fraud losses from 2020 to 2021; consumers reported losing more than [amount not recoverable from the page] to fraud in 2021.
Why is this a challenge?
As a result of consumers’ widespread digital adoption of real-time payments, combined with heightened protection expectations and the ramping up of sophisticated scams, we now find the rules that govern digital payments liability — Regulation E — in the crosshairs. For nearly 50 years, Reg E has stated that banks must protect customers from unauthorized transactions. That means that if the account owner did not authorize the transaction to be sent or debited, the bank could be responsible. This has led to a significant amount of investment by sending banks to “lock down” the front door to banking and payment applications, while behind the scenes they have controls on dollar values, velocity and sender behavior. Things like digital identity, multifactor authentication (MFA) and passwords help the bank authenticate the authorizer of the payment, but very little has been done to lock down the receiving side of the transaction — where the funds go. If a bank knows it is only liable for the unauthorized send and nothing on the receiving side, its data, rules and protections focus on the sending side.
Possibly expanding or reinterpreting Reg E
At present, there is a growing interest among customer protection groups in expanding (or reinterpreting) Reg E to cover transactions that were “authorized” through coercion — that is, the sender actually sent the money, but they were duped as to whom and why they were sending it. This is a logical track, for if someone impersonating a bank (a spoofer) convinces a customer that their financial future is in peril and they need to act now, they have been coerced into authorizing the transaction. But questions remain on how to prove coercion to validate a claim for reimbursement.
In addition to the potential expansion of Reg E to cover transactions that were authorized through coercion, there has been a general discussion about shifting liability, i.e., having the receiving bank put some “skin in the game” or incur liability for harboring the scammers. Are they allowing funds to flow abnormally into a bank account without examining the volume, velocity or “unusual activity” from a fraud lens? And do they have to reimburse “ill-gotten” funds to the sending bank/sender if coercion is proved? Some payments schemes have suggested that the receiving bank be responsible for reimbursement if their customer is the “scammer.” In the United Kingdom a rule is being considered that would have the receiving bank split the liability with the sending bank on a 50/50 basis.
What should be done about it short-term?
Regardless of where the rules and the liability end up and what drives changes (customer expectations, an overhaul of the regulation, or something in between), banks should prepare and invest in the receiving side of the transaction and put in place controls, monitoring and strategies to prevent, detect and respond to (by sharing data within their network) fraud that their receiving customers could be perpetrating.
Additionally, payment types that were developed as irrevocable under the former understanding of Reg E — real-time payments, FedNow and Zelle — will have to reconsider the irrevocability principle. Should these payments be truly irrevocable if there is a caveat on receiving-side liability? Processes will need to be put in place for banks to investigate and resolve these fraudulent claims and ultimately rid their customer rolls of fraudulent receiving behavior.
As such, financial institutions and payment providers are rapidly pivoting to improve customer protection and scam prevention, with success requiring tight collaboration between fraud and business teams. Banks need to take near-term and strategic steps to remain aligned with customer expectations and rapidly evolving peer practices.
Below are three tactical and three strategic steps banks can initiate today:
- Improve client education. Design and deploy proactive tailored messaging to customers to increase scam awareness and intercept attacks.
- Apply fraud tools and processes to both the sending and receiving side of transactions. Scoring the risk on both sides of the transaction will better identify suspicious activity, shorten the lifespan of mule accounts (bank accounts that consumer fraudsters use to collect ill-gotten gains) and, taken together, devalue the fraud.
- Using these insights, banks should consider introducing incremental friction in the payment process to slow the transaction and make contact with the consumer, in or out of channel, to further the effort to interdict fraudulent or coerced transactions.
- Invest in data: Create a pipeline of new internal and external data sources to enhance proactive identification of risk indicators (e.g., the payment recipient profile; network-generated insights about the recipient). Share data as appropriate with network participants to work effectively.
- Expand artificial intelligence/machine learning (AI/ML) capabilities: Prioritize initiatives to build out real-time risk insights and customer journey selection capabilities based on contextual information.
- Revisit and modify the customer journey with an updated view of the financial impact of projected losses, the tools and investments required, and the target levels of friction across the lifecycle.
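To make the receiving-side scoring and incremental-friction steps above concrete, here is an added example (not from the authors or EY) that scores a recipient account on the indicators the article names, volume, velocity, sender diversity and rapid onward movement, over constructed sample transactions. The thresholds, account labels and friction actions are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample credits (IN) and debits (OUT) on two receiving accounts.
# R-200 shows mule-style indicators: several distinct senders within an hour,
# then near-total outflow shortly after. R-100 resembles ordinary activity.
EVENTS = [
    ("2024-03-01T09:00", "R-100", "IN",  "EMPLOYER-1", 3000.00),
    ("2024-03-01T18:30", "R-100", "OUT", "LANDLORD",   1200.00),
    ("2024-03-01T10:00", "R-200", "IN",  "S-11",  2400.00),
    ("2024-03-01T10:05", "R-200", "IN",  "S-12",  1900.00),
    ("2024-03-01T10:20", "R-200", "IN",  "S-13",  2750.00),
    ("2024-03-01T10:41", "R-200", "IN",  "S-14",  3100.00),
    ("2024-03-01T11:10", "R-200", "OUT", "X-EXT", 9800.00),
]

def score_recipient(account, events, window=timedelta(hours=24),
                    pass_through=timedelta(hours=2)):
    """Score a receiving account on credit velocity, credit volume,
    sender diversity and rapid pass-through; return (score, reasons)."""
    rows = sorted((datetime.fromisoformat(t), d, cp, a)
                  for t, acct, d, cp, a in events if acct == account)
    credits = [(t, cp, a) for t, d, cp, a in rows if d == "IN"]
    if not credits:
        return 0, []
    newest = credits[-1][0]
    recent = [c for c in credits if newest - c[0] <= window]
    inflow = sum(a for _, _, a in recent)
    # Debits from the first recent credit until shortly after the newest one.
    outflow = sum(a for t, d, _, a in rows
                  if d == "OUT" and recent[0][0] <= t <= newest + pass_through)
    score, reasons = 0, []
    if len(recent) >= 4:            # assumed velocity threshold
        score += 1
        reasons.append("credit velocity")
    if inflow >= 10000:             # assumed volume threshold
        score += 1
        reasons.append("credit volume")
    if len({cp for _, cp, _ in recent}) >= 3:
        score += 2
        reasons.append("many distinct senders")
    if inflow and outflow / inflow >= 0.8:
        score += 2
        reasons.append("rapid pass-through")
    return score, reasons

def decide(score):
    """Map the score to incremental friction on the incoming payment."""
    if score >= 4:
        return "hold_and_contact"  # pause the credit and contact the customer
    return "review" if score >= 2 else "allow"
```

In practice the same score would also be shared with the sending bank so that the next credit to a flagged recipient can be slowed or held before it settles.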
The need to drive greater industry collaboration
Longer-term, financial industry sector and cross-sector collaboration is needed to engage the broader ecosystem in the prevention of payments fraud and scams. This can be supported by considering the following four actions:
- Have frequent and candid exchanges, coupled with timely reporting, to drive active collaboration between financial institutions about where, how and by whom fraud and scams are being carried out. A single bank’s success in thwarting fraud is a short-sighted solution because it fails to devalue the fraud across the ecosystem, which leaves fraudsters with the funds to develop new tools and methodologies for committing fraud.
- Build out cross-sector collaboration. Actively working with telecommunications, social media, advertisers and law enforcement will engage the broader ecosystem in the prevention of fraud and scams, along with greater effectiveness for law enforcement agencies in the arrest and prosecution of those involved.
- Ensure that the operating systems or networks are evolving the rules of engagement and liability to drive the optimal behaviors in preventing and detecting fraud and scams.
- Develop sector or even cross-sector investments in education, both to ensure that continued fraud education programs are more comprehensively and aggressively targeted at and accepted by consumers, and to ensure that all FIs are armed with a common level of knowledge and opportunity for success in preventing and detecting fraud and scams.
Just as payments have evolved and will continue to evolve to meet the needs of consumers and businesses, so must the disciplines, tools and processes used to prevent and detect payments fraud and scams. While regulatory and legislative scrutiny and pressures have forced an acceleration of counteractions by FIs, these hard lessons learned will serve these same FIs well as new payment channels and form factors continue to come to market.
The views expressed on these pages are those of the authors and/or the institution they represent, and not necessarily those of Swift.