I recently had a chat with Kjeld Herreman, Head of Strategy Advisory at RedCompass Labs, about the increasing impact of Authorised Push Payments (APP) on the financial industry and its customers.
In case you’re not aware of APP, it’s where a customer authorises a payment to a criminal, typically because they were fooled into thinking they were dealing with a legitimate institution, such as a bank or post office. It’s becoming much more prominent in certain economies. For example, in the UK, 8 out of 10 people have now experienced APP, and banks have set up compensation schemes that cover 90% of these sorts of transactions.
There’s now a clampdown on such scams, with the regulators looking to force banks to recognise that it’s not the customer’s fault when such fraud happens. There’s one particular scheme where a criminal calls you, spoofing the bank’s official fraud telephone number, and tells you that your account has been hacked. You say fair enough, I’ll ring you back. You ring the bank’s official fraud line and provide all the identifiers needed to find out what’s happening. What you don’t realise is that the fraudster has been holding the line open so that it looks like the bank’s official fraud line … but it’s not.
The issue from a regulatory viewpoint is that around 90% of banks have addressed the issue – which means that 1 in 10 have not – and, for those who have addressed the issue, most do this in inconsistent ways. That is why the UK regulator known as the PSR – the Payment Systems Regulator – is implementing a package of measures to combat the growth in these scams, as explained nicely here by Chris Hemsley.
The aim of the PSR is to ensure that: “reimbursement of victims would – above a minimum threshold – be mandatory and result in more money being returned sooner”; and “places strong incentives on banks and building societies to do more to prevent fraud”.
Similarly, at a European level, there are concerns about such scams, and the move to confirmation of payee – checking that the account number matches the name of the account holder – has also become a big topic. Specifically, the European Commission announced new regulations for instant payments last month that would require the following:
All payment services providers (with very targeted exceptions) that offer credit transfers in euro must offer instant payments in euro to all their customers.
The charges for instant payments in euro must be equal to or lower than the charges for non-instant euro credit transfers.
All providers of instant payments in euro must offer a service checking the match between the account number (the so-called ‘IBAN’) and the name of the payment beneficiary and, before the payer authorises the transaction, warning the payer about any detected discrepancy, as it could suggest fraud.
All providers of instant payments in euro must follow a harmonised procedure for sanctions screening, based on daily checks of their own clients against EU sanctions lists while on normal transfers checks are carried out on a transaction-by-transaction basis.
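As an added illustration of the IBAN/name check described above (example code written for this post, not any scheme’s or bank’s actual implementation): a constructed account register and a check that returns the outcome the payer would be warned about before authorising. The names, IBANs and the 0.8 similarity threshold are assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed account register (IBAN -> registered holder name) standing in for
# the beneficiary bank's lookup. Made-up test data, not real accounts.
ACCOUNT_HOLDERS = {
    "NL91ABNA0417164300": "J. de Vries",
    "DE89370400440532013000": "Muster Handels GmbH",
    "BE68539007547034": "Marie Dupont",
}

def normalise(name: str) -> str:
    """Fold accents, case, punctuation and spacing so benign variations still match."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", folded.lower()).split())

def confirm_payee(iban: str, payee_name: str, close: float = 0.8) -> str:
    """Outcome shown to the payer before authorisation: 'match', 'close_match'
    (warn and show the registered name), 'no_match' (warn strongly) or
    'account_not_found'. The 0.8 similarity threshold is an assumed tuning value."""
    holder = ACCOUNT_HOLDERS.get(iban.replace(" ", "").upper())
    if holder is None:
        return "account_not_found"
    a, b = normalise(holder), normalise(payee_name)
    if a == b:
        return "match"
    return "close_match" if SequenceMatcher(None, a, b).ratio() >= close else "no_match"

if __name__ == "__main__":
    for iban, name in [("NL91 ABNA 0417 1643 00", "J de Vries"),
                       ("BE68539007547034", "Marie Dupond"),
                       ("DE89370400440532013000", "Acme Trading Ltd"),
                       ("FR0000000000000000000000", "Anyone")]:
        print(iban, name, "->", confirm_payee(iban, name))
```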
On this area, I asked Kjeld what was happening.
Kjeld: I think there is a lot of frustration with financial institutions. They keep on investing heavily in fraud protection solutions and they only work for a brief period of time, because fraudsters go to new methods. For instance, just as consumers and businesses are starting to become aware of the dangers of phone and email spoofing, scammers are starting to deploy deepfake technology to convincingly convince their victims of a false identity.
The phishing emails you are receiving are becoming increasingly personalized and sophisticated. As soon as banks close one avenue for authorised push payment fraud, the fraudsters go to the next one. There’s this continual battle between the people who are trying to defraud and the banks who are trying to prevent it. Behind closed doors, some banks admit that they don’t want to continue investing in fighting APP, simply because it seems to them to be like mopping with the tap open.
I would argue that just because new fraud methods continue to appear, this isn't an excuse not to invest in fraud prevention. It's like having antivirus installed on your computer: it's a no-brainer, and you're not going to neglect to do so simply because hackers continue to invent new viruses and trojans. The regulators seem to agree with this thinking, and are pushing for banks to take more and more responsibility, and for them to cover any losses from authorised push payment fraud.
Chris: It’s very difficult for the consumer to know what’s real and what’s not real and then, if it’s not real, for the bank to be accountable for the fact that the consumer got duped.
Yes absolutely, the scammers are becoming increasingly competent, which also means that they are expanding their customer segments.
Traditionally, when it comes to this type of thing, it is the elderly that have been more targeted, and that have been victims of authorised push payment fraud. Now we also see that fraudsters are trying to go after people during moments of high stress, for example when you’re buying a house. They try to divert the house payment and things like that, so really going after these high value payments.
When people are in a moment of stress, and might not be as perceptive to danger as they otherwise might be, it really is increasingly difficult to detect it. And the threat is ever increasing as real-time payments start to become the new norm.
Chris: How are real-time payments and authorised push payment linked?
We saw that in the UK, APP really started to take off when faster payments became the "new normal." A real-time payment is irrevocable, unlike traditional payments where banks still have a window of opportunity to recall or cancel them, or card payments that have chargeback methods.
This is also why at the European Commission, they are working on pushing back on authorised push payment fraud as well: they simply can't afford to ignore it as they continue to promote instant payments. As part of their efforts to fight authorised push payment, they are mandating that all banks provide a "confirmation of payee" service to their customers.
As part of the recently proposed Instant Payments legislation, the payer's bank is forced to provide a service to their customers that would allow them to verify the match between the account holder name and the account number. This will need to be a pan-European solution. Banks would have a year to implement this, from the time that the regulation is adopted. So that’s heading at banks very quickly, and I don’t know how they are going to manage to put these solutions in place globally. Although there are already some domestic schemes in countries such as the Netherlands, France, Italy, and the UK, and other regions are working on developing them, they are certainly not ubiquitous and interoperability remains a challenge.
Chris: Is it because we are digitalising everything that everything is becoming easier to spoof and, if so, what’s the solution?
The solution is to continue to try to detect what the sources are and to continue to invest in systems that are going to detect that. AI plays an important role there, recognising patterns and giving feedback to the systems to be able to identify trends faster than humans could.
One of the solutions that we were studying is to try to do mule account detection through a central clearing system. Obviously if you have an account with incoming payments from consumers, and you can send a trigger warning, you know five payments in one day is suspicious. You get to those five payment transactions much quicker if you are going to aggregate that across banks, rather than if you are going to look at each bank individually.
In addition to the confirmation of payee obligation, there are also initiatives at a European level to share mule account numbers. The aim is to have a central registry of accounts that have been identified as mule accounts. So, those are some of the things that we are looking at.
Now, in Europe, one of the challenges that we are also facing is GDPR. In Belgium, for example, the "legitimate purpose" of fraud prevention is not necessarily always accepted by the regulator as a premise for data sharing, whereas the Dutch regulator is much more relaxed.
There’s also a little bit of a missing legal context as well, that allows banks to share this personal data in the context of fraud prevention. So then there is a role for regulators as well, to make them a little bit more explicit and harmonised across Europe.
The final, and perhaps most important tool to prevent Authorised Push Payment fraud is increasing awareness. The public needs to be kept apprised of new scams as soon as authorities learn about them. There needs to be a joint effort between regulators, legislators, banks, and the media to ensure this information is shared widely and effectively.
Chris: On a final note from my side, I think there is the issue between security and convenience and so faster payments is about making everything real time, immediate and better for merchants and customers and yet, at the same time, it has created this massive opportunity for fraudsters to step in and do things like authorised push payments.
Rather than a trade-off between convenience and security, I see the third leg of that triangle being data privacy. That is a concern as well, right? The more data you have on the subject, the better you can detect things, so you have to weigh that up between being able to detect things and respecting privacy.
Chris: How do you balance the ability for finance to be easy and convenient with this overhead of security and privacy on top of it?
It’s a difficult balance and there have been different proposals. Some legislators have proposed to drastically decrease the maximum amount for credit transfer, and I am talking about drastically decreasing down to a thousand euros, where the customer would need to call the bank or physically go to the bank, to be able to increase their limit temporarily in order to be able to do a transfer.
If you are doing a large transfer, there’s a large amount of money at risk. This means you need to at least talk to someone from a bank who is informed about APP, and can help spot patterns of these frauds.
So that is one way of doing it, but it causes an enormous amount of unnecessary friction when executing payments. Someone who feels they are better educated on the danger of APP might want to opt out of something like that. However, that once again creates a loophole for scammers to exploit, rendering the whole system useless again. So, I don’t have the answer. I hope you, based on our discussion, do find it but I think it will be an eternal war of setting up mechanisms to prevent it and fraudsters finding new and innovative ways to scam people. As the pace of change in payment methods continues to increase, the development of new ways to exploit them will accelerate as well.
We're living in a time of tremendous change: as irrevocable real time payments become the new norm, finding ways to prevent people from being exploited through them becomes a key priority. I'm thrilled the European Commission has made this a priority, and although the new confirmation of payee obligation will certainly not eradicate APP, it will certainly be a painful and annoying pebble in the shoe of fraudsters, which has to be a good thing, right?
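Kjeld’s point about mule account detection through a central clearing system, as an added illustration that is not part of this post or of RedCompass Labs’ work: constructed transfers in which five consumer payments land on one personal account in a single day, spread across three sending banks, so that no sending bank on its own reaches the threshold but the aggregated view does. The five-per-day threshold is taken from the discussion; the field layout, bank names, account types and IBANs are assumptions.

```python
from collections import defaultdict
from datetime import date

DAY = date(2023, 3, 1)

# Constructed sample of credit transfers as a central clearing system would see them.
# Fields: sending_bank, payer_type, beneficiary_iban, beneficiary_account_type, value_date.
# Banks and IBANs are made-up test data, not real accounts.
TRANSFERS = [
    ("BankA", "consumer", "NL00MULE0000000001", "personal", DAY),
    ("BankA", "consumer", "NL00MULE0000000001", "personal", DAY),
    ("BankB", "consumer", "NL00MULE0000000001", "personal", DAY),
    ("BankB", "consumer", "NL00MULE0000000001", "personal", DAY),
    ("BankC", "consumer", "NL00MULE0000000001", "personal", DAY),
    # A web shop legitimately receives many consumer payments; business accounts are exempt here.
    ("BankA", "consumer", "NL00SHOP0000000002", "business", DAY),
    ("BankB", "consumer", "NL00SHOP0000000002", "business", DAY),
    ("BankC", "consumer", "NL00SHOP0000000002", "business", DAY),
    ("BankC", "consumer", "NL00SHOP0000000002", "business", DAY),
    ("BankC", "consumer", "NL00SHOP0000000002", "business", DAY),
    # A personal account with a couple of incoming payments: nothing unusual.
    ("BankA", "consumer", "NL00NORM0000000003", "personal", DAY),
    ("BankB", "consumer", "NL00NORM0000000003", "personal", DAY),
]

def suspicious_accounts(transfers, day, threshold=5):
    """Personal accounts receiving at least `threshold` consumer payments on `day`."""
    counts = defaultdict(int)
    for _bank, payer_type, iban, acct_type, value_date in transfers:
        if value_date == day and payer_type == "consumer" and acct_type == "personal":
            counts[iban] += 1
    return {iban for iban, n in counts.items() if n >= threshold}

def per_bank_view(transfers, day, threshold=5):
    """What each sending bank would flag if it saw only its own customers' transfers."""
    by_bank = defaultdict(list)
    for t in transfers:
        by_bank[t[0]].append(t)
    return {bank: suspicious_accounts(ts, day, threshold) for bank, ts in by_bank.items()}

if __name__ == "__main__":
    print("central clearing view:", suspicious_accounts(TRANSFERS, DAY))
    print("per-bank view:", per_bank_view(TRANSFERS, DAY))
```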
Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News.