July 6 • 2022
Authorized Frauds & Scams
Cybercrime is low risk, low investment, and high return. Not surprisingly, illegal financial gain is one of the biggest reasons for cyber-attacks. The result is a predicted USD 10 Trillion of damages by 2025. Our vision is to change that.
The level of losses and, therefore, the level of regulatory response has been driven in the most part by the existence of real-time payments. These have been live in the UK for around 15 years when most other countries are only in the first few years of rollout. Volumes of real-time payments are still increasing (20% in 2021), partly as Open Banking continues to increase in popularity, now at 6m users. With more and more genuine payments, as well as increasing fraud attacks, the volume of fraud and AML alerts to be worked is increasing too.
Authorized frauds are particularly harmful because it is the customer, rather than the fraudster, who authorizes the payment(s), which means the customer is much less likely to get a refund. Given the size of authorized frauds, these can be life-changing losses for the victims. It is for this reason that the regulatory landscape has started to change.
With the strong regulation seen in the UK, there is much for the rest of the world to think about in terms of how other regulators may seek to add to their own regimes.
Last month (May 2022) there were two announcements to increase the UK regulations further. One was a very brief mention in the Queen’s speech as part of a forthcoming Financial Services and Markets bill, and the other came from one of the key UK regulators, the Payments Service Regulator (PSR).
The first indicated an increase in powers to the PSR to allow it to force banks to refund customers who are victims of fraud, whereas the second was outlining a consultation on increasing the scope of the Confirmation of Payee mandate in the UK.
Whilst there is not much to go on here, it’s worth looking back at what’s happened in the UK previously.
Contingent Reimbursement Model
The Contingent Reimbursement Model (CRM) was introduced for the largest UK banks, in a voluntary fashion, back on 28 May 2019. It focuses on authorized fraud, as unauthorized fraud is well covered under PSD1/PSD2 regulations.
At the CRM’s heart is a desire to:
- Reduce the volume of authorized frauds in the UK;
- Increase the number of customers protected through refunds to victims;
- Minimize disruption to genuine customers.
As a part of these voluntary measures, there are a number of elements that banks (whether paying or beneficiary) must adhere to if they are not to be liable for customers’ losses. This means that the beneficiary bank of a fraudulent payment can have liability, as well as or instead of the paying bank or their customer.
This clearly means there is a business case for both sets of banks to do more to protect customers as they will be liable.
The key elements that the banks need to undertake are:
- Must identify payments at high risk of being an Authorised Push Payment Fraud (APP) and take action to delay the payment
- Apply effective risk-based warnings before and during payment journeys
- Implement Confirmation of Payee (COP, see below)
- Identify high-risk customers and take further protective precautions
- Notify beneficiary firms quickly where there is an APP
- Prevent accounts from being opened for fraud & money laundering, including using sources of intelligence such as shared databases
- Implement COP
- Identify accounts and payments at a high risk of being used to launder APP frauds
- Freeze and repatriate funds, where allowed by law
The above must include undertaking customer behavioural analysis and access to external data sources to identify the highest risk customers and payments for action.
Assuming the customer has not ignored any warnings or otherwise been negligent, where either of the banks has not met the above criteria, they will incur liability. Whether the liability is whole or partial will depend on a number of factors.
At present this is ‘voluntary’; however, this new bill could move it to full legal status and force firms to refund, similar to PSD1/2 for unauthorized frauds.
What is Confirmation of Payee?
Confirmation of Payee is a service to check that the name on an account matches the account number and sort code (IBAN, or account and routing number). The bank sending a payment sends a message to the receiving bank with the name, account number and sort code of the beneficiary account and asks whether they match. The receiving bank must send a response message indicating a match, a non-match or a close match. In the case of a close match the customer is returned the name so they can decide what to do. Confirmed matches are not just exact matches. In my own experience I have seen the following when COP was first introduced: Aimee and Amy are not a ‘close match’, but a ‘non-match’. Rob to Robert is a ‘Match’.
The 6 largest banks in the UK had to implement COP, on both the sending and receiving sides. There are now 33 payment service providers using COP, and this covers circa 92% of payments.
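To make the request/response exchange concrete, here is an added illustrative COP responder for the receiving bank; it is not code from the original post or from any scheme operator, and the nickname table, the beneficiary register and the 0.85 similarity threshold are constructed assumptions (each bank sets its own matching rules).

```python
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

# Constructed nickname table; the real matching rules are each bank's own.
NICKNAMES = {"rob": "robert", "bob": "robert", "bill": "william", "liz": "elizabeth"}

# Constructed beneficiary register held by the receiving bank:
# (sort code, account number) -> name on the account.
ACCOUNTS = {
    ("123456", "12345678"): "Robert Smith",
    ("123456", "87654321"): "Aimee Jones",
}

# Constructed tuning choice: below this similarity a name is a NO_MATCH.
CLOSE_MATCH_THRESHOLD = 0.85


@dataclass(frozen=True)
class CopRequest:
    sort_code: str
    account_number: str
    payee_name: str          # the name the payer typed in


@dataclass(frozen=True)
class CopResponse:
    result: str              # "MATCH", "CLOSE_MATCH" or "NO_MATCH"
    actual_name: Optional[str] = None   # only disclosed on CLOSE_MATCH


def normalise(name: str) -> list:
    """Strip accents/case/punctuation and expand known nicknames per token."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z ]", " ", ascii_name.lower()).split()
    return [NICKNAMES.get(t, t) for t in tokens]


def respond(req: CopRequest) -> CopResponse:
    held = ACCOUNTS.get((req.sort_code, req.account_number))
    if held is None:
        return CopResponse("NO_MATCH")   # unknown account: disclose nothing
    given, actual = normalise(req.payee_name), normalise(held)
    if given == actual:
        return CopResponse("MATCH")      # exact after normalisation (Rob -> Robert)
    ratio = SequenceMatcher(None, " ".join(given), " ".join(actual)).ratio()
    if ratio >= CLOSE_MATCH_THRESHOLD:
        return CopResponse("CLOSE_MATCH", held)   # typo-level difference: show name
    return CopResponse("NO_MATCH")       # e.g. Amy vs Aimee scores 0.80 here
```

With these settings "Rob Smith" is a MATCH, "Robert Smyth" is a CLOSE_MATCH that returns the held name, and "Amy Jones" against "Aimee Jones" is a NO_MATCH, mirroring the behaviour described above; lowering the threshold to 0.8 would flip the last case to CLOSE_MATCH, which is exactly the tuning decision each bank has to make.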
Since the introduction of COP many fraudsters are favouring those banks that have not implemented it, as it takes less effort to run malicious redirection scams against them. As ever, you don’t need to outrun the bear, just your peers!
COP is not a panacea, but it does help to mitigate malicious redirection frauds. However, for malicious payee frauds and for many non-UK accounts, COP does not help. This is because either there will be a match, as the whole identity has been set up that way, or it can’t be checked because the services are not in place.
Looking at the potential for PSR to force banks to refund, there are a few key points. The level of refunds under CRM1 in 2021 was around 51%. This ranges from 34% for purchase scams to 61% for invoice frauds and also differs across the banks. Therefore, there is a lot of scope for increasing the level of provisions banks need to make.
Forcing refunds onto the banks, on both sides of the transaction, could:
- Force financial institutions to invest more in financial crime systems, particularly on the beneficiary side, for example real-time inbound profiling and an increased focus on application fraud.
- Mean that some consumers may not take the necessary care if they believe it’s the bank’s liability rather than their own.
- Lead to further de-risking of accounts by financial institutions. While there are many mule accounts that need to be closed, there will be false positives that result.
- See further lobbying to make social media and telecoms firms do more to help prevent scammers from abusing their platforms.
We’ve started to see increased regulation elsewhere, too. For example, the Monetary Authority of Singapore (MAS) has taken a number of steps including banning links in emails and texts from banks and lowering default payment limits. One bank has had its regulatory capital increased by $240m!
The Estonian Central Bank has mandated real-time inbound payment profiling, to reduce the level of money laundering. And in the US we have seen Reg E confirmed as providing coverage where fraudsters scam access to accounts, although falling short on authorized transactions. And the pressure is piling on as recent lawsuits show.
Given the volumes of fraud across the globe, the increasing number of real-time domestic payment schemes, and cross-border payment speeds increasing too, it is likely that many other countries will start to increase the regulation on authorized fraud and scams. The levels of consumer detriment cannot continue to be ignored, nor can the negative impact on economic growth. Elements of the UK regulation are a great starting point, as they help create the business case for investment. However, this should be built on to ensure that real-time payments can deliver for the end consumer.