Lessons in managing Real-Time Payments Fraud: A guide for Canada

The RTR is expected to provide a whole host of new opportunities for financial services providers and consumers in the Canadian payments landscape.

However, along with the opportunities and benefits of speed, finality and always-on payments, there are also new fraud threat vectors that criminals will also be ready to take advantage of.

This puts Canadians at greater risk, as fraudsters’ new tactics will be targeted towards a lack of understanding of RTP’s features.

While the methods of fraudulent activity may remain the same, criminals will come up with innovative derivatives of traditional fraud types to evade detection.

For instance, account takeovers and identity theft may complicate the fund recovery process and the identification of intricate fraud patterns for banks. Increased speed of transactions and reduced clearing and settlement times would leave limited time to review and flag transactions for suspicious activities, resulting in higher than expected fraud rates.

To add to these challenges, the monetary impact of fraud on the end customer is expected to be further magnified. Most of the countries that have moved to RTP have experienced a rise in fraud.

A key example of increased fraud accompanying the launch of RTP is evidenced in the UK, where there was a 132% increase in online banking fraud in 2008, the year RTP was introduced¹. Despite all the measures taken, fraud incidents tripled within three years of launch, highlighting fraudsters’ adapaptaibility to exploit new systems.

The launch of US-based digital payments network Zelle in 2017 further strengthens the sentiment, as US banks reported initial fraud losses as high as 7% of the payment value.⁶

Based on the deployment of RTP networks globally, we see three key influences on fraud.

Time pressure

The increased payment velocity associated with RTR payment messages will present a significant challenge in detecting suspicious transactions in real time due to the limited time available for thorough monitoring and analysis. The real-time processing and settlement of payments will leave a shorter window and limited resources for fraud operations teams to conduct thorough checks and assessments to investigate and block fraudulent transactions, and to recover funds.

Further, fraud trends and metholodogies will evolve in an attempt by bad actors to exploit the new RTR capabilities to their advantage. As a result, traditional methods of transaction monitoring such as rule-based engines to analyze predefined patterns and manual review processes may be inadequate to effectively identify suspicious activities.

Innovative and advanced fraud detection systems that use machine learning, artifical intelligence and big data analytics to process and analyze transactions in real time are required to promptly detect and prevent fraudulent transactions.

System vulnerabilities

New infrastructure, connections and processes with RTR can inadvertently create system vulnerabilities that fraudsters may exploit. These vulnerabilities may present themselves in the form of silos between payment rails and channels, leaving gaps in the fraud monitoring and detection process.

For instance, each payment channel — such as mobile banking, online banking and point of sale — integrated to the rail may have its own set of fraud detection rules and algorithms that may not be synchronized or updated in real time, leading to inconsistencies in fraud detection across different channels. Fraudsters can exploit these inconsistences and gaps to bypass certain security measures.

These vulnerabilities may also present themselves in the form of weak entry points in system architecture or processes, resulting in unauthorized access to sensitive financial data.

Additionally, lax onboarding practices may result in a rise in “mule” bank accounts  scammers use to launder funds. These accounts are often the main tools for the movement of fraudulent funds.

As a result, it will be crucial for RTR participants to actively identify and address potential vulnerabilities with their own systems and those of third parties to safeguard the integrity and security of the overall payment ecosystem.

Workforce capacity

The anticipated widespread adoption of Canada's RTR, coupled with the expected surge in payment volumes, will put significant pressure on the workforce responsible for real-time alert monitoring. Financial institutions must proactively equip their workforces with the necessary capacity and tools to efficiently handle the larger volumes of alerts to ensure timely review and response.

It will be critical for financial institutions to optimize their workforces’ ability to promptly detect and address suspicious activities by investing in automated decision-making fraud engines to reduce manual effort and potentially outsource the monitoring and detection capabilities to lower-cost geographies.

These measures will aid in effectively reducing the risk of fraudulent transactions going undetected, reduce fraud losses and promote cost efficiencies amid the heightened workload associated with increased transaction volume.

Global experience shows that fraudsters will be quick to adapt and exploit the vulnerabilities presented by RTP processing, using various techniques to orchestrate fraudulent activities and increase their chances of success. Therefore, financial services providers have to deploy and continually enhance their fraud solutions to manage their losses.

RTP systems have evolved rapidly since inception, transforming the traditional payments landscape by replacing the slow and batch-oriented payment processing with instant, 24/7 transaction capabilities to equally benefit individuals and businesses.

However, while implementing RTP, regions around the world have faced various fraud challenges stemming from the increased speed and finality of the payments. Fraudsters exploit vulnerabilities in the system, leading to an uptick in fraudulent transactions, account takeovers and identity theft, resulting in unrecoverable fraud losses for end customers and banks.

Additionally, social engineering, coupled with the urgency associated with RTP, makes end customers susceptible to phishing attacks, malware and other forms of cyber fraud. These challenges demonstrate the need for robust fraud prevention measures, collaboration among stakeholders for cross-sector intelligence sharing, and the implementation of advanced technologies such as machine learning and predictive modeling to ensure the security and integrity of RTP systems.

The impact of fraud on RTP globally highlights the importance of proactive and adaptive approaches to security as the payments ecosystem continues to evolve.

Joining forces to share collective knowledge on learnings from global implementation of RTP can be effective in building a resilient ecosystem to combat fraud. During Sibos 2023, Swift’s annual financial services event, the EY organization hosted a roundtable at EY offices with regulators and system operators from around the world to understand the lessons learned from RTP deployments and discuss preventive techniques to mitigate fraud. The following four lessons and key actions were top of mind during the conversations with global market regulators and opertors.

Lesson 1: It’s critical to drive the right financial and reputational incentives

Driving the right financial and reputational incentives for financial institutions is crucial in RTP fraud prevention. Incentives shape behavior and encourage stakeholders to prioritize security. Different countries have implemented and proposed distinct measures to incentivize financial institutions to reimburse their customers for losses.

The UK’s Payment System Regulator has introduced new requirements for authorized push payment scams under the Financial Services and Markets Bill, which is expected to come into force in 2024. These new requirements will require both sending and receiving institutions to split the amount of reimbursement 50-50 through shared liability to cover 100% of consumers’ authorized push payment losses.

The EU has proposed similar regulatory mandates under Payment Services Directive for payment service providers to provide refunds to victims of authorized fraud involving manipulation and coercion.

Tactics around aligning incentives with fraud prevention measures will prompt sending and receiving financial institutions to tighten their fraud controls to prevent real-time fraud from occurring, all while safeguarding their own reputation and the reputation of the wider RTP network.

Lesson 2: Application of advanced technology

Technology plays a critical role in enabling the timely detection and prevention of fraudulent RTP activities. Using advanced technologies such as artificial intelligence, machine learning, data analytics and behavioral biometrics, financial institutions can analyze vast amounts of transactional data in real time, identifying and flagging suspicious patterns or activities. Behavioral biometrics have been shown to work exceptionally well for RTP systems in the UK and Australia to detect unauthorized account takeovers and impersonation scams.¹⁶

In the UK, the implementation of Confirmation of Payee, a name-checking service that allows users to verify the matching of a beneficiary’s name account number, was mandated for the six largest banks and is currently offered by 85 organizations. The goal is to include 400 payment service providers by October 2024, demonstrating the continuous enhancement of authentication and verification processes.

Additionally, partnerships between banks and payment service providers are enhancing real-time anti-fraud measures powered by behavioral biometrics and device profiling capabilities.

In France, the implementation of a centralized database of fraudulent or high-risk International Bank Account Number (IBAN), using Malware Information Sharing Platform (MISP) infrastructure to store data, is under consideration.

In the broader European Union we are seeing legislative proposals for mandated IBAN and payee verification services for all euro-denominated instant payments.

Lesson 3: Collaboration is critical for intelligence sharing

In the fight against fraud, effective collaboration among financial institutions, technology providers, regulatory bodies and law enforcement agencies is essential. Sharing information and insights regarding emerging fraud trends, tactics and patterns allows stakeholders to collectively stay one step ahead of fraudsters.

The UK is introducing provisions to help prevent, detect and investigate fraud under the Economic Crime and Corporate Transparency Bill. Furthermore, the UK has used the National Economic Crime Centre, a multi-agency organization, to share intelligence between law enforcement, government departments and regulators.

Similar proposals are underway in the EU to introduce a new legal basis under the General Data Protection Regulation (GDPR) for payment institutions to share data.⁵

FedNow, the US RTP infrastructure that is available 24/7/365, allows for payment message verification through negative lists that can be enabled by the sending or receiving RTR participant in an effort to prevent the transfer of funds to and from suspicious accounts at other institutions. In addition, participants are mandated to notify the FedNow service of transactions they have investigated and confirmed to be fraudulent; this information is then reported to the other financial institituon involved in the transaction of the fraudulent activity to take action.¹⁵

The National Anti-Scam Centre introduced by the Government of Australia enbles banks and telecommunication companies to share data and collaborate to combat fraud.¹⁰ This sharing of data and information helps warn institutions of potentially fraudulent or suspicious account activity.

French interbank payment Community STET offers instant fraud scoring services to banks based on ecosystem data in accordance with privacy laws and regulations.

Lesson 4: Educating customers and employees

As RTP continues to gain momentum, the need to proactively educate customers and employees becomes paramount. Fostering a culture of security through awareness and education empowers customers and employees to make informed decisions and protect against fraud, further allowing institutions to enhance trust around RTP.

The UK is taking a strong educational stance with respect to RTP. Campaigns such as Take Five and Scamsmart by UK finance, and others by government, technology companies and the Financial Conduct Authority aim to spread awareness around fraud.

Additionally, there are initiatives such as the Banking Protocol rapid response scheme, which has been implemented through collaboration between UK Finance, National Trading Standards and local police forces to help train employees to spot and stop suspicious transactions.²

In the EU, the Cyber Information and Intelligence Sharing Initiative aims to create customer awareness and share cyber intelligence leading practices such as threat-based decisions regarding defensive capabilities, threat detection techniques and mitigation strategies.⁶

Australia employs resources such as Scamwatch, a website run by the Australian Competition and Consumer Commission, to help provide information to consumers and small businesses on how to recognize, avoid and report scams.¹¹

The US Government provides online educational videos and tools to demonstrate different types of payment fraud and how to mitigate the associated risks.^{13, 14} Similar customer awareness campaigns are being conducted by French banks and banking federations.

Education is a cornerstone in building a secure and trustworthy environment for RTP for individuals and institutions alike.

It will be vital for financial institutions, regulatory bodies, technology providers and consumers to take a collective approach to combat the rise of fraud with the adoption of RTP in Canada. Although fraud cannot be entirely eradicated, controls should be implemented to help mitigate fraud risks and losses.

As seen in the US and the UK, fraud losses increased 164% in less than two years after the launch of RTP services.¹⁷ However, resilience is critical: as controls continued to be strengthened after launch, attack rates and fraud losses gradually plateaued. As more data became available to fine-tune controls, the losses stabilized, while methodologies would continue to evolve into a push-and-pull battle with controls.

Bad actors will continue to attempt to circumvent controls. However, jurisdictions with implemented RTP systems have experienced that stronger controls typically lead to reduced fraud losses. A key takeaway from the launch of Faster Payments, the UK’s real-time payment service, was that investment in fraud detection technology ahead of the RTP service launch is critical.¹⁷

Depending on your fraud program’s maturity, certain tools to combat fraud at launch can prove to be more vital, and more effective, than others. It will be imperative to launch fraud controls simultaneously with the launch of RTR, continually enhance the controls post launch and collaborate with ecosystem participants beyond launch to counteract the evolving fraud vectors that extend beyond the ecosystem. This is especially true when considering a cost-benefit analysis, and your organization’s risk approach and appetite.

The following tactics aim to highlight a number of approaches financial institutions can take to better prepare for the launch of the RTR and to stabilize fraud losses post launch.

1. Regulatory framework

1.1 Collaboration with government and regulators

To be prepared for RTR, it’s important for financial institutions to work collaboratively with government entities and regulatory bodies to introduce policies that address and support real-time fraud monitoring capabilities. By aligning the policies with the needs of RTR fraud capabilities, financial institutions can enhance their ability to detect and prevent fraudulent activities. Further, institutions and Canada’s Anti-Fraud Centre can enhance collaboration and data sharing to develop more detailed reporting and enable enhanced knowledge sharing to the public.

1.2. Well-defined transaction liability model

Financial and reputational incentives can be key drivers for participants to actively adopt fraud prevention measures and take responsibility for keeping the payment ecosystem secure. While it is essential to establish a clear assignment of liability for the transaction, considering a shared liability model will encourage collective responsibility for fraud.

1.3. Established data sharing and privacy requirements

Effective fraud prevention relies on a robust network of fraud analytics. To achieve this, it is important to have clearly defined data-sharing and privacy requirements. This promotes the development of advanced fraud detection and prevention mechanisms, employing real-time analytics to identify suspicious patterns or activities.

2. Industry collaboration and intelligence sharing

2.1. Real-time data sharing

It is crucial to establish real-time data sharing between sending and receiving institutions to enable the real-time exchange of transactional data, allowing for immediate detection and prevention of fraudulent activities. It is equally vital to create close collaboration between business and cyber-intelligence teams and establish a joint command centre for the continuous updating of controls and effectively communication of these changes to customers.

2.2. Shared risk list/database

A centralized database for participating institutions to collaborate and share information regarding known fraud incidents, fraudsters’ modus operandi and emerging fraud trends will be effective in combating fraud. By collectively sharing this information, institutions can proactively identify potential vulnerabilities and take preventive measures to mitigate the risk.

2.3. Cross-sector collaboration

Collaboration involving participants such as financial institutions, law enforcement agencies, technology providers and regulators will allow for collective efforts to be made in identifying fraud patterns and resolving vulnerabilities that may span across different sectors. This collaborative approach will offer stakeholders an exchange of experience , resources and leading practices, leading to a more  broad and robust fraud prevention strategy.

3. Operational readiness

3.1. Efficient monitoring and reporting

To cope with the expected surge in fraud alert volumes, financial institutions will need to implement efficient monitoring and reporting mechanisms by using advanced analytics and machine learning capabilities to automate the process of detecting suspicious transactions, generating alerts and escalating high-priority cases for further investigation. By streamlining these processes, institutions can optimize their resources and response times so they can take timely actions to help mitigate potential fraud risks.

3.2. Controls to backstop mass fraud

To be prepared for unforeseen potential mass fraud incidents, it is essential to have controls in place to backstop participating banks and other participants. This entails establishing centralized controls at the network level, contingency plans, response protocols and collaboration frameworks to swiftly address and contain any large-scale fraud events. These actions collectively serve as a safety net and provide assurance for the participants in the event of a significant fraud incident.

3.3. Extended support

To support the implementation of always-on 24/7/365 payments and effective fraud monitoring, it’s essential to provide extended support systems. This includes ensuring that the necessary technical infrastructure and operational teams with the right skills are in place to handle the increased demands of continuous payment processing and real-time fraud monitoring.

4. Real-time analytics and technology

4.1. Strong multi-factor authentication

By implementing robust multi-factor authentication measures, financial institutions can significantly reduce the risk of unauthorized access or fraudulent transactions, providing an additional layer of protection to real-time payments.

4.2. Automated technology

Automation streamlines various aspects of payment processing, including transaction monitoring, data analysis and response mechanisms. By automating these processes, financial institutions can expedite the detection and prevention of fraudulent transactions, reducing the reliance on manual intervention and significantly reducing the time required to address potential threats. By using machine learning and artificial intelligence, banks can analyze transaction data to learn and adapt to new fraud patterns, enabling real-time detection and prevention.

4.3. Real-time fraud engine and machine learning capabilities

By integrating real-time fraud engines that use advanced algorithms and machine learning capabilities, financial institutions can constantly analyze and evaluate transactional data and fraud patterns in real time. This may enable them to swiftly identify and flag suspicious activities, allowing for detection and immediate flagging of RTP fraud attempts.

5. Training and awareness

5.1. Strategy for customer awareness

Financial institutions can create stronger awareness among end users by sharing information on the risks associated with RTP fraud and security tips, including creating strong passwords, being cautious of phishing attempts, regulary monitoring account activities and staying up to date with fraud and scam educational campaigns, newsletters and emails.

5.2. Workforce training and continuous enhancement

Continuous training and professional development initiatives ensure that the workforce remains skilled and equipped to handle the evolving challenges in real-time processing. Providing employees with training on various types of RTP fraud, including common fraud schemes and red flags to spot and stop fraud will ultimately enhance the overall efficiency and security of the payment ecosystem.

5.3. Forum establishment

Establishing a dedicated fraud forum comprising representatives from financial institutions, technology providers, government agencies and relevant industry bodies will serve as a platform for discussion, knowledge exchange and the development of leading practices in real-time processing. It will help enable the industry participants to share details on new fraud patterns and threats and to collaborate on innovative solutions to enhance the security of RTP.

Conclusion

In the ever-evolving landscape of RTP, the battle against fraud remains an ever-present and increasing challenge. As technology advances, so do fraudsters’ tactics, highlighting the need for continuous vigilance and innovation in fraud prevention strategies.

Customers should not be the first line of defence; banks must take a proactive approach and adopt renewed real-time fraud preventions to catch RTP criminals in action. By fostering collaboration among stakeholders, embracing modern technology and employng robust regulatory frameworks, we can safeguard the integrity of RTP.

Fraud will persist, so participants must remain committed to combating fraud to ensure the successful evolution of a secure and trustworthy payment ecosystem, so that the benefits of real-time payments can be fully realized. 

Like what you’ve seen? To learn more about our latest thinking and services, visit our Payments and FinCrime resources.