Why is this a challenge?
As a result of consumers’ widespread digital adoption of real-time payments combined with heightened protection expectations and the ramping up of sophisticated scams, we now find the rules that govern digital payments liability — Regulation E — in the crosshairs. For nearly 50 years, Reg E has stated that banks must protect customers from unauthorized transactions. That means that if the account owner did not authorize the transaction to be sent or debited, the bank could be responsible. This has led to a significant amount of investment by sending banks to “lock down” the front door to banking and payment applications, while behind the scenes they have controls on dollar values, velocity and sender behavior. Things like digital identity, multifactor authentication (MFA) and passwords help the bank authenticate the authorizer of the payment, but very little has been done to lock down the receiving side of the transaction — where the funds go. If a bank knows it is only liable for the unauthorized send and nothing on the receiving side, its data, rules and protections focus on the sending side.
Possibly expanding or reinterpreting Reg E
At present, there is a growing interest among customer protection groups in expanding (or reinterpreting) Reg E to cover transactions that were “authorized” through coercion — that is, the sender actually sent the money, but they were duped as to whom and why they were sending it. This is a logical track, for if someone impersonating a bank (a spoofer) convinces a customer that their financial future is in peril and they need to act now, the customer has been coerced into sending the funds and thereby authorizing the transaction. But questions remain on how to prove coercion to validate a claim for reimbursement.
In addition to the potential expansion of Reg E to cover transactions that were authorized through coercion, there has been a general discussion about shifting liability, i.e., having the receiving bank put some “skin in the game” or incur liability for harboring the scammers. Are they allowing funds to flow abnormally into a bank account without examining the volume, velocity or “unusual activity” from a fraud lens? And do they have to reimburse “ill-gotten” funds to the sending bank/sender if coercion is proved? Some payment schemes have suggested that the receiving bank be responsible for reimbursement if their customer is the “scammer.” In the United Kingdom a rule is being considered that would have the receiving bank split the liability with the sending bank on a 50/50 basis.
What should be done about it short-term?
Regardless of where the rules and the liability end up and what drives the changes (customer expectations, an overhaul of the regulation, or something in between), banks should prepare and invest in the receiving side of the transaction and put in place controls, monitoring and strategies to prevent, detect and respond to (by sharing data within their network) fraud that their receiving customers could be perpetrating.
Additionally, payment types that were developed as irrevocable under the former understanding of Reg E — real-time payments, FedNow and Zelle — will have to reconsider the irrevocability principle. Should these payments be truly irrevocable if there is a caveat on receiving-side liability? Processes will need to be put in place for banks to investigate and resolve these fraud claims and ultimately rid their customer rolls of fraudulent receiving behavior.
As such, financial institutions and payment providers are rapidly pivoting to improve customer protection and scam prevention, with success requiring tight collaboration between fraud and business teams. Banks need to take near-term and strategic steps to remain aligned with customer expectations and rapidly evolving peer practices.
Below are three tactical and three strategic steps banks can initiate today:
Tactical steps
- Improve client education. Design and deploy proactive tailored messaging to customers to increase scam awareness and intercept attacks.
- Apply fraud tools and processes to both the sending and receiving side of transactions. Scoring the risk on both sides of the transaction will better identify suspicious activity, reduce the lifespan of mule accounts (bank accounts used by consumer fraudsters to collect ill-gotten gains), and devalue the fraud as a whole.
- Using these insights, banks should consider introducing incremental friction in the payment process to slow the transaction and contact the consumer in or out of channel to further the effort to interdict fraudulent or coerced transactions.
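As an added illustration of what receiving-side scoring can look like in practice (example code written for this page, not the article's own or any vendor's), the script below computes three recipient-side indicators over a small constructed ledger: inbound velocity in a 24-hour window, the number of distinct senders, and the share of credited value that is swept out again within two hours of arriving. The account names, amounts, thresholds and weights are all hypothetical; a real deployment would calibrate them against the bank's own baseline for each customer segment and would feed the resulting score into the friction and customer-contact steps described above.

```python
"""Receiving-side risk scoring over a constructed ledger (added example)."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)     # velocity window (hypothetical)
SWEEP_GAP = timedelta(hours=2)   # "fast sweep-out" horizon (hypothetical)

# Constructed ledger rows: (timestamp, account, direction, amount, counterparty)
LEDGER = [
    # acct_mule: many credits from distinct senders, swept out within hours
    ("2024-05-01T09:00", "acct_mule", "in", 1200.0, "sender_a"),
    ("2024-05-01T09:20", "acct_mule", "in", 950.0, "sender_b"),
    ("2024-05-01T09:45", "acct_mule", "in", 1800.0, "sender_c"),
    ("2024-05-01T10:05", "acct_mule", "out", 3900.0, "exchange_x"),
    ("2024-05-01T13:10", "acct_mule", "in", 2100.0, "sender_d"),
    ("2024-05-01T13:40", "acct_mule", "out", 2050.0, "exchange_x"),
    # acct_payroll: one regular credit that is spent gradually
    ("2024-05-01T08:00", "acct_payroll", "in", 3000.0, "employer_co"),
    ("2024-05-03T12:00", "acct_payroll", "out", 120.0, "grocer"),
    ("2024-05-05T18:00", "acct_payroll", "out", 800.0, "landlord"),
]


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def account_features(ledger, account):
    """Recipient-side indicators for one account."""
    rows = [(datetime.fromisoformat(ts), d, amt, cp)
            for ts, a, d, amt, cp in ledger if a == account]
    inbound = [(t, amt, cp) for t, d, amt, cp in rows if d == "in"]
    outbound = [(t, amt) for t, d, amt, cp in rows if d == "out"]
    total_in = sum(amt for _, amt, _ in inbound)

    # Outbound value that leaves within SWEEP_GAP of some prior credit
    swept = sum(amt_out for t_out, amt_out in outbound
                if any(timedelta(0) <= t_out - t_in <= SWEEP_GAP
                       for t_in, _, _ in inbound))
    return {
        "inbound_velocity": max_in_window([t for t, _, _ in inbound], WINDOW),
        "distinct_senders": len({cp for _, _, cp in inbound}),
        "pass_through_ratio": min(swept / total_in, 1.0) if total_in else 0.0,
    }


def risk_score(features):
    """Simple weighted score; weights and cut-offs are hypothetical."""
    score = 0
    if features["inbound_velocity"] >= 3:
        score += 30
    if features["distinct_senders"] >= 3:
        score += 30
    if features["pass_through_ratio"] >= 0.8:
        score += 40
    return score


def score_accounts(ledger, threshold=70):
    """Score every receiving account and flag those at or above threshold."""
    result = {}
    for account in sorted({row[1] for row in ledger}):
        feats = account_features(ledger, account)
        feats["score"] = risk_score(feats)
        feats["flag"] = feats["score"] >= threshold
        result[account] = feats
    return result


if __name__ == "__main__":
    for account, feats in score_accounts(LEDGER).items():
        print(account, feats)
```

In this constructed sample the mule-pattern account scores 100 and is flagged, while the payroll account scores 0; the point is that none of these signals require knowledge of the sending customer, so they can be computed by the receiving bank independently of whatever the sender's bank observed.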
Strategic initiatives
- Invest in data: Create a pipeline of new internal and external data sources to enhance proactive identification of risk indicators (e.g., the payment recipient profile; network-generated insights about the recipient). Share data as appropriate with network participants to work effectively.
- Expand artificial intelligence/machine learning (AI/ML) capabilities: Prioritize initiatives to build out real-time risk insights and customer journey selection capabilities based on contextual information.
- Revisit and modify the customer journey with an updated view of the financial impact of projected losses, the tools and investments required, and the target levels of friction across the lifecycle.
The need to drive greater industry collaboration
Longer-term, financial industry sector and cross-sector collaboration is needed to engage the broader ecosystem in the prevention of payments fraud and scams. This can be supported by considering the following four actions:
- Have frequent and candid exchanges, coupled with timely reporting, to drive active collaboration between financial institutions about where and how fraud and scams occur and who is involved. A single bank’s success in thwarting fraud is a short-sighted solution because it fails to devalue the fraud as a whole, which further enriches the coffers that fund the development of new tools and methodologies used by fraudsters.
- Build out cross-sector collaboration. Actively working with telecommunications, social media, advertisers and law enforcement will engage the broader ecosystem in the prevention of fraud and scams, along with greater effectiveness for law enforcement agencies in the arrest and prosecution of those involved.
- Ensure that the operating systems or networks are evolving the rules of engagement and liability to drive the optimal behaviors in preventing and detecting fraud and scams.
- Develop sector or even cross-sector investments in education, both to ensure that ongoing fraud education programs are more comprehensively and aggressively targeted and accepted by consumers, and to ensure that all FIs are armed with a common level of knowledge and an equal opportunity for success in preventing and detecting fraud and scams.