To move forward, we must look back

In Part 2, Neira Jones continues her analysis of faster payments and fraud with this look into how corporates and fintechs are impacted.

New Expectations on Firms

The more consumer behaviours change and the adoption of new technologies increases, such as machine learning (e.g. AI-driven financial apps, chatbots) and the IoT (e.g. payment wearables, home assistants), the more criminals find opportunities to exploit vulnerabilities. Indeed, fraudsters benefit from an ideal playground: the combination of digital interactions, the systemic failure of organisations to keep pace with the security measures needed for new technologies, readily available personal data that can be harvested from the many data breaches that have or have not made the news, and the willingness of many retailers to relax their risk controls during peak transaction times to approve more orders (such as during world sporting events or holiday periods).

The financial services industry is not immune: despite the fact that it has always been heavily regulated, and therefore security and fraud prevention mechanisms are generally stronger than in other industries, fraudsters are still successful through social engineering (e.g. tricking customers into transferring funds to a mule account, or giving away credentials). The new fintechs should watch out: fraudsters see them as easier targets than traditional financial services companies, and attempt to use new and emerging platforms to exploit gaps in process and infrastructure (e.g. “Loan Stacking”[1]), targeting account logins and payment transactions.

In all cases, stolen data (and identities) will be used by criminals for two main purposes: opening new accounts (which can lie dormant for periods of time and then be used to make payments using stolen card details) and taking over existing accounts (to purchase goods and services, steal credentials and payment details). In this landscape, organisations should focus on:

Detection:

  • Establish transactional data & customer behavioural analytics
  • Educate employees to identify payments that are at a high risk of APP fraud
  • Monitor new technologies and automate where possible and appropriate

Prevention:

  • Provide their customers with effective warnings (including the appropriate actions for customers to protect themselves against APP fraud)
  • Open accounts in line with legal and regulatory requirements on customer due diligence
  • Use available shared intelligence sources and industry fraud databases to screen customer accounts
  • Implement confirmation of a payee in a way the customer can understand
  • Avoid regulatory silos (data protection & privacy, money laundering, open banking, etc.)
  • Monitor new technologies and automate where possible and appropriate

Response:

Where APP fraud is suspected:

  • Delay making payment while they investigate and/or notify the receiving firm
  • Implement best practice communication standards for corresponding with the paying and/or receiving firm
  • Freeze any remaining funds and take steps to repatriate funds to the customer as soon as possible

The Ecosystem Interplay for Fighting Fraud in a Faster Payments World

In our fast-moving digital world, regulators are trying to address the multi-faceted challenge of protecting consumers whilst fostering innovation and economic development. And whilst the regulators grapple with their long regulatory cycles and try to make regulations future-proof, the world moves on. As the socio-economic landscape evolves and consumers adopt more and more technologies, and share more and more data, they also demand safety and privacy. So we are faced with an ever-growing attack surface as well as a complex regulatory maze.

In conclusion, do Faster Payments mean Faster Fraud? Well, it depends on whether you learn from the past or not…

[1] Where new loans are applied for using an infiltrated account, using one loan to pay off the next until the loan value is inflated to the maximum amount available, which is when the criminal defaults on payment.

Posted by Neira Jones

Neira Jones is an independent advisor and international speaker, partner for the Global Cyber Alliance, and ambassador for the Emerging Payments Association.