To move forward, we must look back

An Example from the UK: Faster Payments (FPS)

Those who cannot remember the past are condemned to repeat it[i].

Never truer words when applied to real-time or faster payments! And to prove it, let’s examine the journey of the UK Faster Payments System(FPS), probably the oldest implementation of real-time payments worldwide. FPS was launched in May 2008 (yes, that’s 11 years ago!) and allows customers to make electronic payments almost instantaneously, 7 days a week, 24 hours a day. The payments are typically made by internet banking (but can be done by phone) to transfer money between accounts, to other people, pay bills, or make regular standing orders. In mid 2009, Direct Corporate Access was introduced, enabling corporate customers to submit bulk immediate payments and agency banks to join. This was a major driver of FPS volumes as it enabled a number of improvements in corporate payments:

  • Contingency for late BACS payments where value date is critical (e.g. salary payments)
  • Weekly payroll
  • Staff expenses
  • Customer service refunds
  • Access for financial institutions that were not FPS members but required FPS capability for their online & telephone operations

So far so good, and by the end of 2009, about 300,000 payments were processed through the scheme. But a fly in the ointment suddenly appeared: online banking fraud increased by 132% in 2008, with losses totalling £52.5 million, compared to £22.6 million in the previous year:

One can be forgiven for thinking that, on the surface, this massive surge in fraud was attributable to the introduction of FPS. However, this was not the case, as the UK FPS implementation body confirmed that there had been no increase in fraud as a result of FPS’ introduction, nor any new types of fraud. Indeed, one of the significant factors was the rise in online banking usage:

This was also combined with:

  • Nearly 44,000 phishing websites specifically targeting banks and building societies in the UK at that time;
  • The economic recession causing more fraudulent activity.

As fraud levels before FPS compared to fraud levels in the second half of 2008 remained consistent with previous fraud trends, there was in fact no evidence that FPS was to blame (and let’s not forget that only 300,000 payments had been processed at that time).

So in the early days of FPS, the answer to the question “Do Faster Payments Lead to Faster Fraud?” was most definitely no. Evidently, as the fraud increase in 2008-2009 could not be attributed to the launch of Faster Payments, the transaction limit was increased from £10K to £100K, this being further evidence that fraud was not much of a concern.

However, as FPS volumes rose (4 billion payments in 2014), a number of factors became conducive to fraud:

  • Transaction limits had been the main fraud risk mitigation tool;
  • There was no equivalent of the card “authorisation” message (as when using the card rails), and no payment guarantee to the recipient;
  • Until funds are received (3 days for BACS, up to 2 hours for FPS) there is no certainty of payment;
  • There is no guarantee that a payee’s account has sufficient funds to be able to honour a direct debit;
  • AML regulations, whilst in place, were not as strong as they are today;
  • Cooperation on threat intelligence in the financial services sector was lacking;
  • Only sort code & account number were checked for processing a payment (no Confirmation of Payee);
  • Once processed, payments are non-refundable. (or involve costly manual intervention);
  • The continuing increase in online & mobile usage;
  • Criminals have now had sufficient time to understand how the system works, and what its vulnerabilities are

2014: Authorized Push Payment Fraud (APP) Starts to Emerge

At that time, fraudsters remained largely unpunished, and consumers faced painful processes to recover missing funds. By the end of 2015, this remained an issue. In September 2016, APP scams are still raging, as the environment is conducive as risk management approaches and fraud prevention mechanisms differ across the board. This was when UK consumer protection group Which? challenged the regulators via their Super Complaint.

A year later in November 2017, the UK Payment Systems Regulator issued a statement in reply to the Super Complaint, and a year later in September 2018 an Industry voluntary code of conduct for Contingent Reimbursement was adopted, for implementation early 2019. And in October 2018, the Confirmation of Payee functionality specification was released (not available in the original FPS) for deployment in 2019, although, this has now been delayed until 2020.

Lessons Learned

As the UK is in the process of overhauling its banking rails, those geographies planning to implement new real-time payment schemes should take advantage of the lessons learned from FPS and organisation should pay particular attention to:

  • Preventing the creation of or disabling mule accounts
  • The increase in phishing, leading to Business Email Compromise, leading to APP fraud
  • The increase in ID Theft, leading to Account Takeover (ATO) fraud
  • Developments in authentication and digital identity solutions
  • The increase in cybercrime (e.g. new types of malware targeting banks and vulnerable customers)
  • Consumer education (e.g. APP fraud awareness)
  • Industry cooperation (e.g. threat/ fraud information sharing)
  • Making sure that payment beneficiary details can be checked before any instruction is made (Confirmation of Payee)
  • Automated background checks, fraud prevention and threat intelligence, etc.
  • The creation of a fair Contingent Reimbursement model for payments sent in error, or for victims of fraud

Read Part 2 as Neira Jones continues her analysis of faster payments and fraud with this look into how corporations and fintechs are impacted.

[1] George Santayana-1905

Posted by Neira Jones

Neira Jones is an independent advisor and international speaker, partner for the Global Cyber Alliance, and ambassador for the Emerging Payments Association.