A joint post by Joanna Wisniecka and Bethany May
Rise in instant payments systems incites rise in fraud
Instant payments systems (IPS) are proliferating globally, conferring benefits to economies and ultimately, end users. These systems are making digital payments faster, easily accessible, and in some countries, more affordable than other existing payments methods. As IPS have gained traction, fraud schemes have increased – fraudsters are savvy, and relish the opportunity to attack a novel payments system where payments are instant and irrevocable.
IPS are facing increasingly sophisticated and ever-changing fraud schemes that can be classified into two categories:
- Unauthorized push payment fraud: Fraudulent payments initiated by fraudsters after gaining access to legitimate end-user accounts. These payments appear as having been initiated by the rightful account owner.
- Authorized push payment fraud: Fraud which materializes when an account owner authorizes a payment as a result of social engineering tactics, most often a scam.
Authorized push payment fraud is an especially troubling trend which is on the rise globally. As a result, IPS stakeholders are responding.
Advancing IPS fraud mitigation techniques
For end users – consumers and businesses – to benefit from these systems it is imperative that they are able to trust that their funds are not at risk of being stolen. To create and preserve trust we are observing a multi-pronged approach, with regulators, IPS participants (referring in this post to banks and non-banks that provide transaction accounts to end user and are eligible to participate in the IPS), IPS network operators, and third-party providers working towards the shared goal of increasing the safety and security of these systems.
Regulators are playing a more active role
Regulators tasked with overseeing financial institutions and consumer protection are taking note of the acceleration of fraud incidence and loss as IPS adoption increases. In response, we are seeing regulators take a more prescriptive approach towards IPS participant accountability and controls.
Recently, the UK government proposed to reclassify fraud as a national security threat reflecting its status as the most commonly experienced crime in the country; authorized push payment fraud due to social engineering in particular is a major and growing problem. The UK is also evaluating new regulations that would place more liability on financial institutions in cases of authorized push payment fraud. Specific to IPS, the Central Bank of Brazil, which is responsible for payments regulations and Pix system’s operating rules, has taken a highly prescriptive approach to participant requirements around authentication and fraud reporting. Even in the U.S., which tends to take a more principles-based approach to regulation, the calls are becoming louder for increasing consumer protections in cases of authorized push payment fraud and strengthening requirements and oversight of participants’ risk management practices.
Payments systems are enabling participants to mitigate fraud
As pressure on IPS participants to better manage (and prevent) fraud increases, we are starting to see IPS increasingly incorporate risk management tools directly into their core system. IPS are doing this carefully, balancing the need to strengthen controls across all participants without the IPS itself taking on the decisioning responsibility and the potential liability that comes with it.
The approach to risk management at the IPS participant level varies, but typically involves monitoring transactions to identify suspicious payments and prevent the processing of such transactions. If tools are provided by an IPS, participants may be able to do this more effectively. For example, Brazil’s Pix system requires stakeholders to report information on confirmed fraudulent transactions and makes the data available to other stakeholders, who can use this data to monitor their transactions (e.g., participant B learns of a bad actor identified by participant A and uses the data to prevent a fraudulent transaction by the bad actor). The U.S. FedNow system, expected to launch this summer, will enable participants to screen transactions against negative lists. We anticipate this approach to continue, with more IPS playing a similar role and offering fraud mitigation tools to participant.
IPS participants must mature their capabilities
Not all IPS participants are the same. They vary in type (e.g., financial and non-financial institutions), size (e.g., community banks to large, global financial institutions), and in their ability to manage payment risk. With increasing regulatory pressure, however, all participants will be required to achieve a higher level of minimum risk mitigation requirements. Given the sophistication and persistence of fraud rings, these minimum requirements will result in controls that will continue to increase in both sophistication and speed.
Savvy participants are improving their ability to identify, manage, and respond to fraud incidents with the goal of moving from a reactive posture to prevention. We expect a continued focus on and need for effective transaction monitoring solutions, proven end user fraud education strategies, customer authentication, and reporting capabilities. This spells opportunity for solution providers with innovative risk management solutions.
Risk management trends in instant payments are consistent with evolution of other payments systems (e.g., card systems). Looking ahead, we believe various parties will take on a greater role to reduce risk of fraud incidents in IPS.
In spite of this growing awareness and requisite need to take action, there is belief across all stakeholders that the benefits of IPS outweigh these risks. In order to realize the benefits, we expect to see:
- Regulators develop more prescriptive requirements in regulations
- Instant Payments Systems expand their fraud mitigation services to support participants
- Participants invest in controls that are effective in a 24/7/365 push payment environment
- Providers continue to emerge with innovative payments risk management solutions
To all the stakeholders out there, we’re rooting for you.