2022 may well go down in financial history as the year that everything changed for bank fraud prevention. It was the year that saw a seismic shift in the evolution of scams and the way that banks are expected to deal with them.
Scams are everywhere
I first heard about Authorized Push Payment Fraud in the UK in 2015. At the time it looked like an unnervingly clever yet anecdotal one-off scam that couldn’t possibly be scaled up to become the number one threat… But over the past 7 years, authorized push payment (APP) fraud has mushroomed into an international scam movement.
By now, everybody has heard of social engineering scams, and it seems like they are everywhere. The problem has spread out from the UK to cover most of northern and western Europe, hit the shores of Australia, and is now becoming a common issue in the US too. Today there are multiple “types” of APP scams, including romance scams, crypto scams, investment scams, and many more.
Losses to APP fraud have outstripped those to “traditional” online banking account takeover (ATO) fraud by a massive margin; in the UK, approximately $250 million were lost to APP scams in H1 2022, while a relatively low $65 million went to ATO fraud. Not surprisingly, financial regulations are changing in response, and so are the expectations that people and financial services bodies have from banks.
Fraud detection and prevention rules are changing
As losses to APP fraud mount up, financial regulatory bodies are adapting the requirements they impose upon banks to help prevent fraud. In the UK, the Payment Systems Regulator (PSR) is proposing that banks will now need to refund 100% of losses to APP fraud, unless they can prove gross negligence by the account holder. It’s a big departure from the current reality of voluntary reimbursement.
What’s more, the newly proposed regulations require the bank hosting the account that receives scam moneys to bear 50% of the cost of reimbursing losses, which was an even bigger shock to the banking system. The wake-up call is particularly loud for challenger banks. Because they tend to be entirely digital, they are more attractive destinations for fraudsters to open an account, but they have so far escaped exposure to APP fraud and haven’t had to give it much attention.
But spotting these scams is a new level of challenge
There’s a reason why APP frauds used to be considered unpreventable. It’s incredibly difficult for banks to spot them because they seem authentic. After all, the legitimate account holder is entering their real identification credentials to make a payment they agreed to make.
Initially there were very few signals and very little context to help fraud prevention teams detect the scam. Nowadays the situation is far better: Anomaly detection using transaction monitoring is now supplemented by micro-behavioral biometric modeling, and data sharing with the originating bank is taken seriously and has ambitious plans. Still, all these signals combined are likely to throw up an enormous amount of false positives, pushing the rate to somewhere north of 98%. Banks would annoy the vast majority of their customers if they followed up every anomaly that could possibly be hiding APP fraud, and most mules running an account for criminals would have been coached to present a convincing cover story.
Yet both banking customers and financial regulators expect banks to know their clientele well enough as individuals to be able to spot fraudulent behavior, even when it’s as subtle as APP fraud. In other words, the entire liability framework is based on the assumption that the bank really, really knows the customer.
Banking relationships have moved on
Expecting banks to really know their customers is deeply rooted in the centuries-old role that banks played in the economy, but the last 25 years have made this perception of banking-customer relationship a bit, well, outdated. Sure, once upon a time each customer had a personal banker who knew them by name and was familiar with all the details of their financial history, but that’s not the case any more. How well do banks really know their customers today? I’ll leave you with that thought.
I wrote about this in more detail on Finextra - read the article.