Instant payments and fraud
How banking institutions are fighting against fraud in a real-time world
With the advent of instant payments and the 24/7 availability and interconnectedness of numerous payment issuing channels, additional avenues have been opened to fraudsters for criminal activity. A world of instant payments means criminals moving money and extracting it immediately, making bank accounts fraud a very attractive business in both the retail and corporate space.
Fraudsters use a range of different methods to commit fraud. The below are some of the most commonly used:
- Application Fraud:
A fraudster can open an account using a fake or stolen identity which will be used for a number of illicit purposes such as applying to new banking products or moving funds from criminal proceedings
- Account Take Over Fraud:
A fraudster manages to control an account and immediately extracts money from it. He may use the account as a ‘money mule’ for the transfer and withdrawal of illicit funds as part of a wider network. Even if the legitimate account holder ever receives notification of any illegal transaction, he would not have any time to react.
- Authorized push payments:
A fraudster trick an account holder into transferring funds, by impersonating the boss for example, or he sends a fake invoice from a known supplier containing fraudster’s account details. The fraudster might have gleaned actual invoice data using social media research and intercepted the communication between the client and the legitimate supplier. The fake invoice could be sent by means of the ‘request to pay service’ prompting an instant payment in response.
There is a very fine line between responsibility and liability. In most of the fraud cases however, the latter remains on client’s side and it is rarely transferred to the banking institution. In some countries and for specific payment schemes such as UK-CHAPS, a customer is entitled to a refund if found victim of fraud. The vast majority of schemes do not offer such protections though, and the outcome is uncertain after an investigation ensuing the police report concludes.
In instances of account take over, there have been cases of legitimate account holders being denied of banking services or even being imprisoned.
Usually, clients have no capacity to perform a risk analysis on their transactions, and only the banking institution with access to huge amounts of data and resources can. This could justify a change in liability to the services provider in case of fraud. From a banking perspective this is still a complicated equation to solve, because laws around data privacy and tackling fraud are usually in opposition.
Clearly an industry wide approach setting rules and effective processes for the handling of fraud is necessary and the adherence of participants to a conduct code may be very useful. Besides, industry wide collaboration is crucial to fight against fraud because insights are needed from many data sources.
Banking institutions are launching initiatives to control fraud ranging from the introduction of refund mechanisms, to verifying payee details prior to issuing a payment, or being able to freeze bank accounts real-time. In addition, operational procedures around account opening are being reviewed, and fraud specialist are deployed around the clock to support clients.
Further to implementing necessary changes to regulation and procedures, the main focus is put on preventing fraud from happening in the first place rather than managing its consequences.
Preventing fraud in Instant Payments
An effective way of preventing fraud against a backdrop of instant payments is to use the combined forces of Artificial Intelligence and Machine Learning. The central idea is to create clients’ behavioural profiles for payments originators and set them as real-time benchmarks against abnormal or unexpected behaviour.
Artificial Intelligence driven solutions have to be reliable, scalable, and flexible enough to evolve. Ideally, they have to ensure end-to-end data traceability, being capable of dealing with several languages, and have the capacity to import and adopt risk models and machine learning tools. This is because to trace patterns linking movement of money to criminal activity a holistic approach using a variety of disparate data sources is required. Any single banking institution has only a limited view of the end-to-end payment flow, which limits its ability to spot criminal activity.
Figure 1. Exhibits the main architectural components of a fraud solution. The risk engine features a fraud scoring tool enabling real-time decisions on any suspect transaction when a given score has been hit.
This engine could be fed with external data sources and tools in an automated fashion, thus giving flexibility to expand the scope of fraud control and speed to the solution. The machine learning engine is capable of selecting models in a way that only the best are implemented so that a good balance between customer experience and control is ensured.
A dashboard helps data scientists and back-officers to spot fraud patters and to follow-up fraud cases, providing them with relevant analytics, insights, and graphical representations for better visualization.
In addition to implementing above like solutions and even more importantly, the payment initiation process needs to be made as secure as it could possibly be.
This is achieved by applying data protection techniques, such as two-factor authentication, encryption, tokenization, card readers, device fingerprinting, etc. Securing payment initiation is obviously not sufficient, as fraudsters will try out alternative ways of accessing accounts by means of browser attacks or malware to hijack user’s sessions, though tools can also be implemented to detect bot behaviour.