In this C-suite column, Chief Product Officer Martin Threakall gives his take on how fraud (and the industry) has evolved in his 14 years' experience of payments and what fintech is doing to stamp it out, including the newly launched Confirmation of Payee (CoP) solution.
We’ve all been there, sat at the computer in front of an unbelievable offer. We're about to press ‘pay’ and then we hesitate and backspace, paranoia setting in that a fraudster is on the other end.
But more often than not, we click ‘pay’ with a sigh of ‘it’s probably okay’ and ‘Marketplace X is a big business with lots of money to reimburse me’.
Likewise, those who have sadly been defrauded will resonate with, ‘it seemed so legitimate’. This is push payment fraud.
And this type of unwitting scamming goes hand in hand with the ever-changing technological environment of the payments landscape. As chief operations officer at Modulr, the tech behind the tech powering the payments of many FinTechs, I’ve been right in the middle of the industry’s fight against fraud.
In this blog, I’ll look at the current factors surrounding fraud and how the industry is discussing the big questions, what the industry is doing to combat fraud - such as launching Confirmation of Payee - and what other solutions will be available in the future.
According to the UK’s comprehensive fraud reporter, UK Finance, fraudsters and scam artists successfully stole over £1.2bn in 2019. There are fears the figures for 2020 could be even higher, as fraudsters have sought to exploit vulnerable people and changes in working circumstances during the COVID-19 pandemic.
While unauthorised remote banking fraud fell by 1% between 2018 and 2019, authorised push payment (APP) fraud rose by a worrying 29% in the same time frame. And that’s because fraudsters are taking advantage of the rapidly evolving technology landscape and the rewiring of consumer behaviour.
Push vs Pull payment fraud
The rewiring of consumer behaviour ultimately comes down to how the difference between push and pull payments has blurred for consumers. A pull payment is a card-present payment or a direct debit, where your card details are taken and charged a set amount, such as at a till or to pay for gym membership. In pull payments, there is a level of reimbursement guarantee with chargeback rights, and Section 75 of the Consumer Credit Act provides extra protection on credit cards.
With push payments there is no protection because there’s an assumption of trust before the payment is made, i.e. you are punching in the beneficiary’s details. This applies to payment schemes like Faster Payments, Bacs and CHAPS.
Think of it like this. You want to buy a smartphone for £500 from a man on the street. The man asks you to hand over the £500 and he’ll pop around the corner and get the phone. You simply wouldn’t do it - you’d ask to test the phone first, check that it works, and make sure all was proper before exchanging the money.
The same payment logic should be applied to push payments, but unfortunately, the rapidly evolving role of technology in our lives as consumers has distorted the difference between push (sending money) and pull (having money drawn from you). In essence, it's the difference between ensuring the trust is in place beforehand versus the trust that the scheme builds in for us.
Situations ranging from a convincing picture of an iPhone on a well-known P2P marketplace to a seemingly legitimate email from your ‘landlord’ notifying you that their bank details have changed can seem totally normal, and in many instances they may well be. Businesses can also be victims of push fraud, be it an email from your ‘boss’ asking you to send them corporate money while on a business trip, or a fraudster masquerading as a supplier changing bank details.
As we’re increasingly used to the convenience of ‘pushing’ money we don’t always stop to think about whether it’s the right way to pay, or whether we’ve ensured the right level of trust has been established.
While card fraud (carried out using your secure card details, stolen by physically accessing your card or hacking into online systems) is still a major threat, fraudsters are increasingly taking advantage of the fact they don’t necessarily need to steal your details, if they can just convince you to push them money instead.
All doom and gloom for push payment fraud victims?
No-fault push payment fraud is a difficult position to be in. If the measures are in place - the bank correctly validated the customer and the customer didn’t share their password – then neither party can be blamed.
And, of course, the victim shouldn’t be left out of pocket if there is no fault attached. This is something the industry recognises, and it was voiced strongly by the Financial Ombudsman this time last year. The Ombudsman ruled that banks could no longer claim defrauded customers are “grossly negligent” for simply being scammed and thus liable.
The industry has taken note and is currently working on schemes to reduce the level of push payment fraud.
The current crusade against push payment fraud
Currently, once a fraud has been detected, the response typically looks like this.
Institution A notifies institution B on behalf of the victim that money went missing or was scammed from its system. Institution B will then perform a forensic investigation on the suspected account receiving those funds. Once the fraudster’s accounts are located, institution B will recover the money and return it to institution A and the victim, should it be obvious the stolen money is there.
The more of these communicative processes that happen, the better able the industry is to draw a map of existing fraudsters, especially between providers who operate the payments infrastructure for numerous financial institutions.
If one customer of an infrastructure provider holds a fraudster’s account, the provider can notify its other customers to begin closing down the fraudster’s accounts. Under the terms and conditions, the provider can typically close down the accounts if there is sufficiently strong confidence that they are linked to a known fraudster.
These processes are already established and being refined by incumbents through anti-fraud networks. But for smaller FinTechs joining these networks, it comes at a monetary cost which could be the equivalent of employing an additional person in the compliance or security department, and decisions have to be made about the most effective use of those funds.
But it should be seen as an investment and value-added service for a FinTech’s clients. That’s why we've joined UK Finance to engage in the industry dialogue so that we have the right connections with other banks to support the process outlined above.
The future solutions to push payment fraud
Confirmation of Payee (CoP)
One of the most promising new developments in the industry is Confirmation of Payee (CoP), a fraud prevention initiative spearheaded by Pay.UK. Previously, banks could only identify the sort code and the account number you wished to send a payment to, but CoP will verify against the account holder’s name for added security. This gives businesses and consumers greater reassurance that they’re sending funds to a legitimate account.
At Modulr, we’ve just launched our own CoP solution to combat fraud, protecting our customers and their end users. We’re the first non-bank to launch CoP. For our customers, this should reduce the risk of direct financial losses from fraud and minimise the time and costs they spend on fraud resolution. It’s a significant step forward towards a safer financial ecosystem.
It seems too obvious, but consumers need to be more aware and better prepared. Industry campaigns like Take Five or the National Phish and Chip day are aimed at raising public awareness of fraud, while banks have been putting ‘stop and think’ anti-fraud slogans all over their online banking.
Ultimately, in the fight against push payment fraud the industry is responsible for ensuring consumers are educated about the latest trends and, where possible, should use technology to plug gaps and loopholes.
And the payments infrastructure needs to be better understood as we transition away from hard, physical movement of value towards the digital future. We should all also remember that a £500 payment online is the same as handing £500 in cash to someone on the street. It warrants a bit of thought, and requires the right level of trust to be in place before you do it.