In this guide to how fintech is fighting fraud, we look at how fraud (and the industry) has evolved and what fintech is doing to stamp it out, and we answer your frequently asked questions, including those about the newly launched Confirmation of Payee (CoP) solution.
- How fintech is fighting back
- The two types of payment fraud: Push vs Pull
- All doom and gloom for push payment fraud victims?
- The future solutions of push payment fraud: Confirmation of Payee
- Frequently Asked Questions about fraud answered
We’ve all been there, sat at the computer in front of an unbelievable offer. We're about to press ‘pay’ and then we hesitate and backspace, paranoia setting in that a fraudster is on the other end.
But more often than not, we click ‘pay’ with a sigh of ‘it’s probably okay’ and ‘Marketplace X is a big business with lots of money to reimburse me’.
Likewise, those who have sadly been defrauded will resonate with ‘it seemed so legitimate’. It may be your friend asking through social media if you can lend them some money so they can make rent. You agree, and your 'friend' subsequently provides you with bank details. But it isn't your friend. It's a fraudster who's hacked your friend's social media account - and they're not your friend's bank details either. This is push payment fraud.
But fintech is fighting back
And this type of fraud goes hand in hand with the ever-changing technological environment of the payments landscape. As chief operations officer at Modulr, the tech behind the tech powering the payments of many FinTechs, I’ve been right in the middle of the industry’s fight against fraud.
In this blog, I’ll look at the current factors surrounding fraud and how the industry is discussing the big questions, what the industry is doing to combat fraud - such as launching Confirmation of Payee - and what other solutions will be available in the future.
According to the UK’s comprehensive fraud reporter, UK Finance, fraudsters and scam artists successfully stole over £1.2bn in 2019. There are fears the figures for 2020 could be even higher, as fraudsters have sought to exploit vulnerable people and changes in working circumstances during the COVID-19 pandemic.
While unauthorised remote banking fraud fell by 1% between 2018 and 2019, authorised push payment (APP) fraud rose by a worrying 29% in the same time frame. And that’s because fraudsters are taking advantage of the rapidly evolving technology landscape and the rewiring of consumer behaviour.
The two types of payment fraud: Push vs Pull
There are two broad categories of payment fraud, push and pull. The rewiring of consumer behaviour ultimately comes down to how the difference between push and pull payments has blurred for consumers. A pull payment is a card-present payment or a direct debit where your card details are taken and charged a set amount, such as at a till or to pay for gym membership. In pull payments, there is a level of reimbursement guarantee with chargeback rights, and Section 75 of the Consumer Credit Act provides extra protection on credit cards.
With push payments there is no protection because there’s an assumption of trust before the payment is made, i.e. you are punching in the beneficiary’s details. This applies to payment schemes like Faster Payments, Bacs and CHAPS.
Think of it like this. You want to buy a smartphone for £500 from a man on the street. The man asks you to hand over the £500 and he’ll pop around the corner and get the phone. You simply wouldn’t do it - you’d ask to test the phone first, check that it works, and make sure all was proper before exchanging the money.
The same payment logic should be applied to push payments, but unfortunately, the rapidly evolving role of technology in our lives as consumers has distorted the difference between push (sending money) and pull (having money drawn from you). In essence, it's the difference between ensuring the trust is in place beforehand versus the trust that the scheme builds in for us.
Situations ranging from a convincing picture of an iPhone on a well-known P2P marketplace to a seemingly legitimate email from your ‘landlord’ notifying you that their bank details have changed can seem totally normal, and in many instances may well be. Businesses can also be victims of push fraud, be it an email from your ‘boss’ asking you to send them corporate money while on a business trip, or a fraudster masquerading as a supplier changing bank details.
As we’re increasingly used to the convenience of ‘pushing’ money we don’t always stop to think about whether it’s the right way to pay, or whether we’ve ensured the right level of trust has been established.
While card fraud (carried out using your secure card details, stolen by physically accessing your card or hacking into online systems) is still a major threat, fraudsters are increasingly taking advantage of the fact they don’t necessarily need to steal your details, if they can just convince you to push them money instead.
All doom and gloom for push payment fraud victims?
No-fault push payment fraud is a difficult position to be in. If the measures are in place - the bank correctly validated the customer and the customer didn’t share their password – then neither party can be blamed.
And, of course, the victim shouldn’t be left out of pocket if there is no fault attached. This is something the industry recognises, and it was voiced strongly by the Financial Ombudsman this time last year. The Ombudsman ruled that banks could no longer claim defrauded customers are “grossly negligent” for simply being scammed and thus liable.
The industry has taken note and is currently working on schemes to reduce the level of push payment fraud.
The current crusade against push payment fraud
Currently, once a fraud has been detected, the response typically looks like this.
Institution A notifies institution B on behalf of the victim that money went missing or was scammed from its system. Institution B will then perform a forensic investigation on the suspected account receiving those funds. Once the fraudster’s accounts are located, institution B will recover the money and return it to institution A and the victim, should it be obvious the stolen money is there.
The more of these communicative processes that happen, the better able the industry is to draw a map of existing fraudsters, especially between providers who operate the payments infrastructure for numerous financial institutions.
If one customer of an infrastructure provider holds a fraudster’s account, the provider can notify its other customers to begin closing down the fraudster’s accounts. Under the terms and conditions, the provider can typically close down the accounts if there is sufficiently strong confidence that they are linked to a known fraudster.
These processes are already established and being refined by incumbents through anti-fraud networks. But for smaller FinTechs joining these networks, it comes at a monetary cost which could be the equivalent of employing an additional person in the compliance or security department, and decisions have to be made about the most effective use of those funds.
But it should be seen as an investment and value-added service for a FinTech’s clients. That’s why we've joined UK Finance to engage in the industry dialogue, so that we have the right connections with other banks to support the process outlined above.
The future solutions to push payment fraud
Confirmation of Payee (CoP)
One of the most promising new developments in the industry is Confirmation of Payee (CoP), a fraud prevention initiative spearheaded by Pay.UK. Previously, banks could only identify the sort code and the account number you wished to send a payment to, but CoP verifies against the account holder’s name for added security. This gives businesses and consumers greater reassurance that they’re sending funds to a legitimate account.
At Modulr, we’ve just launched our own CoP solution to combat fraud, protecting our customers and their end users. We’re the first non-bank to launch CoP. For our customers, this should reduce the risk of direct financial losses from fraud and minimise the time and costs they spend on fraud resolution. It’s a significant step forward towards a safer financial ecosystem.
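To make the name check described above concrete, here is an added example; it is not Modulr's or Pay.UK's code. The account directory, outcome labels, normalisation rules and similarity threshold are all assumptions constructed for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed directory standing in for the receiving institution's records.
# Key: (sort code, account number) -> registered account holder name.
ACCOUNTS = {
    ("00-00-01", "12345678"): "Acme Supplies Ltd",
    ("00-00-02", "87654321"): "Jane O'Neill",
}

# Hypothetical equivalences so "Limited" and "Ltd" compare as equal.
SUFFIXES = {"limited": "ltd", "company": "co", "and": "&"}
TITLES = {"mr", "mrs", "ms", "miss", "dr"}
CLOSE_MATCH_THRESHOLD = 0.85  # assumed value, not taken from any scheme rule


def normalise(name: str) -> str:
    """Fold case, accents, punctuation, titles and common suffix variants."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    text = re.sub(r"[^a-z0-9& ]+", "", text)
    tokens = [SUFFIXES.get(t, t) for t in text.split() if t not in TITLES]
    return " ".join(tokens)


def check_payee(sort_code: str, account_number: str, entered_name: str) -> str:
    """Return MATCH, CLOSE_MATCH, NO_MATCH or ACCOUNT_NOT_FOUND."""
    registered = ACCOUNTS.get((sort_code, account_number))
    if registered is None:
        return "ACCOUNT_NOT_FOUND"
    wanted, actual = normalise(entered_name), normalise(registered)
    if wanted == actual:
        return "MATCH"
    # A small typo should prompt the payer to re-check, not pass silently.
    if SequenceMatcher(None, wanted, actual).ratio() >= CLOSE_MATCH_THRESHOLD:
        return "CLOSE_MATCH"
    return "NO_MATCH"
```

The `NO_MATCH` outcome is the one that matters for the changed-bank-details scenario: the payer types the supplier's name, but the account details supplied by the fraudster belong to someone else.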
It seems obvious, but we all need to be better aware and prepared. Industry campaigns like Take Five or the National Phish and Chip day are aimed at raising public awareness of fraud, while banks have been putting ‘stop and think’ anti-fraud slogans all over their online banking.
Ultimately, in the fight against push payment fraud the industry is responsible for ensuring consumers are educated about the latest trends and, where possible, should use technology to plug gaps and loopholes.
And the payments infrastructure needs to be better understood as we transition away from hard, physical movement of value towards the digital future. We should all also remember that a £500 payment online is the same as handing £500 in cash to someone on the street. It warrants a bit of thought, and requires the right level of trust to be in place before you do it.
Your Frequently Asked Questions (FAQ) about fraud
It's important that the financial services technology industry stays one step ahead of fraudsters. Criminals are constantly evolving their techniques. They’re unscrupulous and will even seek to take advantage of vulnerabilities and changes in circumstances brought about by tragic events like COVID-19.
We often get asked how Modulr protects businesses and their customers from payment fraud and scams. That’s why we’ve compiled answers to your most frequently asked questions.
Read on to learn how Modulr is regulated, how we protect our clients’ funds, what we’re doing to combat fraud and what you can do to stay safe.
Here's how we're actively combatting fraud.
What is Modulr and how is it regulated?
Modulr is authorised and regulated by the Financial Conduct Authority (FCA) as an Electronic Money Institution (FRN: 900573). This means we can issue accounts with sort codes and power the payments infrastructure of many businesses. As a direct participant of the Faster Payments and Bacs schemes, we hold and settle funds at the Bank of England, providing reliability and security for our users.
Our platform is built and operated to the highest levels of security, utilising web application firewalls, DDoS protection, threat detection, certificate management, penetration testing and two-factor authentication as well as being PCI compliant. We take a security-first approach to everything to help protect the businesses we work with as well as their customers.
Is Modulr FS Limited legitimate?
Yes, Modulr FS Limited is a legitimate business. The payment company, known as Modulr to the industry, provides legitimate, secure and regulated payment services and payments infrastructure to a variety of businesses who may, in some cases, use Modulr's sort code.
Modulr FS Limited, a company registered in England with company number 09891919 and ICO registration ZA183098, is authorised and regulated by the Financial Conduct Authority as an Electronic Money Institution (Firm Reference Number: 900573). Modulr FS Europe Limited (638002) is authorised by the Central Bank of Ireland as an Electronic Money Institution.
Is Modulr regulated in the same way as a bank?
Not quite. As an EMI, our payment service is bound by a different class of regulations than banks. Because Modulr is a non-bank Financial Institution with direct access to the payment schemes, we fall under the FCA’s Enhanced Supervision model.
As part of this enhanced supervision, we provide regular management information (MI) to the FCA, including data on the amount of client funds held and management accounts for the business. This means our services are subject, as with all EMIs, to regular and rigorous audit as directed by the FCA.
How does Modulr protect its partners' funds?
The nature of our e-money licence means that we’re required to keep 100% of our customers’ money safeguarded at the Bank of England and totally separated from our own funds. This means that e-money held in Modulr accounts is protected from any risk associated with our insolvency, excluding costs deducted by the insolvency administrator, as laid out by the FCA. As Modulr does not provide payment services directly to consumers, this answer is only applicable to businesses using our infrastructure. If you are a consumer enquiring about the relevance of FSCS, please speak to the business that issued you the service.
Can consumers open unlimited Modulr accounts?
No. Modulr’s services are offered to businesses only – individual consumers are not able to open or manage e-money accounts directly with us. Every company we work with undergoes rigorous compliance checks. Those businesses then offer accounts or financial services to their own customers and those businesses - unless they have a special arrangement with Modulr - are responsible for performing anti-money laundering, KYC and compliance checks on those individual customers.
What security checks does Modulr run on its business customers?
When a business seeks to use Modulr’s services, they go through a robust process of checks before becoming one of our clients. Businesses can only open Modulr accounts after AML and KYC compliance checks have been satisfied. Once onboarded, we monitor client behaviour to ensure it remains in line with expected activity, undertaking regular reviews directly with clients and partners to ensure we maintain the correct level of information.
What is Modulr doing to help combat fraud?
Modulr has a zero-tolerance policy towards criminal activity. We have a dedicated financial crime team who work hard to monitor for criminal activity and suspicious behaviour and to stop this wherever possible.
Modulr works closely with regulators and industry bodies such as UK Finance, Pay.UK and law enforcement to drive preventative fraud initiatives. Members of our team sit on working groups that engage with bodies like the National Crime Agency (NCA) to tackle the issue of financial crime.
We’re also continually looking for ways to build added protection into our platform. For example, we worked closely with Pay.UK on the issue of tackling authorised push payment (APP) fraud and have recently launched Confirmation of Payee (CoP).
When a business or consumer makes a payment, CoP checks that the account name matches the account details – giving greater reassurance that the payment is going to a legitimate recipient. Modulr is the first non-bank or building society to launch CoP for its users.
What can I do to protect myself from fraud?
Whether you’re a consumer or a business, there are steps you can take to protect yourself from fraud. The most important thing is vigilance.
Be wary of messages that seem to be from friends or relatives on social media asking for financial help. These could be fake or hacked profiles. It’s best to call the person on the phone and verify that it’s really them before agreeing to anything.
Businesses should also be careful when receiving requests purporting to be from suppliers asking for unusual payments or changes to account details. Again, always call the business directly to verify that it’s a genuine request.
Advice from Financial Fraud Action UK recommends that you ‘take five’:
- Stop. If a person or business requests money or information from you, stop and think – does anything about the situation seem suspicious?
- Challenge. Ask questions or seek further information, or simply say no. Legitimate organisations won’t try to rush you into making decisions.
- Protect. If you think you’ve been scammed, report it immediately to your bank or financial services provider and Action Fraud.
By working together, staying alert and reporting suspicious incidents, we can all play our part in building a safer financial ecosystem.