In this C-suite column, chief operations officer Martin Threakall gives his take on how fraud (and the industry) has evolved in his 14 years' experience of payments and what fintech is doing to stamp it out.
We’ve all been there, sat at the computer in front of an unbelievable offer. We're about to press ‘pay’ and then we hesitate and backspace, paranoia setting in that a fraudster is on the other end.
But more often than not, we click ‘pay’ with a sigh of ‘it’s probably okay’ and ‘Marketplace X is a big business with lots of money to reimburse me’.
Likewise, those who have sadly been defrauded will recognise the thought, ‘it seemed so legitimate’. This is push payment fraud.
And this type of unwitting scamming goes hand in hand with the ever-changing technological environment of the payments landscape. As chief operations officer at Modulr, the tech behind the tech powering the payments of many FinTechs, I’ve been right in the middle of the industry’s fight against fraud.
In this blog, I’ll look at the current factors surrounding fraud and how the industry is discussing the big questions, what the industry is doing to combat fraud, and what other solutions will be available in the future.
According to the UK’s comprehensive fraud reporter, UK Finance, fraudsters and scam artists successfully stole £1.2bn in 2018.
While unauthorised remote banking fraud fell by 2% between 2017 and 2018, authorised push payment (APP) fraud rose by a worrying 50% in the same time frame. And that’s because fraudsters are taking advantage of the rapidly evolving technology landscape and the rewiring of consumer behaviour.
Push vs Pull payment fraud
The rewiring of consumer behaviour ultimately comes down to how the difference between push and pull payments has blurred for consumers. A pull payment is a card-present payment or a direct debit, where your card details are taken and charged a set amount, such as at a till or to pay for gym membership. In pull payments, there is a level of reimbursement guarantee with chargeback rights, and Section 75 of the Consumer Credit Act provides extra protection on credit cards.
With push payments there is no protection because there’s an assumption of trust before the payment is made, i.e. you are punching in the beneficiary’s details. This applies to payment schemes like Faster Payments, Bacs and CHAPS.
Think of it like this. You want to buy a smartphone for £500 from a man on the street. The man asks you to hand over the £500 and he’ll pop around the corner and get the phone. You simply wouldn’t do it. You’d ask to test the phone first, check that it works and that all is proper before exchanging the money.
The same payment logic should be applied to push payments, but unfortunately, the rapidly evolving role of technology in our lives as consumers has distorted the difference between push (sending money) and pull (having money drawn from you). In essence, it's the difference between ensuring the trust is in place beforehand versus the trust that the scheme builds in for us.
Situations ranging from a convincing picture of an iPhone on a well-known P2P marketplace to a seemingly legitimate email from your ‘landlord’ notifying you that their bank details have changed can seem totally normal, and may well be in many instances. Businesses can also be victims of push fraud, be it an email from your ‘boss’ asking you to send them corporate money while on a business trip, or a fraudster masquerading as a supplier changing bank details.
As we’re increasingly used to the convenience of ‘pushing’ money we don’t always stop to think about whether it’s the right way to pay, or whether we’ve ensured the right level of trust has been established.
While card fraud (carried out using your secure card details, stolen by physically accessing your card or hacking into online systems) is still a major threat, fraudsters are increasingly taking advantage of the fact they don’t necessarily need to steal your details, if they can just convince you to push them money instead.
All doom and gloom for push payment fraud victims?
No-fault push payment fraud is a difficult position to be in. If the measures are in place - the bank correctly validated the customer and the customer didn’t share their password – then neither party can be blamed.
And, of course, the victim shouldn’t be left out of pocket if there is no fault attached. This is something the industry recognises, and it was voiced strongly by the Financial Ombudsman this time last year. The Ombudsman ruled that banks could no longer claim defrauded customers are “grossly negligent” for simply being scammed and thus liable.
The industry has taken note and is currently working on schemes to reduce the level of push payment fraud.
The current crusade against push payment fraud
Currently, once a fraud has been detected, the response typically looks like this.
Institution A notifies institution B on behalf of the victim that money went missing or was scammed from its system. Institution B will then perform a forensic investigation on the suspected account receiving those funds. Once the fraudster’s accounts are located, institution B will recover the money and return it to institution A and the victim, should it be obvious the stolen money is there.
The more of these communicative processes that happen, the better able the industry is to draw a map of existing fraudsters, especially between providers who operate the payments infrastructure for numerous financial institutions.
If one customer of an infrastructure provider holds a fraudster’s account, the provider can notify its other customers to begin closing down the fraudster’s accounts. Under the terms and conditions, the provider can typically close down the accounts if there is sufficiently strong confidence that they are linked to a known fraudster.
These processes are already established and being refined by incumbents through anti-fraud networks. But for smaller FinTechs joining these networks, it comes at a monetary cost which could be the equivalent of employing an additional person in the compliance or security department, and decisions have to be made about the most effective use of those funds.
But it should be seen as an investment and value-added service for a FinTech’s clients. That’s why we've joined UK Finance to engage in the industry dialogue, so that we have the right connections with other banks to support the process outlined above.
The future solutions to push payment fraud
1. Contingent reimbursement model (CRM)
CRM is a current initiative to reduce the occurrence of APP scams and increase the proportion of victims protected from the impact of APP scams, through reimbursement. It is a code to which payment service providers (PSPs) commit and sets out increased consumer protection standards through detection, prevention and response to APP scams.
If you are a customer of a PSP that has committed to the code, the code sets out circumstances where the victim would be fully reimbursed and sets out where the refund would come from, e.g. either their PSP (the sending PSP) or the PSP that received the money on behalf of the fraudster (the receiving PSP), or elsewhere. The decision to refund the customer is based on an assessment of the victim’s actions and whether the victim did everything expected of them within the Code, e.g. had not been grossly negligent.
2. Funds insurance
Insurance also seems like an obvious solution. As individuals we insure our possessions through contents insurance, motor insurance, travel insurance, so why not funds insurance? It’s an interesting idea but one that must overcome the many loopholes which the nature of payments throws up. For example, I could claim to have been conned by sending you money, and after the payout, you return it to me. Though these are challenges the insurance sector would be well placed to tackle.
3. Education
It seems too obvious, but consumers need to be more aware and better prepared. Industry campaigns like Take Five or the National Phish and Chip day are aimed at raising public awareness of fraud, while banks have been putting ‘stop and think’ anti-fraud slogans all over their online banking.
4. Confirmation of Payee
Of particular interest to the industry is the Confirmation of Payee (CoP). Banks can currently only identify the sort code and the account number you wish to send a payment to, but CoP will verify against the account holder’s name for added security.
Modulr, for instance, is working on a Fraud+ Prevention with our own CoP solution to combat fraud among SMEs.
Ultimately, in the fight against push payment fraud the industry is responsible for ensuring consumers are educated about the latest trends and, where possible, use technology to plug gaps and loopholes.
And the payments infrastructure needs to be better understood as we transition away from hard, physical movement of value towards the digital future. We should all also remember that a £500 payment online is the same as handing £500 in cash to someone on the street. It warrants a bit of thought, and requires the right level of trust to be in place before you do it.