Voice of the Industry

Real-time payments – fast and safe: Can it be done?

Thursday 20 January 2022 10:44 CET | Editor: Irina Ionescu | Voice of the industry

Payment advisor Neira Jones talks about the costs of payments’ digital systems and the fraud risks that emerge from adopting them on a large scale

 

In our third year of pandemic-driven change, the payments industry hasn’t stood still. For businesses, digital transformation accelerated at an unprecedented pace, and individuals have been forced into new digital behaviours at a rate previously unseen. Current media headlines suggest that the immediacy of real-time payments has brought with it a new surge in fraud: in the UK, for example, Authorised Push Payment (APP) fraud increased by 71% in H1 of 2021, and overtook card crime for the first time. Are we therefore on a slippery fraud slope with real-time payments? 

The UK Faster Payments Scheme (FPS) was a first worldwide when it launched in 2008, and many lessons can be learned from this early implementation as other geographies continue to adopt real-time payments frameworks.

 


Looking back

When early adopters break new ground, it is always easy to criticise the way things were done many years down the line. Criticism may be justified, but we must not forget the context. When FPS was deployed, modern infrastructures were not commonplace, let alone modern messaging standards, such as ISO 20022. Socio-economic conditions were also different: we had just faced the global financial crisis of 2007–2008, which was considered the worst since the Great Depression. 

Therefore, in the UK, like in many other geographies, the drivers for new national infrastructures were primarily centred around boosting the economy, helping businesses, and fostering competition. For payments infrastructures, it was also about speeding up money flows. 

The take-up was slow: in the first ten months of FPS, only 83 million payments were processed, and only two banks were ready on launch (despite the fact that thirteen banks were directly connected to the scheme). 

In the first couple of years, there was a concern that faster payments might generate faster fraud. They didn’t. In fact, the UK FPS implementation body said that there had been no increase in fraud as a result of FPS’ introduction, nor any new types of fraud. 

This confidence resulted in the payment value limit being increased from GBP 10K to GBP 100K. As uptake continued, and fraud volumes remained commensurate, the value limit increased to GBP 250K in 2015, where it stands today. That year, five billion payments had been processed on FPS, a far cry from the 83 million processed in the first year. This is when things became tricky: 

The birth of Authorised Push Payment fraud (APP)

Six years after FPS’ launch, several factors became conducive to fraud:

Socio-economic factors

  • large payment volumes on FPS are now worth the effort for criminals, and the general increase in digital adoption, and digital banking, in particular, makes this even more attractive;
  • lack of consumer awareness on digital risks;
  • criminals have had six years to study the FPS process and find any loopholes;
  • AML regulations, whilst in place, were not as stringent as they are now. 

Technological and implementation factors

  • bank risk and fraud management approaches differed across the board (e.g. value limits, availability, channels etc.);
  • the FPS process didn’t allow for an account name to be checked alongside the sort code and bank account number;
  • lack of information sharing and threat intelligence in the industry;
  • once an FPS payment is processed, it is quasi-irrevocable. And because a bank payment is essentially ‘authorised’ by the bank account holder, the law doesn’t protect victims of fraud (or those that make payments in error).

The demise of APP fraud (hopefully)

As real-time payment infrastructures worldwide get built using modern standards and processes, it seems that the lessons learned are being put to good use. APP fraud usually starts with a phishing attack, which then leads on to Business Email Compromise (BEC). 

Once the email is compromised, the fraudster can insert themselves in an email conversation (e.g. between a buyer and a solicitor for a house purchase), and at the right time, they will impersonate one of the parties to redirect a payment to a different bank account. Luckily, as deployment of ‘Confirmation of Payee’ increases, we will start seeing the positive effects, but we have some way to go yet.

To ensure that we have a chance of addressing this issue, here are some best practices:

Detection 

  • establish transactional data monitoring and use technologies such as customer behavioural analytics to be able to detect abnormal behaviour in real time;
  • educate employees to identify payments that are at a high risk of APP fraud.

Prevention

  • take reasonable steps to provide customers with effective warnings (including protection against APP fraud);
  • open accounts in line with legal and regulatory requirements on customer due diligence, and deploy effective authentication mechanisms;
  • use available shared intelligence sources and industry fraud databases to screen customer accounts;
  • implement confirmation of a payee in a way the customer can understand so that payment beneficiary details can be checked before any instruction is made.
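
As an added illustration (not code from the article or from any payment scheme), the sketch below shows the kind of check Confirmation of Payee adds: the name the payer typed is compared with the name held against the sort code and account number before the payment is sent. The directory entries, the outcome labels and the 0.85 close-match threshold are assumptions of this example.

```python
import re
from difflib import SequenceMatcher

# Constructed directory: (sort code, account number) -> name held by the receiving bank.
ACCOUNTS = {
    ("12-34-56", "12345678"): "Hartley & Finch Solicitors LLP",
    ("65-43-21", "87654321"): "J. Smith",
}

TITLES = {"mr", "mrs", "ms", "miss", "dr"}
ALIASES = {"limited": "ltd", "and": "&"}
CLOSE_MATCH_THRESHOLD = 0.85  # assumed value; tune against real data


def normalise(name):
    """Casefold, drop punctuation and titles, unify common business wording."""
    tokens = re.findall(r"[a-z0-9&]+", name.casefold())
    tokens = [ALIASES.get(t, t) for t in tokens if t not in TITLES]
    return " ".join(tokens)


def confirm_payee(sort_code, account_number, payee_name):
    """Return (outcome, name_to_show) for the beneficiary details the payer typed.

    Outcome labels are this example's own, not taken from the article.
    """
    held = ACCOUNTS.get((sort_code, account_number))
    if held is None:
        return ("ACCOUNT_NOT_FOUND", None)
    typed, registered = normalise(payee_name), normalise(held)
    if typed == registered:
        return ("MATCH", None)
    if SequenceMatcher(None, typed, registered).ratio() >= CLOSE_MATCH_THRESHOLD:
        # Near miss: show the held name so the payer can correct a typo.
        return ("CLOSE_MATCH", held)
    # Clear mismatch: warn the payer and do not disclose the held name.
    return ("NO_MATCH", None)


if __name__ == "__main__":
    # Redirected payment: the expected payee's name, but someone else's account.
    print(confirm_payee("65-43-21", "87654321", "Hartley & Finch Solicitors LLP"))
```

The `NO_MATCH` case is the one that matters for a redirected payment: the payer believes they are paying the solicitor, but the account details supplied in the email belong to someone else.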

Response 

  • where firms have concerns that a payment may be APP fraud, they should delay making payment while they investigate and/or notify the receiving firm;
  • establish effective communication mechanisms with all stakeholders;
  • freeze any remaining funds and take steps to repatriate funds to the customer as soon as possible;
  • define a fair Contingent Reimbursement model for erroneous payments, or for fraud victims.

Fraud is like a balloon: if you squeeze it in one place, it bulges in another. As we move more and more towards Open Banking and Open Finance, more types of fraud might emerge.

This editorial is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.


About Neira Jones

Neira advises organisations on many topics, including payments, fintech, regulations, and cybersecurity. She is also a professional speaker, regularly addressing global audiences, and is a recognised trainer (see her e-learning website here). You can check out Neira’s activity on her LinkedIn and Twitter accounts.
