Experts Eye DORA & APP Fraud Rules' Impact on Bank Security

Industry leaders examine how UK's reimbursement mandate and EU's operational resilience law drive financial institutions to strengthen fraud prevention
Jason Soroko

Senior Fellow, Sectigo

How has the UK's 2024 Mandatory Reimbursement Requirement spurred FIs to shore up security?

The new measures require financial institutions to reimburse customers who fall victim to Authorised Push Payment (APP) fraud, significantly increasing their financial liability. 

This change incentivises banks to enhance their fraud detection and prevention systems to minimise losses. The added responsibility may also lead to increased liability handling costs and could impact their risk management strategies.

The implementation of new APP measures may prompt regulators to scrutinise tech firms' roles in fraud prevention more closely. 

While banks are currently bearing the brunt of liability, there could be a shift toward shared responsibility if tech platforms are found to facilitate fraud due to inadequate safeguards. 

Future regulations might evolve to impose stricter obligations on tech companies to monitor and prevent fraudulent activities, potentially affecting their liability in cases of APP fraud.

Marios Joannou

Head of Digital Risk and Privacy, payabl.

Now that DORA is in play too, how much more important is security? 

In many ways, DORA is a step by regulators to address the vulnerabilities exposed by the rapid innovation of fintech. 

It signals the end of the "move fast and break things" era that accelerated growth but often left critical resilience gaps, exposing institutions and markets to significant operational risks.  

While it may look cyber security oriented, the reality is that DORA addresses a wide range of risks. These include service availability, business insolvency, and hostile takeover as the framework seeks to balance the need for innovation with sustainable growth.  

DORA is the right step to improve resilience but it has placed a significant burden on fintechs. The high compliance costs and heightened scrutiny of third-party providers demand significant resources, which may be challenging – especially for start-ups and scale-ups. 

For larger, multinational institutions like payabl., the harmonisation of resilience rules between the UK and the EU reduces the need to navigate divergent frameworks. At the same time, dual compliance frameworks still create significant operational obstacles. 

Although it has presented an enormous challenge for the industry, it is a necessary growing pain as the industry matures and shifts its focus toward long-term stability.  

Maciej Pitucha

VP of Data, Mangopay

How has the UK's 2024 Mandatory Reimbursement Requirement spurred FIs to shore up security?

As new threats emerge, so do new regulations. With GDPR having safeguarded online data, PSD2 having protected e-commerce consumers, and financial transactions on the rise, the Digital Operational Resilience Act (DORA) and the UK’s mandatory reimbursement requirement set a new standard for fraud prevention.

The UK’s mandatory reimbursement rule, effective in 2024, addresses a critical gap in protections. Unlike payment cards, which offer chargeback mechanisms, account-to-account payments left APP fraud victims with little recourse. This regulation ensures fair treatment for victims, compelling financial institutions (FIs) to reimburse losses and driving them to prioritise fraud prevention like never before. 

Now that DORA is in play too, how much more important is security? 

DORA, meanwhile, prioritises operational resilience, pushing financial institutions (FIs), fintechs, and PSPs to strengthen their systems against modern threats like Fraud-as-a-Service. Together, these regulations demand a proactive approach to fraud prevention, as fraudsters’ tactics evolve rapidly, making it clear that historical transaction patterns alone are not enough. 

To meet these challenges, FIs are adopting advanced tools like real-time data analysis to tackle both APP and first-party fraud, where individuals falsely claim scams to exploit reimbursements. If resources allow, we also recommend employing solutions based on dark web intelligence to detect fraud with high precision.

Anastasia Sakharova

Head of Fintech Compliance, Sumsub

How has the UK's 2024 Mandatory Reimbursement Requirement spurred FIs to shore up security?

Authorised Push Payment (APP) fraud, where victims are tricked into transferring money to fraudsters, is now one of the largest types of payment fraud - costing UK consumers £341m (US$422m) in 2023. As such, it is unsurprising that the PSR has taken action to ensure customers can receive at least partial restitution when it occurs.

While this marks a significant step toward protecting consumers from APP fraud, concerns remain that the reduced compensation cap (£85,000 (US$105,000) per claim) may leave some victims vulnerable. Besides, reimbursement will not apply if the PSP determines that the individual was complicit in the fraud or acted with gross negligence. However, the concept of gross negligence is often vague and inconsistently applied, which can lead to disputes and uncertainty for victims seeking compensation.

The key is to stay one step ahead of fraudsters. While this can be challenging—especially since it is often hard to prove "coercion" or identify transactions driven by deception—one of the measures which can help to detect such fraud is the adoption of AI-powered transaction monitoring solutions.

However, this alone won’t solve the problem. Collaboration between regulators, financial institutions and expert fraud prevention companies is essential to create a more secure financial ecosystem. 

Vitaly Volodenkov

Chief Information Officer, Sumsub

Now that DORA is in play too, how much more important is security?

The EU’s Digital Operational Resilience Act (DORA) creates a strong impetus for financial services, institutions and the IT systems they use to prioritise strengthening their cybersecurity.

It is a well-structured and comprehensive regulation that strikes the right balance between thoroughness and flexibility, making it suitable for organisations of all sizes. 

DORA’s greatest strength lies in its aim to secure all aspects of the financial system’s digital ecosystem. As such, organisations handling sensitive customer data, including identity verification service providers, should also uphold high standards of security and fraud prevention.

For companies like ours, holding those highest standards in line with DORA means we can confidently offer the critical full-cycle, multi-layer protection financial institutions need to firm up their defences against identity fraud, which is a key gateway for fraudsters to threaten a company’s cybersecurity.

Our data has shown that screening scammers during the onboarding stage alone is not enough, as 76% of fraud occurs after KYC checks. There is no ‘magic tool’ that can solve all fraud; however, implementing advanced, adaptive protection at all stages of the user journey will be essential to eliminating as many threats as possible.

Samar Pratt

Global Financial Crime Compliance Advisory Leader, Capgemini

How has the UK's 2024 Mandatory Reimbursement Requirement spurred FIs to shore up security?

The mandatory reimbursement requirement is more than a regulatory shift. We see it as a catalyst for innovation. Financial institutions now have a direct financial incentive to invest in cutting-edge technologies like AI-powered fraud detection, behavioural analytics, and real-time transaction monitoring. This regulation isn't just about reimbursement; it's about prevention becoming the new priority.

My hope is that this move could spark a new era of collaboration between financial institutions, payment services firms, social media platforms, telecom providers, and regulators. Shared databases of known scams, cross-industry alerts, and joint initiatives will be key to staying ahead of fraudsters. Collaboration might just become the next competitive advantage in the fight against scams. 

One of the core challenges that financial institutions will face is striking a balance between enhanced security and a seamless customer experience. While stricter authentication measures and monitoring tools are table stakes, they must be implemented thoughtfully to avoid alienating customers or slowing down transactions.

This regulation also elevates APP scams from an operational issue to a boardroom priority. Financial institutions will need to rethink their risk management frameworks, not just to meet compliance requirements but to protect their bottom line. Fraud prevention will become more of a strategic imperative rather than a cost centre.

Benjamin Barrier

Co-founder and Chief Strategy Officer, DataDome

Now that DORA is in play too, how much more important is security? 

DORA takes aim at a serious problem for the financial industry. Despite being a prime target for criminals, the sector sometimes lacks adequate protection against cyber attacks. In fact, it is currently the second least cyber-secure sector in the UK.

Our most recent bot security report found that over half of banking websites had no protection against even the most basic of bot attacks - leaving them exposed to Account Take Over (ATO) fraud, DDoS attacks and widespread data scraping.

We all know attackers are increasingly sophisticated. Their bots have little in common with the simple crawlers of yesteryear: they are using highly complex software that can rotate through IPs, hide inside user sessions, look like browsers and mimic human behaviour. 

Financial organisations handle such high volumes of transactions and sensitive data online, making effective fraud detection critical. AI-powered fraud detection techniques play a big part in mitigating losses and preventing catastrophe for businesses, both financially and operationally.

I am positive that DORA will serve as a wake-up call to financial institutions: arm yourselves against this threat, or risk damaging customer trust and facing legislative penalties too.

Explore the latest edition of FinTech Magazine and be part of the conversation at our global conference series, FinTech LIVE

FinTech Magazine is a BizClik brand