Chris Stephens, Head of Banking Solutions at Callsign, discusses the expected rise of APP (authorised push payment) fraud, asking whether banks are ready for mobile-first and the risks that come with it.
Earlier in May it was announced that bank account holders who are tricked into transferring money to fraudsters could be entitled to reimbursement in certain circumstances under a new voluntary industry code (the Authorised Push Payment Scam Voluntary Code). TSB has gone even further and is already promising to refund customers who lose money through any type of fraud under its fraud refund guarantee.
This is in response to a dramatic rise in Authorised Push Payment (APP) fraud - according to the UK Finance’s annual fraud report ‘Fraud the Facts 2019’, this type of crime was up by a staggering 44% last year and this trend is only set to continue.
This uptick in APP fraud levels suggests that not all institutions have the right tools to tackle this type of crime. Are they putting their reputations at risk by not doing enough to protect their customers?
Although new legislation such as Strong Customer Authentication (SCA) has primarily been designed to protect the consumer from other types of fraud, by requiring that any remote account access or payment be authenticated with at least two of three authentication factors, it may inadvertently create more problems than it was designed to solve, and could end up being a contributing factor to an increase in APP fraud.
In terms of improving authentication, SCA will not have an effect on reducing APP fraud, purely because this type of deception occurs when the customer is manipulated into unknowingly moving money to a fraudulent account: the customer passes every authentication check, because it really is the customer making the payment. This is the main reason why, in the past, banks have been so reluctant to take accountability and reimburse victims of this type of crime. In addition, if new regulation such as PSD2 makes other forms of account takeover that much harder, it is only logical that fraudsters will look to easier scam methods, such as APP fraud, where the return could be far more fruitful.
Yes, SCA will mean that initially accessing account information will be harder for criminals (fraudsters use personal and transactional details they have harvested online to convince a customer that they are calling from the bank). However, the rise of Third-Party Payment Providers (TPPs) fuelled by Open Banking, such as Yolt, which utilise screen scraping, complicates the authentication landscape.
Using TPPs as an example: ultimately, if a consumer hands over information about all their various accounts to one TPP, and that provider then gets compromised, all of that individual’s accounts are at risk - you are only as strong as your weakest link. What’s more, this surge of new payment providers and services will mean there is a wider range of sources for criminals to use to gather victims’ information. It will also be more challenging for consumers to keep track of all the various payment providers that they engage with, meaning it’s harder to keep tabs on the security of all their accounts.
Enforcing new regulation to improve identification and authentication is one thing. But clearly APP fraud is a real challenge and could rise exponentially unless banks take a more holistic view of their security policies. Financial institutions must be able to see the full picture, so they can understand whether their customers may have been socially engineered by a criminal. This includes phone calls or emails that they may have received from fraudsters.
Intelligence from both telcos and email providers will make a big difference here. For example, by incorporating data from a telco it is possible to see if the customer has received a stream of calls from an unusual number, a number which has also targeted many other people. Furthermore, if you have visibility of emails being sent to a customer which say an organisation’s account details have changed, piecing that together with other information and behavioural insights means the bank can build up a more complete view of fraudulent activity.
By collating multiple data points, it is possible to recognise users through deep learning insights derived across device, location and behaviour. If banks can harness this additional customer identification verification, they can flag any suspicious activity and either get in touch with their customer immediately to warn them of the dangers or prevent a payment from going through.
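To make the correlation idea above concrete, here is an added example (not code from the article or from Callsign) of a simple payment risk scorer that combines three of the signals discussed: telco data showing a call from a number that has contacted many other customers, an email claiming a payee’s account details have changed, and payment attributes such as a new payee and a high value. All events, customer names, phone numbers and weights are constructed for illustration; a real deployment would tune the weights from labelled fraud data and add the device, location and behavioural features the article mentions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunable parameters (constructed values, not from the article).
MASS_TARGET_MIN_CUSTOMERS = 3      # a caller seen contacting this many distinct customers is suspicious
HIGH_VALUE_THRESHOLD = 1000.0      # payments at or above this value add risk
HOLD_THRESHOLD = 50                # total score at which the payment is held for a call-back
DETAILS_CHANGED_PHRASES = (        # phrases typical of "our bank details have changed" lures
    "account details have changed",
    "new bank details",
    "updated payment details",
)


@dataclass
class CallEvent:          # supplied by a telco partner
    customer: str
    caller: str
    at: datetime


@dataclass
class EmailEvent:         # supplied by an email provider partner (subject line only)
    customer: str
    sender: str
    subject: str
    at: datetime


@dataclass
class Payment:            # the bank's own view of the outbound payment
    customer: str
    payee_account: str
    amount: float
    at: datetime
    new_payee: bool


def callers_targeting_many(calls, min_customers=MASS_TARGET_MIN_CUSTOMERS):
    """Return the set of caller numbers seen contacting at least min_customers distinct customers."""
    customers_by_caller = defaultdict(set)
    for call in calls:
        customers_by_caller[call.caller].add(call.customer)
    return {caller for caller, customers in customers_by_caller.items()
            if len(customers) >= min_customers}


def assess_payment(payment, calls, emails, window=timedelta(days=3)):
    """Score one payment against recent telco and email events for the same customer.

    Returns a dict with the numeric score, the reasons that fired and a decision:
    'hold_and_contact' (warn the customer before the money moves) or 'allow'.
    """
    since = payment.at - window
    mass_callers = callers_targeting_many(calls)
    score, reasons = 0, []

    recent_calls = [c for c in calls
                    if c.customer == payment.customer and since <= c.at <= payment.at]
    if any(c.caller in mass_callers for c in recent_calls):
        score += 40
        reasons.append("recent call from a number that has targeted many other customers")

    recent_emails = [e for e in emails
                     if e.customer == payment.customer and since <= e.at <= payment.at]
    if any(any(p in e.subject.lower() for p in DETAILS_CHANGED_PHRASES) for e in recent_emails):
        score += 35
        reasons.append("recent email claiming a payee's account details have changed")

    if payment.new_payee:
        score += 15
        reasons.append("payment to a newly added payee")
    if payment.amount >= HIGH_VALUE_THRESHOLD:
        score += 10
        reasons.append("high-value payment")

    decision = "hold_and_contact" if score >= HOLD_THRESHOLD else "allow"
    return {"customer": payment.customer, "score": score, "reasons": reasons, "decision": decision}


# Constructed sample data. The phone number is a fictional placeholder, not a real number.
T0 = datetime(2019, 5, 20, 9, 0)
SCAM_NUMBER = "+44-0000-000000"
CALLS = [
    CallEvent("alice", SCAM_NUMBER, T0 - timedelta(hours=2)),
    CallEvent("bob", SCAM_NUMBER, T0 - timedelta(hours=3)),
    CallEvent("carol", SCAM_NUMBER, T0 - timedelta(days=1)),
    CallEvent("dave", SCAM_NUMBER, T0 - timedelta(days=2)),
    CallEvent("alice", "+44-0000-111111", T0 - timedelta(days=10)),   # an ordinary, older call
]
EMAILS = [
    EmailEvent("alice", "billing@example.invalid", "Our account details have changed",
               T0 - timedelta(days=1)),
]
# Alice: called by the mass-targeting number, received the lure email, pays a new payee a large sum.
ALICE_PAYMENT = Payment("alice", "ACCT-NEW-001", 4800.0, T0, new_payee=True)
# Bob: also called by the same number, but a small payment to an existing payee and no lure email.
BOB_PAYMENT = Payment("bob", "ACCT-OLD-007", 20.0, T0, new_payee=False)

if __name__ == "__main__":
    for p in (ALICE_PAYMENT, BOB_PAYMENT):
        print(assess_payment(p, CALLS, EMAILS))
```

The point of the two sample payments is that no single feed decides the outcome: Bob received the same suspicious call as Alice, but without the "details have changed" email and the new, high-value payee his payment stays below the hold threshold, whereas Alice's combination of telco, email and payment signals triggers a hold and a call-back before the money leaves her account.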
As the regulatory landscape continues to evolve, so will the tactics that hackers use to commit fraud. Therefore, there needs to be a dramatic overhaul in the way banks are dealing with this issue. Fraudsters pool their information from as many sources as possible, and it’s time for banks to do the same. To even stand a chance of tackling this issue, financial institutions must join forces with organisations from other sectors - you wouldn’t head out onto the battlefield without consulting your allies, and the same goes for this scenario.