Last Updated on: 12th October 2023, 10:40 pm
South Africa | The US Federal Reserve launched the FedNow real-time payments service in July, creating a centralised system it hopes will enable faster cash flow for individuals and businesses in the US.
As exciting as the launch of this frictionless new payment rail is, fraudsters will find new ways to exploit merchants and customers.
Authorised push payments fraud, already a major problem for services like Zelle, is likely to flourish. Banks will need to be proactive to stay one step ahead of the criminals.
Real-time payments have ushered in a new age of convenience for consumers, allowing them to make and receive instant or near-instant payments with low transaction costs. But along with the speed and ease of transacting, real-time payments also expose consumers to an elevated risk of authorised push payment (APP) fraud. Losses to this form of fraud are expected to top $5.25 billion by 2026 across the UK, India and the US.
APP fraud plagues every real-time payment scheme and app in the world, from India’s United Payments Interface (UPI) and Brazil’s Pix, through to Zelle and Venmo in the US.
Payers are deceived into transferring money into an account that a fraudster controls because they think they’re making a payment to someone they know—for example, criminals might pretend to be a family member who needs money urgently or their child’s school is sending an invoice.
In one case, a Wells Fargo customer was tricked into sending $500 via Zelle to a criminal pretending to be a bank official. A recent consumer survey shows just how commonplace these social engineering attacks have become.
The research found that 72% of Americans received an unsolicited text, email, phone call or other outreach they thought was part of a scam. Nearly half (43%) of respondents said their family and friends have been victims of scams.
Why is APP fraud so hard to fight?
APP fraud has developed into a major headache for banks and their customers alike. For banks, the challenge is that they can’t control how their customers respond to fraudulent requests, no matter how much money they invest in consumer awareness and education.
Consumers may approve numerous fraudulent transactions before they realise they’ve been duped—leaving ample time for criminals to disappear with the money.
Recognizing the impact that APP fraud has on customer relationships and trust in the financial system, banks have implemented a range of measures to protect consumers.
These include education drives, encouraging customers to institute short delays to bigger transactions, instituting multi-factor authentication, and investing in technologies such as behavioural biometrics, artificial intelligence (AI) and big data analytics.
While these techniques are making a difference, they’re not enough to stop APP fraud in its tracks. The speed and irrevocability of the payments, along with the lack of visibility into transaction counterparties, make it complex to detect and prevent APP fraud—especially when fraudsters use automated tools to scan multiple people at once.
The use of mule accounts and multiple intermediaries to obscure the money trail makes recovery of funds near impossible.
How is the real-time payments regulatory landscape shifting?
Up until recently, victims of APP fraud on platforms such as Zelle would generally not be reimbursed for their losses. This picture is starting to change. Zelle—a payments network owned by Bank of America, Truist, Capital One, JPMorgan Chase, PNC Bank, U.S. Bank, and Wells Fargo—recently announced that it is implementing new requirements to “mandate consumer reimbursement for certain types of scams” on its network.
This appears to be a response to growing calls from US lawmakers and consumers to strengthen consumer protections against APP fraud.
It echoes moves in other markets such as the UK, where the Payment Systems Regulator (PSR) has announced that it will require all payment service providers to reimburse victims of APP fraud, barring exceptional circumstances. It is too early, as yet, to gauge how successful these moves will be.
How could FedNow change payments in the US?
While it’s fair to say the US has lagged behind many other parts of the world in real-time payments adoption, the launch of the Federal Reserve’s FedNow scheme in July 2023 could be a game-changer. FedNow isn’t a peer-to-peer payment service like Venmo, PayPal and Zelle.
Instead, it’s a basic system banks can use to build innovative real-time payment applications and services of their own—for example, P2P payment apps or fast bill payments.
FedNow is more comparable to The Clearing House, a real-time payments network launched by a consortium of banks in 2017. Whereas The Clearing House currently has around 280 participants, FedNow could eventually embrace the 10,000 regulated US banks and credit unions served by the Fed.
This has the potential to make real-time payments go truly mainstream for a range of B2B, B2C and business and consumer-to-government transactions.
How much APP fraud risk does FedNow pose?
If FedNow succeeds in its goal of revolutionising payments in the US, services built on the system will almost certainly become a magnet for fraudsters. One potential risk lies in the fact that FedNow could open participation in real-time payments up to smaller institutions that can’t invest as much money in fraud detection solutions as the large national banks.
But the Fed also has the benefit of learning from years of experience in other countries as well as from domestic examples like The Clearing House and Zelle. It has built a range of security features into the system from the start, offering participating financial institutions a range of tools they can leverage to defend against fraudulent transactions.
These include: The ability for financial institutions to establish risk-based transaction value limits.
The ability to specify certain conditions under which transactions would be rejected, such as by account number.
Message signing, which will validate that the message contents have not been altered or modified.
Reporting features and functionality, including reports on the number of payment messages that were rejected based on a participating financial institution’s settings.
This is just the start. The Fed aims to add more security features in future releases to help participants manage fraud risk. These include value limits that could be tailored to certain uses, aggregate value or volume limits for specific periods (for example, per business day), and functionality that uses advanced statistical methods and historical patterns to identify potentially fraudulent payments.
What does the future look like?
The FedNow platform’s promise of increased efficiency, accessibility, and security could transform the payment landscape over the next five years.
However, since participation in FedNow isn’t mandatory, real-time platforms might not grow as quickly in the US as in jurisdictions such as Brazil, where regulators compelled all institutions to take part in Pix. It may take years for banks to fully test and adopt FedNow.
This could give financial institutions and the Fed breathing room to deploy safeguards that reduce successful APP fraud attempts. Closer industry collaboration will also help to reduce the gaps that fraudsters currently exploit. The likes of Plaid and FiVerity, for example, are facilitating information-sharing networks where institutions and customers can exchange intelligence on suspected fraudsters.
Fraud detection technologies, meanwhile, continue to evolve into more powerful tools in the fight against APP fraud. Transaction monitoring systems that analyse payment transactions in real time can alert banks to suspicious patterns for investigation. AI will have an increasingly important role to play in helping institutions sift through millions of transactions and data points to identify potential APP fraud.
The rise of real-time payments has brought unprecedented convenience to consumers but has also exposed them to the growing risk of APP fraud. Despite financial institutions’ efforts, this form of fraud has thrived in most countries with real-time payment schemes.
It remains challenging to combat because of banks’ limited control of customer behaviour, the instantaneous and irrevocable nature of transactions, and the sophistication of the criminals.
While the launch of initiatives like the Federal Reserve’s FedNow scheme in the US offers promise, they also introduce new risks. However, with continued collaboration, innovation in fraud detection technologies, and the adoption of advanced AI systems, the financial industry can strike a balance between convenience and security, ultimately working toward a safer future for real-time payments.
Steps you can take to protect your business.
A critical component to stopping Authorised Push Payment fraud is to have the right monitoring and next-generation fraud tools. These tools layer onto your existing investment so can be quick to put in place rather than replacing existing vendors.
One of the leading technology solution vendors that Stanchion has worked with in this area is INETCO based out of Canada but with a global and blue-chip client base and bringing nearly four decades of experience managing fraud and rich transaction data insights.
By Alice Umutesiwase