There are two broad categories of consumer payments fraud — authorised and unauthorised. Unauthorised is the bigger issue in terms of volume, at least in the UK where £360 million was stolen in H1 2022 alone, according to UK Finance, but authorised is causing more concern among industry participants and regulatory bodies.
That’s because authorised payment fraud occurs when someone approves a payment from their own account to a fraudster’s, which is why it is commonly known as Authorised Push Payment (APP) fraud. This leaves a grey area as to whether the customer or the institution is at fault.
How does it work?
APP fraud can be broken down into a number of categories, including “impersonation” scams, where the criminal pretends to be someone else, like a bank employee, in order to convince the victim to make a payment to the criminal’s account; investment scams; and purchase scams, where the criminal claims to be selling a good or service that doesn’t exist.
It’s important to note that the UK isn’t the only country where fraud of this kind is occurring. In the US, real-time payment apps are also under fire for facilitating such scams. Notably Zelle, which enables account-to-account payments and is owned by a group of major US banks, was called out in a report released by Senator Elizabeth Warren.
Why is concern around APP fraud escalating?
For a start, the volumes lost by consumers are significant — in the UK, APP fraud losses reached £249 million in H1 2022, while in the US the banks included in Senator Warren’s report (notably not all those with a stake in Zelle participated) are expecting to receive claims for scams and fraud of $255 million this year.
The scams listed above are also continuously successful, largely thanks to the rise in digitalization across all areas of people’s lives. Customers are increasingly confident engaging with their financial institution digitally, so when a digital communication arrives purporting to be from that provider, they are less suspicious. At the same time, people both knowingly and unknowingly make personal data public, making it easier for fraudsters to convince their victim that they are legitimate, for example by knowing their address.
Many people also give no thought to checking whether the phone number or email address actually corresponds to the provider’s official contact details — why would you if the name displayed in the “from” box is that of their bank?
The same is true of being asked to send money via an app or online banking portal to a merchant or service provider — that’s the way a significant number of people now make most of their transactions so it doesn’t feel unusual. Here, social media plays a significant role in distributing convincing advertisements, which are so virulent because it’s impossible for advertising bodies to keep up with the sheer volume of posts generated across multiple platforms.
Whose fault is it?
One of the reasons APP fraud is such a hot topic is the grey area it creates in terms of responsibility for the fraud occurring in the first place. That’s an issue because it dictates whether the victim is reimbursed for their losses or not. Unlike in unauthorised fraud where there is a clear process for returning stolen funds, meaning the majority of victims get their money back, there is no unanimously agreed procedure for APP.
Some payment providers in the UK have signed up to the Contingent Reimbursement Model (CRM) — a voluntary code laying out the circumstances under which customers will be reimbursed following APP fraud. However, not every payment provider has signed up, and of those which have, reimbursement rates vary significantly. Senator Warren’s investigation found a similar state of affairs in the US, with only 9.6% of victims being reimbursed.
Sometimes, banks will say that they have introduced controls to prevent fraud happening, and that the customer ignored or overrode them, leaving the provider blameless and the customer out of pocket. In the UK, such controls include confirmation of payee (CoP), where a customer is alerted that the recipient details they’ve entered don’t match those held on the destination account, and is asked if they wish to proceed. Some banks also show warnings when a customer adds a new payee, which explain the ways in which fraudsters operate and require the customer to confirm via tickbox that they have read the warning before they can continue.
It’s easy to see how customers become complacent about such measures, viewing them as introducing friction into a process they believe should be seamless. As Sandra Peaston, Director of Research and Development at fraud prevention service CIFAS points out, when they are applied to all transactions — fraudulent or otherwise — “consumers then tend to treat them in a manner not dissimilar to reading Ts&Cs, as just something that they have to skip past in order to do what they want.”
However, that doesn’t mean it’s entirely the victim’s fault. The blind application of warnings to all new payees occurs because banks aren’t able to assess which transactions are likely to be fraudulent due to a lack of data. Many consumers, and increasingly regulators, argue that banks should be investing more to change that situation.
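The confirmation of payee check described above compares the name a payer types with the name held on the destination account, and only needs to add friction when the two disagree. The following Python sketch is an added example, not code from any bank or payment scheme; the outcome labels, the 0.80 similarity threshold and the normalisation rules are assumptions chosen for illustration, and the names used to exercise it are constructed.

```python
import difflib
import re
import unicodedata

# Assumed outcome labels and threshold for this sketch; not from a scheme rulebook.
MATCH, CLOSE_MATCH, NO_MATCH = "match", "close_match", "no_match"
CLOSE_THRESHOLD = 0.80
TITLES = {"mr", "mrs", "ms", "miss", "dr", "mx"}
ABBREVIATIONS = {"ltd": "limited", "co": "company"}


def normalise(name: str) -> str:
    """Fold case, accents, punctuation, titles and common company abbreviations."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    text = text.replace("&", " and ")
    tokens = re.findall(r"[a-z0-9]+", text)
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens if t not in TITLES)


def confirm_payee(entered_name: str, registered_name: str) -> str:
    """Compare the name the payer typed with the name held on the account."""
    entered, registered = normalise(entered_name), normalise(registered_name)
    if not entered or not registered:
        return NO_MATCH
    if entered == registered:
        return MATCH
    # Sort tokens so a swapped word order still counts as close, not as a mismatch.
    a = " ".join(sorted(entered.split()))
    b = " ".join(sorted(registered.split()))
    ratio = difflib.SequenceMatcher(None, a, b).ratio()
    return CLOSE_MATCH if ratio >= CLOSE_THRESHOLD else NO_MATCH


def payment_prompt(entered_name: str, registered_name: str) -> dict:
    """Decide what the payer sees: friction only when the check gives a reason."""
    outcome = confirm_payee(entered_name, registered_name)
    return {
        "outcome": outcome,
        "show_warning": outcome != MATCH,
        "require_explicit_confirmation": outcome == NO_MATCH,
    }
```
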
What can we do to stop it?
Senator Warren is pushing the CFPB “to clarify and strengthen” a piece of regulation which dictates when a bank has to pay a victim of loss back. The UK’s Payments Services Regulator meanwhile has proposed mandatory reimbursement for victims, a move designed to incentivise payments providers to do more to prevent APP scams.
Ways in which providers might do that are varied, but boil down to one key element: data. More specifically, greater sharing of data between institutions in order to make it easier to identify fraudulent actors. However, that’s not as easy as it sounds given the need for banks to protect their customers’ personal data, as well as the nuances involved in certain APP circumstances, for example where the account that funds are transferred to doesn’t belong to the criminal but to another victim who doesn’t realise their account is being used for illegal purposes.
Another core necessity is consistent implementation of measures, including Confirmation of Payee, and constant evaluation of their application to ensure they’re working as effectively as possible.
The more peripheral parties involved in the occurrence of APP should also be held accountable to some extent, says Peaston. That includes social media platforms and networking apps which are used by fraudsters to advertise their illegal scams. These players also have a role to play in reducing incidences of APP fraud.
Finally, while technological solutions and policies have a significant role to play, the last key part of the puzzle is changing customer behaviour. Banks and other providers need to make sure that the protection measures they bring in are customer-centric so that they have the desired result.