APP and Account Take Over Fraud online: an untenable Pariah

Police have been authorised to employ 20,000 to assist in combating of crime. One of their first targets is domestic burglary, which we can agree is a horrible crime causing financial and emotional deep distress. Last year there were 268,000 victims of domestic burglary in England and Wales, and part of the 19% decline in total crime excluding fraud and computer misuse.

Fraud and computer misuse increased 36% and included 224,000 victims of Authorised Push Payments (APP) and Account Take (AT) for £676 million in online fraud. Given the trends, APP and AT, will exceed domestic burglaries this year.

The chances of APP and AT fraudsters being arrested and charged in court are very small. Burglary is a physical crime and the laws and Police are well honed in identifying, pursuing and arresting burglaries but not when the crime is online. The key expertise for online fraud is with The City of London Police and combined with the rest of the force, represents 1% of Police skills to fight a rapidly growing menace in society.  Within a few years there could be an annual 1,000,000 victims.

The bank account is the key target of the fraudsters, the goal is to have the bank account holder authorise the movement of money into the fraudsters (payee) bank account.  As the growth of APP and AT exploded, the regulator mandated six of the largest banks to include Confirmation of Payee (CoP). This marries to the Account Name, the Sort Code and the Bank Account Number. Without this triad the fraudster could use any account name, e.g. HMRC, and receive payment.  

CoP has been so successful that the fraudsters are moving their payee accounts to the non-enabled CoP banks, i.e. 95% of the banking community. While the six banks make 85% of the payments, the remaining, will by year-end, contain at least 50% of the online fraud.  This leaves the 5% of CoP enabled banks significantly safer than the rest of the banking industry.  

Banks have formed a voluntary reimbursement code for fraud victims. Banks, now reimburse an average of 40%, up from 20% prior to the code to victims.  That is, 60% of bank customers are treated as if they were some how involved in the fraud. Victims can appeal the refused reimbursement to the Financial Ombudsman who overturns 50% of the banks’ decisions. 

Depending upon which bank has the bank account the actual reimbursement can be much lower than 40%. The actual reimbursement amount varies by bank as the code is voluntary.  Only TSB (99%) and Barclays (74%) disclosing their rates. 

There are a number of regulators and agencies for banking, payments and online fraud. They include the FCA, The Bank of England, Payment System Regulator (PSR) and The Lending Standards Board as well as Action Fraud. The regulators do require banks to know the customers of their bank accounts on an on going basis.  PSR is reviewing CoP. Action Fraud is being transformed into being more sensitive and proactive agency.       

Bank Accounts

Before an account is opened the bank has to do due diligence on the holders of the bank account and its usage. The bank itself owns the bank account. 

What seems to be missing here is the use of online technology that can pinpoint when an account holders’ information has changed with verification of the bank account user. Similarly, red flags can be generated on new payee transactions in the account do not match the account initial set up requirements or are simply suspicious. 

The fraudsters are using the same, available technology to exploit each bank’s weaknesses for their own gain. One clear example is once a fraudster has received the money into the payee account it is moved to other accounts in minutes while the victim, for example, could take up to 7 hours to reach someone at the bank that can support them to resolve the fraud. 

UK Government while adding to the Police force is sponsoring an Online Safety Bill. This bill is focused on online abuse and not financial fraud. The Prime Minister has met with the big telecom and digital social media companies requesting that they up their game on preventing harm to their clients.

The UK Treasury probably has the most to lose as online fraud deprives the country of revenue. The recipients of fraud proceeds do not pay tax and are likely to invest in non-taxable activities, e.g. drug trafficking.  Less tax income means lower level of social intervention investment. Money is needed, given our lack of cohesive activities and light regulatory enforcement, to prevent online ATT and AT fraud.  

We now have a fast, growing, social pariah feeding off of us that demands an end. 

Inspired by Ediri Irho report on the status of online fraud: includes Banks, Police, Regulators, Telecomm and Social Media companies and the UK Government