The Payment Services Regulations (PSR) approach will bring about a significant change for all the payment firms. Its aim is to proactively prevent Authorized Push Payment (APP) fraud from occurring. In APP fraud, customers are tricked into authorizing payments to fraudsters, making it difficult for banks to detect since the transaction appears legitimate. Unlike unauthorized transactions, where banks can flag unrecognized activity, APP fraud involves the customer’s active participation. APP transactions are often processed in real-time, leaving little time for banks to identify and intercept fraudulent transactions before the funds are transferred. Once the money is sent, it can be quickly moved to other accounts, often overseas, making the recovery difficult. According to UK Finance, in 2023, APP fraud losses have amounted to GBP 459.7 million stolen from over 232,000 consumers, in the form of purchase scams, romance scams, investment and impersonation scams.

Given the shift to a 50:50 liability sharing model, there is a need to enhance the capabilities in managing and preventing fraudulent activities, particularly in the realm of processing inbound transactions. This change necessitates a higher level of sophistication in the approach to fraud prevention. The implementation of this initiative will involve a considerable financial investment for banks due to the need for extensive technical upgrades and the associated operational expenditures.

Inbound Transaction Processing

The current systems employed by banks are specifically engineered to prevent unauthorized transactions from being initiated from an account in the form of outbound payments. However, this approach has unfortunately resulted in an increase in account takeovers. To effectively prevent APP fraud, it is crucial for banks to shift their focus from the account sending the money to the bank account receiving the payment, in short, the inbound payments.

• How can we efficiently prioritize incoming payments?

The transition to inbound transaction processing is a critical strategy for effectively addressing instances of APP fraud. This approach will enable the banks to prioritize monitoring the behavior of the perpetrators, rather than solely focusing on the victims of the fraud. In situations involving APP fraud, it's important to note that the receiving bank typically possesses more comprehensive information about the fraudster's account compared to the sending bank. This gives them a distinct advantage when it comes to taking action such as blocking or freezing the funds in question. Additionally, the receiving bank is better positioned to request and obtain necessary clarifications regarding the fraudulent activity. The Confirmation of Payee (COP) initiative has been implemented to address the issue of APP fraud. While COP has contributed to some reduction in APP fraud, fraudsters still continue to devise new tactics to carry out fraudulent activities.

• Are the correct rules being input into the fraud prevention systems?

The current fraud prevention systems have mainly focused on safeguarding outbound payments, however the focus needs to move inbound. The process of inbound screening will necessitate extensive and large-scale operations. The demand for faster payments is increasing as customers want to send and receive money instantly. As a result, banks must make real-time decisions to facilitate these transactions. However, false positives, which are erroneous identifications of legitimate transactions as fraudulent, pose a significant threat to the overall customer experience. Therefore, minimizing false positives is crucial for banks to meet customer expectations and maintain smooth and efficient payment operations in line with the customer duty.

• So how should it be done?

Consider triaging the alert rules, such as £1 payments followed by a larger amount, card purchases to Money Service Businesses (MSB’s), card purchases to high street designers, card payments to crypto providers, changes in IP addresses, and a payment is initiated; changes in phone number, and a payment is initiated; high-value payments received from third parties such as loan providers, credit card providers, cash deposits; and again, a payment is initiated. The incoming payments should be assessed for review before processing them using new technology providers who will work alongside the APP fraud detection systems to strengthen the inbound screening process. In this context, behavioral analytics will provide valuable insights into the patterns of behavior and actions of the customers, allowing the banks to make more informed decisions and optimize inbound payments. We may not be able to completely eliminate fraud losses, but we can aim to minimize/limit them.

Review the fraud prevention rules monthly. During the review, check how many alerts are triggering against those rules, how much is the incurred loss versus the prevention, how is your Management Information (MI) placed? Additionally, document any additional measures that can be taken to protect both the victims and the bank. Finally, collaborate with the 2LOD and 3LOD for further discussions on the fraud strategy, risk assessments etc.

Inbound conversations

• Time to move away from the traditional tick-box approach

Fraud prevention has traditionally relied on a tick-box approach, but it's time to evolve this strategy. Moving forward, we need to prioritize proactive measures that empower well-trained staff to effectively deter fraudulent activities. Fraud prevention should always be considered as a two-way conversation. One of the most powerful tools is asking the right questions. By engaging with customers in a thorough and diligent manner, staff can significantly mitigate the risks of fraud.

For instance, when interacting with customers, staff should consider asking probing questions such as, ‘Have you made payments to this beneficiary in the past?’ This not only establishes a baseline for the transaction but also prompts the customer to provide additional relevant details. Furthermore, delving deeper with queries like, ‘How do you know this person?’ and ‘Are you anticipating further payments to be sent to this individual?’ can offer valuable insight into the nature and legitimacy of the transaction.

Moreover, it's important to recognize that any deviation from established payment patterns, particularly changes in bank details, should be carefully scrutinized. Behavioral analytics will help here. When a customer has previously made payments to a beneficiary and there is a sudden alteration in the associated bank information, it should serve as a flag for further investigation. Challenging such changes is a fundamental step in fortifying the defense against fraudulent activities.

• Probing, and more probing

By prompting staff to adopt a more inquisitive and vigilant stance in their interactions with customers, we can bolster our fraud prevention efforts. In my experience, I have successfully prevented numerous fraud/scam cases. It is difficult to explain to the customer that they have fallen victim to a scam, however it is crucial to take decisive action by blocking their accounts and advising them to visit the nearest branch or sometimes a banking protocol is required. With the closure of numerous branches, it has become increasingly important to establish a dedicated team to support the vulnerable individuals, especially those affected by romance scams.

• Challenge the flagged rules to build a conversation

Another instance, if the customers are instructed to make a card purchase to MSBs (Money Service Businesses), ensure that there is a payment rule in place to flag these transactions. This is important because fraudsters may instruct the customer to withdraw funds in a specific currency. When handling such calls, ask the customer if they are planning to go on a holiday and request that they confirm the holiday destination. Additionally, inquire if someone has requested them to withdraw funds. These extra questions can help identify and prevent potential fraudulent activities.

How can we mitigate the risk of fraud and get ready for the upcoming PSR regulations?

• Real-time fraud detection system

Smaller banks, which are still using the traditional legacy systems, may face difficulties in transitioning to real-time fraud detection systems with advanced prevention features, a technology that has already been adopted by many larger banks. It is important to recognize the necessity of a real-time fraud detection system that is capable of conducting thorough data analysis beyond basic rule-based approaches. Such a system is crucial for detecting and identifying intricate and sophisticated patterns of fraudulent activity.

• First party fraud cases

Given the immediate reimbursement, it is anticipated that there will be a significant rise in first party fraud cases. It is important to evaluate whether the current systems are equipped to effectively detect these instances of first party fraud. It's essential to consider if customers are reporting fraud too frequently, if there is a pattern of customers reporting their card as lost too often, and whether there have been recent changes to a customer's address or phone number prior to the occurrence of a reported fraud.

• Collaboration in the 3 Lines Of Defense (3LOD) model

Are you ensuring that you collate and provide constructive feedback to the team responsible for handling fraud cases on 1LOD? It is imperative to share intelligence and insights with the relevant stakeholders, specifically with the 1LOD.  We need to foster collaboration between the 2LOD and 3LOD to ensure effective intelligence sharing. When investigating a fraud loss, it's crucial to thoroughly review all customer communications such as call recordings/branch visits to ascertain how the fraud occurred and identify opportunities for prevention. Compile a comprehensive list of points and exemplify them anonymously in training materials to support continuous improvement in fraud prevention strategies.

• Specific training modules

Make sure to emphasize the importance of understanding various types of fraud, such as mule accounts, romance scams, and social engineering scams. It's crucial to educate the team about the specific signs that may indicate fraudulent activities. Focus on training them to ask relevant and probing questions to uncover any suspicious behavior or requests from customers, especially related to unusual payment instructions.

• Integrating fraud and AML teams

When a fraud or scam is reported, it is vital that we follow the money, which includes reviewing connected accounts, especially in the case of an internal beneficiary. It is also important to file a Suspicious Activity Report (SAR) for the proceeds of the fraud or scam to be reported to the NCA. From my personal experience, while fraud cases are closed within the team, there has been inconsistency in reporting the proceeds of crime to the NCA. Fraud and AML team usually work in silos and there is a higher chance of missing potential risks.

Conclusion

To achieve the UK government's established objective of mitigating fraud through the Economic Crime and Corporate Transparency Act 2023, an expeditious response is imperative given the persistent evolution of criminal methodologies and the enduring susceptibility of the current systems. Advocating for a holistic approach by incorporating enhanced trainings, healthy inbound conversations, building a collaborative culture amongst the teams, intelligence sharing, continuous tuning of fraud controls, creating digital sandboxes etc., will be helpful. These initiatives are pivotal in mitigating vulnerabilities, promoting transparency, and fortifying our economy and society against fraudulent activities. As I've mentioned before, we may not be able to completely eradicate fraud, but we can definitely take steps to minimize its impact.

Disclaimer – The views expressed in the content are my own and do not necessarily reflect the views of my employer or other associated parties.