Banks must get ahead of payment scammers, not clean up in their wake

It’s been a busier year than usual for fraud teams at UK banks as they’ve grappled with significant regulatory change handed down on a tight deadline in an effort to stem the rising tide of payments fraud.

Starting 7 October, every UK retail bank is required by the Payment Systems Regulator (PSR) to reimburse customers who lose money in proven instances of Automated Push Payments (APP) scams, paying out up to £85,000 in every case.

Mandatory reimbursement is a step-change in how banks manage scams carried out against their customers, and a step in the right direction to protect innocent people against highly sophisticated, global, organised crime. 

But, while what the PSR is doing is commendable, right and essential for consumer protection, there’s a gathering sense that we’re the shutting stable door after the fraudulent horse has bolted. 

Attention now must be given - and more investment committed - to detecting and preventing fraud before it happens. Shifting the burden of loss from consumer to bank is one thing, removing it altogether is another.

We’re told that there was almost £500m lost to APP fraud alone last year, impacting 250,000 people. It’s likely, however, that these volumes are hugely underestimated. 

First, the vast majority of people don’t report suspected fraud. Often they don’t see the point, they don’t realise it’s happened, or they feel huge embarrassment or shame for having fallen victim to a scammer. Second, banks exclude from the tally any alleged scams that they classify as ‘civil disputes’ (cases they will not have to reimburse under the new rules). 

Industry estimates put the total number of cases anywhere from 3x to 10x higher. This means that 2.5 million people could be victims of fraud every year, costing them (or now, the banks) as much as £5bn annually.

That’s an extraordinary amount of cash that’s only getting bigger. As consumers realise that reimbursement is an option, we fully expect to see a sharp rise in the number of reported (and proven) fraud cases, costing the banks dear. 

With so much emphasis on who pays the price to fix things when they go wrong, a bigger problem is going unaddressed. How do banks better equip themselves to stop fraud happening in the first place?

The standard prevention tool in place is, frankly, a gift to fraudsters: greater friction in the payment process. The Payments Association tells us that accepting slower payments (thanks to friction) is a necessary burden to reduce fraud, but how true is that in reality? The banks we work with show us through study after study that warnings don’t prevent fraud. 

Fraud-prevention friction is universal and generic. Most banks bombard consumers with zero-context warning screens and several stages of consent, regardless of the unique details of the specific payment being made. 

Friction has its place, certainly, but placing more onus on consumers to be more educated and vigilant is proven not to work. Shockingly, studies show past victims of scamming are no less likely to fall victim again.

Now that the burden of loss falls more heavily on banks’ shoulders, there needs to be greater innovation that refocuses attention from offloading liability to actively identifying scammers. 

Scams stem from information asymmetry. Silos built up around financial institutions over decades warp the quality of mutual information sharing. Banks might know their customers inside and out, from their keystrokes to their usual payment behaviour. But they know nothing about who these customers are paying. Therefore, we know that information is key to solving the fraud problem. 

Closed-loop systems like PayPal tame scams because both parties must onboard the same platform, opening the door to greater knowledge about who that recipient is. Faster payments between banks lack that openness and knowledge transfer. 

By building a robust system to share identifying information between banks, banks can start treating every transaction individually. A sender confidently paying a long-established and well-networked account should proceed without warnings. Meanwhile, a sender paying the same cash to an newly-established account whose owner has just switched geolocation should have their payment paused for inspection.

Before the PSR mandated reimbursements, we had already seen the majority of banks adopt this practice voluntarily. Now let’s see the same voluntary commitment to better data-sharing between banks, creating an information exchange that goes beyond the limiting ‘confirmation of payee’ - a confirmation that is in name if not anything else.

An unhelpful mantra persists among those who don’t know how to stem the scams: faster payments, faster fraud. Sadly, we know that the opposite isn’t true: slower payments don’t slow the fraudsters. Cleverer payments, those enriched with verifying data about the recipients at a level never seen before in financial services, can end fraud. That’s the mantra we all need to adopt before this £5bn-a-year problem balloons again.