The future of payments: Perfecting payments protection

With merchants leaning on card-not-present payments during the pandemic, and consumers themselves further embracing online banking, new opportunities have been created for financial criminals to exploit weaknesses in the digital payments system, and defraud people out of their hard-earned cash. Therefore, financial institutions are adjusting their fraud prevention controls to protect customers.

This is an excerpt from Finextra Research report 'The Future of Payments 2021', which is exclusively available on the EBAday digital platform. Register here for EBAday to access the full report.

The Covid-19-induced upheaval of brick-and-mortar retail has resulted in the soaring uptake of e-commerce. However, with increased card-not-present transactions, has come a deluge of financial fraud. According to the Q2 2021 Feedzai Report, 93% of all fraud attempts are now carried out online. Authorised push payments (APP) fraud, has also been on the rise, according to UK Finance – resulting in total losses of £479 million, in 2020.

Arguably, these statistics would have been even more severe in the UK, were it not for the introduction of the Confirmation of Payee (CoP) scheme. However, since the adoption of CoP has been somewhat sluggish – with the Payment Systems Regulator (PSR) intervening to implement deadlines – financial institutions are now under more pressure than ever to implement their own payments authentication processes and protect customers.

The stakes of failing to fight fraud effectively are high. Fraud attacks can mean big financial losses at an institutional level; customers losing their savings; and even further intervention from regulators – which, if too extensive, threatens to degrade the customer experience.

Fraud in the post-pandemic world

Person-to-person, or card-not present, fraud has been particularly prevalent since the outbreak of Covid-19, while card-present, or stolen card, fraud has dropped off.

According to Adam Speakman, head of fraud and investigations, Metro Bank: “With the rise in online shopping – driven by national lockdowns – we have seen a surge in card-not-present fraud. Normally we see this around Black Friday, or the Christmas shopping period, but it’s certainly had a longer lifespan during the pandemic.”

Martin Salter, senior fraud manager, Nationwide Building Society adds: “Smishing messages from Royal Mail have been commonplace over the last couple months. Rather than fraudsters saying to victims, ‘I'm ringing from your bank’, it's a lot easier for them to say, ‘I'm ringing from TV licencing’
or ‘Royal Mail’, because that’s on customers’ minds at the moment.”

For financial institutions, these scams are proving extremely challenging to combat – particularly given it is the customer themselves that is, unknowingly, doing the job for the fraudster.

Mounting a counterattack

Looking to the future, financial institutions must be proactive with fraud prevention, and consider the speed and security that customers demand when it comes to their payments experience. Forward-thinking financial institutions are using two key tactics: rules-based logic and machine
learning (ML) technology.

According to Stripe, “rules-based fraud detection operates on an ‘If x happens, then do y’ logic, and is managed on an ongoing basis by fraud analysts. Examples include blocking all transactions from a certain country, IP address, or above a certain dollar amount.”

Nationwide – which is currently spending tens of millions of pounds on anti-fraud measures – uses a similar scoring system, which discerns whether a card payment is ‘normal’ or not. “The score is based on several factors,” explains Otto Benz, payments director, Nationwide Building Society. “this includes how often the person makes this kind of transaction, the time at which it is being executed, and where it is being executed geographically. Fraudsters often send amounts that they think will go under the radar, but they are creatures of habit, often sending similar amounts each time, so this can also give us a clue. We can tell a lot about the legitimacy of a pending transaction this way.”

“We're looking for clues in payee data,” adds Salter. “If you’re illicitly moving money, there's a good chance you're moving it to your own account. So, if the surname doesn't match it’s less likely to be a scam. We also analyse payment references. Fraudsters are creatures of habit – they like to use the same references, such as ‘motorbike, caravan, and car’. That's likely fraud, because nobody buys a car, motorbike and van at the same time. We stop four out of five of fraudulent transactions over £1000 with these methods.”

However, because rules-based systems are based on strict logic, argues Stripe, it can sometimes fail to “recognise hidden patterns, nor does it adapt to shifting fraud vectors by analysing information beyond these defined parameters. As a result, analysts are often playing catch up – manually creating new rules after they detect fraud rather than proactively fighting fraud.”

To help get around this, Nationwide is “shifting from rules-based systems to identify fraud, to rules-based systems to identify genuine,” says Salter. “The way strong customer authentication works, means that as a fraud team, we have to challenge everything unless it's low risk. Under this new system, however, instead of writing countless scenarios outlining the types of expected fraud activity, we write scenarios for likely genuine activity. If a transaction doesn’t align with one of those types of genuine activity, we challenge it because it’s not low risk.”

The second means to fight fraud, machine learning, encompasses a range of algorithmic approaches and statistical methods – such as regressions and neural networks – that helps to separate legitimate transactions from the illegitimate.

“When it comes to AML procedure,” says Salter, “we use AI, ML and heuristic rules to examine the transaction patterns that people follow, and whether there has been a significant change from previous activity, quick movements of cash, transactions in similar or round amounts, or payments from high-risk geographies. The industry is now working on bringing these systems together to bolster the collective money laundering response. This is the cutting edge of technological development.”

Combining both rules-based logic and ML tactics can be a potent and flexible anti-fraud measure, enabling financial institutions to benefit from the sophistication of ML technology, as well as the customisable nature of rules-based logic – thus satisfying customers’ demands of both a safe and efficient payments experience.

Powering cutting-edge tech

The vanguard of anti-fraud measures, however, is biometrics, which involves the measurement and statistical analysis of people's unique physical and behavioural characteristics, for near-bulletproof customer identification purposes.

There are several kinds of biometrics that financial institutions can use to fight payments fraud, including facial recognition, signature recognition, voice biometrics, keystroke biometrics, fingerprint biometrics.

According to Salter, Nationwide has been using voice biometrics to recognise speech patterns, and fight impersonation fraud, for three years now. “Once someone has talked on the phone for long enough, the technology can remember the way your voice works.

This is very useful for attempted account takeovers. When someone rings up, changes the address, and orders a new card and PIN, we log that voice and are notified if that person calls again,” says Salter.

Keystroke biometrics, on the other hand, discerns “whether the person typing is unusually familiar with, for instance, an application form,” adds Salter. “They might be hovering over a field before it's even appeared on the screen – that’s a fraudster who does this all day.”

Yet, arguably the most secure and efficient means of confirming a customers’ identity is fingerprint biometrics. “When it comes to fingerprint data, you can’t write it down somewhere, and have it stolen,” says Salter. “If consumers are looking for both a frictionless and secure payments experience, this is
the way to go.”

Shielding against digital deception

As we have seen, there are a number of steps financial institutions can take to shield themselves, and their customers, against rising levels of payments fraud.

Naturally, technology holds the answer to many modern security-related challenges – tactics such as rules-based logic and ML are extremely effective at separating criminal from the genuine. Machine learning can also be used to power cutting-edge authentication solutions, such as keystroke, voice, and fingerprint biometrics – giving financial institutions confidence that they are dealing with a true customer.

This kind of proactive approach is exactly what is needed for financial institutions to survive the fraud threats of the post-pandemic world.