
A Call for Better Push-Payment Scam Prevention In Light of Liability Shifting from Customers to Bank


APP (Authorized Push Payment) fraud is turning out to be a widespread menace, with the UK being the most affected, according to the UK consumer rights champion Which?. When a business or an individual is tricked into sending money to a fraudulent account to pay for goods or services, it is a fraud. Businesses and individuals are scammed when criminals send seemingly legitimate invoices to business professionals with requests for payment.

When payment service providers (including banks) receive instructions to transfer money from a customer’s account to another account, it’s called a push payment. It becomes an APP when the customer gives consent for a transaction to be processed. Payments can be authorized over the phone, through online banking or in person.

Typical APP scams are:

  • Malicious misdirection where victims believe they are paying a known, legitimate payee, but are instead tricked into making a push payment to a scammer’s account.
  • Malicious payee where victims make a push payment – typically in return for promised goods or services – to people they believe are legitimate, but who later turn out to be scammers.

Reasons for the growth of APP scams include the increased use of mobile and online technologies: as online banking becomes more popular, more push payments will be made. According to the UK Payments System Regulator (PSR), there are about 100 payment scams hitting consumers and businesses every day. Given the scale and nature of the fraud being committed, banks under the current system don’t reimburse their consumer and business customers, unlike in other fraudulent transactions on credit or debit cards.

After extensive research, Which? found that there was a crucial discrepancy between how banks deal with APP scams and how they handle other types of customer-based fraud. In other cases of fraud, banks are generally liable for losses, but in an APP fraud the payment is deemed authorized, since the customer authorized it, and hence banks are not liable to pay. According to the PSR, individuals lose an average of $4,000 while businesses lose an average of more than $28,000 per scam.

Which? raised a super-complaint against the PSR on APP scams, which it said could result in trauma for victims of such frauds, where large sums of money are lost with no hope of recovery. The PSR and FCA in the UK recognize the magnitude of the problem and are working on creating awareness amongst consumers and on a policy framework that could enable PSPs, including banks, to take protective measures.

PSR is working on strengthening the APP ecosystem by:

  • Increasing consumer awareness and education
  • Publishing guidelines for identity verification, authentication and risk assessment (by 2018)
  • Publishing rules and requirements to provide confirmation from the payee (by 2018) to the user
  • Developing industry collaborative standards and rules for trusted KYC data sharing (by 2020)
  • Collaborating with UK Finance in defining financial crime data and information sharing
  • Setting up a transaction data analytics system to spot mule accounts and fraudulent transactions

A review by the Financial Conduct Authority (FCA) had found that the banks’ procedures for dealing with these scams were “inconsistent”, while their existing fraud detection systems could not easily detect such frauds.

Meanwhile, a path-breaking idea proposed by PSR is the ‘contingent reimbursement model’ with the intent of shifting a part of the liability (of the scams) from the consumer to the banks. While contingent reimbursement is yet to be legally forced upon PSPs, the FCA has already notified UK banks that they will be held accountable for payment frauds including push payments.

If the fraud liability is going to shift to PSPs and banks, it means that they will have to do something smarter and fast.

The situation now demands that PSPs, including banks, dramatically improve their security measures and reinforce their identification and authentication mechanisms. It would also mean that banks would have to invest in smarter, faster transactional data analytics to identify, track and report anomalies.

From a technology standpoint, they simply cannot afford to rely on traditional siloed ‘channels only’ defense mechanisms.

The entire process – from identification to authentication to anomaly detection to fraud prevention – will have to be enhanced exponentially with intelligent, extreme real-time technology that can detect anomalies by synthesizing collective wisdom from across all systems of the bank, instead of relying on mobile-banking-only or internet-banking-only fraud detection.

AI-based real-time intervention systems are able to synthesize pan-enterprise insight from across all channels and bring it to bear instantly for precise ‘segment of one’ interventions when a fraud occurs. Banks and PSPs are also able to predict potential frauds that may be cooking, more accurately and well in advance.

As PSR’s MD Hannah Nixon put it, “There is no silver bullet – but more can be done to prevent these scams in the first instance, and to respond faster when it does happen.”



Comments: (1)

Eli Talmor - ID-Bound - Haifa 20 February, 2018, 07:45

Perhaps a "silver bullet" after all:

Naresh Kurup


Director - Marketing



This post is from a series of posts in the group:

Financial Risk Management
