Iain Swaine, Global Advisory Director EMEA, BioCatch and Katie McKenzie, Engagement Manager EMEA, BioCatch
The financial industry is preparing itself for a surge in Authorised Push Payment (APP) scam reimbursements. Why? Because the statistics speak for themselves. In the UK alone, APP scams cost consumers close to £250 million in the first half of 2022. Despite a slight decline from the previous year, when they overtook payment card fraud for the first time, APP scams continue to be a top target for criminals.
Recently, there have been some significant initiatives in scam education. Emails from banks, videos on social media, and radio advertisements urging vigilance around the scams in circulation are common. Unfortunately, education alone is insufficient. Despite all of our efforts to spread the word about scams, criminals are still refining their social engineering techniques, and there will always be unsuspecting consumers for them to prey on.
Financial institutions are under pressure to do more due to the increased visibility of scams and money laundering, as customers now have more resources to recover money they lost through scams. However, getting to where we are now with reimbursements wasn't an easy process. It has taken us almost seven years to arrive at this point, where just over half of all APP scam losses in the UK have been compensated (56%).
The who and the what
In September 2022, the PSR published their APP consultation document, which outlines the proposed regulation around scam reimbursement. Fast forward to the end of 2023, which is when the proposed regulation is likely to become a reality, and there are two significant points in the consultation paper which will have a huge impact on financial organisations.
Firstly, the PSR consultation proposes mandatory reimbursement of losses to victims of APP scams, unless it can be proven the victim has been grossly negligent. What will constitute gross negligence, and whether the Financial Ombudsman and other bodies will align, is still to be determined.
Perhaps more challenging is that there will be a liability split between the sending and receiving bank. This will have huge commercial impacts for banks on both ends, particularly those that are being targeted by scammers with mule accounts. As a result of the proposed change, the receiving banks will be liable for up to half of the amount lost by the customer. Consequently, financial institutions will be motivated to proactively tackle their mule account issues. However, fraudulent accounts are extremely hard to detect when they sit dormant, so this won’t be easy.
The PSR proposed changes, if they are implemented in their current form, will have two very significant impacts on UK banks:
- The amount reimbursed to customers will become significantly higher in 2023 and beyond, potentially going as high as 90%-95% reimbursement and nearly doubling the overall reimbursement amount in the UK for APP scams, pushing it closer to £1B per year for the first time ever.
- The split liability proposal will mean that more financial institutions are liable for more cases of fraud. Simply having the money mule account that received the fraudulent payment means the receiving bank is liable for half of the bill.

These two factors mean significant increases in fraud losses if appropriate AML controls are not in place.
What can financial organisations do to get on top of APP scams?
The challenge with APP scams is that the customer is coerced into transferring their own money from their account into another account that they have no control over. Therefore, traditional fraud controls cannot step in and prevent the payment because they are limited to looking only at ‘what you know’ and ‘what you have.’
One of the best ways to stop APP scams in their tracks is to look at pre-transfer behaviour. Behavioural biometrics looks at several things to recognise APP scams in real time, such as session length, segmented typing, hesitation, and device displacement. These actions are all altered when fraudulent activity occurs, a revealing tell that the user is under the coercive control of a criminal. When these signals are compared alongside the transactional behaviour, the legitimacy of the customer activity is identified.
As for money mule accounts, identifying them has been difficult as banks cannot tell that it is a malicious account until the dirty money starts flowing in and out. Inbound transaction profiling is utilised to spot suspicious activity at the point of receiving money, but operational overheads and false positives can cause issues if used on its own.
Detecting the receiving accounts before they are used is now a critical component of a robust malicious account mitigation platform. In the build-up to a dormant account being used for money laundering, there are typical behavioural events that occur, such as multiple users accessing the account. Being able to recognise these red flags before the fraudulent transaction is how financial institutions can shut down these accounts before the damage is done. Financial institutions that have deployed behavioural biometrics for this purpose are seeing over 90% of malicious accounts detected before existing controls catch them.
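To make the "multiple users on a dormant account" red flag concrete, here is an added example (not from the authors or any vendor product) that flags accounts which were quiet, then saw logins from several distinct devices, with no payment yet. The event schema, the use of a device fingerprint as a stand-in for "user", and all thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (account, ISO time, event type, device fingerprint).
EVENTS = [
    ("acct-A", "2023-01-05T09:00", "login", "dev-1"),
    ("acct-A", "2023-06-01T10:00", "login", "dev-1"),
    ("acct-A", "2023-06-02T22:10", "login", "dev-7"),
    ("acct-A", "2023-06-03T03:45", "login", "dev-9"),
    ("acct-B", "2023-05-20T08:00", "login", "dev-2"),
    ("acct-B", "2023-05-30T08:00", "login", "dev-2"),
    ("acct-B", "2023-06-01T08:05", "payment_out", "dev-2"),
    ("acct-C", "2023-05-20T12:00", "payment_in", None),
    ("acct-C", "2023-06-02T12:00", "login", "dev-3"),
    ("acct-C", "2023-06-02T18:00", "login", "dev-4"),
    ("acct-C", "2023-06-03T01:00", "login", "dev-5"),
]

def flag_pre_use_mules(events, now, window_days=7, quiet_days=90, min_devices=3):
    """Return accounts that were quiet, then accessed from many devices,
    and have not yet moved money (hypothetical thresholds)."""
    window_start = now - timedelta(days=window_days)
    quiet_start = window_start - timedelta(days=quiet_days)
    devices = defaultdict(set)   # distinct devices seen in the recent window
    active_before = set()        # accounts with any activity in the quiet period
    paid_in_window = set()       # accounts already sending or receiving money
    for acct, ts, kind, dev in events:
        t = datetime.fromisoformat(ts)
        if quiet_start <= t < window_start:
            active_before.add(acct)
        elif window_start <= t <= now:
            if kind == "login" and dev:
                devices[acct].add(dev)
            elif kind.startswith("payment"):
                paid_in_window.add(acct)
    return sorted(
        a for a, seen in devices.items()
        if len(seen) >= min_devices
        and a not in active_before
        and a not in paid_in_window
    )

if __name__ == "__main__":
    print(flag_pre_use_mules(EVENTS, datetime(2023, 6, 4)))
```

Only `acct-A` is flagged: `acct-C` shows the same device spread but was already transacting, so it falls to inbound transaction profiling rather than this pre-use check.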
Banks are already putting the appropriate steps in place in preparation for the proposed regulation. However, those that are slow to react may well find themselves with a barrage of new cases on their doorstep if they don’t act early. Implementing the necessary solutions that help them to detect and prevent the accounts that are at risk of fraudulent activity will be a crucial saver of time and money as this new era of consumer protection dawns.