Another year and another increase in the cases of push payment fraud. Things are getting so bad now that, apparently, the surge in fraud attacks on consumers has become a “national security threat”.
The Covid pandemic had many more of us shopping online, making online investments, utilising open banking capabilities and basically, moving to a more digital world of payments. Fraud figures last year (2020) were pretty record breaking, that is until you see the figures for the first half of 2021. Criminals manged to dupe us consumers out of some £754m ($1.03b) over the first half of 2021! That is a ridiculous amount of money.
The big issue, well area of growth, is what we call Push Payment fraud – which is basically where consumers are tricked into making a real payment from their bank account directly to a fraudster. This type of fraud is up 71% which puts it ahead now of card-based fraud. Now while everyone is digging out Google, Amazon, Facebook, EBay etc for not doing enough, the simple fact is that the financial services industry doesn’t do enough at all. The banking infrastructure pretty much works on sticky tape and plasters, which makes it all too easy for fraudsters to get around and trick.
Let’s have a look then at what could be done…
Confirmation of payee
Don’t get me started on this. Whoever came up with this idea hadn’t really thought about how smart criminals are, nor how they go about committing most cases of fraud. The idea here is, your bank can confirm that you are paying the right person / account holder details the other end. It does this by basically asking you for the account holder name (business or individual), then requests the bank that holds that account if that is the account holder name. That bank responses with some data and yes, you get a confirmation of payment – or you notice that there are some tiny differences, and you accept the recommendation. Now this stops only one single type of push payment fraud – and I call that “lazy trying my luck push payment fraud”.
Why you might ask do I say this. Well, the only way you stop the fraud is if the fraudster opened an account in a name that is nothing like the name of the person/company that I as the consumer think I am paying. So this is fraudsters who are just saying, “I am Apple inc. pay me my £750 for your new iPhone”, but the account detail is “John Smith”. I mean come on, this will only catch really lazy fraudsters (that being said that probably equated to millions last year).
The issue is fraudsters are smarter than that. They set up real businesses with names that match companies they wish to impersonate. They may even set up legitimate businesses and sell the goods, they don’t even claim to be anyone else, they just will never send you any products once you have paid for them. In these cases, confirmation of payee did nothing, not a single thing to even slow the fraudster down. Fab, what a waste of investment this was then…
Understand invoice finance fraud
When I was setting up ClearBank, one of the areas of business we thought about was providing invoice financing services. Now as a CTO I wanted to look at technically how we make this as effective, efficient, and as safe for the customer as well as the bank. We brought in specialists in this area to hear their war stories and I personally got quite fixated on the ways the banks were duped out of millions. Now I am not going to share any details, as it may well give someone a great idea, but the learning is, fraudsters go to great lengths, they are highly intelligent, highly skilled, highly motivated – so don’t think you can stop them with some token security ideas.
We must learn from all areas of cyber crime to understand how to start to combat push payment fraud, invoice financing can provide us with great learnings.
Putting the cost onto the banks
Now this has been floated a lot. The concept here is that your bank wears the cost of the push payment fraud, pays you as its customer back and rights off the loss. Now, pre 2008 this may well have been an easy win, since banks were sitting on mountains of capital, liquidity, and profits. However, I am not sure if anyone has taken a long look at the industry, not many banks make big profits on a consistent basis now days, and even if they are, they still have a mountain of tax payer money to pay out – oh and that is before we look at pay-outs for PPI type scandals and hopefully one day, mis-selling of FX trades to businesses (especially around Brexit – but that’s for another post). In addition, how does this work for the new entrants, the challenger banks, the neo banks, the banks that are trying to get a foothold in the industry and get to break even. Paying for fraud just doesn’t help them.
So, the industry moved on a little from this and decided, why don’t we make all the members of a payment system put money in that can be then released to banks when fraud takes place, effectively a pot that they can claim against to compensate their customers. Now this to many sounded a fair argument, however, the issue there is that there are many participants now in payment systems, and all the money would have been claimed back primarily by 4 participants. So how does that work? A bank may have zero push payment fraud and yet it is paying the big 4 banks to compensate the big 4 banks customers. I personally think this is not even a sticky plaster solution, rather its just someone with an agenda to shift costs onto others.
This all being said, there is some element here that I do agree with. I know, you maybe surprised to have read that, but yes, banks should wear the costs of fraud. My issue is though, the bank that wears the cost is the bank that RECEIVED the payment. This is the total opposite of my bank compensating me, this is the fraudsters bank compensating me. Now why do I like this. Well first off, the fraudster has managed to open a bank account with you and received fraudulent funds. They are your customer; you are making money off their activity so only fair you compensate those who have been defrauded. After all, the customers bank doesn’t deal with that fraudster, doesn’t make money from them, doesn’t even know them – apart from the confirmation of the name via confirmation of payee ☹
I think this approach has some legs. The banks are therefore forced to look at their customer KYC, they are forced to look at their customer inbound payment profiles, they are forced to try to catch fraud and remove it from the system. They are forced to do all these things because they ultimately are compensating all the other banks for their customer actions. Economics at play here forces them to be better…..The issue here is, is the bank making more money from the fraudulent activity than it is paying out, if so, well then this idea wont work for that bank. At least though the regulator can look at this and step in – issue some fines, enforce the SMR regime and put someone in prison. The bank will then act I am certain.
Identity to Identity payments
The real solution though is to move away from the banking infrastructure dependency on what is an abstracted reference to an account holder, the sort code, account number and account holder name. These things do not tie up to the identity of the account holder at all, nor do they give me as the sender any additional information / confirmation / comfort that they are actually the people I think I am dealing with and think I am paying. No…The underlying infrastructure of banks has to start moving away from “enter sort code, enter account number, enter account holder name” interactions with their customers.
The real solution is, I have a connection with the person I am paying, outside of banking. If I am buying good from them, then I have a secure connection. They have to present a verifiable digital identity, now that solves problem 1, am I actually interacting with who I think I am interacting with. Example, I jump onto the Apple website, I am browsing away and make a purchase. Now in a verifiable identity world I would receive a credential that verifies exactly that this is Apple and it will give me details to prove that it is THE REAL APPLE that I am dealing with. If the website was fake, even if it had an SSL certificate, the verifiable credential that comes back would not be the cryptographic key that is associated with THE REAL APPLE, rather at best (for the fraudster) I get something else named Apple but it will confirm that the website is not THE REAL APPLE…. So straight away, my consumer is much safer.
However, the payment part is somewhat different. The payment should be taking verifiable credentials and proofs from the counterparty, your bank should be accepting these and using these to route transactions not asking you for some account details. By working in this way, you have payments always going to the people you think they are going to, the consumer cannot make a wrong payment out of being tricked, only out of actively making that payment. That leaves us then with push payment fraud that is based on a fraudster setting up a legitimate business and actually trading….
Now this isn’t that hard to solve. The card schemes once upon a time solved this – and they did it by asking the merchant for collateral. A big sum of cash that is put aside until they see the merchant is actually trading as they say they will. Then that sum of money and their revenues go back to the merchant because the consumer is receiving the goods and services they paid for. Simples….
Solving push payment fraud is possible!
It most certainly is. It comes down to 3 components:
- Crediting banks pay up for the cost of fraudulent transactions
- Businesses via merchant acquirers, PISPs etc etc have to embrace digital identity
- Banks embrace digital identity and we move to identity to identity payments
Now the last 2 may seem like many years away, but they really aren’t. ID Crypt Global (a digital identity company) has already proven this is possible with limited integration and limited investment needed from acquirers, PISPs and banks….. Their solutions are in their final developments and will be available sometime next year – so this is all possible, if we as a collective within the industry actively want to take on fraud. If you are a regulator, a bank, a PISP, a merchant, an acquirer and you want to address push payment fraud and get involved in using this tech, then send a mail to LetsTalk@idcrypt.global and get the conversation started.