I recently had the pleasure to join Jonathan Williams from the Payment Systems Regulator (PSR) and Ronald Praetsch from About Fraud to discuss the PSR’s scam reimbursement proposals and mitigation strategies leveraging behavioural biometrics. While I expected this session would draw huge interest, I was not prepared for the high number of questions that rolled in. Unfortunately, we didn’t have enough time to answer all of the questions during the live session so I decided to write a follow-up blog to answer them, purely because they were great questions!
I have consulted with some of our industry experts at BioCatch to respond to eight questions and comments raised by the attendees. So, with no further delay, here they are:
“Banks are the endpoint of a victim being under the spell of a fraudster. There needs to be more accountability across the likes of social media and other parts of the scam journey.”
Jonathan and I shared some thoughts on this in the webinar, so I’ll reiterate them now. The online banking phase of an Authorised Push Payment (APP) scam is the pinnacle point of the scam. By that point there have already been hours of preparation, planning and deceit, and many non-banking parties have enabled that deceit. I agree that accountability across the whole scam lifecycle is what is needed. For example, search engines shouldn’t surface results that lead to a fake advert. Social media platforms shouldn’t carry fake adverts, nor drive people to scam sites, which in turn are hosted by organisations offering hosting services. Telcos shouldn’t let through the scam texts that lead victims to the fake advert. It goes on and on. The governing bodies of all the relevant sectors and industries need to keep bolstering their scam prevention efforts.
Behavioural biometric insights can help prevent more scams and help you detect a mule account before that pinnacle moment; that is very achievable. But if every party above did its part, far fewer scams would reach the pinnacle stage in the first place. As Jonathan Williams said in the webinar, all the parties involved in the scam journey need to try to do more.
“How do we envisage this being enforced to non-agency, non-bank PSPs, for example FinTechs like e-money providers who perhaps don't have the same infrastructure as larger financial institutions and retail banks? Is the expectation that they will need to put operational processes in place to manage reimbursement? And if so, is there a risk of putting innovative FinTechs at risk?”
I asked Wiebe Fokma from our Global Advisory team to respond to this question as he keeps a very close eye on the wider banking ecosystem. He responded with the following:
A very good question to which there is no easy answer. On first sight, it is very sympathetic to take these kinds of limitations into account, and to some extent, it might even be fair. But it shouldn’t be exaggerated as there has to be an incentive for all parties in the system to protect the consumer to the best of their abilities. In the end that is the reason for this regulation. Finding the right balance in this without overcomplicating things will be a challenge for the PSR, and we will be following the developments closely at BioCatch.
“Are there any plans to introduce industry standards around what is expected of the sending and receiving banks? For example, if the standards aren't completely met by one bank, does the share of liability change from 50/50 to 75/25?”
I recently read the House of Commons Treasury Committee Report on scam reimbursement published in January of this year. It states, “the cost of reimbursement will be allocated equally between sending and receiving PSPs, with a default 50:50 split. PSPs can use a dispute management process to adjust the allocation to better reflect the steps each PSP took to prevent the scam.”
So the short answer is yes, and I believe that is fair and appropriate. If one PSP made more effort to prevent a scam than the other, it is only fair that the other PSP contributes more to the reimbursement. This all assumes that gross negligence isn’t a factor in the scam in question.
“APP scams are predicated on somebody being convinced to do something that is against their best interests and causes financial and psychological harm. It is a type of grooming. Therefore, I don't believe there is an issue of gross negligence.”
I asked Iain Swaine from our Global Advisory team to respond to this statement as he has taken a personal interest in how to help retail banks protect vulnerable customers. He responded with the following:
I agree that a number of APP scams are similar to grooming – they occur over a longer period of time. They distort the victim's perception of the truth, and they often target vulnerable members of society. In these cases, I agree it would be hard to categorise them as gross negligence – and any negligence could well be argued to be on the part of the platform that allows this to happen – whether dating, social media, instant messaging or similar (which is also being addressed in government legislation this year).
Other APP scams are more immediate – such as bank impersonation scams where there is pressure on the victim to do something now. Again, we see vulnerable populations disproportionately targeted (e.g. the elderly). In this case, it is not grooming but an old-fashioned ‘grift’ or con. Often, they succeed against educated people who might be in a temporarily vulnerable position – whether stressed, tired, or down to something happening in their life – and who, I would again argue, are unlikely to be negligent.
“Wouldn't it be easier to flip the approach and force reimbursement when the bank has been grossly negligent? The bank should demonstrate how it attempted to prevent the scam. For example, did they contact the customer? Provide targeted education? And did the customer still authorise the transaction? As an example, several international transfers from an elderly lady who has never made an international transfer: arguably this is gross negligence on the bank’s side. So, to say this is gross negligence on the customer’s side is not realistic.”
I asked Katie McKenzie from our customer engagement team for her view on this thought-provoking comment because she was a part of the decision-making process when it came to reimbursing funds to customers in a previous role. She responded with the following:
The appetite to refund victims of fraud and scams has increased over recent years, and the definition of ‘gross negligence’ has become a bone of contention. Either approach to reimbursement in your question still requires a careful balance of customer responsibility and the responsibility of the bank, both sending and receiving. In the example you have provided, if there was no intervention then the fair outcome would be a refund; however, banks are heavily investing in controls to ensure impactful intervention. The other challenge I see with your suggestion is: how do customers prove that a bank has been grossly negligent? I do not see how a customer could uphold the ‘burden of proof’.
“FCA Handbook rules already make banks and PSPs liable for reimbursement through the FOS where the bank or PSP did not do enough to prevent the fraud. This will cover most cases today.”
Once again, I decided to lean on Katie McKenzie to answer this question because she is very familiar with the FOS processes. She replied:
This is a good point. The Financial Ombudsman Service (FOS) already makes reimbursement decisions based on what it thinks is fair and reasonable. However, not all victims of fraud or scams will pursue an outcome with the FOS. Sadly, many victims, once they realise they have fallen for a scam, may be too embarrassed to come forward and confide in their bank. If their bank chooses to decline their claim, it can be disheartening to continue by involving the FOS. The positive in the regulation proposed by the PSR, if used by genuine victims, is that hopefully it removes the reluctance of scam victims to come forward and helps provide a level of consistency in reimbursement.
“Is the best use being made of open banking platforms and banks? E.g. Compliance monitoring such as account infancy, dormancy, or average balances to help identify potentially fraudulent transactions?”
I asked Wiebe Fokma from our Global Advisory team for his perspective on this question. He responded as follows:
The examples you give will most certainly help in identifying fraudulent transactions. The thing is that these were already used ten years ago, so the fraudsters are also well aware of them and will work around them. It doesn’t mean that they are useless. Not at all. But nowadays, you will have to combine them with other fraud indicators to create an effective detection model with low false positives. Think about combining as many fraud indicators as possible – for example, transaction, device and network – and also different perspectives: technical, behaviour, and biometrical behaviour. Best-in-breed models can use up to a few thousand parameters.
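As an added illustration of that layering argument (my own constructed example, not BioCatch’s model or any bank’s production rules), the snippet below scores a payment by combining the account checks named in the question (infancy, dormancy, average balance), the first-international-transfer pattern from an earlier question, and behavioural signals such as a guided or duress-like session. The field names, weights and thresholds are assumptions; the point is that a single-indicator rule flags a genuine new customer, while the layered score does not, yet still holds the scam pattern.

```python
from dataclasses import dataclass

# Constructed example: field names, weights and thresholds are assumptions,
# not BioCatch's model or any bank's production rules.
@dataclass
class Payment:
    amount: float
    international: bool
    account_age_days: int            # account infancy
    days_since_last_activity: int    # dormancy
    avg_balance: float
    prior_international_payments: int
    new_device: bool                 # device/network layer
    guided_session: bool             # interaction pattern consistent with being coached
    duress_pattern: bool             # hesitation/duress-like interaction pattern

def legacy_rule(p: Payment) -> bool:
    """Single-indicator rule: flag any payment from an account under 30 days old."""
    return p.account_age_days < 30

def layered_score(p: Payment):
    """Combine account, transaction, device and behavioural indicators into one score
    and return (score, list of reasons that fired)."""
    indicators = [
        # Account/transaction layer: the compliance checks named in the question.
        (p.account_age_days < 30, 1, "account infancy"),
        (p.days_since_last_activity > 180, 1, "dormant account reactivated"),
        (p.avg_balance > 0 and p.amount > 3 * p.avg_balance, 2, "amount far above average balance"),
        (p.international and p.prior_international_payments == 0, 2, "first international transfer"),
        # Device/network layer.
        (p.new_device, 1, "new device"),
        # Behavioural layer: signals that separate a duped customer from a routine payment.
        (p.guided_session, 3, "guided session"),
        (p.duress_pattern, 2, "duress pattern"),
    ]
    hits = [(weight, reason) for fired, weight, reason in indicators if fired]
    return sum(w for w, _ in hits), [r for _, r in hits]

def decision(p: Payment) -> str:
    """Map the combined score to an action; thresholds are illustrative."""
    score, _ = layered_score(p)
    if score >= 5:
        return "hold_and_contact_customer"
    return "warn" if score >= 3 else "allow"

# Constructed cases: a genuine new customer paying a small domestic bill, and the
# elderly-customer first international transfer described in one of the questions.
GENUINE_NEW_CUSTOMER = Payment(45.0, False, 10, 0, 300.0, 0, False, False, False)
APP_SCAM_PATTERN = Payment(9000.0, True, 2400, 3, 2500.0, 0, False, True, True)
```

The genuine new customer trips the legacy account-infancy rule but scores only 1 in the layered model and is allowed, whereas the scam pattern scores 9 and is held for customer contact.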
“There will be a tsunami of new fraud that the PSR's proposals will introduce when any individual can reclaim their payment even when negligent, or, for a vulnerable person, even when grossly negligent. Organised crime will quickly mechanise claims of hundreds of millions of pounds or more each year.”
I asked Iain Swaine for some thoughts on this slightly solemn outlook because we regularly discuss the challenges of first-party fraud. His view on this observation:
This is an unknown factor. When we look at banks which have already introduced a refund guarantee, there is not much evidence to support this claim so far. And hopefully it stays that way. Some people will try to reclaim, but there are a lot of signals available to the bank to determine what is happening. With behaviour, you go beyond just device fingerprinting and authentication as the main mechanisms to validate the customer. Using behavioural intelligence at many levels – from device, to user interactions, to population-level anomalies, to transactions – the true intent of the payment can be seen. We have already seen some banks investigate deeper into claimed scams to show that certain characteristics really show it was the customer and they were not being duped – and the absence of behaviour traits such as showing duress or being guided, when linked to analysis of the destination account, can be used to prove this.
In short, I expect to see a further maturation of risk models using AI and multiple data points to not only spot scams, but to be able to provide non-repudiation that a customer made a transaction themselves, as a first-party false claim under the PSR rules.
There were so many great questions and comments in the recent webinar – all of which deserved some airtime and discussion. And the fact that so many questions rolled into the chat further reinforces that the topic of scam reimbursement is complex. There is no silver bullet. And no solution is going to keep all parties – whether regulators, banks or customers – 100% happy.
It brings me back to asking the same questions in the webinar: Aren’t scams just best avoided? And is it better to proactively tackle mule accounts to mitigate the liability?
While the other non-banking parties involved in scams continue to bolster their fraud defences, I would recommend retail banks consider behavioural biometrics for their fraud stack. They can help stop scams in their tracks before the funds leave the customer’s account. And they can help banks identify a mule account before the funds come and go and liability is set. Watch the full webinar to find out more detail.