The value of payments cleared by Payments Canada’s systems in 2017 was approximately $50 trillion, or roughly $200 billion every business day. By 2020, these payments will be completed faster — in “real-time” or “near real-time” — with many benefits beyond just faster access to funds.
But one of the biggest concerns in Canada’s move to faster payments is unknowns related to payment fraud prevention. Fraudsters exploit the speed element, creating new accounts, taking over accounts, and transferring funds in a way that is difficult and time-consuming to trace.
How do we know this? BioCatch had a front row seat to the UK transition to faster payments. Lessons learned from the UK experience can help Canadian banks in their own entrance to the world of real-time payments and reduce the risk of a spike in payment fraud.
3 Reasons Faster Payments Require Real-Time Fraud Detection
1. Fraudsters know how to circumvent existing controls
The first form of payment fraud to watch out for is application fraud or new account fraud. In these cases, a criminal opens a new account using stolen or synthetic identities. The fraudulent account is used not only to move money around, but to extract it as well (for example, asking for payment for fake purchases). Because of the plethora of personal data available on the dark web and through other exploits, relying on biographic and demographic information is not an effective way to distinguish between a legitimate person and a fraudster at account opening.
The second type of fraudulent account is a money mule. Money mules are accounts used by criminals to mask stolen money without controlling the funds directly. In some cases, people allow their accounts to be used as mules because they are tricked into believing they are helping someone in need. In other cases, the mule account holder receives a payment for facilitating the fraud.
The final case is account takeover fraud. A criminal takes over an account and then transfers money through it, making it very difficult to track the money. In some instances, the account holder may not even know that an account takeover or money transfer has occurred in their account, particularly if it is one they do not use regularly.
In more recent cases, like vishing and Authorized Push Payments fraud, social engineering has gotten so sophisticated that victims are duped into making fraudulent transfers under the direction of a criminal. The trouble with these request-to-pay (RTP) transactions is that once a customer is tricked into sending money to a fraudster’s account, the transaction is irrevocable and often impossible to trace as fraudsters continue to send funds to several other accounts via RTPs. After it was revealed that this type of scam is costing British consumers £1M per day, banks agreed to begin reimbursing victims, raising the stakes for all involved.
These statistics on social engineering further highlight the problem:
Today, only about 3% of malware tries to exploit an exclusively technical flaw. The other 97% target instead users through Social Engineering.
It takes 3 emails on average to obtain a click (average click rate is 34%).
It takes 4 emails on average to obtain a valid credential.
In each of these three cases, 100% of the payment fraud occurred inside authenticated sessions. The real danger with faster payments is that once the money is sent, it is really gone. To protect customers and the business, real-time fraud detection tools are needed to catch fraudsters in the act and block them before they can make a transfer.
2. Fraud quickly spirals out of control
As reported by Financial Fraud Action UK, the rate of fraud documented in the UK between 2008 and 2010 grew by more than 300% after the adoption of faster payments in the UK.
Put another way, according to an article in American Banker, banks have at times reported double-digit basis-point spikes in fraud after adopting a real-time payment system. However, real-time payments in and of themselves are not risky if the proper fraud prevention and identity verification methods are put in place before implementation. Banks need real-time fraud detection solutions that focus on catching fraud before a transaction, conducting checks before the payment goes out in a way that doesn’t slow down the transaction.
For example, in implementing PSD2 guidelines, the European Union imposed reference fraud rates and reporting rules, under which payment service providers are required to report on unauthorized payment transfers and “manipulated” payments. The update is forcing a real conversation on what technologies should be applied to the fraud stack in a way that will not compromise the user experience.
3. Fraudsters are dynamic, and solutions need to be dynamic too
Fraudsters are quick to adapt new techniques, the UK move to faster payments showed. Consequently, fixed rule-based systems and static measures of authentication like two-factor authentication tokens and other traditional fraud prevention measures alone are not enough to thwart payment fraud — especially, as stated above, when 97% of malware attacks are actually social engineering attacks where the user enables a fraudster’s activity unwittingly.
Behavior-based solutions are changing the payment fraud prevention game. Subtle and hidden events in user behavior can reveal many more correlations between a user’s intent as relates to fraud and applying artificial intelligence significantly improves analysis of sessions. There are several benefits of a behavior-based, real-time fraud detection solution.
First, by definition behavior is dynamic and changing. Behavior profiles are created not by measuring known attributes, but by looking for the uniqueness in a user relative to the general population. With the ability to measure and extract more than 2000 parameters, BioCatch uses machine learning to develop very strong user profiles over time, taking into account the natural changes in user behavior, adding a level of precision that reduces false alarms and contributes to a desirable online user experience. Fraudsters are not aware of the parameters that make up a profile, since every profile is unique, and therefore it is impossible to steal, record, or otherwise mimic.
Second, with deep domain expertise, user behavior can reveal very powerful insights. Signals that alone may not mean anything (for example, a user is multi-tasking), when analyzed in context combine to produce correlations in the data that point to fraud or help to validate that a transaction is being conducted by the legitimate user, even if there has been a change in device, location, transaction activity, or other verification factor.
In the UK, banks that applied behavioral biometrics technology in response to the spike in payment fraud saw a 24% decline. Now behavioral biometrics is being applied to the fight against vishing scams and is being built into various banking platforms, like ACI’s UP Payments Risk Management, Forgerock’s Identity Platform, and others.
Innovations in real-time fraud detection will not change the way that payments are settled, but instead will change the rules for fraud checking. Irrevocable payments mean that fraud prevention must happen ahead of a payment, without adding unnecessary friction to the customer experience. Unleashing the real value of real-time payments is more about rewriting the rules for real-time enablement of the bank from end to end.
Canadian banks would be well-served to learn from the UK experience and get ahead of the curve before real-time payments becomes a reality.
Have questions about how your financial services firm can prepare for faster payments? Tap into our knowledge and experience by getting in touch with the BioCatch team.