Industry bodies are rallying around Authorised Push Payment (APP) scam reimbursements. Why? Because the numbers speak for themselves. Nearly £250 million was lost to APP scams in the first half of 2022 in the UK alone. While down slightly from last year when it outpaced payment card fraud for the first time, APP scams remain a primary focus for criminals.
There have been some momentous efforts around scam education recently. Outside of my profession, and as a consumer, I listen to adverts on the radio, watch videos on social, and receive emails from my bank regularly - all reminding me to be vigilant around scams. Unfortunately, the numbers are the numbers, and they tell us that education is not enough. Despite all our best efforts to raise awareness around scams, criminals continue to advance their social engineering methods and there will always be vulnerable customers out there for them to exploit.
With a brighter spotlight on scams and money laundering, financial institutions are finding themselves under increasing pressure to do more, because customers have more grounds and support to claim back money lost to scams. However, getting to where we are today with reimbursements hasn’t been a quick process. It’s taken nearly seven years to get to where we are now - which is just over half of all APP scams in the UK being reimbursed (56%).
The Road to the Halfway Mark
While we crossed the halfway mark in reimbursement this year, it was a long road to get to this point and the result of many significant developments over the years.
2016: The Payment Services Regulator (PSR) announced they had eyes on the growing problem of APP scams. The PSR received a super-complaint in September 2016 from the consumer organisation, Which? concerning the lack of protection for consumers and said payment service providers (PSPs) and payment system operators could have better incentives to manage the risks of scams.
2018: In February, a PSR APP Scams Steering Group was established to create the Contingent Reimbursement Model (CRM) code. The Code, as it became known, was designed to bring down the occurrence of APP scams but also give consumers more confidence that they will be reimbursed if they fall victim to an APP scam. Also in 2018, the Financial Ombudsman expanded its jurisdiction to include APP scams. These two significant movements alone were enough to get the attention of many financial institutions.
2019: The final publication of the CRM code came into effect, and this started a small domino effect for some UK retail banks. For example, the TSB Fraud Refund Guarantee was launched, and it promised customers they would be protected from scams. And a year later, Nationwide Building Society launched its Scam Checker Service which is designed to help the consumer identify scams before they inflict the contentious blow for banks to deal with.
2021: The Government published the Financial Services and Markets Bill. If passed, estimated to be around Spring 2023, it will allow the use of regulatory powers to require PSPs to reimburse APP scam victims. It will also force the social tech giants to play more of an active role in preventing APP scams because social feeds are quite often where the path of deception begins. A consumer survey by Which? revealed that 8 out of 10 consumers have seen or been targeted by a scam ad on social media. Data released by Barclays corroborates this indicating that 75% of scams originate on social media, auction sites, and dating apps.
Also in 2021, the House of Lords Fraud Act 2006 and Digital Committee published its report, Fighting Fraud: Breaking the Chain, which contains many recommendations, including introducing a delay on certain high-risk payments to give banks more time to analyse whether a payment might be fraudulent - a recommendation that is being received well by a lot of bodies.
What are the major impacts of the proposed PSR legislation?
In September 2022, the PSR published their APP consultation document, which outlines the proposed legislation around scam reimbursement; this was the most motivating factor for me to write this blog. The proposed legislation is likely to become a reality next year, and two significant points in the consultation paper will have a huge impact on financial organisations.
1. Mandatory reimbursement of losses to victims of an APP scam, unless it can be proven the victim has been grossly negligent. Grossly negligent meaning the consumer had multiple chances to realise they were being scammed and plenty of chances to prevent it.
2. Liability splits. Perhaps more challenging is there will be a 50/50 liability split between the sending and RECEIVING bank. This will take a lot of banks by surprise, particularly banks that are not aware they have a money laundering problem. Suddenly, the unknowing receiving banks will be liable for half of the amount lost by the customer. This will motivate financial institutions to proactively tackle their mule account issues which won’t be easy because fraudulent accounts are extremely hard to detect when they sit dormant, waiting to be used by criminals.
What does the proposed PSR legislation mean for financial institutions?
The proposed PSR legislation, if it becomes approved and regulated, will have two very significant impacts on UK banks.
1. As mentioned earlier, just over half of money has been reimbursed to victims of APP scams this year. This will be a much different number in 2023 and beyond, potentially going as high as 90%-95% reimbursement and nearly doubling the overall loss amount in the UK for APP scams, pushing it closer to £1B per year for the first time ever.
2. The 50/50 liability proposal will mean that more financial institutions are liable for more cases of fraud. Simply having the money mule account that received the fraudulent payment means the receiving bank is liable for half of the bill. These two factors mean significant increases in fraud losses if appropriate AML controls are not in place.
What can financial organisations do to get on top of APP scams?
The challenge with APP scams is it’s the customer being coerced into transferring their own money from their account into another account that they have no control over. Therefore, traditional fraud controls cannot step in and prevent the payment because they are limited to looking only at ‘what you know’ and ‘what you have.’ The only way to stop APP scams in their tracks is to look at how the customer is behaving before the transfer. Behavioural biometrics looks at several things to recognise APP scams in real-time such as:
The overall length of the session - Typically when a fraudulent payment is about to happen, sessions are longer and have lots of aimless mouse movements indicating the customer is waiting for further instructions from someone over the phone claiming to be someone they are not such as a representative from the bank.
Segmented typing - Segmented typing is very telling. Think about the way you enter an account number yourself versus when someone is reading the number out to you. There will be differences in the typing cadence, and these patterns indicate dictation.
Hesitation - Often when customers are being scammed, they show signs of hesitation. Instinctively they think something is wrong, but the well-rehearsed fraudster is an expert in coercion and reassurance. These longer pauses before performing simple actions indicate what is going on.
Finally, device displacement - the continuous movement of the phone suggests the user is picking the phone up to take instructions and placing it back down to perform the actions instructed by the fraudster.
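The four signals above can be expressed as simple checks over session telemetry. The sketch below is an added illustration, not code from this article or from any vendor product; the field names, thresholds and both sample sessions are constructed assumptions.

```python
from statistics import median

# Thresholds are illustrative assumptions, not values from the article.
LONG_SESSION_S = 300   # session length treated as unusually long
MIN_PAUSE_MS = 1000    # floor for a pause that splits typing into segments
HESITATION_MS = 4000   # typical pause before a simple action such as "Confirm"
MIN_PICKUPS = 3        # phone repeatedly lifted and put back down

def typing_segments(key_times_ms, gap_factor=3.0):
    """Split keystrokes into bursts: a gap far above the user's own
    median cadence (and above MIN_PAUSE_MS) starts a new burst."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    if not gaps:
        return [len(key_times_ms)]
    cutoff = max(gap_factor * median(gaps), MIN_PAUSE_MS)
    segments, current = [], 1
    for gap in gaps:
        if gap > cutoff:
            segments.append(current)
            current = 1
        else:
            current += 1
    segments.append(current)
    return segments

def coercion_signals(session):
    """Return the names of the behavioural signals that fire for a session."""
    signals = []
    if session["duration_s"] > LONG_SESSION_S:
        signals.append("long_session")
    if len(typing_segments(session["account_key_times_ms"])) >= 3:
        signals.append("segmented_typing")
    pauses = session["pre_action_pauses_ms"]
    if pauses and median(pauses) > HESITATION_MS:
        signals.append("hesitation")
    if session["device_pickups"] >= MIN_PICKUPS:
        signals.append("device_displacement")
    return signals

# Constructed sample sessions (not real customer data).
COACHED = {"duration_s": 780, "device_pickups": 5,
           "account_key_times_ms": [0, 200, 400, 2900, 3100, 3300, 5800, 6000],
           "pre_action_pauses_ms": [5200, 6100, 4800]}
ROUTINE = {"duration_s": 95, "device_pickups": 0,
           "account_key_times_ms": [0, 180, 350, 540, 700, 900, 1080, 1250],
           "pre_action_pauses_ms": [600, 900, 700]}

if __name__ == "__main__":
    print(coercion_signals(COACHED), coercion_signals(ROUTINE))
```

In practice the cut-offs would be learned per customer from their own history rather than fixed, since a pause that is hesitation for one user is normal cadence for another.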
What can financial organisations do to get on top of money laundering accounts?
The challenge financial institutions have with identifying money laundering accounts is they cannot tell that it is a malicious account until the dirty money actually starts flowing in and out.
The use of behavioural biometrics to detect these accounts before they are used has become a critical component of a robust malicious account mitigation platform. There are typical behavioural events that happen in the build-up to a dormant account being used for money laundering such as multiple users accessing it. Behaviour can distinguish between the account users, e.g. left-handed, right-handed and typical mouse patterns. Being able to recognise these red flags in the gap between account opening and the lead-up to the fraudulent transaction is how financial institutions can win and shut down these accounts before the damage is done. Financial institutions that have deployed behavioural biometrics for this purpose are seeing over 90% of malicious accounts detected before existing controls catch them.