Well, 2022 was quite interesting. Customers around the world continue to complain about falling victim to financial scams (ranging from romance scams and investment scams to Authorized Push Payment scams and Zelle scams) that cost them money. In general, banks have refused to reimburse customers by saying the payment was authorized, and thus the customer is responsible for the loss.
The main exceptions where reimbursement can occur for financial scams are the Netherlands and the UK. Dutch banks will generally reimburse for bank impersonation scams. And about 50% of the time, the large UK banks will reimburse for a number of financial scams, most notably authorized push payment scams. Occasionally, in the US, a bank will reimburse for Zelle scams. But in all of these reimbursements, it is the sending bank that will reimburse the victim. So where does this idea of involving the receiving bank in reimbursement come from?
In 2022, three countries started to raise the issue of involving the receiving bank in the reimbursement of select financial scams. Singapore, the UK and the US all started to think about the role of the receiving bank in reimbursement. In the UK, regulators went even further and thought social media companies, where many scams begin, and even the telcos, which deliver scam calls and text messages, should be included in the reimbursement process.
But back to receiving banks. The Monetary Authority of Singapore (MAS), in its investigations of bank related scams, suggested “shared responsibility amongst relevant parties” in order to create an incentive for both parties (sending and receiving banks) to be “vigilant against scams.” MAS continues to work with government agencies on such a new regulation.
The UK’s Payment Systems Regulator (PSR) wants to incentivize both sending and receiving banks to prevent Authorized Push Payment (APP) scams. The PSR sees a 50/50 split in the reimbursement between sending and receiving banks. After all, it is at the receiving bank where the money mule account has been set up that facilitates the scam.
In the US, the discussion about receiving banks has come from the bank owners of Early Warning Services (EWS). In the 4th quarter of 2022, the owner banks said the receiving bank in a Zelle scam transaction (an “authorized” payment scam) should be 100% liable for reimbursement. The reasoning is that the control weaknesses by the receiving bank cause the scam to be completed. This can involve weak online account opening and weak money mule detection (including anomaly detection of inbound transactions to the money mule account).
So, if reimbursement by the receiving bank becomes real, what controls must receiving banks have in place to mitigate the financial risk? First, the fraud controls around online account opening must be very tight. Defense in depth is essential. No one control solves the problem. The controls need to assess the address information, the email address and the phone number. These data points should be shown to match one another, and the individual email address and phone number should each be assessed for risk. These data fields should be run through consortium data to discover any previous misuse. There should also be good location data assessment. In the US, the Social Security Number should be sent to the Social Security Administration for validation (this eCBSV service verifies if a person’s SSN, name, and date of birth combination matches Social Security records).
If the application is being filled out on a mobile device, one consideration for financial institutions is to require it be done via the mobile app in order to have SDK security modules (e.g., exact location data) as part of the controls. Downloading the mobile app adds friction, but it may become worthwhile to help prevent fraud. There should also be synthetic ID assessments made. Finally, there should be a behavioral assessment that looks at how the user enters data and navigates the form. Over 60% of fraudulent new accounts demonstrate a lack of familiarity with the data being entered.
Second, controls need to be added specific to the actual account activity. This is especially important as some money mules are real people, with existing bank accounts that have been established for years, recruited by the fraudster. There needs to be anomaly assessment of the dollar amounts of transactions and the velocity of transactions. Plus, there needs to be a review of how the online account is accessed and the velocity of accessing the account (e.g., logins every 30 minutes checking for new deposits). Money mule accounts have been shown to have different user behavior that can be identified.
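The account-activity checks described above can be sketched as follows. This is an added example, not code from the original article or from any bank's system; the function names, thresholds and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

def robust_z(value, history):
    """Distance of value from the account's own median, in scaled MAD units."""
    med = median(history)
    mad = median([abs(x - med) for x in history]) or 1.0  # avoid divide-by-zero
    return (value - med) / (1.4826 * mad)

def max_in_window(times, window):
    """Largest number of events that fall inside any sliding time window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def mule_signals(baseline_amounts, inbound, logins,
                 z_limit=6.0, inbound_limit=3, login_limit=6):
    """Return the anomaly signals an account trips (thresholds are assumed)."""
    signals = []
    # Dollar amounts: inbound credits far outside the account's history.
    if any(robust_z(amt, baseline_amounts) > z_limit for _, amt in inbound):
        signals.append("amount_anomaly")
    # Transaction velocity: burst of inbound payments within 24 hours.
    if max_in_window([t for t, _ in inbound], timedelta(hours=24)) > inbound_limit:
        signals.append("inbound_velocity")
    # Access velocity: repeated logins, e.g. every 30 minutes, within 4 hours.
    if max_in_window(logins, timedelta(hours=4)) > login_limit:
        signals.append("login_velocity")
    return signals

# Constructed sample data: an established account with small historic credits.
T0 = datetime(2023, 1, 10, 8, 0)
BASELINE = [120.0, 80.0, 150.0, 95.0, 110.0, 130.0]
MULE_INBOUND = [(T0 + timedelta(hours=h), amt)
                for h, amt in [(0, 2400.0), (1, 1900.0), (3, 2500.0), (5, 2200.0)]]
MULE_LOGINS = [T0 + timedelta(minutes=30 * i) for i in range(10)]
NORMAL_INBOUND = [(T0, 125.0)]
NORMAL_LOGINS = [T0, T0 + timedelta(days=1)]

if __name__ == "__main__":
    print(mule_signals(BASELINE, MULE_INBOUND, MULE_LOGINS))
    print(mule_signals(BASELINE, NORMAL_INBOUND, NORMAL_LOGINS))
```

Scoring against each account's own history, rather than a global limit, is what lets the check catch a long-established account that suddenly starts behaving like a mule.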
As the regulatory landscape evolves, part of the challenge for the receiving bank is how to account for first party fraud. There will be first party fraud cases. If the person authorizing the transaction is actually the sending bank’s customer committing the fraud, how can the receiving bank be made aware of that action and therefore treat this as fraud, not a scam? There is no reimbursement for first party fraud. But this will be difficult as only the sending bank can assess its customer as to whether there is first-party fraud.
The rise in authorized payment scams globally clearly shows that controls are fundamentally broken. As there are known weaknesses in fraud controls on both the sending bank and receiving bank, a 50/50 reimbursement split, as proposed by the UK’s PSR, may be the best approach.