Scams are a complicated, human-centric problem that all financial services businesses are battling against. As the impact to both customers and their businesses grows in excess of $55 billion annually, the important debate around who pays for the losses becomes louder.
The UK is leading from a regulatory perspective, with the PSR proposed model of a shared APP scam 50/50 liability split between the sending and recipient banks. The new requirements are due to come into force in 2024, and the implications will be tracked closely by all other global regulators and banks.
There are obviously huge financial implications of these new liability regulations, and it presents some open questions in my mind such as:
- What will be the mechanism for sending and recipient banks to pool evidence to decide whether it is a valid claim?
- Who will make the ultimate decision to reimburse the scam victim? Assuming it is the victim’s (sending) bank, then the recipient bank will need a high degree of assurance around the rigor of the dispute management process by the sending bank (given they are underwritng 50% of the loss!).
- If some funds from the scam are recovered, will they be shared 50/50 between the sending and receiving banks, or will it be ‘finder keeper’?
- Is the recipient bank defined as such just for the first transaction? If the scam payments are bounced through a chain of accounts, is it the first destination of the funds that is defined as the recipient? Or will the third or fourth or fifth bank also be considered a recipient as money is laundered through the banking system?
The Good and Bad of Card Fraud Dispute Frameworks
In my opinion, the best example to examine for lessons learned when building a fraud dispute liability framework is the scheme that has processed millions of fraud claims over the last 30+ years – credit card fraud disputes. So, what can we learn from credit card fraud when deciding who pays for digital banking scams?
Let’s examine the credit card fraud dispute framework and processes – what has and has not worked.
What has worked?
- Maintained confidence in the card payment networks
- Supported huge growth in ecommerce payments
- Protecting genuine consumers from the impacts of fraud
- Rules of the road. Explicit definitions and reason codes
- Relatively simple and easy for consumers
What has been less successful?
- Administration. Huge overhead for issuers, acquirers, and merchants.
- Complicated rulebooks. Vary by card schemes and geographies.
- Shared intelligence. Limited connection between issuers and merchants to enable accurate and fair dispute decision making.
- Issuer accountability. Passing through losses to merchants for card not present fraud, without rigorous evaluation in many cases.
- Consumer accountability. Most banks allow a dispute to be lodged by clicking a button in their banking apps, without any implications for submitting a false claim.
- Friendly fraud. Huge growth in ecommerce friendly fraud claims (aka liar buyers, false disputes)
Friendly Fraud is a Big Problem
In my opinion, one of the biggest unindented consequences of the card fraud dispute process has been friendly fraud. According to the Merchant Risk Council, friendly fraud is now the second most common card fraud problem, with a 62% increase since 2021. Visa reports that friendly fraud now accounts for over 18% of all credit card fraud.
Source: Visa, 2023 Global Ecommerce and Payments Fraud Report
Translation: approximately 1 in 5 consumers are willing to lie when submitting a fraud claim. This is very important when considering liability models, and I believe that a shared accountability is therefore critical for achieving fair outcomes.
Key Lessons for Building Liability Frameworks for Digital Banking Scams
Taking the good (and bad) of what we have learned from decades of data involving credit card fraud disputes, here are some key lessons to consider as regulators and industry grapple with deciding who pays for digital banking scams.
- Shared intelligence for decision making. Building connections between sending and receiving banks to ensure that the most fair and accurate decisions are made.
- Legal. Submitting a claim for scam reimbursement needs to have legal wrappers/implications for the claimant. If a customer is not willing to digitally sign a legal document that the claim is true and valid, or submit a formal report to law enforcement, then should the bank still process a claim?
- Vulnerable customers. Often, scam victims are from a vulnerable population and therefore require special assistance/care when managing these claims.
- Claim excesses. To avoid frivolous or fraudulent claims, should a victim pay a fee to submit a scam reimbursement claim, or only if it is rejected?
- Evidence. Clear guidance around the obligations of all parties (sending bank, receiving bank, scam victim) to meet evidence thresholds for each dispute.
- Reimbursement caps. Should there be a limit on the value that will be reimbursed, and if so, will it be the same for everyone or proportionate according to the scam type or victim?
- Case sampling. To ensure the model is working as designed, random sampling of APP scam disputes will need to be conducted by an impartial third party. Parties not consistently meeting their obligations need consequences of non-compliance.
- Metrics. Closely tracking reimbursement, claim and decision outcomes.
- Simple definitions. Scams are a messy problem, but a simple rulebook that covers 80% of the most common scenarios (with examples) will help greatly.
- Data centric. Allow for automation and case triage by AI (for example) to enable the disputes to be processed as quickly and efficiently as possible.
- Arbitration. A clear and efficient arbitration process for involved parties (sending bank, receiving bank and victims).
There are some excellent lessons to be learned from card fraud that may be applied to the new scam liability frameworks. We have a great opportunity as an industry to ensure the fairest approaches are implemented. Measure twice, cut once.
Prevention is the best cure. At BioCatch, we continue to research and invest in the most innovative technologies to detect as many of these scams as possible. Find out how behavioral biometrics is being used by financial institutions to protect their customers from falling victim to these attacks in the white paper, Spot the Impostor: Tackling the Rise in Social Engineering Scams.