In our recent Digital Banking Fraud Trends in APAC report, we focused on the fraud trends we’re seeing throughout the region and highlighted how scams are increasing practically everywhere.
Everywhere except Australia.
In 2023, Australia was a scam-losses outlier. While seemingly every other nation in the region saw its scam losses increase last year, Australia reported a $90 million decline.
We can attribute this in part to a unified approach to tackling scams and new initiatives Australian financial institutions launched in collaboration with the Australian government, such as the National Anti-Scam Centre.
Ten thousand miles away in the UK, scams have also decreased but they’ve done so thanks to regulation that forces banks to comply with new reimbursement rules around APP scams, thus driving greater efforts to detect such activity. Such success and the rise of scams across the continent has led many European counterparts to look to the UK as a model of how to combat scams, especially considering PSD3 placing more liability on banks. Once again, these are reactionary measures to new legislation.
Australia offers a novel approach.
While Australian financial institutions also learned from UK banks by analysing what worked well and what didn’t, they did so without regulation (although the potential threat of looming legislation was a driving force in speeding up this action). As such, Australian banks are self-policing when it comes to scams. Their partnership with the government also allows them to self-correct in an agile manner and have a say in any regulation that is enacted.
What lessons can we learn?
We believe the Australian example is a success story many banks can learn from, particularly in Southeast Asia.
For years, consumers across Southeast Asia have borne the brunt of fraud and scams liability, with some reports indicating fault lies with the customer because of their negligence. Thiscreates quite a juxtaposition when one considers the increasing sophistication of fraud schemes.
At the end of the day, any increase in the volume of attacks is a natural consequence of the sheer amount of personal data in the public domain due to numerous data breaches and leaks. Consumers cannot be held responsible for poor data management or a total lack thereof. Likewise, it is vitally important to distinguish between unauthorised fraud (where fraudsters have total control and in some cases require no participation at all from the victim) and authorised fraud (where victims are socially engineered into making payments, quite often under duress).
From safe deposit box verifications to ID/signature checks, ATM skimming security, and the analysis of counterfeit currency, banks implement a variety of controls for the physical world. For some reason, in Southeast Asia this hasn’t necessarily translated to the digital world. Several banks across the region only compensate victims when the bank is found to be at fault. When this happens, the onus is on the victims themselves to demonstrate this – something almost impossible for retail-banking customer.
As a result, we see a void in reporting these criminal acts to banks and police. This doesn’t favour anyone, as banks and governments don’t have a true idea of the size of the fraud problem, and without the full picture, it’s harder for financial institutions to implement precise measures.
Finally, it’s important to remember that the proceeds of fraud often go to funding heinous crimes. Banks acknowledge their responsibility when it comes to money laundering, so it only stands to reason that best efforts should be exercised to detect and prevent fraud, as a method of preventing the laundering of fraudulent frauds. To truly be successful, these efforts must be part of an overall, holistic approach involving government and the legal system.
Changes in Southeast Asia
Fortunately, it would appear things are starting to change, albeit slowly and in reaction to government action (i.e, legislation).
In 2023, Singapore and Thailand began a process of change, by enacting new legislation and protective measures aimed at safeguarding consumers. Vietnam and the Philippines have also begun this process. Meanwhile, Indonesia is working towards a blueprint originally released in November 2019, targeting a 2025 rollout.
A summary of the regulatory situation across these countries is outlined below:
Positive change?
At first glance, some of these efforts may be insufficient.
The proposals out of Vietnam and Philippines offer similarities with PSD2 – the EU/UK legislation first introduced back in 2015, which took effect from 2019/2020. For those less familiar with the European landscape, PSD2 revolutionised digital banking across the continent, aiming to provide better protection for consumers. While a step in the right direction, general consensus is that PSD2 didn’t go far enough. Fraud continued to rise after its implementation (see graph below, which shows the evolution of fraud and scams in the UK), and eventually caused a shift from third-party unauthorised fraud to authorised fraud, or scams, whereby victims are coerced into making payments themselves as a way to circumvent enhanced controls. Many were left unconvinced, which led to the introduction of PSD3, albeit it is still in its early stages.
Some of the measures already in effect in Singapore can be considered good “best practices,” but further detail is potentially still required, particularly when it comes to fraud systems. With ambiguous regulation, we risk fraud tools being deployed as part of a tick-box exercise, when banks out to implement such technologies as part of fraud stacks that aim is to reduce fraud, protect customers, and, ultimately, do the right thing.
That said, while some banks are still in the process of implementing these measures, others are starting to see results – perhaps most notably with a decline in malware cases. This was one of the main focuses of these measures, due to the sheer volume of victims of fraud via malware throughout 2022 and in the first half of 2023. However, with such quick results, there are fears this could be a sledgehammer approach, meaning it could be at the cost of the customer experience. Finding the balance is key, and this will take time.
Indonesia is working on a model created five years ago – a lifetime in the fraud world – and lacks updates to reflect the current climate. A recent survey (FICO, April 2023) revealed real-time payment scams are on the rise, with almost two-thirds of all Indonesians receiving unsolicited messages they believed to be scams, while 17% admitted to sending real-time payments for investments or unreceived goods. Even in countries like the UK, where significant efforts have been made to tackle scams, purchase and investment scams continue to cause headaches for banks and their fraud teams.
Thailand has been a little more specific in the definition of their measures. For example, they’ve specifically required biometric authentication on the mobile channel, and the limitation of one user per app/device is, in theory, a good measure, although we’ll have to see how exactly this is enforced.
What’s next?
One thing is clear: While banks in Southeast Asia adapt to their new legislation, learning from the experiences of other countries will be vital, so they can get ahead of the curve. Implementing best practices from proactive countries like Australia is likely to lead to quicker and more effective success.
Also, there is one commonality across the globe: As regulation and new measures implemented by banks make it more difficult for fraudsters to execute unauthorised fraud, they quickly turn to scams. Therefore, when implementing these changes – be it through imposition by regulators, or proactively to do the right thing – financial institutions should be mindful and ensure they futureproof any implementations. After all, when one door closes, another one opens, and that couldn’t be truer for fraudsters given their relentless ability to always find something new.