A massive earthquake rocked the P2P space this week when it was leaked that leading banks within the Zelle network had drafted a proposed framework for reimbursing customers and each other for some specific types of illegitimate payments. But in contrast to a physical tremor, this event was quite predictable and demonstrated remarkable leadership across the financial services industry.
It all came to a head after a cantankerous summer and fall which included highly publicized Congressional hearing and inquiries. The largest banks collaborated around the network they possess and decided to make very big thing happen. Essentially, the distilled news is that any network participant who brings in a specific fraud risk to a network ecosystem may have some liability for this risk (the details are not yet finalized), even if they didn’t initiate a financial transaction (and are the receiver or beneficiary in specific scenarios!). However, this is a sea change for watchers. It is a moment we anticipated, but now that it’s here feels transformative.
A change in the fraud liability model for real-time payments was proposed last week, and elements of it will start to be accepted, codified, and realized across the landscape of the U.S. payments infrastructure. This is quite significant, as the ramifications here may in fact be industry-wide, affecting all networks and players in the space, even some schemes not yet fully live. There have been expectations that if the banks didn’t take control of the narrative and act on impersonation scams and social engineering threats, then regulators would take action on their behalf. The potential risk for the networks and stakeholders would likely require more drastic actions that were less acceptable. First movers advantage also likely will benefit Zelle in terms of creating a stronger and more trusted brand in the end. But make no mistake, this is going to have ripples well beyond P2P.
In a recent blog post, I discussed the growing risk of aggregators and how counterparties have a requirement to be responsible denizens of all participants in the stack. This moment right now is a strong indicator that the world is likely to embrace the rule that all participants are responsible for the consumers they bring to the transaction. The residual of this post was that trust models are built on expectations of reasonable behavior and those who have been less than rigorous may now be in a place where they can be held responsible, and with this, it may mean financially liable. As we dive deeper into open banking, you can start to see how this can manifest some really interesting outcomes with this precedent.
This will also force financial institutions to confront some challenges that have been manifesting for years but had little aspiration to solve: money mules and scam victims. Fraud and AML teams are going to feel increased pressure now in terms of mule account detection, as targeted recipients of these funds. There is likely going to be more, and not less, investment in social engineering scam detection as additional visibility is now on this as a threat vector with liability components now built into the equation, and the largest banks have just blinked. Expect to see some movement to shore up brands and increase investment in controls and monitoring to ensure recurring events like this one are given sufficient attention.
But the thing that I anticipate will get far more attention and a critical investment bump is Account Opening controls, an area of weakness across the industry that has facilitated so much of the current conflict that consigns this industry to higher fraud rates. This is one of the strongest drivers that mints money mules, new account fraud or abusive behavior and has been a massive pain point in the current struggle of fraud operations teams. This move by the network should be seen as the red flag for all executives who have a new account origination target to hit. Their job is going to get harder, making the right decisions to grow their customer or member base without compromising quality.
The good news is that the solutions to solve these problems exist. Behavioral biometrics as a data science field and the machine learning models that drive it are in production today at financial institutions around the globe. It’s a threat and a movement that is simply not stopping and if we’re being honest with ourselves, this moment has been on the roadmap for quite a while. The UK and Netherlands have been working on these liability models for years and some of them are live today.
We know this works to clean up the infrastructure because we see it in the results our clients are achieving every day. This should not be a moment to fret over liability shifts, but rather use it to celebrate a transformation to a more healthy, accountable, and responsible ecosystem, where we know that participation requires disinfectant at the source and throughout the account lifecycle. As a practitioner in anti-fraud, I celebrate this moment and applaud Zelle for their courage of conviction.
Explore the global regulatory environment related to authorized payment fraud and how other countries are addressing liability and reimbursement for social engineering scams in the white paper, Authorized Payment Fraud: A Global Guide to Customer Reimbursement Models for Financial Scams.