Mon, 02 Sep 2024
For many years in the retail payments industry, we worked hard to remove friction from the payments process, believing that anything that stood in the way of a customer completing a payment was bad for commerce. Retailers reduced the complexity of their checkout flows, continuously monitoring the impact on basket abandonment. We added more and more payment options and devices in the interest of increasing customer convenience, and instant, frictionless payments have become an almost ubiquitous reality worldwide.
But the narrative is changing as new opportunities for fraudsters emerge. Authorised Push Payments (APP) fraud represents 75% of all digital banking fraud in dollar value, according to a recent white paper, which states that losses in the US, UK and India are expected to double, reaching $5.25bn by 2026, with a 21% compound annual growth rate across the period.
The most common type of APP fraud is a scam where a fraudster cons an individual or business into sending money to a bank account controlled by the criminal, while the victim believes that they are undertaking a legitimate transaction. Research by Visa reveals that 1 in 3 UK consumers have fallen victim to this, but only 25% of APP scams are identified by the victim’s bank. The same research quoted a figure from UK Finance stating that £485.2 million was lost to APP scams in 2022 in the UK.
Victims of APP fraud are usually considered to be responsible for the losses unless their account information has been compromised. This has caused a consumer backlash against the financial services industry, with the result that the UK Payment Systems Regulator has proposed changes to regulation that place more of a burden on banks to take action to combat this type of fraud.
It seems that some UK banks are already stepping up their activity in an attempt to prevent APP fraud, which inevitably involves adding friction back into the payments process, as I have recently experienced personally.
We recently had some renovations done in our house, which required a few high-value payments to be made. Last week, my wife attempted to pay a supplier – a legitimate, registered business that has been operating for over 20 years – from her primary bank account, which she has similarly held for over 20 years.
One of the steps of the payment process made use of the (now mandatory in the UK) Confirmation of Payee (CoP) service – an API regulated by the Financial Conduct Authority (FCA) that checks account names when a new payment is set up, to show the payer if the money is going to the correct account before funds are transferred.
This is an excellent and welcome addition to the payment process that plays a key role in protecting against APP fraud … when it works.
In this case, for whatever reason unknown to us, the CoP could not verify the recipient’s account details. My wife enlisted my assistance to double and triple check that she had typed in the correct details as provided on the invoice and she answered “yes” to the question “are you sure you wish to proceed with this payment?”
The next screen she was presented with gave a dire warning about potential scams and once again asked if she was really sure she wished to proceed with the payment.
This screen shook her confidence and she considered cancelling the transaction, in spite of my assurances that this was merely a case of the bank increasing awareness of the risk of proceeding.
Once again, she confirmed that she wished to proceed with the transaction and was immediately presented with a screen that said “your transaction is blocked, please phone our fraud team”.
My wife gave me a steely stare as if to say “this is all your fault” as she proceeded to phone the number provided.
Meanwhile, I was sitting there with great interest in the process as I knew exactly why the bank was doing what it was doing and I was curious to see how the scenario would play out.
After a short wait (thankfully fraud hotlines seem to be far better staffed than any other customer service lines), my wife was subject to the normal “identity checks” that really don’t verify identity at all, as they merely verify account holder knowledge and, to be perfectly honest, either of our daughters could have passed the checks with flying colours.
As Adam Preis of Ping Identity pointed out in a recent interview, “KYC is no longer enough to mitigate fraud. We need continuous assurance and identity verification throughout the process.”
The customer service (CS) rep then proceeded to ask my wife about her attempted transaction:
CS: Who are you trying to pay?
Wife: our bathroom fitter.
CS: What for?
Wife: errr, fitting our bathroom ……. We’ve just had it renovated.
[lots of typing noises]
CS: Has someone sent you a request to make this payment?
Wife: yes, the bathroom fitter, I just told you, we’ve had our bathroom renovated and I need to pay the invoice.
[more typing noises]
CS: Is someone forcing you to make this payment?
Wife (staying calm and taking a deep breath): no, nobody is forcing me, we have had our bathroom renovated, you can see multiple transactions on my account over the last month for bathroom related transactions. I’m just trying to pay the bathroom fitter.
[typing for a very long time at this point]
CS: ok – I need to make you aware of a kind of scam called Authorised Push Payment.
[At this point the CS rep proceeds to read out a literal short essay explaining APP scams – this takes a few minutes and is very informative to my wife. I sit there and wonder how many times a day the poor CS rep has to do this]
CS: having heard what I have had to say, are you sure that this request is not a scam?
Wife: yes, I’m sure it’s not a scam, it’s just the bathroom fitter asking me to pay the invoice.
CS: is this a deposit against goods still to be delivered or work to be done in the future?
Wife: no, the work is complete. It was completed 3 weeks ago. We are really happy with the work done and would highly recommend this fitter, I just want to pay him please.
I’m not going to continue with an attempted transcript, but this went on for a total of 26 minutes, with the CS rep repeatedly asking my wife to explicitly acknowledge that she was aware that by proceeding with the transaction, the bank “may not” be liable if it did turn out to be a scam.
In the end, the CS rep agreed to lift the block on the transaction and thankfully our bathroom fitter confirmed safe receipt of the funds shortly after.
Now, please don’t get me wrong; I know I have a bit of a reputation for “banker bashing” in the past, but this is not the case here.
I sat through the entire call, dumbfounded at the length to which the bank was going in an attempt to determine if this was a fraudulent transaction or not. The CS rep was very apologetic at the need to repeat many of the questions, assuring my wife that this was all for her own good and they were doing their very best to protect her.
My wife was very appreciative of the service as, when it comes to money, “better safe than sorry” is her motto.
For me, this is an example of “good friction” in the payments process, but it comes at a high cost (of customer service) to the bank, which I don’t believe is sustainable in the long term.
And this is just one, single type of fraud.
What about synthetic identity fraud, money mule accounts, AI deepfakes, cross-border fraud, card skimming (yes, it’s still a thing), money laundering, sanctions fraud and and and …….. the list goes on.
And consumers expect (demand?) protection from all of these while at the same time expecting a frictionless payments experience.
As an industry, how do we find the right balance between friction, fraud and risk?
This is one of the topics we will be exploring in our next white paper, in advance of gathering industry professionals to share their insights at The Banking Scene Conference 2025 Brussels, where we are adding a dedicated Fraud, Risk and Compliance track to our existing Banking and Payments tracks.
If you have insights to share on the topics, please get in touch; we’d love to hear from you!
Have you seen our latest white paper, "The Future of Banking Engagement", which contains insights from over 70 financial services professionals from more than 60 different organisations on "The Paradigm Shift in Banking and Payments—Transforming the Rules of Engagement", our theme that ran across our conferences in Luxembourg, Amsterdam and Brussels in 2024?