Instant payment systems, also called real-time payment systems, provide immediate transfer of funds, immediate transaction confirmation and round-the-clock availability. Although these features benefit individuals, businesses and financial institutions, they benefit a fraudster too: once an instant payment settles, the recipient controls the funds immediately, so there is no window in which a fraudulent transfer can be held or recalled. With instant payments, you can’t put fraud and compliance controls off until later; you must apply them in real time.
Most existing legal frameworks do not explicitly account for the faster movement of funds in instant payments, which multiplies and accelerates the opportunities for fraud. Financial institutions offering instant payment services must therefore review whether their fraud systems can operate in real time and use strong methods of customer authentication.
The European Parliament periodically issues Anti-Money Laundering Directives (AMLDs) to be implemented by member states to help prevent money laundering and terrorist financing. Financial institutions should review these directives to confirm that they meet compliance requirements when offering instant payments.
During the two- to three-day cycle of traditional payments, the financial institutions participating in the clearing and settlement mechanism manage fraud within that cycle. This is possible, and appropriate, because the slow pace of the cycle leaves time to review, hold or recall a suspicious payment.
With instant payments the funds are usable by the recipient immediately and the exposure to cyberattacks is greater, so fraud risk has to be addressed in real time, before the payment enters clearing and settlement, rather than afterwards.
The FraudClassifier Model.
Because the way fraud is classified does not depend on the payment ecosystem, the FraudClassifier Model can be used to classify fraud regardless of payment type, channel or other characteristics.
The Federal Reserve created the FraudClassifier Model in collaboration with industry experts as a robust, interactive resource for describing fraud in consistent language. It helps users identify fraud typologies through an industry-validated process whose first distinction is whether the party that initiated the payment was authorized or unauthorized.
The FraudClassifier Model asks three successive questions to help specify the nature of a given fraud event.
Common types of fraud in instant payments.
The following fraud types commonly occur in instant payments:
Authorized push payment (APP) – In APP fraud, a customer is deceived into authorizing a transfer to an account controlled by a criminal. Because the payer themselves initiated and authenticated the payment, authentication alone does not stop it. The most effective way to minimize this very common type of fraud is to know your customer (KYC): verify the customer during onboarding and regularly review their day-to-day spending patterns, so that an out-of-pattern payment can be held or challenged before it is released. Artificial intelligence (AI) can assist with this monitoring.
Account takeover (ATO) – In an ATO attack, a fraudster uses stolen credentials, or stolen personal data such as email addresses and phone numbers that let them reset credentials or intercept one-time codes, to gain control of someone else’s bank account. A rules-based system that models how each customer normally engages with your platform (devices, locations, payees, amounts, timing) can highlight suspicious deviations from that pattern. The financial institution should also work closely with an internal or external computer security incident response team (CSIRT) to establish whether the attack is part of a wider cybersecurity threat.
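As an added example (not code from the original article or from any payment scheme), the following Python builds a per-customer profile from past events and scores a new payment against a handful of ATO rules. The rule weights, the seven-day trust age for newly seen devices, the 24-hour window after a credential reset and the customer history are all constructed assumptions for illustration; a real system would tune them from its own fraud data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional, Tuple


@dataclass
class Event:
    ts: datetime
    kind: str                 # "login", "password_reset" or "payment"
    device: str               # device fingerprint / browser identifier
    country: str              # geolocation of the session
    beneficiary: str = ""     # payee IBAN for payments
    amount: float = 0.0


@dataclass
class Profile:
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    beneficiaries: set = field(default_factory=set)
    amounts: List[float] = field(default_factory=list)
    last_reset: Optional[datetime] = None


# Assumed policy constants: a device, country or payee first seen less than a week
# ago is not yet "known", and a payment within a day of a credential reset is high risk.
TRUST_AGE = timedelta(days=7)
RESET_WINDOW = timedelta(hours=24)


def build_profile(history: List[Event], now: datetime) -> Profile:
    """Learn what 'normal' looks like for this customer from events older than TRUST_AGE."""
    p = Profile()
    for e in history:
        if e.kind == "password_reset":
            p.last_reset = e.ts if p.last_reset is None else max(p.last_reset, e.ts)
            continue
        if now - e.ts < TRUST_AGE:
            continue  # too recent to be trusted as part of the baseline
        p.devices.add(e.device)
        p.countries.add(e.country)
        if e.kind == "payment":
            p.beneficiaries.add(e.beneficiary)
            p.amounts.append(e.amount)
    return p


def score_payment(profile: Profile, pay: Event) -> Tuple[int, str, List[str]]:
    """Apply the rules, sum their weights and map the score to a decision."""
    hits = []
    if pay.device not in profile.devices:
        hits.append(("new_device", 30))
    if pay.country not in profile.countries:
        hits.append(("new_country", 25))
    if pay.beneficiary not in profile.beneficiaries:
        hits.append(("new_beneficiary", 20))
    if profile.amounts and pay.amount > 3 * median(profile.amounts):
        hits.append(("amount_outlier", 20))
    if profile.last_reset is not None and timedelta(0) <= pay.ts - profile.last_reset < RESET_WINDOW:
        hits.append(("recent_credential_reset", 30))
    score = sum(weight for _, weight in hits)
    if score < 40:
        decision = "release"
    elif score < 70:
        decision = "step_up_auth"          # e.g. re-authenticate out of band
    else:
        decision = "hold_and_refer_to_csirt"
    return score, decision, [name for name, _ in hits]


NOW = datetime(2024, 3, 1, 12, 0)


def sample_history() -> List[Event]:
    """Constructed history: two months of rent-sized payments from one phone in Germany."""
    hist = []
    for days_ago in (60, 45, 30, 20, 10):
        ts = NOW - timedelta(days=days_ago)
        hist.append(Event(ts, "login", "phone-A", "DE"))
        hist.append(Event(ts, "payment", "phone-A", "DE", "DE89370400440532013000", 40.0 + days_ago))
    return hist


def legitimate_scenario():
    profile = build_profile(sample_history(), NOW)
    return score_payment(profile, Event(NOW, "payment", "phone-A", "DE", "DE89370400440532013000", 75.0))


def new_payee_scenario():
    profile = build_profile(sample_history(), NOW)
    return score_payment(profile, Event(NOW, "payment", "phone-A", "DE", "FR7630006000011234567890189", 250.0))


def takeover_scenario():
    # Attacker resets the password from a new browser abroad, then drains the account two hours later.
    hist = sample_history() + [Event(NOW - timedelta(hours=2), "password_reset", "browser-X", "NG")]
    profile = build_profile(hist, NOW)
    return score_payment(profile, Event(NOW, "payment", "browser-X", "NG", "GB82WEST12345698765432", 2500.0))
```

The takeover scenario trips every rule and is held for the CSIRT, the routine payment is released, and a larger payment to a first-time payee from the usual device lands in the step-up band, which is where an out-of-band confirmation of amount and payee belongs.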
Phishing – In phishing attacks, fraudsters use a variety of tactics, including emails, phone calls or websites that impersonate legitimate businesses, to deceive individuals into revealing personal information or credentials. They often rely on a sense of urgency to push the target into moving quickly and transferring money. Customer awareness campaigns help mitigate phishing when they complement, rather than replace, the bank’s own fraud controls.
Fraud detection around the world.
The volume of instant payments is increasing, and each clearing system is developing its own strategy for managing fraud.
Europe: Single Euro Payments Area (SEPA) Instant.
In Europe, the revised Payment Services Directive (PSD2) introduced a pan-European approach to managing online payment and card fraud. The standards developed under it describe a fraud event along two dimensions:
The attack vector: the first point of contact between the fraudster and the victim (how the attack was initiated).
The fraudulent action: the unauthorized, often manipulative, action taken by the fraudster that resulted in the loss of money through a payment transaction (what action took place).
PSD2 introduced the following guidelines to help combat fraud:
Strong customer authentication (SCA) – Payment service providers (and, by extension, the businesses whose transactions they process) must authenticate the payer with at least two independent factors (something the user knows, something the user has, something the user is) when the payer accesses their account online or initiates an electronic payment.
Dynamic linking – The authentication code generated for a payment is cryptographically bound to that payment’s amount and payee, so a code obtained for one payment cannot be reused for another, and any change to the amount or payee after the customer has authenticated invalidates the code.
Fraud reporting – Payment service providers periodically report fraud data for each means of payment to their national competent authority.
Fraud monitoring tool – PSPs must operate transaction monitoring mechanisms that detect and prevent unauthorized or fraudulent payment transactions.
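The dynamic-linking requirement above is easiest to see in code. The following Python is an added illustration, not code from the article, PSD2 or any PSP: the customer’s registered device holds a key and computes a six-digit code over a server challenge plus the amount and payee the customer confirms on screen (HMAC-SHA256 with HOTP-style truncation); the bank recomputes the code over the order it actually received. The in-memory key store, the 8-byte amount encoding and the single-use challenge table are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def dynamic_linked_code(device_key: bytes, challenge: bytes, amount_cents: int, payee_iban: str) -> str:
    """Six-digit code bound to this challenge, amount and payee (RFC 4226-style truncation of an HMAC)."""
    msg = challenge + amount_cents.to_bytes(8, "big") + payee_iban.encode("ascii")
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class AuthServer:
    """Bank-side verifier. Assumption: keys live in memory here; in production they sit in an HSM-backed store."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}       # user -> device key
        self._pending: Dict[bytes, str] = {}    # outstanding challenge -> user; consumed on first use

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[user] = key
        return key  # provisioned to the user's registered device

    def new_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending[challenge] = user
        return challenge

    def verify(self, challenge: bytes, code: str, amount_cents: int, payee_iban: str) -> bool:
        """Recompute over the order the bank received: any change to amount or payee, or a replay, fails."""
        user = self._pending.pop(challenge, None)   # single use, whether or not the check succeeds
        if user is None:
            return False
        expected = dynamic_linked_code(self._keys[user], challenge, amount_cents, payee_iban)
        return hmac.compare_digest(expected, code)


def run_scenarios() -> Dict[str, bool]:
    server = AuthServer()
    key = server.enroll("alice")                        # stored on Alice's phone
    amount, payee = 10_000, "DE89370400440532013000"    # EUR 100.00 to the payee Alice confirms on screen

    # 1. Honest order: the device signs what Alice saw and the bank receives the same order.
    ch = server.new_challenge("alice")
    code = dynamic_linked_code(key, ch, amount, payee)
    honest = server.verify(ch, code, amount, payee)

    # 2. Replay of the same code for the same order.
    replay = server.verify(ch, code, amount, payee)

    # 3. Man-in-the-browser swaps the payee after Alice confirmed; the code no longer matches.
    ch2 = server.new_challenge("alice")
    code2 = dynamic_linked_code(key, ch2, amount, payee)
    tampered_payee = server.verify(ch2, code2, amount, "GB82WEST12345698765432")

    # 4. Amount inflated from EUR 100.00 to EUR 1,000.00 in transit.
    ch3 = server.new_challenge("alice")
    code3 = dynamic_linked_code(key, ch3, amount, payee)
    tampered_amount = server.verify(ch3, code3, 100_000, payee)

    return {"honest": honest, "replay": replay,
            "tampered_payee": tampered_payee, "tampered_amount": tampered_amount}
```

The point of the example is what the code is computed over: because the amount and payee are inputs to the HMAC, a static one-time password that merely proves possession of the device would not catch cases 3 and 4. The six-digit truncation keeps the code typeable; it is safe only because each challenge is single-use and a verifier would rate-limit failed attempts.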
EBA Clearing plans to enrich its SEPA payment systems, RT1 and STEP2, with fraud prevention and detection capabilities by November 2023. This will include confirmation-of-payee functionality, which PSPs can flexibly integrate into their own service offerings so that customers are warned of any mismatch between the International Bank Account Number (IBAN) and beneficiary name they have entered and the account holder on record, before the payment order is submitted.
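The two checks a confirmation-of-payee step performs, shown as an added Python example rather than code from EBA Clearing or any PSP: first the IBAN’s structure and ISO 7064 MOD 97-10 checksum are validated, then the name the payer typed is compared with the name on record and graded as a match, close match or no match. The country-length table, the legal-suffix list, the similarity thresholds and the in-memory account directory are assumptions for the example; in practice the name lookup is a request to the payee’s PSP.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from typing import Dict

# Assumption: a small subset of national IBAN lengths; extend for the countries a scheme covers.
IBAN_LENGTHS = {"DE": 22, "FR": 27, "GB": 22, "NL": 18, "ES": 24, "IT": 27}
# Assumption: legal-form suffixes that should not count against a name match.
LEGAL_SUFFIXES = {"ltd", "limited", "gmbh", "bv", "sa", "sarl", "plc", "inc", "llc"}


def check_iban(iban: str) -> bool:
    """Validate structure, expected national length and the MOD 97-10 check digits."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]+", s):
        return False
    expected = IBAN_LENGTHS.get(s[:2])
    if expected is not None and len(s) != expected:
        return False
    rearranged = s[4:] + s[:4]                              # move country code and check digits to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35, digits unchanged
    return int(numeric) % 97 == 1


def normalise_name(name: str) -> str:
    """Strip diacritics, case, punctuation and legal suffixes; sort tokens so word order does not matter."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = [t for t in re.findall(r"[a-z0-9]+", no_marks.casefold()) if t not in LEGAL_SUFFIXES]
    return " ".join(sorted(tokens))


def confirm_payee(entered_name: str, name_on_record: str) -> str:
    """Grade the entered beneficiary name against the account holder on record."""
    a, b = normalise_name(entered_name), normalise_name(name_on_record)
    if not a or not b:
        return "no_match"
    ratio = SequenceMatcher(None, a, b).ratio()
    if ratio >= 0.97:
        return "match"
    if ratio >= 0.80:
        return "close_match"     # typically shown to the payer for confirmation
    return "no_match"            # typically blocks submission or requires an explicit override


# Constructed directory standing in for the payee PSP's account-holder lookup.
DIRECTORY: Dict[str, str] = {
    "DE89370400440532013000": "Anna Schmidt",
    "GB82WEST12345698765432": "Müller GmbH",
}


def check_payment_order(iban: str, entered_name: str) -> Dict[str, object]:
    """Run both checks on a payment order before it is submitted."""
    compact = re.sub(r"\s+", "", iban).upper()
    iban_valid = check_iban(compact)
    holder = DIRECTORY.get(compact) if iban_valid else None
    payee = confirm_payee(entered_name, holder) if holder else "no_match"
    return {"iban_valid": iban_valid, "payee": payee, "account_holder": holder}
```

A checksum failure usually means a typo and is cheap to catch locally; a valid IBAN whose account holder does not resemble the name the payer believes they are paying is the signal that matters for APP fraud, and it is available only before the payment order is released.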
India: Unified Payments Interface (UPI).
UPI is the largest instant payment system in the world by transaction volume. However, according to India’s Ministry of Finance, cybercrime cells recorded more than 95,000 UPI transaction fraud incidents in the country between the end of 2022 and the first quarter of 2023.
The UPI ecosystem responded to these fraud reports with the following interventions:
UPI grievance portal – This national cybercrime reporting portal allows users to file complaints about UPI fraud, including cases in which the user was deceived into initiating a payment to an unknown beneficiary.
UPI education service – This campaign offers five tips to avoid a scam:
- Always verify the UPI identification (ID) of the person before making a payment.
- Enter the UPI personal identification number (PIN) only on the app’s dedicated UPI PIN page, and never share it with anyone.
- Enter the UPI PIN only to send a payment; receiving money never requires a PIN, so any request to enter it in order to receive funds is a scam.
- Check all incoming messages and report any suspicious activity related to the account.
- Use the UPI app’s reporting function for any concerns.
U.S.: FedNow.
FedNow launched in July 2023. FedNow’s approach to protecting against fraud includes the following aspects:
Transaction limit at the network level – The Federal Reserve sets the maximum amount per transaction a financial institution can send over the FedNow network. Participants can set a lower transaction limit for credit transfers based on their organization’s risk policies.
Negative lists – Participants define negative lists of suspicious accounts that their organization will not send payments to or accept payments from.
Standard ISO 20022 messages and data security measures that support fraud detection and recovery:
- Request for information (to query the counterparty about a suspicious payment).
- Return request (to ask the receiving institution to return the funds of a suspected fraudulent payment).
- Data security standards.
- Digital signatures on messages.
- Data encryption and tokenization.
FedNow is scheduled to release a fraud tool service for all participants in Q4 2023 and is expected to provide additional tools to help prevent fraud as the system evolves.
Combatting fraud at each stage of the instant payment journey.
Each region of the world is working to prevent fraud at different payment stages. A single rule won’t successfully address all instances because fraud is tied to the specific user, financial institution and payment scheme ecosystem. However, financial institutions, end users and payment schemes can each take responsibility in combatting fraud.
Financial institutions.
Develop strong KYC guidelines and procedures.
Continuously monitor customer behaviour and transaction patterns.
Collaborate and share knowledge with other financial institutions and the central bank.
Use the latest payment authentication technology.
Integrate fraud and cyberthreat data.
Payment schemes.
Use fraud monitoring tools.
Offer a confirmation-of-payee service.
Provide a secure API-based scheme for sharing fraud data.
Collaborate and share knowledge with members and nonmembers.
Adopt an agile scheme to continuously adapt to new fraud techniques.
End users.
Learn to recognize suspicious emails and messages.
Adopt a zero-trust contact policy: treat unsolicited calls, messages and payment requests as untrusted until verified through a channel you already know.
Use strong and unique passwords for different accounts.
Enable alerts on any suspicious activity related to your accounts.
Set up payment authorization rules that require digital signatures based on amount, currency, payment type and payment destination.
Collaborate and share knowledge with your peers.
Conclusion.
Fraudsters are becoming more sophisticated in their tactics, employing social engineering, phishing attacks and account takeovers to deceive consumers. With the speed of these transactions, there is little to no time for victims to reverse the transaction or for banks to conduct proper verification.
Taking a layered approach to combatting fraud is critical in instant payments: perform KYC checks when opening an account, authenticate the payer with strong customer authentication and dynamic linking, confirm the payee by checking the IBAN against the name the customer enters in the app or online before the payment order is submitted, and monitor transactions in real time for out-of-pattern behaviour.
Taking a holistic approach to fraud can be challenging because not all signals are verified in one place. All parties involved must form a united front and take responsibility for securing the system. Only through a collective effort can we hope to protect consumers and make more secure instant payments.