The rise of instant payments: protecting consumers from criminals in 10 seconds
Over the last decade and a half, we have undoubtedly witnessed a payments revolution – from three-day cheque settlement to instant credit, from clearing house-specific payment windows to on-demand 24×7 execution, from bank branches and internet banking to omnichannel payments.
While these tectonic shifts have immensely benefited consumers in terms of convenience and speed, they have also inevitably created opportunities for criminals to commit financial fraud and launder money more quickly, with much less friction.
As consumers around the world are looking for faster and more convenient ways to make payments – both domestic and cross-border – how can financial institutions strike a balance between speed and safety to meet consumer demands while preventing fraud and crime?
Instant payments: an unstoppable global journey
The Council of the European Union recently adopted a new regulation to make instant payments fully available in euros to consumers and businesses in the EU and in EEA countries. This mandates all payment service providers (PSPs) to offer the facility to their customers to send and receive euro payments within 10 seconds, 24/7, across the EU and EEA.
The EU’s journey with instant payments started in 2017 with the launch of SEPA instant credit transfers, which initially only saw the participation of a few banks. With growing adoption and increased demand from consumers and businesses who have witnessed the benefits of instant settlement, the EU has now passed the regulation for all PSPs to make instant payments available and affordable across the EU and EEA.
Across the world, instant payments have disrupted the finserv ecosystem of several nations, channelling a huge volume of transactions into this route. Examples include the UK’s Faster Payments, India’s IMPS (Immediate Payment Services), Africa’s RPP (Rapid Payments Program) and Brazil’s Pix. Australia’s New Payment Platform (NPP), the US’ FedNow and Canada’s upcoming RTR (Real-time Rails) also promise similar successes.
Speed and convenience: instant payments and the potential for faster fraud
Instant payments are executed in real time. In most cases, funds reach the beneficiary’s account within 10 seconds of initiation by a consumer. So, if a fraudulent payment is made from a customer’s account, the money is lost within 10 seconds, allowing the customer no time to inform the bank and block the funds from leaving. The criminal, on the other hand, would instantly receive the money in their bank account and then transfer it within seconds to some other bank, thus making it impossible to recover the funds.
Authorised push payment (APP) fraud and scams have become increasingly common across the world. Criminals use various social engineering methods to target unsuspecting consumers, convincing them to make instant payments into their bank accounts. By the time consumers realise it was a fraud, the criminals would have moved the funds across several banks and countries, with no chance of recovery.
Protecting consumers from criminals in real time
Fraud prevention and detection for traditional payments has evolved and matured during the last decade. However, instant payments have witnessed a phenomenal surge in a very short time, with overwhelmingly high volumes moving through these payment rails. Fraud prevention and detection mechanisms for such payments are still maturing, as the industry is banking on consumer awareness on the one hand and advanced technology on the other to stop instant payment fraud.
Confirmation of Payee (CoP), first introduced in the UK, serves as a strong fraud prevention method as the consumer can verify the payee/beneficiary name against the account number before authorising the payment. Similar checks are now being introduced in the EU through Verification of Payee (VoP) and IBAN name confirmation for domestic and cross-border payments within the EU.
CoP/VoP can help in cases where a genuine customer is authorising a payment. But what about payments which are fraudulently made by criminals through identity theft, using stolen cards and devices, account takeover and other such deceptive means? Multi-layered fraud detection models can help identify fraudsters by accumulating data from the network layer (IP address and geolocation), device layer, application layer (web browser or mobile app) and account layer (bank/card account) during the instant payment initiation journey. Anomalies aggregated in each layer can help to detect fraud even before the payment is submitted by a criminal, and in such cases, the instant payment can be blocked.
Several PSPs have been piloting behavioural biometrics tools that can track user behaviour while making a transaction – such as how the user handles the device and keypad usage. These tools can test for behaviour such as a user making a payment while on an active phone call and taking instructions, and can spot the use of a remote access tool (RAT) to hijack a legitimate user’s session. Unusual behaviour and fraud triggers from such tools can be used to instantly stop such payments from being executed.
Machine learning models are experiencing increasing adoption in traditional payments for fraud detection, and they are being explored for instant payments as well. While the effectiveness of ML models in fraud detection is now well established, what will be critical for instant payments is the response time of such models – industry expectations are somewhere around 200 to 500 milliseconds.
Monitoring incoming instant payments for fraud: a viable approach?
Until now, only outgoing payments have been subjected to monitoring for fraud detection, and this is performed by the sending bank. But with the UK’s upcoming PSR3 regulation, both sending and receiving banks will have to shoulder APP fraud loss reimbursements on a 50:50 basis. This will require recipient banks in the UK to monitor incoming payments for fraud as well, as half of the APP fraud loss liability now shifts to the receiving bank.
Monitoring incoming instant payments for fraud in real time will mark a paradigm shift in fraud prevention. PSPs will need to implement new systems and processes to accomplish this. As most payment formats now use the ISO 20022 standard with richer data, recipient banks can verify additional fields rather than the account number alone, which is the current practice at most banks. Verification of payee name, payment purpose, payer-payee pair history, transaction history for similar incoming payments from first-time payers, and so on can trigger ML models to identify fraudulent receipts. However, the treatment of alerted funds – whether to hold off from crediting the payee until the investigation is over or to block and return the payment to the sending bank instantly – will need to be agreed, as there are no such standards currently.
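The receiving-bank checks listed above, sketched as an added example that is not from the author or any PSP: simple rules stand in for the ML models, and the field names, account records, thresholds and the credit/hold/return dispositions are all assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class IncomingPayment:
    # Simplified stand-ins for ISO 20022 credit-transfer fields (constructed names)
    payer_account: str
    payee_account: str
    payee_name: str   # payee name as supplied by the payer
    purpose: str
    amount: float

# Constructed receiving-bank records: account holder and usual purposes per account
HOLDERS = {"ACC-001": "Maria Lindqvist", "ACC-002": "Jon Berg"}
USUAL_PURPOSES = {"ACC-001": {"SALARY", "RENT"}, "ACC-002": {"SALARY"}}

def name_match(stated: str, held: str) -> float:
    """Fuzzy similarity in [0, 1] between stated payee name and account holder."""
    return SequenceMatcher(None, stated.casefold(), held.casefold()).ratio()

def screen_incoming(p, recent, name_floor=0.8, burst_limit=3):
    """Return (signals, disposition) for payment p.

    recent: payments already received in the look-back window (assumed
    pre-filtered by time). Dispositions are illustrative, not a standard.
    """
    per_payer = Counter(h.payer_account for h in recent
                        if h.payee_account == p.payee_account)
    signals = []
    if name_match(p.payee_name, HOLDERS.get(p.payee_account, "")) < name_floor:
        signals.append("payee_name_mismatch")
    if p.purpose not in USUAL_PURPOSES.get(p.payee_account, set()):
        signals.append("unusual_purpose")
    if p.payer_account not in per_payer:
        signals.append("first_time_payer")
        # Many distinct one-off payers into one account resembles mule activity
        one_off = sum(1 for n in per_payer.values() if n == 1)
        if one_off >= burst_limit:
            signals.append("first_time_payer_burst")
    disposition = ("return" if len(signals) >= 3
                   else "hold" if len(signals) == 2 else "credit")
    return signals, disposition

# Constructed sample data
RECENT = [IncomingPayment("EMP-9", "ACC-001", "Maria Lindqvist", "SALARY", 3100.0),
          IncomingPayment("EMP-9", "ACC-001", "Maria Lindqvist", "SALARY", 3100.0)] + [
          IncomingPayment(f"P-{i}", "ACC-002", "Jon Berg", "SALARY", 900.0)
          for i in range(3)]
```

A single weak signal, such as a first-time payer with a matching name, still results in a credit here; only combinations of signals escalate to hold or return.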
The UK’s contingent reimbursement model for APP fraud victims set the precedent for some other regions to come up with similar models, such as the EU’s reimbursement model for bank impersonation scams. So, PSR3’s 50:50 model might also inspire a similar shift in liability to receiving banks in other regions soon.
As instant payments continue to expand their footprint across the world, banks and regulators globally must start collaborating on frameworks, standards and best practices for fraud prevention by both sending and receiving banks, which can be uniformly adopted in each jurisdiction.
About the author
Sujata Dasgupta is an industry leader and global head of financial crime compliance advisory at Tata Consultancy Services, based in Stockholm, Sweden.
She has over 24 years of experience, having worked extensively in the areas of fraud and financial crime prevention across banking operations, IT services and consulting.
She has had global exposure through her work with premier banks in several major financial hubs in seven countries across North America, Europe, the UK and Asia.
She is an accomplished thought leader, author, columnist and speaker and is regularly interviewed by reputed international journals for her analysis and opinions on contemporary topics in this area.
She can be contacted on LinkedIn.