With new faster payment options comes new fraud opportunities. According to an Aite-Novarica survey of 21 fraud executives, 71% of respondents said consumer account takeover (ATO) using real-time payment rails increased in 2022 from the prior year, while 62% cited an increase in consumer authorized push payment (APP) fraud. More than half (57%) saw an increase in mule activity. At the time of the survey in 2022, FedNow had yet to launch.
Responses varied regarding the increase per fraud type, and some institutions saw a decrease. Fraud activity among small business customers also increased, but small‑business fraud across all institutions was generally less frequent than consumer fraud.
Keeping pace with fraud
Aite-Novarica provided several recommendations on how institutions can step up their strategies to address authorized and unauthorized instant payments fraud:
Risk assessment for outgoing transactions is no longer sufficient. Institutions must also put in place risk assessment for inbound transactions.
Institutions should continuously monitor local regulatory actions and mandates to ascertain the timing and potential impact on their real-time payments systems and fraud controls.
Banks should develop internal tracking and reporting of APP payment fraud to monitor transaction counts and amounts; this is a necessary first step in managing this form of fraud.
Consumer education alone is insufficient to control and lower APP fraud losses. Institutions should evaluate their existing control framework for both ATO and scam detection. They should analyze the various types of commercial fraud solutions to determine which ones are best suited for and complement their existing framework.
However, the authors note, “There is no silver bullet: effectively addressing authorized and unauthorized real-time payments fraud requires a combination of techniques, including transaction monitoring, consortium data and multifactor authentication.”
What community banks can do
Community banks using FedNow or The Clearing House’s RTP network need to enhance their existing mitigation strategies to detect fraud faster, says Scott Anchin, ICBA’s vice president of operational risk and payments policy. Detecting irrevocable transactions should also be continuous, because the rails are available 24/7/365.
“Fortunately, instant payment rails have built-in controls to help mitigate the risk of fraud, including transaction limits, per-transaction blocking capabilities and comprehensive reporting,” Anchin says. “There are a number of third-party solutions available that augment the built-in capabilities as well.”
He says community banks should understand how third-party fraud tools operate and make sure their vendor management programs include consistent interaction with solution providers. They should also educate customers on how instant payments work, including the concept of irrevocability, and how scammers take advantage of this. Banks should include several confirmations or warnings for customers to read before finalizing transactions. “This is one case where friction is beneficial,” Anchin says.
Community banks sending faster payments should have robust multifactor authentication controls for sign-in, says Abhishek Veeraghanta, founder and CEO of Atlanta-based Pidgin, which supports live transactions on FedNow and RTP on behalf of financial institutions. This should include geolocation controls to determine whether the person is signing in from their usual locations, Veeraghanta says.
“Fraud control is best done in layers. Fraud companies will perform transaction analysis, as well as individual analysis on both the sender and the receiver using data across a number of institutions.”—Mark Majeske, Alacriti
Establishing secure parameters
Community banks should also create thresholds for transaction dollar amounts as well as for the velocity of multiple transactions over a short period, Veeraghanta says.
“We built limits into our platform to make sure that we keep people secure at the time of transaction, and we’ve also built pieces like geolocation and additional authentication points into our payments workflows,” he says. “We also have a partnership with Effectiv, which is an excellent fraud engine that does a great job qualifying and protecting against potential fraud risk that comes with faster payments.”
Depending on a bank’s customer base and risk profile, the Treasury Department’s Office of Foreign Assets Control recommends that OFAC checks be conducted on a case-by-case basis, Veeraghanta says.
Alacriti in Piscataway, N.J., also supports faster payment processing. Within its payments platform, it integrates the specific fraud detection rules set by its bank clients that are administered by the fraud detection solution provider of their choice, says Mark Majeske, senior vice president of faster payments.
“Fraud control is best done in layers,” he says. “Fraud companies will perform transaction analysis, as well as individual analysis on both the sender and the receiver using data across a number of institutions. Device management is also very effective.”
Alacriti will help its bank clients develop fraud control rules and customer limits that appropriately balance the need to reduce the chance of fraud with customer expectations.
“Banks need to have a broad system that analyzes the transaction, the sender and the receiver based on historical data—most of the time using machine learning—about what’s normal for their customer,” Majeske says. “Then the decision needs to be made in milliseconds. We apply the bank’s rules and decision on behalf of them.”