While beneficial for businesses and consumers, Nacha's new rule for same-day transactions will require banks and other financial institutions to review thousands of additional transactions per day, leading to a significant increase in costs, not to mention an increased potential for fraud due to the volume and speed of review.
Fortunately, banks gearing up for this major change in the U.S., which goes into effect in September, can learn a lot from the U.K.’s “Faster Payments” system. Launched in 2008, Faster Payments propelled the U.K. to the forefront of payments technology globally and allowed banks to clear payments in hours instead of the three days previously required for BACS (Bankers' Automated Clearing Services) payments.
This new system, however, also attracted the attention of fraudsters who quickly saw an opportunity to steal and get away with money before they were detected. The years following the adoption of faster payments saw a surge in online banking fraud. Losses went from £22.6 million in 2007 to £52.2 million in 2008 and £59.7 million in 2009. After receding for several years, online banking fraud losses in the U.K. jumped again last year to more than £100 million.
How and why this happened is actually quite simple. Digital fraud quickly migrated from other types of fraud such as phone fraud and check fraud simply because fraudsters saw that they could cash out much faster, and at the same time, avoid being caught.
While security measures were essentially the same both before and after the move to faster payments, banks didn’t take into account the specific lead time they would need to review an increased number of transactions over a shorter period of time. Ultimately, the banks just weren’t ready.
Here are 5 lessons we can learn from the U.K.’s faster payments migration:
Faster Payments = Faster (and larger) Fraud: When payments are faster, the time for cash out becomes faster for fraudsters, driving an increase in fraud. Fraudsters appreciate when the cash out time is as short as possible because they can get away with money before they are detected.
Automation is Key: Adding resources to a risky manual process cannot bridge the gap of moving from hours of review to seconds of review. There is simply no number of people that can be added to this process that will enable it to move faster. It is imperative to shift towards a set of processes and controls that are automated. Specifically, banks should transparently auto-authenticate transactions to reduce the number of cases that are sent to manual review. Technologies such as behavioral biometrics allow banks to authenticate the user based solely on the interaction data, without requiring the user to actively participate in the process.
Streamline the “recouping” process: Currently, when a bank identifies that a fraudulent transaction has resulted in a money transfer to another bank, it initiates a manual process designed to recoup the funds. Typically, this process is labor intensive, involving multiple phone calls and paperwork. The short timeframe that will come into play in September will not allow the current long-winded recouping process to remain effective. Banks must work together to streamline the current reporting and approval processes for recouping stolen funds.
Expect a jump in Remote Access (RAT) fraud: With the introduction of faster payments, banks must beef up their security posture to address current fraud vectors such as phishing and MitB malware attacks. However, as witnessed in the U.K., to maintain their livelihood, fraudsters simply shift to new attack vectors that are undetectable by current fraud detection controls. Remote Access attacks are currently the #1 fraud attack in the UK. In this attack, a criminal uses a remote access tool to take control of the victim’s device and browser and submit fraudulent transactions. Banks need to introduce innovative technologies to detect remote access attacks as well as other evolving threats.
Share data: While sharing information between banks in order to improve their collective fraud detection capabilities is not a new concept, platforms for sharing threat data are mostly siloed. The need for better fraud detection that comes with faster payments should result in additional bank consortium data sharing initiatives.
While it is impossible to know for certain what will happen as the US shifts to same-day payments later this year, taking a look at the UK’s Faster Payments can help banks and their customers prepare and, most importantly, learn from the UK’s experience in order to make the transition a smooth one.
Oren Kedem is vice president of product management at BioCatch.