Our “always-on” digital world requires payments that can be made in an instant. However, more speed means less time to double-check security, and that translates to increased opportunities for criminals. In fact, early implementations of faster payments have come with spikes in fraud. So how can the system stay safe as faster payment systems roll out in the United States?
Faster Payments Defined
In the most recent edition of Flavors of Fast, the annual analytical report on faster payment systems across the globe from FIS™, we defined a faster payment system to be “an interbank fully electronic payment system in which irrevocable funds are transferred from one bank account to another and where confirmation back to the originator and receiver of the payment is available in one minute or less.” The distinction between posting and settlement times is key to understanding the process. Payments post in real time, but most real-time systems settle on a net basis several times per day, on the same day as posting.
While the United States is currently evaluating multiple contender solutions for its own faster payment infrastructure, 25 countries are already live, with 10 more systems expected to roll out later this year or in 2018. To keep pace and to ensure global payments interoperability, the United States will have to enable faster payments very soon.
Faster Payments Empower Faster Fraud
In a real-time or near-real-time environment, once money is gone, it’s gone. Payments are irrevocable. This is in sharp contrast to long-established payment mechanisms where transaction settlement took multiple days to complete and thus gave financial institutions time to investigate transactions and dispute them before they fully cleared. Consequently, fraudsters had to wait for money to hit accounts before they could escape with the proceeds.
With shorter processing times, however, the time available to look for and act on fraud is greatly reduced. Therefore, whichever technology is used to underpin faster payments, it must also support banks’ abilities to detect and limit fraud. Several heists of SWIFT payments have proven how easy it is for fraudsters to exploit lax identity management practices used to authenticate and verify bank-to-bank transactions.
UK Faster Payments (UKFP), launched in 2008, was one of the first of the new generation services. While UKFP has been an unmitigated success, the potential for fraud was evident immediately: fraud tripled in its first two years of operation. While it was determined that the inherent infrastructure was sound, the entry points to transaction initiation were weak, and fraudsters exposed this weakness.
Authentication was highlighted as a weak spot, so measures were taken to beef up customer credentials using two-factor identification, tokenization and smartcard readers. With each successive year, UKFP fraud loss rates have significantly dropped as a percentage of the total value of faster payments transactions – they are now at lower levels than card payments. Despite these best efforts, fraudsters continue to develop clever ways to breach the defenses and to circumvent the mechanisms altogether. Increasingly, fraudsters are turning to malware to hijack a user session and move money automatically, forcing banks to evolve alongside them to keep the situation under control.
As countries continue to roll out faster payment systems, they would be wise to heed these lessons.
Reasons to Be Cheerful
It is incumbent on financial institutions themselves to implement crime prevention capabilities that more effectively detect, investigate, prevent and resolve financial crimes. Quite simply, real-time payments mandate real-time fraud detection and prevention. Faster payment systems need to both monitor transactions and act on them, all in real time. The faster payment service is likely to be available across multiple channels (interactive voice response, online, mobile, kiosk, etc.), so payment monitoring will need to cover every channel and look for patterns of fraud or deviations from a customer’s usual behavior.
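An added example (not from the original article or from any payment scheme's code) of the check described above: it pools one customer's history across channels and returns allow, step_up or hold before the irrevocable transfer is released. The thresholds, reason names and payment fields are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

class PaymentMonitor:
    """Scores a payment against the customer's own history, pooled across channels."""
    WINDOW_S, MAX_IN_WINDOW, MIN_HISTORY = 600, 3, 5  # assumed thresholds

    def __init__(self):
        self.history = defaultdict(list)  # customer -> released payments

    def record(self, pay):
        """Fold a released payment into the customer's baseline."""
        self.history[pay["customer"]].append(pay)

    def decide(self, pay):
        """Return (decision, reasons) before posting, because posting is irrevocable."""
        past, reasons = self.history[pay["customer"]], []
        amounts = [p["amount"] for p in past]
        if len(amounts) >= self.MIN_HISTORY:
            mu, sd = mean(amounts), pstdev(amounts)
            # Floor the spread at 10% of the mean so flat histories are not hair-triggered.
            if pay["amount"] > mu + 3 * max(sd, 0.1 * mu):
                reasons.append("amount_outlier")
        if pay["payee"] not in {p["payee"] for p in past}:
            reasons.append("new_payee")
        if pay["channel"] not in {p["channel"] for p in past}:
            reasons.append("new_channel")
        recent = [p for p in past if 0 <= pay["ts"] - p["ts"] <= self.WINDOW_S]
        if len(recent) >= self.MAX_IN_WINDOW:
            reasons.append("velocity")
        severe = {"amount_outlier", "velocity"} & set(reasons)
        if severe and len(reasons) >= 2:
            return "hold", reasons        # stop the payment for analyst review
        if reasons:
            return "step_up", reasons     # require additional authentication
        self.record(pay)                  # usual behavior: release and learn from it
        return "allow", reasons

def demo():
    """Constructed sample: six routine daily payments, then three new requests."""
    m = PaymentMonitor()
    base = {"customer": "c1", "payee": "utility", "channel": "online"}
    for day, amount in enumerate([50, 60, 70, 80, 55, 65]):
        m.record({**base, "amount": amount, "ts": day * 86400})
    return [m.decide({**base, "amount": 60, "ts": 1_000_000}),
            m.decide({**base, "amount": 70, "channel": "mobile", "ts": 1_000_100}),
            m.decide({**base, "amount": 5000, "payee": "acct-x", "ts": 1_000_200})]
```

Because a held or stepped-up payment is not recorded, an attacker's attempts do not shift the baseline they are measured against.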
The UKFP service benefits greatly from the establishment of a security code of conduct. This code outlines the controls participants must implement on their own payments systems and gateways and provides rules that financial institutions must follow to protect their end customers. This ensures that banks put sufficient controls in place while keeping the user experience consistent across different institutions.
The most fundamental risk to payments is poor identity management, so the best way to prevent fraud in payment systems is by making payment initiation more secure. This means using multi-factor identification to confirm payment parties. Behavioral analytics and biometric information have also been highly effective additions to the arsenal when combatting criminals using remote access attacks and malware. The use of behavioral and analytical tools can root out threats by simply differentiating between good use and bad use. The reality is that faster payments open multiple opportunities for fraudulent payments that must be addressed.
Is the U.S. Ready to Go Faster?
U.S. banks and other industry participants evaluating their options have a unique opportunity to thwart fraud by integrating multiple layers of security into the design of their new faster payment systems. Security is certainly a priority for the Fed, which is now reviewing more than 20 proposals for technologies that could facilitate faster payments in the United States, where the payments system is much more diverse and complex than in other nations.
As a result, banking institutions will have to completely rethink how they authenticate and verify payments in order to move to speedier payments, and that hinges on good identity management. Anti-fraud mechanisms – multi-factor authentication, tokenization, analytics, rule changes, codes of conduct and individual bank policies – will need to ensure the overall security and stability of a real-time payments system.
Payment providers that take an enterprise, layered, customer-centric approach to addressing fraud in real time will position themselves to be trusted providers, and they will be able to generate new revenue from differentiated, value-added services. Fraudsters will inevitably attack – and in ever more ingenious ways – but, to paraphrase Sherlock Holmes, “what one man can invent, another can discover.”