Person-to-person transactions in real time pose unique risks. Here’s how to manage them while ensuring a great experience for users.
Splitting the lunch bill. Paying a friend back for picking up those last-minute tickets. Covering the cost for your kid’s college textbooks. Each of these scenarios represents an opportunity for digital payments to replace cash and checks. But the question remains: What are financial institutions doing to ensure your payments are easy, fast, and (most important) safe?
The demand for digital person-to-person payments has grown rapidly, and as more people use the capability and experience it for themselves, continued growth is almost certain. Aite Group sized the U.S. P2P payments market and projects over 200% growth from 2015 to 2020—from $100.3 billion to $316.6 billion.
However, this move to real-time payments comes with a very real set of risks that FIs must be aware of and prepare for. It isn’t enough for fraud executives to stick with their current tools and expect positive results in real-time fraud protection. It takes a strategic approach to foster a fraud-risk environment that balances loss mitigation with the desire for a frictionless customer experience.
Here are four common risk moments and some mitigation strategies for banking professionals to consider:
- Registration Fraud
Knowing that customers are who they say they are is vital when protecting real-time payments. By the time a customer is ready to initiate a real-time payment, it is too late to start verifying identity.
FIs must strengthen their application controls and perform a series of identity-validation and authentication checks on consumers before they even initiate a payment. They can do this using state-of-the-art identity-proofing data sources. This is in addition to validating the consumer based on information from layered authenticators, such as device intelligence or data directly from the mobile network operators.
- Account Takeover
Account takeover (ATO) fraud occurs when a fraudster impersonates a customer and takes over their account. According to Aite Group, this is the single largest type of fraud that FIs are facing in digital channels.
For most FIs, this is nothing new, but it takes on an added sense of urgency with real-time payments because funds become available so quickly. A fraudster only needs to control an account for a short while to do damage that is increasingly difficult to reverse.
As ATO continues to grow, it further proves the necessity for upgraded authentication measures that can protect customers’ accounts and keep fraudsters out.
- Mobile Threats
Although some fraud executives believe the mobile channel is easier to secure than online, there are several threats that are unique to the mobile channel that FIs must guard against.
These threats include phone-number ports, spoofed calls, SIM card swaps, and mobile-specific malware that can infect the device. Threats such as these can allow a fraudster to appear to be a legitimate customer and defeat fraud-prevention steps performed by the FI.
Malware that detects one-time passwords and forwards them to a fraudster is another very real threat that allows criminals to take over accounts and steal funds. A layered approach that combines network, device, and behavioral data can help thwart some of these mobile threats.
- Consumer Understanding
Many consumers do not understand how real-time payments work or what faster funds availability means for them, and this is another large concern for FIs. Some of the incidents on payment systems stem from misdirected funds and a lack of consumer knowledge rather than from fraud.
Consumer education and reinforcement of proper etiquette with real-time payments are musts to maintain a successful payment system and cut down misdirected payments. For example, payments through Zelle are typically considered direct and irrevocable, so consumers must only transfer money to people they know and trust.
By contrast, paying from a third-party site to someone you’ve never met for concert tickets is definitely not a recommended best practice. The appropriate ways to use real-time payments must be communicated to the consumer.
Actionable Best Practices
In the world of fraud, it is wise to be prepared for the worst, as it then becomes less likely to materialize. Fraudsters are constantly reinventing themselves and their methods of attack. FIs that offer real-time payments are likely targets for these groups, which raises the probability of attacks.
Mobile network operator data is one option that can be leveraged to cross-check customers’ information directly with the mobile carriers. This technology can alert FIs as to whether a phone number or device has been recently ported or had ownership changes or a recent SIM card swap—all of which could be reason to deny access or to step up authentication. Having access to this data is pivotal in securing the mobile channel.
Additionally, FIs have technology that can bind the customer’s device through a unique identifier that is recognized in future logins. If that identifier is not recognized, an FI can similarly engage in stepped-up authentication to further validate the customer. And device intelligence can be integrated into an FI’s digital-security suite to help identify the health of a device and identify the malware or other threats impacting the device itself.
FIs should always be evaluating their fraud protection to make sure there are no gaps as it relates to emerging threats or changes in technology. A layered approach of authentication capabilities is always key. This can incorporate passive, behind-the-scenes authenticators such as MNO data, along with active, stepped-up authenticators.
This approach will help balance friction and risk within the experience for legitimate customers, while making it much more difficult for fraudsters to gain access.
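The layered approach described above can be expressed as a decision policy: passive signals (carrier data on ports, SIM swaps and ownership changes; whether the bound device identifier is recognized; device-intelligence findings) are evaluated first, and the outcome is one of allow, step-up authentication, or deny. The following is an added example, not code from the article or from Early Warning Services. The signal classes, the 14-day "recent" window and the sample values are constructed assumptions; a real deployment would populate them from the carrier-data and device-intelligence feeds the article refers to, whose APIs are not shown here.

```python
"""Layered step-up authentication decision for a real-time P2P login or payment.

Added example (assumed signal model), not the article's or any vendor's code.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # let the session or payment proceed
    STEP_UP = "step_up"    # require an active authenticator before proceeding
    DENY = "deny"          # block and route to fraud review


@dataclass(frozen=True)
class MnoSignals:
    """Passive, behind-the-scenes signals from mobile network operator data (assumed shape)."""
    last_port_date: Optional[date]
    last_sim_swap_date: Optional[date]
    ownership_changed: bool
    line_type: str          # "mobile", "voip" or "landline"
    deactivated: bool


@dataclass(frozen=True)
class DeviceSignals:
    """Device-binding and device-intelligence results (assumed shape)."""
    device_id_recognized: bool   # bound identifier seen on a previous login
    malware_detected: bool


RECENT_WINDOW = timedelta(days=14)   # assumed policy window for port / SIM-swap events


def _recent(event: Optional[date], today: date) -> bool:
    return event is not None and today - event <= RECENT_WINDOW


def decide(mno: MnoSignals, device: DeviceSignals, today: date) -> Tuple[Decision, List[str]]:
    """Combine passive signals into a decision plus the reasons behind it."""
    reasons: List[str] = []

    # Hard stops: a deactivated number or an infected device is not worth stepping up.
    if mno.deactivated:
        reasons.append("number deactivated by carrier")
    if device.malware_detected:
        reasons.append("malware detected on device")
    if reasons:
        return Decision.DENY, reasons

    # Step-up triggers: any one of these is enough to ask for an active authenticator.
    if _recent(mno.last_port_date, today):
        reasons.append("number ported within window")
    if _recent(mno.last_sim_swap_date, today):
        reasons.append("SIM swap within window")
    if mno.ownership_changed:
        reasons.append("carrier reports ownership change")
    if mno.line_type != "mobile":
        reasons.append(f"line type is {mno.line_type}, not mobile")
    if not device.device_id_recognized:
        reasons.append("device identifier not recognized")
    if reasons:
        return Decision.STEP_UP, reasons

    return Decision.ALLOW, ["all passive checks passed"]


# Constructed sample cases (not real customers or carrier records).
TODAY = date(2024, 3, 15)
SAMPLES: Dict[str, Tuple[MnoSignals, DeviceSignals]] = {
    "returning_customer": (
        MnoSignals(None, None, False, "mobile", False),
        DeviceSignals(True, False),
    ),
    "sim_swap_new_device": (
        MnoSignals(None, date(2024, 3, 13), False, "mobile", False),
        DeviceSignals(False, False),
    ),
    "deactivated_number": (
        MnoSignals(None, None, False, "mobile", True),
        DeviceSignals(True, False),
    ),
}


def evaluate_samples() -> Dict[str, Decision]:
    """Run every constructed sample through the policy."""
    return {name: decide(mno, dev, TODAY)[0] for name, (mno, dev) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (mno, dev) in SAMPLES.items():
        decision, why = decide(mno, dev, TODAY)
        print(f"{name}: {decision.value} ({'; '.join(why)})")
```

The ordering matters: hard stops are evaluated before any step-up trigger so that a customer is never prompted for a one-time code on a device already reported as infected, which is exactly the malware scenario the Mobile Threats section describes.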
Having proper intelligence on current offerings, key threats, and vulnerabilities is a straightforward step, but a very necessary one that is sometimes overlooked.
Other Security to Consider
As FIs think about offering real-time P2P payments, they must consider what it takes to ensure that the phone numbers and email addresses used to route payments are accurate and up to date.
In most real-time P2P payment networks, mobile-phone numbers or emails are used as “tokens” to be the unique identifiers for consumers participating on the network. These tokens enable consumers to receive payments by linking directly into the bank and the account they’ve designated at time of enrollment.
More important, they are the key to an inherently safer digital-payments experience, an experience that removes a consumer’s personally identifiable information (PII) from the equation, along with their sensitive bank-account information.
The token as an identifier is intrinsically important as more and more consumers make every effort to protect themselves in digital channels. But it is equally important to treat token management, along with the cleanup and ongoing maintenance of the contact-information portfolio, as priorities that are monitored.
FIs must evaluate their complete portfolio of contact information to ensure accuracy. Additionally, FIs will also need to monitor and track those tokens and keep them up-to-date, as customer mobile numbers can change periodically.
While many of us keep the same phone number for years, there is actually a large portion of the population that gets a new mobile number when they switch carriers, receive device upgrades, move, or even when they are looking for a more desirable number or area code. Email addresses can be just as precarious, as people change names or get overloaded with spam emails.
As mentioned before, MNO intelligence can confirm whether or not the mobile number or token being used in your P2P directory is associated with the correct customer. It can also tell you if a number has been deactivated by the carrier or canceled by a customer.
For FIs preparing to launch a P2P platform, at minimum, a one-time token cleanup of their existing customer base is a good practice to ensure accurate payments, and, more important, happy customers.
That’s a great first step, but remember you’ll want to perform a token cleanup on a regular basis. The timing, pacing, and cadence will vary by your specific financial institution’s needs. But it would be ill-advised to rely solely on just the one-time cleanup effort from a long-term perspective. This regular maintenance includes line-type monitoring as well, as customers could port a mobile number to a VoIP or landline after it’s been successfully registered.
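The one-time and recurring token cleanup described above amounts to a sweep over the P2P directory that compares each registered number against current carrier data and a re-verification cadence. The following is an added example, not the article's or Early Warning Services' code. The directory records, the carrier statuses, the 90-day cadence and the 555 phone numbers are all constructed; the `CarrierStatus` lookup stands in for whatever MNO intelligence feed an FI actually uses.

```python
"""Periodic token cleanup sweep for a P2P directory keyed by phone number.

Added example with constructed data; the carrier feed is an assumed in-memory stand-in.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class TokenRecord:
    token: str                  # phone number used as the P2P identifier
    customer_id: str
    last_verified: date         # last time the token was confirmed against the customer
    registered_line_type: str   # line type recorded at enrollment


@dataclass(frozen=True)
class CarrierStatus:
    """What the MNO feed reports for a number (assumed shape)."""
    active: bool                              # False if deactivated or cancelled
    line_type: str                            # "mobile", "voip" or "landline"
    subscriber_match: Optional[bool]          # None when the carrier cannot say
    ownership_changed_since: Optional[date]   # date of the last ownership change, if any


REVERIFY_AFTER = timedelta(days=90)   # assumed cadence; the article says this varies by FI


def sweep(directory: List[TokenRecord], carrier: Dict[str, CarrierStatus], today: date) -> Dict[str, List[str]]:
    """Return token -> findings. Tokens with no findings are omitted from the result."""
    findings: Dict[str, List[str]] = {}
    for rec in directory:
        issues: List[str] = []
        status = carrier.get(rec.token)
        if status is None:
            issues.append("no carrier record; treat as unverifiable")
        else:
            if not status.active:
                issues.append("deactivated or cancelled; suspend token")
            if status.line_type != rec.registered_line_type:
                # Line-type monitoring: a number ported to VoIP or landline after registration.
                issues.append(f"line type changed {rec.registered_line_type} -> {status.line_type}")
            if status.subscriber_match is False:
                issues.append("carrier subscriber does not match customer; re-verify")
            if status.ownership_changed_since is not None and status.ownership_changed_since > rec.last_verified:
                issues.append("ownership changed after last verification; re-verify")
        if today - rec.last_verified > REVERIFY_AFTER:
            issues.append("verification older than cadence; re-verify")
        if issues:
            findings[rec.token] = issues
    return findings


# Constructed sample directory and carrier data (fictional 555 numbers, not real customers).
TODAY = date(2024, 3, 15)
DIRECTORY = [
    TokenRecord("+15555550100", "cust-001", date(2024, 2, 1), "mobile"),    # healthy
    TokenRecord("+15555550101", "cust-002", date(2023, 11, 1), "mobile"),   # stale and ported to VoIP
    TokenRecord("+15555550102", "cust-003", date(2024, 3, 1), "mobile"),    # deactivated by carrier
    TokenRecord("+15555550103", "cust-004", date(2024, 1, 20), "mobile"),   # ownership changed after verification
]
CARRIER = {
    "+15555550100": CarrierStatus(True, "mobile", True, None),
    "+15555550101": CarrierStatus(True, "voip", True, None),
    "+15555550102": CarrierStatus(False, "mobile", None, None),
    "+15555550103": CarrierStatus(True, "mobile", False, date(2024, 2, 10)),
}


def run_sample_sweep() -> Dict[str, List[str]]:
    return sweep(DIRECTORY, CARRIER, TODAY)


if __name__ == "__main__":
    for token, issues in run_sample_sweep().items():
        print(token, "->", "; ".join(issues))
```

Findings are lists rather than a single flag so that a token ported to VoIP and overdue for re-verification surfaces both reasons; the suspend-versus-re-verify wording in each message is the split the article draws between deactivated numbers and numbers that merely need confirming with the customer.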
Real-time payments will only continue to gain momentum as they become more mainstream. Having the appropriate fraud and risk solutions in place, however, will help ensure an easy, fast, and, most important, safe experience for your customers.
—Donna Turner is chief operations officer at Early Warning Services, Scottsdale, Ariz.