The fraud that threatens real-time payments is quicker—and demands quicker action.
Today’s world of instant gratification is about to take another big leap forward in July when a second real-time payments network debuts with the launch of FedNow, the Federal Reserve’s instant-payment network.
Announced as a concept in 2019, two years after The Clearing House Payments Co. LLC launched its Real Time Payments service, FedNow will begin with a set of approximately 120 participants. Another group, characterized as fast followers, will come onboard later. The pool of financial institutions that could potentially connect to FedNow, directly or indirectly, is more than 10,000. The TCH network has more than 300 active participants.
Financial institutions, service providers, and processors are keenly anticipating another opportunity to expand services and cultivate deeper relationships with their clients. But criminals, too, are aware of real-time payments and the fraud opportunities they can present.
And while the United States often is a leader in electronic payments, when it comes to real-time payments, it decidedly is not. India launched its faster payments service in 2016, and Singapore did so in 2014. And the United Kingdom has had a faster-payments system since at least 2008. The experiences of these systems and others could aid the U.S. faster payments environment, just as the nearly six years of experience at the TCH RTP network can.
‘First Line of Defense’
And when it comes to fraud, experience will matter—a lot.
“There is often a lag between instant payments coming online and fraud attacks in a new market,” says Shahar Ronen, product manager of payment risk at Plaid Inc., an open-banking specialist. “Fraudsters will take the time to understand the new market structure and identify points of weakness. It may seem initially that fraud is less of an issue than expected, but it is generally only a matter of time.”
The Federal Reserve is well aware of the potential for criminal activity involving FedNow. That’s why it set transaction limits at the network level—the cap is $100,000 but can be as much as $500,000 on request—and will enable participants to set lower limits. Financial institutions may also maintain negative lists that specify suspicious accounts their organizations can’t send to or receive from.
In its literature about instant-payment fraud, the Fed says participating financial institutions are the “first line of defense.” Any transactions they detect as fraud must be reported to the FedNow service to help with mitigation efforts.
Other risk-management measures include the ability to select the level of participation, to ask for more information from the originating entity, and to use digital signatures when exchanging messages. Encryption and tokenization applications will be used, too.
Enlisting participating organizations as the “first line of defense” implies a level of education to be alert for fraud, criminal behavior, and other indicators. Educating participants, many observers agree, will be a priority in countering real-time payments fraud.
“It’s important to educate users on the risks and the opportunities of real-time payments,” says Ross Hamilton, chief information security officer at Episode Six, an Austin, Texas-based payments-technology company. “Guidance is needed on how to recognize and avoid common scams and should be tailored depending on whether the user is a regular consumer or has a merchant account.”
Education is a top priority, says Rodrigo Figueroa, chief operating officer at Chargeback Gurus, a McKinney, Texas-based chargeback-mitigation firm.
“Once users understand the potential of such an infrastructure and how to use it, they will be much better positioned to make choices that reduce their exposure to harm,” he says. “It is imperative that education comes with content to promote secure behavior, especially when it comes to scams, which tend to increase with the introduction of real-time payments.”
Also aiding in spotting and stopping fraud is simple familiarity with faster payments. That could come at a financial institution that already works with TCH and its RTP service, or at an entity that offers Zelle, a peer-to-peer payments platform from Early Warning Services LLC. Or it could come from executives who have personally used a faster-payment service.
‘Payments Are Final’
Fraud on the TCH RTP network remains low, says Lee Kyriacou, vice president of RTP product management for TCH. “The RTP network is a credit-push system where the payer instructs the bank (or non-bank provider) to make a payment rather than the payee having funds debited from the payer’s account,” Kyriacou says in a response sent to Digital Transactions.
“Credit-push systems are generally considered to be safer by design because making a payment does not require the payer to authorize a third party to pull money from its account,” he continues. As a result, he adds, such systems have “much lower fraud rates.”
Across the RTP network, TCH has focused on mitigating fraud concerns by employing a mix of technology and consumer education on security best practices, Kyriacou says.
“We’ve found that fraud prevention requires ongoing consumer education of payers about account security best practices, such as using complex passwords, two-factor authentication, and putting in friction before a payment is made, e.g., pop-up notices like ‘Only make payments to those you trust’ or ‘Payments are final,’” he says.
Another consideration in countering fraud in an instant-payments environment is the pace of transactions and their irrevocable nature.
“Moving to real time means everything needs to be more exacting,” says Adam Gable, product director for financial crime, treasury, and risk at Temenos, a Switzerland-based financial-services platform. That means, in terms of the process, checking for sanctions and for fraud, he says. In Europe, for example, demand is up for real-time anti-money laundering checks, Gable says.
‘Detecting the Signals’
The concept of instant payments is more exacting than that of other payment types. While a successful instant payment can be satisfying to the payer, payee, and financial institution, when it’s interrupted there can be fallout, Gable says.
“The more consumers rely on that experience, the brand becomes more important,” he says. “The bank’s job is to elevate everything. It is challenging. It does open a new financial-crime vector.”
Initial FedNow use cases are more business-oriented, but even a bank or credit union’s client will need to educate its staff about how real-time payments work if they are new to them. Criminals may use phishing or social engineering to manipulate employees into authorizing a push payment.
“With higher transaction speed, victims have less chance to revert a fraudulent transaction if they find out later that they were scammed,” says Bence Jendruszak, chief operating officer of Seon, a London-based online fraud-prevention provider. “Customers need to be aware of the risks and have to be vigilant. Awareness communications and education of customers are even more important and have to be done by financial institutions.”
While algorithms can be operated within a rules-based system, accounting for the human element in a payment transaction is less rigid.
“It is a commonplace in information security that humans are the weakest link,” Jendruszak says. “Many fraudulent transactions [using] stolen credit card information start with a phishing email or SMS. Financial institutions should strive to inform users about this kind of attack to keep them more or less safe.”
The fraudulent-transaction reporting requirement built into FedNow also speaks to the role of collaboration in thwarting real-time payments fraud.
“There will not be a single solution to solving instant payments fraud,” Plaid’s Ronen says. “Collaboration between financial institutions, payment processors, technology providers, and regulatory bodies is essential.
“Money will be moving in real time, we—as a collective—need to be learning and detecting the signals in real-time,” Ronen adds. “As we’ve seen through cross-industry collaboration in the U.K., Brazil, India, and several other markets with successful instant-payment systems, [authorized push-payment] fraud requires a range of technical, policy and regulatory, and coordination tools. If we do not do it holistically, we open ourselves up to vulnerabilities which impact the adoption of the new infrastructure and capabilities.”
‘The Eye Opener’
Instant payments will require instant fraud decisions, not unlike what many involved in payments are accustomed to with card payments, e-commerce transactions, and peer-to-peer payments. What’s unique about real-time payments, especially with FedNow, is that, once authorized, the transaction is done and irrevocable, placing more emphasis on ensuring the validity of the transaction components.
“We know that every best effort has been made to secure information and prevent fraud at the source,” says John Buzzard, lead analyst for fraud and security at Javelin Strategy & Research, a Pleasanton, Calif.-based financial consultancy. “The rest of the heavy lifting is on the financial institutions to solve for and it’s not unreasonable.”
“The eye opener for financial institutions,” he continues, “should be the addition of specialized analysts who are in charge of the fraud-response and -mitigation process. This won’t be something that you can just add to someone’s daily job duties without suffering some major growth and fraud-loss pains.”
Real-time payments can alter the fraud-decision process, says Parag Rohan Jain, vice president and general manager of real-time payments at Brookfield, Wis.-based Fiserv Inc. “The rate of fraud detection is highly correlated with the speed of the payment,” Jain says. “You need the ability to detect fraud before a [request for payment] is sent across the rails.”
A request for payment is a tool for a person or organization to request an instant payment from another person or organization, according to the Fed. “Fraud detection needs to be in advance of executing a send instruction,” Jain says.
‘A Sustainable Balance’
As FedNow’s commercial debut nears and it joins the TCH RTP network in providing a financial institution-focused instant payments environment, it will face some familiar fraud threats that it is prepared for. But, especially if FedNow is a catalyst for widespread real-time payments adoption, it could foster a new security norm, one based on consumer and business education, collaboration, and speed.
For financial institutions, that will mean a faster fraud-decisioning process, says Jorge Jimenez, president of Juniper Payments LLC, a Wichita, Kan.-based payments and banking services provider that is part of PSCU, a credit union service organization. That won’t be easy to do.
“Financial institutions need to enforce time-efficient fraud-prevention measures while improving false positive rates and ensuring a seamless user experience,” Jimenez says. “To achieve this, sophisticated fraud-prevention measures similar to those currently in place for cards are necessary, such as two-factor authentication and real-time monitoring.”
This means manual tasks are not feasible in detecting real-time payments fraud. “Specialized systems with low response time and high transaction-processing capabilities with the support of highly customizable, complex detection and evaluation rulesets are essential to combat fraud at this speed,” says Seon’s Jendruszak.
While balancing fraud measures against legitimate transactions, real-time payments providers can adopt a multi-layered approach that combines prevention, detection, and response, suggests PJ Gupta, chief executive at San Mateo, Calif.-based Checkbook, a payments provider.
Risk-based transaction monitoring and transaction limits can help with prevention. Real-time monitoring and transaction data analysis to detect anomalies and suspicious activity are another element. “In the event fraud is detected, it is important to respond quickly to minimize losses and prevent further damage,” Gupta says.
Contending with the possibility of real-time payments fraud doesn’t necessarily mean a wholesale overhaul of an organization’s approach to prevention, but it does require a unique review of how such crime differs from other fraud.
There may be an assumption in some places that real-time payments are similar to card transactions, Figueroa says. That idea “could not be further from the truth,” he adds. “For this reason, real-time detection models need to be super-calibrated and updated constantly to ensure a sustainable balance between usability and risk.”