
Seven ways to combat fraud in Financial Services

Philippa Kelly looks at what the financial services industry should be doing to combat fraud, the most common crime in the country

A multifaceted issue for banks and insurers, fraud has hit the headlines numerous times throughout 2019. From the college admissions scandal splashed across the celebrity gossip pages, to the allegations against Action Fraud reported in The Times, instances of fraud seem to be increasing.

Fraud creates operational, reputational and financial risks for businesses of all shapes and sizes, and is increasingly front of mind for boards. Where the responsibility to fight this growing epidemic actually lies is a matter of debate between consumers, police and financial institutions. But it’s clear that everyone needs to up their game.

In The Royal Bank of Scotland’s (RBS) 2018 annual report, chief executive officer Ross McEwan described the bank’s responsibilities: “Alongside our financial strength we have continued to build greater resilience into our systems, helping to protect our customers who are at greater risk of fraud and scams than ever before.”

In terms of outcomes for victims, this includes law enforcement and those who work on their behalf. Prosecution and conviction rates for fraud are incredibly low. The treatment of fraud victims by Action Fraud – the national fraud and cyber crime reporting centre – exposed by The Times earlier this year, paints a depressing picture of the uphill struggle to successfully bring a fraudster to justice.

The outsourced first point of contact for fraud victims can barely scratch the surface on the number of cases that need to be dealt with, but the reported mocking, ignoring and not taking victims seriously suggests that a cultural change is needed in terms of how we look at the crime, as well as the resources needed to combat it.

In a recent speech Charles Randall, chairman of the Financial Conduct Authority (FCA), called out the role of government: “We need to discuss whether policy makers do enough to embed thinking about the risk of skimming and scamming into the savings and investment policies they make.”

While Randall explicitly stated that this was not a view on the wisdom of pension freedom policy as such, the implication is clear. If individuals are to be given greater responsibility for their own finances, and we expect them to remain resilient, we need to ensure they’re confident and able to make the right decisions at the right time.

The inability to deal with fraud and the creation of an environment where it can easily flourish means efforts at prevention are more important than ever.

Wider vulnerability

Tackling fraud requires us to think differently about vulnerability. The traditional understanding of who is a vulnerable customer risks underplaying the fact that people across the spectrum can be equally vulnerable to fraud.

In September, private banks warned their high-net-worth customers about the need to be alert to fraud. One JP Morgan Private Bank customer was reported to have been tricked into transferring $250,000 to a fraudster who found information about the family’s holiday on Facebook and used this to convince them to make the transaction.

“Fraudsters aren’t stupid,” comments David Clarke, chairman of The Fraud Advisory Panel, the respected, influential and independent voice of the anti-fraud community. “They will exploit individuals’ weaknesses but also their strengths.”

No one is immune to fraud, as the statistics show. Investment fraud is the latest area of focus for the FCA, which has identified 5,000,000 pension customers it considers to be at risk of falling for scams. With the average investment fraud loss sitting at £30,000, further consumer awareness of the risks is clearly needed. That someone is not by definition a vulnerable consumer does not mean they are not perhaps even more vulnerable to fraud.

Helping consumers

Despite several well publicised cases, inspiring people to act on the messages around fraud prevention is problematic. Commander Karen Baxter, national co-ordinator for economic crime at the City of London police, has said people should be “more diligent [and] more personally responsible.”

The Fraud Advisory Panel has called for a public service campaign across different mediums to address this, but it has yet to appear. Alongside this, a more consistent approach to messages around cyber security would also help. If consumers are expected to take more responsibility, we need to go some way to increasing the general level of education around how to avoid fraud.

Given that fraudsters are reliant on the mechanisms of the financial system to succeed, some think that starting with the banks is a more effective way to tackle fraud. Since its launch in May 2019, 17 banks have signed up to the voluntary industry code – the Contingent Reimbursement Model Code for Authorised Push Payment Scams. Under the code, banks will confirm whether an individual who is the victim of fraud will be reimbursed within 15 business days and cannot take more than 35 business days. Many are still working through the practicalities of the code, including accounting implications.

It’s not a get out of jail free card for consumers though. An individual may not be reimbursed if they:

  • ignored warnings about scams when setting up and amending payees, or before making a payment;
  • didn’t take care to establish that the person they were sending money to was legitimate;
  • were ‘grossly negligent’ – which may be strictly interpreted;
  • are a small business or charity and did not follow internal procedures for making payments; or
  • acted dishonestly when reporting the scam.

If consumers don’t feel a bank has adhered to the code they may have recourse to the Financial Ombudsman Service.

Confirmation of payee

As well as putting pressure on banks to ensure those who fall victim to push payment fraud are fairly treated, measures from the Payment Systems Regulator due to come in next year should give individuals a better chance of avoiding fraud in the first place.

After some delay, the six largest banking groups in the UK, who are involved in around 90% of bank transfers, will implement Confirmation of Payee (CoP) by 31 March 2020 (banks will have to respond to confirmation requests from 31 December 2019).

CoP is the industry-agreed way of ensuring that names of payment recipients are checked before payments are sent. It will work by checking whether the name of the account that a payer is sending money to matches the name they have entered. Alerts will notify the payer when there has not been a match, meaning corrections can be made before the payment is made.

The additional check and hurdle to making an online payment should help cut fraud, but banks – notorious for being somewhat verbose in their disclosures – need to ensure clear messaging and that customers know when to seek help in order for it to be as effective as possible. This is vital when phishing emails and other tactics are becoming increasingly sophisticated.

Strong customer authentication

Other customer-initiated payments will soon become subject to strong customer authentication (SCA), which adds friction to online transactions. This element of the Payment Services Directive 2 (PSD 2) is being phased in from September 2019, when online banking requirements come in, through to March 2020 when payments firms follow, with online retailers bringing up the rear with their new deadline of March 2021, deferred after they complained they weren’t ready.

SCA requires any customer-initiated online payments (phone payments are not in scope), including non-recurring direct debits, to be authenticated with two of the following:

  • something the customer knows – a password, or a PIN;
  • something the customer has – a phone or a token; or
  • something the customer is – facial recognition or a fingerprint.

It is expected that banks will start declining payments made without two-factor authentication, but there are exceptions for low-risk transactions where fraud rates are below a certain level.

SCA also has implications for contactless payments, where they will be declined after a certain number of payments or at a certain value in order to be further authenticated, which may make them less convenient but will be a relief for anyone who has ever worried about a lost or stolen card. As Apple Pay and Google Pay already use biometric security, they’re exempt, so they may be a more convenient way to pay for those who already use them or were thinking about it.
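The SCA rules described above, modelled as an added example in Python (not part of the original article and not any bank's code). It shows that two factors only count when they come from different categories, the low-risk exemption for online payments, and the contactless step-up; the factor names, the "card" entry and both limits are assumptions, since the article gives no figures.

```python
from dataclasses import dataclass

# The three factor categories listed in the article; factor names are illustrative
# and "card" is an assumed possession factor for chip-and-PIN.
CATEGORY = {
    "password": "knows", "pin": "knows",
    "phone": "has", "token": "has", "card": "has",
    "face": "is", "fingerprint": "is",
}

# Hypothetical limits: the article only says "a certain number" and "a certain value".
MAX_TAPS_WITHOUT_SCA = 5
MAX_PENCE_WITHOUT_SCA = 10_000


def satisfies_sca(verified):
    """Two verified factors count only if they come from different categories."""
    return len({CATEGORY[f] for f in verified if f in CATEGORY}) >= 2


def authorise_online(verified, low_risk_exempt=False):
    """Decline online payments lacking SCA unless a low-risk exemption applies."""
    if satisfies_sca(verified):
        return "approved"
    return "approved-exempt" if low_risk_exempt else "declined"


@dataclass
class Card:
    taps: int = 0    # contactless payments since the last SCA
    pence: int = 0   # cumulative contactless value since the last SCA


def authorise_contactless(card, amount_pence, verified=()):
    """Allow taps without SCA until a count or value limit is hit, then step up."""
    if satisfies_sca(verified):          # e.g. chip and PIN, or a biometric wallet
        card.taps, card.pence = 0, 0     # counters reset after authentication
        return "approved"
    if (card.taps + 1 > MAX_TAPS_WITHOUT_SCA
            or card.pence + amount_pence > MAX_PENCE_WITHOUT_SCA):
        return "declined-authenticate"
    card.taps += 1
    card.pence += amount_pence
    return "approved-exempt"
```

A password plus a PIN fails the check because both are knowledge factors, while a phone plus a fingerprint passes, which is why biometric wallets never hit the contactless limits in this model.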

Appropriate infrastructure

Industry-wide and regulatory-driven initiatives aside, fraud solutions often seek to rely on technology not only to strengthen the banks’ and insurers’ ability to fight fraud, but also to empower the end user to combat fraud. This has the potential to be increasingly effective, but also gives rise to new risks like AI-enabled fraud (see “Vishing” below). Insurers are fighting fraud on all fronts – encouraging customers to be more aware, and developing new technology to combat fraudulent claims. This has become a particular focus with the rise of large bodily injury claims settled with periodic payment orders, where the insurer takes the investment, inflation and longevity risk that would sit with the claimant if a lump sum had been awarded, making these awards more expensive for insurers. For example, AI is increasingly being used to analyse voice data when assessing claims.

As incumbent financial institutions try to keep up with technological changes, fintech firms are ploughing ahead unhindered by legacy IT challenges. Some of the newer banks are being more proactive on combatting fraud and are achieving good results. They’re increasingly able to use data to spot issues in advance of even the business itself. In 2018, mobile bank Monzo outed the breach at Ticketmaster and helped customers protect themselves by prompting password changes and other action before Ticketmaster even got in touch with people.

In 2013 the Financial Services Faculty published Audit Insights: Banking, where we highlighted that banks have under-invested in renewing core systems and no UK bank of any scale has an integrated or fully modernised IT system. Since then, customers have dealt with system outages and increasing fraud, not helped by enduring legacy systems. There is still the need, as pointed out in the report, for boards to consider whether their IT systems are sufficiently robust and resilient to threats posed by cybercrime and operational vulnerabilities, and are fit for purpose. They will also need the right mix of experience and support to enable them to assess this robustly.

Finding the balance

The fraud epidemic highlights a perfect storm of regulators and financial institutions trying to keep up with increasingly sophisticated fraudsters; a lack of policing priority and budget for victims of fraud; confusing policy messages about financial responsibility and resilience; and a continuing lack of consumer education about fraud and financial responsibility. There is also the issue of how we share personal data and the role of big tech in making individuals more aware of the picture of our lives that can be built up and accessed by fraudsters.

The role of financial services firms in contributing to better infrastructure and checks to empower consumers is clear, but it is only one piece of the puzzle. Everyone must play their part.

Vishing

In September, the Wall Street Journal reported the first AI-based “vishing” voice fraud, which cost a company (or rather, their insurer) $243,000. Fraudsters used commercially available software to impersonate the boss of a German parent company, tricking the CEO of its UK subsidiary into transferring funds to a Hungarian supplier on the promise they would be immediately reimbursed. The cyber criminals have not been tracked down and it fell to the company’s insurer to cover the cost of the payment.

As technology becomes more readily available and organisations' defences work hard to keep up, this type of authorised push payment fraud will inevitably increase. Advice from the investigators was that in this sort of business situation, voice instructions should be followed up with email or another form of communication – a simplistic two-factor authentication if you will.

About the author

Philippa Kelly, head of financial services, Financial Services Faculty