
Scams: global legislation and approaches to liability


There has been a significant shift from third-party fraud and account takeover (ATO) to scams, social engineering and Authorized Push Payment (APP) fraud. While the industry has not fully aligned on terminology for the modus operandi, and several overlapping taxonomies remain in use, this is converging – largely thanks to the EU Fraud Taxonomy, as well as the classification from the US Federal Reserve.

While these frameworks differ significantly on how they classify the “who” and the “how”, they are well aligned on two broad fraud classifications:

  1. Unauthorized fraud, where somebody other than the user performs the payment, for example following an ATO.
  2. Authorized fraud, where the user is the one performing the transaction.

There is one additional nuance of authorized fraud that the US Federal Reserve captures in more detail: cases where the beneficiary account details have been modified by the fraudster, but it is still the user who initiates the payment.

The size of the problem is clear. According to EU and UK fraud reports, of all account-to-account transfers, between 48% and 73% of the fraud is authorized fraud.

Scams and the question of liability

Who should cover the losses, from a liability standpoint, is a balancing act that is still being worked out, and the answer varies significantly between countries. While Northern Europe is starting to settle on the liability for scams sitting with the banks, court cases on the issue of liability are still to be decided.

The split between sender and receiver

The United Kingdom has had clear guidance on reimbursement of fraud through the Contingent Reimbursement Model (CRM). The CRM has now been expanded in the Payment Systems Regulator’s (PSR) new legislation on APP fraud to split the liability for reimbursement 50%-50% between the sending and the receiving bank. The thinking behind this is to align incentives with the fact that monitoring outgoing payments is just as important as avoiding mule accounts. This will have a significant impact on money remittance services, which until now have been relatively isolated from liability for money they receive and then send on to the next account. More can be found in the PSR legislation itself.

Central Europe and voluntary reimbursement schemes

Within Central Europe liability tends to sit with the bank, but on a more voluntary basis (instead of legislation and court cases).

As Central Europe has some of the best detection rates for scams, reimbursement is easier there given the lower volumes and total value of losses.

North American legislation

With more consumers turning to real-time payments platforms such as Zelle, the scams landscape in North America is shifting further towards users being coerced by fraudsters into making payments themselves. This has prompted discussions in the US around reimbursement and APP fraud prevention, with new guidance being developed by the Consumer Financial Protection Bureau (CFPB) that could potentially lead to an extension of Reg E to cover these types of scams.

In 2021, the US CFPB published a document clarifying the implications of Regulation E (Reg E). This included details around protection for consumers who are tricked into handing over account details to scammers, who then later use this information to access the customer’s account and make payments from it.

Whilst these changes aren’t as clear cut as in other regions such as the UK, we can see that legislation is beginning to adapt, particularly to factor in the rise of authorized fraud.

Some way to go for global best-practices

What is also interesting is the significant difference in strategy between financial institutions and between countries. Below are some examples of strategies, and of how the varying scams legislation supports, incentivizes, or hinders effective fraud detection and prevention:

  • Use of dedicated machine learning for scams detection, rather than just a generic fraud model trained on unauthorized fraud. Regulation around AI is a clear help here, as it enables the use of such models for these purposes.
  • Use of real-time inbound payment scanning. This is also related to how banks handle concerns about possible anti-money laundering (AML) tipping-off risks, and how they block funds in those cases. Here fraud legislation can help by clarifying the boundaries and the approaches that can be taken without coming into conflict with AML legislation.
  • The capability to analyze signals such as the presence of Remote Access Trojans on the user’s device (common in up to 50% of scam cases), and behavioral signals that indicate duress or coercion into performing a payment. Fortunately, legislation permitting this kind of monitoring is already in place, so there is no legislative challenge in this case.
  • Data sharing over and above Malware Information Sharing Platform (MISP) instances for threat intelligence, which goes wider than security information and is also being piggybacked by fraud experts. The challenge for local legislation is how specific victim and fraudster data can be shared while remaining compliant with bank secrecy and GDPR. This is where exceptions in legislation for use for fraud prevention purposes are important, but at the moment these vary widely between countries.
  • The approach to crypto: whether crypto payments are allowed at all, and whether they are reimbursed when they form part of the modus operandi of an investment scam. Here legislation also plays a role; for example, the PSR has specifically called out crypto in its guidance on reimbursement examples. Further regulatory clarity on AML, KYC and fraud responsibility for crypto transactions is already helping here.
  • The work on takedowns and on the prevention of fraudulent search ads and phishing sites, as well as the blocking of inbound fraud SMS. Here legislation also plays an important role in how other players in the ecosystem are enabled and incentivized to reduce possible contact points for fraudsters. While the UK is considering legislation in this area, we have also seen good results based simply on better collaboration.

The detection rates for scams can vary significantly. Some banks’ detection capabilities are as low as 20%, but they can be above 80% for other banks, depending on which of the above strategies they utilize.

Deploying the right technologies to prevent scams

There is a lot of work to do and a lot of potential in the fight against scams. Having legislation that enables and helps in that fight is crucial, but so is deploying the right solution. At Callsign we work on sharing best practices across borders, and our combined intelligence and orchestration capabilities empower banks not only to detect more scams but also to ensure the appropriate preventative methods can be deployed – whether it is authorized or unauthorized fraud that is taking place. All of this is tracked and reported to help align with local (and global) legislation.

There is still a long way to go in the prevention of scams, and I am excited about all the discussions going on between the financial sector and governments around the globe for more legislation that can facilitate better scams prevention.

If you’d like to discuss legislation or any of the methods outlined in this blog further, feel free to get in touch or connect with me on LinkedIn.
