APP fraud is rocketing, up 70 per cent in six months, and likely to be a multi-billion business shortly. No one is surprised to learn that the Bank of England, Pay.UK and UK Finance (The Collaboration) have joined forces in defining a new data model to mitigate Authorised Push Payment Fraud and reduce friction in the payment process, e.g. misdirected payments (1).
The question is whether all banks will implement the procedures voluntarily, since everyone needs to be all in to really mitigate APP fraud.
Using the international data standard ISO 20022 for message formats gives The Collaboration the opportunity to enable the:
· Payer to know exactly where the payment is at any moment
· Payee to receive full information on the actual payment
· Payer to receive information on Payee to identify suspect payments faster
What is needed is a synthetic entity and for this example let’s call it SCAM. It is shown above in a high-level logical data model (HL LDM). SCAM sits on the same level as the Bank, Customer and Counterparty.
Banking scams come in many disguises and are inextricably linked to the counterparty, commonly referred to as the Payee in a bank payment transaction.
Also, it’s well known that the Bank owns its accounts and permits the customer to use them. In cloud technology parlance, this could even be called Bank Account As A Service or BaaS, because a monthly fee or subscription is becoming the norm. Apart from some of the challenger banks, the incumbents mostly charge an account maintenance fee to use their bank account service.
Professional cyber criminals have set up their own cloud subscription service to compete with BaaS: RaaS, or Ransomware as a Service, in order to attract the new masters of the universe – scammers.
Now two Goliaths are at the top table, so let’s consider their marketplace. Lo and behold, both BaaS and RaaS are after bank customers’ money.
What’s interesting about these two Goliaths is that one hosts the other – it’s a bit like a parasite using the host for nourishment. In order to execute scams on bank customers, scammers themselves need bank accounts.
Therefore, in developing an effective payment technology to deal with APP and banking fraud, it is of the utmost importance to Know Your Payee.
Confirmation of Payment, CoP, shows who owns the bank account but is only used by 5 per cent of banks, and by not one bank making international transfers (IBAN does not show who owns the bank account).
The issue is like COVID. If you are not vaccinated (non-vaxx) you are more likely to spread the virus than those who are vaccinated. Banks with CoP have to pay away to non-CoP banks, and it is here that the fraudsters, like COVID, hang out. Without the whole industry providing data to identify scammers, the cost of fraud will continue to rise. Fraudsters gravitate to the weakest link, the non-CoP bank.
The collaboration will result in a new standard of access to the right information that would definitely mitigate APP fraud, but only if used by all in the banking and payment community. If even a few in the community do not participate, they will become the fraudsters’ bank accounts of choice.
CoP was mandated to the top six banks as they represented 85 per cent of the payment volume. Fraud was then evenly spread across the payment flow. Since then, the 15 per cent of payments received by non-CoP banks has come to represent 50 per cent of the industry’s fraud, and growing.
The Collaborators must ensure the community, as a whole, implements their recommendations to strongly mitigate fraud while making the process even more frictionless.
John Bertrand and Douglas Cosbert