Financial institutions must collaborate and see the bigger picture to prevent fraudsters taking advantage of the fragmented payments sector.
Companies must forge a data sharing mechanism in order to tackle payment-related financial crime, a white paper from The Payments Association says.
Fraudsters are becoming more sophisticated and taking advantage of the increasingly fragmented payments sector, piling costs onto companies. Financial crime compliance costs hit £32.4 billion in 2023, up 19% from two years earlier, according to the report published in April.
Data sharing is a key weapon to prevent criminals exploiting the gaps in the payments infrastructure, but companies’ ability to share data is hampered by legislation designed to protect consumers that in fact makes anti-fraud cooperation more difficult.
One solution, which may be made easier by new rules in the UK, is to create mechanisms that enable data sharing partnerships, says Nick Fleetwood, head of data services at Form3. These mechanisms “need to be specific in terms of the problem they solve, the data required, the standards that need to be applied to that data and how the data will be handled, protected and stored”.
The payments sector is going through a period of disruption and innovation, with people able to choose from a wider range of products and providers than ever before.
“This offers clear benefits to consumers but makes it even more difficult for a single institution to detect bad behaviour,” says Kathryn Westmore, senior research fellow at the Royal United Services Institute, a military and security think tank funded by members, companies and non-UK governments.
Retailers and telecommunications companies involved in payments are particularly reticent with customer data, The Payment Association’s white paper notes.
Financial institutions will only see its own part of the picture, which can be as little as 15-25% of its own customers’ activity, states the white paper. This makes it harder to spot fraud – either by or against consumers – and also carries institutional risk.
“There is also an obligation to identify unusual transactions and if a financial institution only sees a fraction of a customer’s activity, it has no baseline to judge what is ‘usual’ activity,” the white paper adds.
The best way to stop criminals exploiting the fragmentation and lack of information is to share data.
“We need to see collaboration between financial institutions to make sure we’re stopping scams at their source and catching the criminals who are committing fraud,” says Aaron Elliott-Gross, group head of financial crime and fraud at Revolut.
Data sharing can be particularly helpful in the areas of customer identification, transaction monitoring, sanctions, risk and business relationship management, as well as beneficial ownership identification, the white paper says.
In addition, better informed companies can help companies identify different types of crime and cooperate with inquiries from the intelligence services.
But at present, companies are hesitant to share data with competitors, even when the data concerns suspicious parties, victims or even proven criminals.
“There are not sufficient incentives to share data with other payment companies,” says the report’s executive summary.
Data protection is companies’ biggest concern around sharing more data, with around eight out of 10 respondents to The Payment Association’s February/March survey listing it as a concern when asked.
The UK’s upcoming Data Protection and Digital Information Bill recognises preventing crime as a ‘legitimate interest’ for companies, cutting out various paperwork steps that are currently necessary to share data for anti-fraud purposes “where the processing is necessary for the purposes of (a) detecting, investigating or preventing crime, or (b) apprehending or prosecuting offenders”, the white paper highlights.
If the government passes the proposed legislation as it currently stands, it will largely – though not completely – address data protection fears, leaving financial institutions free to overcome other obstacles.
Katie Hewson and Chloe Kite of Stephenson Harwood LLP note that firms will still feel “some nervousness” about data sharing, and that “data protection hurdles remain”.
Yet the direction of travel is towards giving firms more leeway to share data.
The government also paid lip service to greater collaboration in its second Economic Crime Plan, published in March this year, which covers 2023-2026.
And the Economic Crime and Corporate Transparency Bill, which passed the House of Commons in January 2023, recognises that regulated firms struggle to share data and proposes allowing firms to voluntarily share customer information under some circumstances.
Another development that can help allay data-sharing concerns is the emergence and proliferation of privacy-enhancing technologies (PETs) like homomorphic encryption, where data is encrypted in such a way that it can still be run through formulae.
While some of these technologies are in their infancy or haven’t yet proven their robustness against sophisticated cyberattacks, they show promise for the future.
The White House Office of Science & Technology and Innovate UK ran a research challenge on designing PETs for preventing economic crime in September 2022.
It’s against this legislative and technological backdrop that The Payment Association issues its call for a data sharing mechanism.
Financial institutions are bad at sharing data. So bad, in fact, that in December last year, Santander UK was fined for not sharing data – with itself. It had been worried it would be fined for the opposite.
Current processes for sharing information are largely ad hoc and inefficient, says the white paper. They also tend to focus on investigating crimes that have already happened, rather than on prevention.
While many firms are open to sharing data under certain circumstances and for specific reasons, these circumstances and reasons are often unaligned. The solution is a mechanism which aligns the purpose, format and processes for sharing data, argues the white paper.
“Standardising the data that is sent between organisations (such as agreeing a predefined structure and definition) can help unlock many of the technical barriers associated with slow information exchange, allowing for quicker detection of suspicious payments,” says David Heron, head of standards at Pay.UK.
This data could then be held in a centralised repository which appropriate authorities could access – an approach that four-fifths of respondents to two separate polls by The Payments Association favoured.
The white paper suggests a new mechanism could target onboarding and off-boarding of customers.
“Now is the time to build a robust, data-driven, interoperable and centralised mechanism that enables effective data sharing through a public-private partnership,” the report concludes.
Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.
We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.
Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.
Please click the button below which relates to the issue you’re having.
Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association
Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.
For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.
The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.
Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.
Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.
For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.
