Open banking fraud: An open question for UK regulators

by Fatemeh Nikayin, co-founder, Rivero


Banks and criminals are locked in competition for customers and transaction revenue, using advanced technologies as weapons of choice. Technologies that deliver speed and convenience in modern banking, if unprotected, can be weaponised against unsuspecting consumers, who are falling prey in record numbers to account-to-account payment fraud. These threats will continue to scale, according to a recent study, in which 62% of financial institutions surveyed saw an increase in authorised push payment (APP) fraud.

“While the speed of these payments helps to improve convenience, transparency, and confidence in payments, it also increases the chances for fraud, and in particular authorised push payment (APP) fraud, when a fraudster tricks their victim into transferring funds into their account by pretending to be a legitimate payee,” Outseer researchers wrote, observing that APP fraud is growing faster than card fraud in numerous markets. 

Private sector impacts

In June 2023, the UK’s Payment Systems Regulator (PSR) published a proposal requiring payment firms to reimburse APP scam victims who lose money over the country’s Faster Payment System (FPS) rails, operated by Pay.UK. If approved, the new guidelines would become effective 7 October 2024. In addition, the PSR introduced similar guidelines for transactions on CHAPS, the UK’s real-time sterling payment system, operated by the Bank of England, requiring “banks and other payment firms participating in CHAPS to reimburse their customers who have been victims of authorised push payment (APP) scams.”

With plans to finalise FPS rule changes by September 2024, the PSR remains open to public commentary and received a private briefing on 10 June 2024 from The Payments Association, an industry trade association representing the UK’s broadly diversified payments community. Recommendations included delaying the implementation of the new rules by at least 12 months to allow for preparation, testing, and development. 

Tony Craddock, director general of the Payments Association, urged the PSR to allow more time for the rule changes. “This move by the PSR represents a prime opportunity to re-set the relationship between the payments industry and one of its most important regulators. We believe that to mitigate systemic risk and prevent damage to the payments industry from some of the PSR’s current plans, significant changes are needed.”

Riccardo Tordera, Head of Policy and Government Relations at The Payments Association, concurred, stating that hastily implementing these rule changes would increase risk and reduce competition and that Pay.UK needs more time to build and test its dispute resolution mechanisms and Confirmation-of-Payee capabilities.

Public sector impacts

Craddock and Tordera commended the UK Home Affairs Committee for exploring other avenues for reimbursing fraud victims, such as establishing a fraud levy on social media companies. These suggestions were detailed in a 23 May 2024 letter by Dame Diana Johnson, MP, to Home Secretary James Cleverly MP in response to its September 2023 fraud inquiry. 

Johnson advised the government to take a more holistic approach to combatting fraud by clarifying the roles and responsibilities of government entities and coordinating policymaking and enforcement resources. Such clear governance and oversight would foster a whole-system approach to managing multiple layers and iterations of fraud, she stated. 

“The harm from fraud is not just limited to the direct harm impacting victims,” Johnson wrote. “Fraudsters range from individuals to serious and organised crime groups. During our inquiry, we were particularly alarmed to hear that the proceeds from fraud can fund serious and organised crime and, in some cases, terrorism.” 

Personal impacts

Johnson noted that fraud takes a personal toll on those affected, who do not always know where to turn for assistance. A robust reporting system would make it easier for people to report crimes and track individual cases, she said, and proactive measures would help prevent financial crimes, particularly in the banking sector. For example, the Financial Conduct Authority (FCA) could monitor financial institutions’ KYC practices to prevent fraudsters from opening bank accounts or manipulating legitimate account holders into transmitting funds. 

“We believe the FCA needs to ensure there is greater supervision of banking crime controls, including making sure banks are consistently performing customer checks and transaction monitoring,” she wrote, urging the FCA to enforce best practices and improve data sharing across industries to build a “whole system, data-driven response to tackling fraud in the UK.”

Tordera agreed that public and private sector cooperation will protect customers from fraud and facilitate safe, convenient, affordable and accessible financial services. 

“Our shared aim is that we lead our market and consumers to a period of innovation and growth, and this is why we’re working proactively to help the PSR with the main priorities regarding APP fraud and the payments infrastructure,” he stated. “We hope [that] the PSR [will] listen to our recommendations, allow all stakeholders more time to prepare and that this is the start for increased collaboration.”

Global impacts

As UK regulators noted, financial crime is a global issue. The 2024 Global eCommerce Payments and Fraud Report, published by Cybersource, Visa, and the Merchant Risk Council in April 2024, found an increase in multiple attack vectors in 2023.

“The types of fraud that merchants are seeing more of this year include first-party misuse, account takeover, loyalty fraud, and triangulation schemes,” researchers wrote. “Refund/discount abuse and first-party misuse now top the list as the most common forms of fraud, each impacting nearly half of merchants globally. Phishing, card testing, and identity theft remain prevalent threats, as well.”

Researchers also found a 69% increase in first-party fraud and chargeback misuse in North America, affecting over 6 in 10 merchants, driven by inflation and rising ecommerce usage. Addressing these issues will require multiple strategies and techniques, they stated, noting that advanced technologies have been proven to outperform traditional notifications in identifying, verifying, and onboarding legitimate customers.

Beyond KYC

With the help of AI, ML, and other advanced payment technologies, financial institutions and service providers can know their customers and build trusted, long-term relationships. Live chatbots and virtual assistants, for example, keep lines of communication open by answering questions and escalating service issues.

Always-on chatbots and virtual assistants, built to comply with local privacy requirements, are designed to improve efficiencies and the customer experience. These always-on helpers are effective fraud deterrents, even in cases of friendly fraud, where they can offer equally friendly step-up challenges to stop chargebacks before they happen.

In the digital age, fraudsters and payments industry stakeholders are leveraging the same technologies for very different purposes. Improved collaboration and oversight within the global financial community will help stem the rising tide of attacks against merchants, customers, service providers, and financial institutions.

Article by Rivero
