Payment Fraud: All You Need to Know in 2024

by Andrew Novoselsky, Chief Product Officer, SumSub

What is this article about? The article highlights the escalating threat of payment fraud, particularly identity fraud. It discusses challenges faced by industries at risk, the limitations of KYC measures, and offers strategies such as strong verification processes and the adoption of Payment Orchestration Platforms (POPs) to bolster defences.

Why is this important? Addressing payment fraud at its core is a must due to its significant impact on businesses, consumers, and financial systems.

What’s next? The next steps involve implementing advanced fraud prevention technologies, enhancing transaction monitoring processes, strengthening authentication methods, educating personnel, and ensuring compliance with regulatory standards.

Andrew Novoselsky, Chief Product Officer at SumSub, explores why payment fraud poses a substantial challenge to the payments industry, and why its severity is expected to escalate in the coming years.

According to Statista, fraudulent transactions using payment cards alone are expected to increase to $38.5 billion by 2027.

Payment fraud prevention is paramount for businesses and their clients, not only for anti-money laundering (AML) compliance but also to protect assets and business reputations. However, fraudsters are constantly seeking new ways to commit payment fraud, whether through social engineering or by creating look-alike domains to pose as legitimate vendors.

There is no magic tool that can solve all fraud; however, there is a principle that can help companies effectively deal with different types of threats. It’s the blended approach principle, which involves multi-layered protection at different stages of the user journey. According to this principle, you can install several relatively simple layers that, when combined, prevent complex threats.

Let’s explore why a comprehensive transaction monitoring solution is a way to stay one step ahead of fraudsters.

What real payment fraud looks like in 2024

Phishing, business email compromise (BEC) and card authentication are still challenges for industries at risk of payment fraud. But in 2023, identity fraud moved to the forefront.

According to the Sumsub Identity Fraud Report:

  • The Fintech sector saw identity fraud rise from 0.67% to 1.16% between 2021 and 2023.
  • Identity fraud in E-commerce increased from 0.63% in 2021 to 1.02% in 2023.

And identity fraud isn’t just growing; it’s becoming more sophisticated. Fraudsters are increasingly using deepfake technology: according to our internal statistics, the number of deepfakes worldwide increased tenfold from 2022 to 2023. Deepfake videos can be used by scammers to manipulate victims, as recently seen in Hong Kong, where a multinational company lost US$25.6 million (HK$200 million) due to an employee being deceived by a digitally created version of a company executive during a video conference call.

According to our report, another common type of identity fraud is a more complex scheme: money muling, where seemingly innocent individuals, known as money mules, are recruited to transfer illegally obtained funds, disguising their origin.

Despite efforts to strengthen security measures, account takeovers are also steadily increasing. According to our internal statistics, account takeover incidents increased by 155% in 2023. A recent example is the case of Ripple co-founder Chris Larsen, who experienced unauthorised access to his personal accounts, resulting in a fraud loss valued at $112.5 million. Technological advances are giving attackers more sophisticated methods of compromising user credentials, including phishing attacks.

However, not all payment fraud involves identity theft; 70% of chargebacks are attributed to friendly fraud. To detect these types of fraud, KYC alone is not enough.

Why KYC is not enough to prevent payment fraud

Why is KYC information important for fraud prevention? Because one way to identify a suspicious transaction is to compare it with the profile of the account holder (historical transactions and profile data).

Another approach is to compare the transaction not to that specific user but to the relevant comparable groups of users and the transaction patterns of those groups. If there is a discrepancy, then again you have suspicious activity that should be investigated.

However, KYC itself is not a panacea for all problems, because today KYC data is being sold on the Darknet. According to recent research conducted while developing our proprietary course on transaction monitoring, many individuals voluntarily sell packages of their own full KYC data on the Darknet, known as KYC kits. Surprisingly, this information is not that expensive. We investigated the cost of KYC kits and, depending on the jurisdiction, the price generally ranges from $5 to $10 per kit. To ensure the detection of such cases, you need to orchestrate different tools within your compliance procedures. A reliable transaction monitoring tool allows businesses to set triggers that detect suspicious transactions, such as purchases made by the same client simultaneously, unusually large transactions (above the AML threshold), and high-risk geographies.
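The triggers named above, together with the comparison against the account holder's own history described earlier, can be expressed as simple rules. The following is an added illustration, not code from the article or from Sumsub's product; the AML threshold, the high-risk country list, the one-minute "simultaneous" window, the profile multiplier and the transactions are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Assumed rule parameters (not from the article).
AML_THRESHOLD = 10_000                 # amount above which a transaction is reportable
HIGH_RISK_COUNTRIES = {"XX", "YY"}     # placeholder codes standing in for a risk list
SIMULTANEOUS_WINDOW = timedelta(seconds=60)
PROFILE_MULTIPLIER = 5                 # flag amounts above 5x the client's historical mean

# Constructed sample transactions and per-client history of prior amounts.
TRANSACTIONS = [
    {"id": "t1", "client": "c1", "amount": 120.0, "country": "GB", "ts": "2024-03-01T10:00:00"},
    {"id": "t2", "client": "c1", "amount": 95.0, "country": "GB", "ts": "2024-03-01T10:00:30"},
    {"id": "t3", "client": "c2", "amount": 15000.0, "country": "GB", "ts": "2024-03-01T11:00:00"},
    {"id": "t4", "client": "c3", "amount": 40.0, "country": "XX", "ts": "2024-03-01T12:00:00"},
    {"id": "t5", "client": "c4", "amount": 900.0, "country": "GB", "ts": "2024-03-01T13:00:00"},
]
HISTORY = {"c1": [100, 110, 130], "c2": [200, 250], "c3": [40, 45], "c4": [50, 60, 70]}


def evaluate(transactions, history):
    """Return {transaction id: [trigger names]} for every transaction that fires a rule."""
    alerts = defaultdict(list)
    by_client = defaultdict(list)
    for tx in transactions:
        by_client[tx["client"]].append(tx)
        if tx["amount"] > AML_THRESHOLD:
            alerts[tx["id"]].append("above_aml_threshold")
        if tx["country"] in HIGH_RISK_COUNTRIES:
            alerts[tx["id"]].append("high_risk_geography")
        prior = history.get(tx["client"])
        # Profile comparison: deviation from the client's own historical spending.
        if prior and tx["amount"] > PROFILE_MULTIPLIER * mean(prior):
            alerts[tx["id"]].append("deviates_from_profile")
    # Velocity rule: two purchases by the same client inside the window.
    for txs in by_client.values():
        txs.sort(key=lambda t: datetime.fromisoformat(t["ts"]))
        for a, b in zip(txs, txs[1:]):
            gap = datetime.fromisoformat(b["ts"]) - datetime.fromisoformat(a["ts"])
            if gap <= SIMULTANEOUS_WINDOW:
                for t in (a, b):
                    if "simultaneous_purchases" not in alerts[t["id"]]:
                        alerts[t["id"]].append("simultaneous_purchases")
    return dict(alerts)


if __name__ == "__main__":
    for tx_id, reasons in evaluate(TRANSACTIONS, HISTORY).items():
        print(tx_id, reasons)
```

In practice each fired trigger would route the transaction to review rather than block it outright, since a single rule on its own produces false positives.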

Ways that an organisation can minimise the risk of fraudulent chargebacks

  • Implement Strong Verification Processes: Organisations are generally advised to use robust authentication methods, such as requiring CVV/CVC codes, billing address verification and 3D Secure protocols, to verify the cardholder’s identity during online transactions. This can help reduce the likelihood of fraudulent chargebacks. Two-factor authentication is also recommended: if the client has gone through this process, it can support your case against a fraudulent chargeback, since it is unlikely that a hacker would also have had access to their phone or email address.
  • Provide Clear Terms and Conditions: Clearly communicate your refund and cancellation policies on your website or during the checkout process. Ensuring that customers are aware of your policies can help prevent them from filing unwarranted chargebacks.
  • Keep Detailed Records: Maintain accurate and detailed transaction records, including customer information, order details, shipping addresses, and proof of delivery. These records can serve as evidence during chargeback disputes, demonstrating that the customer received the products or services as agreed.
  • Communicate with Customers: Engage in open and clear communication with customers throughout the transaction process. Provide order confirmations and tracking information to keep customers informed and reduce the likelihood of chargebacks resulting from confusion or miscommunication.
  • Implement Fraud Detection Tools: Use fraud detection and prevention tools, such as AI-powered fraud monitoring systems or manual review processes, to identify suspicious transactions. These tools can help detect potential instances of fraud and allow you to take appropriate action to mitigate the risk.
  • Stay Informed: Keep up-to-date with the latest fraud trends and techniques. Stay informed about common fraud indicators and educate your team on how to identify and respond to potential fraudulent transactions.
  • Maintain a Responsive Customer Service: Provide excellent customer service to address any concerns or issues promptly. Resolving customer complaints or inquiries in a timely and satisfactory manner can help minimise the likelihood of chargebacks resulting from customer dissatisfaction or frustration.

POPs as a way to fight payment fraud

The current landscape of payment gateways presents a fragmented defence against fraud, leaving gaping holes ripe for exploitation. Fraudsters deftly navigate the varied strengths and weaknesses of individual vendors, slipping through the cracks where protection isn’t quite robust enough. This calls for a paradigm shift from individual gateways to Payment Orchestration Platforms (POPs).

The transition to POPs could represent a strategic move towards closing the gaps and vulnerabilities in the current payment ecosystem. By stitching together once-fragmented defences, POPs promise a consolidated, adaptable, and ultimately more resilient front against the evolving tactics of fraudsters. This is not just an incremental improvement but a fundamental shift in our approach to securing the financial arteries of our digital world.

As we delve into the complexities of combating payment fraud globally and in the UK in particular, it’s essential to recognise compliance as a critical component of this multifaceted strategy. Compliance measures play a pivotal role in aligning with established standards and regulations, ensuring that businesses not only adopt advanced technologies like POPs but also adhere to the necessary legal frameworks to enhance their overall fraud prevention capabilities. Let’s explore how compliance intersects with the technological and regulatory aspects of our payment fraud mitigation discussion.

Payment fraud regulations in the UK: key requirements and facts

  • Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a set of security standards established by major card schemes, such as Visa and Mastercard, to protect cardholder data and prevent payment fraud. It outlines requirements for the secure processing, storage and transmission of cardholder information.
  • The Financial Conduct Authority (FCA) is the regulatory authority responsible for ensuring the integrity and stability of the UK’s financial markets. More specifically, it also sets out requirements for the prevention of financial crime, including payment fraud. All regulated firms must comply with FCA regulations. According to the FCA, the use of risk-based, automated warning messages during the payment journey can be effective in helping customers consider whether the payment they are making is to a genuine payee. The Consumer Duty, which came into force on 31 July 2023, sets a higher standard of care that firms must provide to consumers in retail financial markets and plays a key role in underpinning the FCA’s expectations of firms in this area. The Consumer Duty Finalised Guidance FG 22/5 (Paragraph 5.23) confirms the importance of firms having adequate systems and processes to avoid foreseeable harm, including to design, test, tailor and monitor the effectiveness of such messages.
  • The Payment Services Regulations 2017 (PSR) is also a relevant piece of legislation; it implements the EU Payment Services Directive (PSD2) into UK law. It sets out requirements for payment service providers and aims to enhance security and consumer protection in relation to payment services. It includes provisions on strong customer authentication, secure communication, fraud reporting and dispute resolution.
  • The Proceeds of Crime Act 2022 is also relevant, as it is the primary UK legislation on the prevention and detection of financial crime. It requires businesses to have appropriate controls and procedures in place to prevent this kind of crime and to report any suspicious activities, including those related to payment fraud.
  • The Consumer Rights Act 2005 can also be taken into consideration, as it promotes consumer protection in relation to payment fraud, in terms of consumers’ rights and liability in the case of unauthorised transactions.
  • The Payment Systems Regulator (PSR) and the Bank of England are introducing a mandatory reimbursement scheme for victims of authorised push payment fraud (APP fraud). APP fraud is when a consumer is persuaded or tricked into authorising a payment to a fraudster, whether by being deceived as to the recipient of the payment or as to the purpose for which they are transferring the funds. The new reimbursement scheme is intended to come into force on 7 October 2024. Key provisions include mandatory reimbursement within five working days, the cost being split 50/50 between sending and receiving PSPs, and special requirements for vulnerable consumers.

Andrew Novoselsky is Chief Payments Officer at SumSub.
