Fighting fraud in real-time payments: a balancing act
As the global trend towards real-time payments systems continues to accelerate, many industry stakeholders fear increased fraud – and rightly so.
Eric Le Lay
Chief Compliance Officer, Global Transaction Banking, Societe Generale
One of the most pressing issues for banks, system operators and regulators is how to increase speed without sacrificing security. In this new payment landscape, can technology contribute to fraud and financial crime prevention, rather than simply speeding up payments? And in a world of instant payments, how much risk is too much? Are regulators ready to adapt a risk-based approach across the board, or does a zero-tolerance approach for certain compliance activities still stand? As new payments bring about new methods of fraud, how are financial-crime compliance teams shifting their focus to prevention rather than detection?
When real-time and instant payments systems have been launched around the world, fraud attempts have immediately followed. Such payments are a new paradigm, delivering 24/7 payments transfers in a matter of seconds. Unfortunately, instant payments could open the door to instant fraud.
Before it introduced the SEPA instant credit transfer, SCT Inst, into the Single Euro Payment Area (SEPA), the European Payments Council (EPC) discussed options for fighting fraud with regulators and other bodies in countries that had experience of real-time payments. Based on those discussions, a ceiling was placed on the maximum amount that could be transferred using SCT Inst – €15,000. This ceiling, which reflects the fact the eurozone is a new-born real-time payments market, is anticipated to be reviewed by the EPC in 2020. The imposition of the limit has, to an extent, hampered development of real-time payments in euro, particularly for B2B use. However, as the market matures, it is likely this ceiling will be raised as participants feel more comfortable with this new payment paradigm.
Banks, infrastructures and regulators must work together to tackle instant payments fraud. At the bank level, technologies such as intelligent scoring and detection tools can be deployed to identify and block suspect transactions. Infrastructures have an important role to play because they are in a position to identify abnormal patterns, on a country-wide or regional level, within the huge volumes of payments they process. By deploying the same technologies as banks, infrastructures can identify wider trends and alert banks to these. Finally, regulators can use their high-level position to harmonize laws, particularly around data privacy. The industry's fight against fraud has been hampered by legal restrictions to communicating fraudulent parties' information, such as IBANs, to counterparts, which is made more complex by the differing national data protection and privacy laws. Harmonizing information-sharing at the SEPA level will be vital in the fight against fraud.
On the technology level, a big issue for banks in implementing real-time and instant payments is the filtering of the flows. This has to take place in order to comply with international rules in respect of sanctions and be followed by any action very quickly for the payment to be processed within the required time. If the filtering tool identifies an atypical payment that requires investigation it is impossible to process that payment within the time expected. Like many banks, Societe Generale, is investigating artificial intelligence (AI) and robotics technologies that will enable it to detect only the real problem transactions and complete all the others quickly.
The main issue is false positives – transactions that are flagged as atypical but in fact are legitimate. This is a particular problem with sanctions lists, as names similar to those on such lists can be identified as a problem. Robotics should enable banks to immediately investigate such instances (e.g., the name is the same as a sanctioned party, but address and other details are different) online and clear the transaction immediately if appropriate.
Another area that has promise to improve detection is credit scoring. Societe Generale is building intelligent scoring capabilities on unitary credit transfers. Based on its knowledge of customers, it sets a certain score and executes instant payments that reach that score; anything below is investigated.
In detecting and preventing real-time payments fraud, banks must also consider the customer experience. If real-time and instant payments are to succeed, they must ensure the user experience is perfect. In creating a new way of paying, banks need to ensure they can also create and maintain trust in that new instrument. This takes time, but fraudsters do not wait; they attack new payments channels and instruments from the beginning. Collaboration with infrastructures and regulators, and the application of new technologies, will help the industry to fight back against fraudsters while ensuring customers receive the instant service they expect.