4 minute read

Faster payments, faster fraud: Why real-time payments struggle to balance security and speed

Tuesday, July 30, 2024

4 Minute Read

Part 2 of 3

Part 1 of our real-time payments blog series highlighted the state of real-time payments on a global scale. Part 2 looks at customer vulnerability and the role of AI/authentication technology.

Stopping fraud is never easy. When you speed up how a payment is processed to a few seconds, there is an even smaller amount of time to detect fraudulent activity. That’s the challenge for real-time payment (RTP) adoption — and 65% of consumers want more warnings about emerging scams when they make RTPs.

When a RTP is received, it’s irreversible and the money can immediately be used. If it’s a fraudulent transaction, the person or business who sent the money typically wants to know who is liable, how to get refunded and how to assure protection with future transactions.

As fraud losses continue to mount — up to $9 billion globally in 2023 — answers are not coming easily. There are many reasons for it.

Technology is a big factor. Many banks and fintechs use machine learning and AI-fraud detection tools, but fraudsters also use such technology to bypass security loopholes. Fraudsters have attempted to combine fake and real information to create fictitious identities, clone voices, even exploit gaps in the AI behavior to conduct fraudulent transactions.

“It’s an arms race when it comes to AI,” said Szymon Morytko, Principal Consultant, FICO.1 “Fraud can be achieved so much more easier now.”

It’s also about analyzing vast amounts of data in seconds to determine fraud while still creating a seamless consumer experience. For regions where RTPs are being introduced, there may be little to no historical transactional data to rely on for an accurate assessment of the persons or businesses involved. In other words, it’s hard to distinguish between genuine and fraudulent transactions.

The simple fact is many people are just not prepared.

“Most of the banks we work with aren’t ready,” said Bhavik (Vick) Soni, Practice Partner, Risk & Regulatory Compliance, BFSI US, Wipro.2 “Your real-time payments will lose customers. The end customer doesn’t know if they are liable (for the payment if it’s fraudulent).”

Consumer vulnerability

With so much uncertainty around RTP fraud, consumers and businesses are vulnerable. Ask yourself, when am I most likely to be exposed to payment fraud?

Fraudsters often target transactions that play off the psychology and human factor: charity donations, federal stimulus payments, even medical bill payments. People also make impulsive purchasing decisions during promotional or holiday shopping events, such as Black Friday and Cyber Monday. These transactions can be hard to detect as they typically do not trigger a “red flag” as a conclusive indication of fraud.

Two common types of payment fraud that fit here are account takeover and authorized push.

Account takeover fraud deals with obtaining access to a person’s bank account. Authorized push payment (APP) fraud involves tricking a victim into transferring money to a bank account that fraudsters control.

APP fraud is a top financial crime threat in the United Kingdom with losses totaling £459.7 million (roughly $583.5 million) in 2023. That’s down 5% from 2022, largely due to the rollout of the Strong Customer Authentication, a requirement of the second Payment Services Directive that aims to add additional security to electronic payments.

The rule helped reduce remote purchase losses with payment cards by verifying customers’ identities. This is done through two-factor authentication when making purchases online or in stores with contactless payments. Two-factor authentication is a security system that requires at least two forms of identification to gain access to a service or system such as an online bank account.

The rules, however, are a concern for payment service providers (PSPs) as they may soon be liable for losses on APP fraud on their own platforms. Starting in October, PSPs must reimburse victims of APP fraud.

That's good news for consumers but what about safeguarding banks, credit unions and financial institutions (FIs)? That’s where new technology comes in against fraud.

Can we trust authentication and AI systems?

In the UK, a new AI-powered fraud detection service detects account-to-account fraud in real time that could potentially save more than £330 million (about $419 million). The service, which will be available to all banks in the UK, is intended to identify and prevent suspected fraudulent transactions in real time before money leaves the victim’s bank account.

As for how it works, during the pilot stage the technology analyzed billions of previously completed retail bank transactions for a year, identifying fraudulent ones that went undetected. Now the service will analyze transactions before they are approved, flagging fraudulent activity.

The analysis before a transaction is key because it can limit fraud and lessen the amount of money that needs to be reimbursed for whatever fraud does go through. Additionally on the consumer end, this could create greater trust in digital banking fraud-fighting services.

AI technology to verify account holders is catching on worldwide.

In Uruguay, you can buy an item at a store by placing a palm over the scanner. Amazon even has its Palm Payment Service, a payment system that works on biometrics and by reading a user’s palm print. The system is trained by generative AI.

Though if you’re hesitant about using such payment authentication technology, you’re not alone. Only 34% of Americans trust businesses to use AI effectively to protect against fraud.

What happens when there is resistance to using it? Banks and FIs should step in to improve the user experience and ensure confidence.

There is an opportunity to do that with authentication solutions with RTPs. They offer fraud protection but can be vulnerable to scammers due to inconsistent user experiences and security gaps in those tools.

34%
of Americans trust businesses to use AI effectively to protect against fraud

Take a customer that uses multiple payment cards and has digital relationships with several banks. On one hand, they use a digital banking app to confirm authentication of a transaction that is managed by one vendor. That same customer also uses an online payment card and is notified of potential fraud via phone that is managed by another vendor.

Since the technology is siloed with channel-specific authentication tools, this creates disparity and inconsistency with messaging and the overall experience. Results could be that the customer stops using the technology, goes to another bank with better authentication methods or accidentally submits personal information to a fraudster due to the inconsistencies in authentication experiences.

Even if a bank is working with multiple third parties for fraud technologies, it’s ideal to have one platform that connects the tools for synergy throughout the customer journey.

“In the fraud space, we are so focused on the rules but not on all the channels,” said Kasey Boyd, Head of Fraud, TSYS. “Financial institutions must do a better job of managing authentication channels for customer engagement. We need to consider how a customer interacts with verification of a transaction, and delivers a comprehensive approach to fraud and detection that combines authentication, identity and transaction monitoring.”

1. FICOWorld 2024, Szymon Morytko, Principal Consultant, FICO, Detection to Prevention Achieved – Tackling Scams From Every Angle, Breakout Session, April 16
2. FICOWorld 2024, Bhavik (Vick) Soni, Practice Partner, Risk & Regulatory Compliance, BFSI US, Wipro, Powerful partners in prevention: Stopping real-time payments fraud, Breakout Session, April 17

Never Miss an Insight

Get the latest from TSYS a Global Payments Company