Finance Monthly hears from Jay Floyd, Senior Principal Financial Crime Consultant at ACI Worldwide, on the threat faced by banks and countermeasures they can employ against it.

Fraudsters are natural opportunists and extremely innovative with their methods. Whether through authorised push payment (APP) fraud scams, phishing attacks or even targeting vulnerable people during the COVID-19 crisis, they will always find new ways to make money with no remorse.

Making the task of protecting consumers and companies from fraudsters relentless activities an increasingly challenging one for banks. Especially during a time of global crisis and uncertainty along with growing payment channels through Open Banking.

However, by thinking seriously about how they (banks) can embrace strategic anti-fraud technologies and ensuring that their Open Banking platforms are secure by engaging with QTSPs (Qualified Trust Service Providers), banks can protect their customers against fraudsters both today and tomorrow.

Fraud is constantly evolving and growing

A decade ago, deploying malware was the easiest and most common method of getting into someone’s account. But as banks have strengthened their technical defences, fraudsters have increasingly turned to social engineering. Whether via email or telephone, many criminal gangs now impersonate a victim’s bank or other authorities like the police, persuading the victim to hand over account authentication codes or even make fraudulent transactions themselves.

Taking this one step further, some fraudsters are even combining remote access trojans with social engineering. Persuading victims to install malicious software on their device so they can carry out their fraudulent activity without needing to engage with the victim in the future. With such scams constantly evolving, it is increasingly difficult for banks to combat fraud.

Fraudsters are natural opportunists and extremely innovative with their methods.

As such, instant payments fraud is growing at an alarming speed. And while it should be acknowledged instant payments have revolutionised banking – in an era of pandemics, it’s no exaggeration to say we are dealing with a payments pandemic.

Recent figures from UK Finance add stark colour to this picture. Card fraud (both debit and credit) accounted for £288 million in the first half of 2020 – an 8% decrease compared to the same period in 2019. However, cases of remote banking fraud and APP fraud both increased – by 59% and 15% respectively. When combined, this amounts to £287.5 million lost to remote banking and APP fraud in the first half of 2020 – almost on par with card fraud. Though there are industry initiatives such as ‘Confirmation of Payee’, in the very near future, it is expected that remote banking and APP fraud will overtake card fraud across Europe and UK. And this is worrying.

Engage with QTSPs to mitigate fraud

The rise in remote banking fraud may further be accentuated by the proliferation of open banking services. But despite the fact fraudsters will look to exploit weakness in Open Banking, this relatively new service should be embraced. Its benefits cannot be underestimated or denied. In fact, recent OBIE data suggests 50% of UK small businesses now use open banking services to see their accounts in real time, forecast their cashflow and issue paperless invoices to clients. But banks do need to think seriously about weakness and loop holes and how they protect customers from fraud in the coming months and years.

Fraudsters are already exploiting the vulnerabilities around open banking, especially when it comes to Account Information Service Providers (AISPs). Authorised to retrieve account data provided by banks and financial institutions, AISPs are a critical piece of the open banking infrastructure jigsaw. However, it is believed criminals are starting to create fake AISPs. In some cases, pretending to be legitimate AISPs, much like doxing, to gain access and data to customers’ accounts.

[ymal]

To mitigate this risk, banks need to think seriously about how they engage with Qualified Trust Service Providers (QTSPs) to certify and validate AISPs and PISPs. QTSPs provide banks the digital certificate for AISPs and PISPs, and are themselves regulated under the eIDAS directive. But while they have been around since early 2019, QTSPs still remain largely invisible in the financial community.  Banks must configure their anti-fraud technology to monitor AISP and PISP activities and also establish a process to validate eIDAS certificates via QTSP’s to ensure that they only release access to customers’ accounts to the right people. Not only will this help banks mitigate the risk of fraudulent AISPs and PISP’s or man in the middle attacks, it will also enable them to meet a range of other electronic security requirements as well.

Real time payments bring a sense of urgency for both the fraudster and the victim of the bank. And while instant payments and open banking have undoubtedly brought countless benefits, the rising levels of fraud are real cause for concern. Fraudsters will always find new ways to make money illegally. But by ensuring they have the right fraud technology and aligning that technology to integrate with Open Banking messages and with QTSPs, banks can put themselves in the best position to detect fraudulent AISPs / PISP’s and prevent as much fraud as possible.