When new products are introduced into the financial markets, criminal enterprise will take note, with an eye for new opportunities. In many cases, criminals will repurpose an old scam, based on the new financial product’s vulnerabilities. This is why, as regulatory changes occur that are driven by business innovation, I often caution clients to look into the ‘rearview mirror’, to ensure they are not repeating mistakes of the past when tackling fraud.
The uptake of real-time payments (RTP) offers a case in point. As its adoption gathers momentum, security controls must be strengthened in step to reduce the associated fraud risk. However, banks’ product managers may be tempted to focus on the benefits of their new offerings rather than on assessing the risks that could delay a new product’s introduction to the market.
Mindful of the threat, on 21 July 2021 the US Consumer Financial Protection Bureau (CFPB) issued new Q&A guidance on real-time payments and consumer rights. Regulation E, which covers this aspect, was last updated in 2013, when RTP was just a thought. Among other effects, the new guidance is designed to help banks and account holders determine who bears the loss when fraud or human error occurs in the RTP space.
However, one issue that was not resolved with the new CFPB Q&A was who bears the loss when, for example, a non-regulated entity pushes a transaction to a regulated entity, or when actions such as account takeover or friendly fraud (when the victim is knowingly complicit) are perpetrated. Such complications are multiplied when a fraudulent transaction has crossed an international border.
Because the RTP market is a new legal segment, it’s likely that lawyers will be taking note. When retail person-to-person (P2P) fraud occurs, it usually represents a loss of up to $2,000 at most. When commercial account P2P fraud occurs, the amounts are much larger, but Regulation E does not apply because it is focused on protecting consumers, not corporations.
As corporations and banks increase the use of RTP for commercial business-to-business (B2B) and business-to-consumer (B2C) applications, an in-depth risk assessment needs to be performed before signing on to an RTP product. Not only should security controls be re-evaluated, but so should business workflow processes, both at the corporate end and in the payment processor’s operations.
The risk assessment needs to be an end-to-end review, starting with company policy and procedures, for each RTP product. All business processes need to be mapped out visually, and in detail, so that when a payment goes wrong it’s possible to see quickly how and where it happened. When mapping workflow processes, the external automated clearing house (ACH) processes for inbound and outbound payments must be included to ensure a full understanding and explanation of the event.
The word ‘assumed’ is usually one of the first words of failure. The consequences of ‘assuming’ when it comes to RTP can be significant. Right now, I see many people involved in the RTP market assuming they know how things work, and assuming who is responsible when payments go wrong.
The good news is that best practices are being updated across the payment industry, based on recent payments that have gone wrong. To keep pace, corporate risk assessment teams need to look outward and inward. Policy and procedures need to be reviewed by the board of directors, and signed off by the legal counsel, when any changes are made regarding government regulations concerning RTP technology, including risk controls and vendor relationships.
It has to be acknowledged that insider fraud is ongoing, especially for commercial accounts where the volume and value of transactions can be large. Having the right balance between fraud detection technology and human-driven workflow processes is extremely important for RTP.
The human aspect is vital because too many businesses are relying too heavily on artificial intelligence (AI) technology to prevent fraud. AI technology is definitely a benefit, but AI has its limitations, and the criminal element knows about those limitations; your business may not. What’s more, the cost of false positives and false negatives needs to be factored into the RTP business plan, because they have a negative impact on customer satisfaction and retention.
Two-Party Integrity (TPI) is a business workflow concept that prevents human error and insider fraud. The TPI concept is in place across all US military operations and in some tier one banks. TPI requires a second party to approve a first party’s business or financial transaction. One of the key benefits of TPI is that it requires employees to deal with human error or fraud in real time rather than after the fact.
The cornerstone of success for deploying TPI workflow processes and policy is technology that manages the real-time communications between employees. Today’s smartphones, tablets and PCs have biometric sensors built in, like cameras for facial recognition, and fingerprint readers. Leveraging mobile technology in the TPI workflow process eliminates a lot of employee friction. The biometric sensors reduce any doubt as to who is approving the transaction.
Consider an employee who needs to send an RTP to a supplier or customer and who has a payment limit. When a larger RTP is required, the Treasurer’s or CFO’s smartphone would have a TPI-enabled app that notifies him or her that a transaction is pending and requests their approval. Opening the app on the smartphone displays the details of the transaction request, and the Treasurer/CFO either accepts or refuses it, using a biometric step on their smartphone, tablet or PC to execute their decision.
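The approval workflow described above, written out as an added example (not code from the article, from any bank, or from a vendor it mentions): a payment within the initiator’s own limit is released at once, anything above it waits for a second party, and the second party must be a different person, must be an authorised approver, and must pass a device biometric step. Every submission, approval, refusal and rejected attempt lands in an audit trail of who did what and when. The per-employee limits, the named approver roles, the $1,000,000 two-approver threshold and the boolean standing in for the biometric check are all constructed assumptions for the example.

```python
"""Two-Party Integrity (TPI) approval workflow for real-time payments.

Added example; not code from the article, from any bank, or from a vendor.
Constructed assumptions: per-employee release limits, a set of named
approver roles, a two-approver threshold, and a boolean standing in for the
biometric step on the approver's device.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    PENDING = "pending"      # waiting for a second party
    RELEASED = "released"    # handed to the payment rail
    REFUSED = "refused"      # stopped by the second party


class TpiViolation(Exception):
    """An approval attempt that breaks the two-party rule."""


@dataclass
class Payment:
    payment_id: str
    initiator: str
    amount_cents: int
    beneficiary: str
    approvals_needed: int
    status: Status = Status.PENDING
    approvers: list = field(default_factory=list)


class TpiWorkflow:
    # Constructed threshold: above $1,000,000 two distinct approvers are needed.
    LARGE_PAYMENT_CENTS = 100_000_000

    def __init__(self, limits, approver_roles):
        self.limits = dict(limits)              # employee -> self-release limit (cents)
        self.approver_roles = set(approver_roles)
        self.payments = {}
        self.audit = []                         # who did what, and when

    def _log(self, actor, action, payment_id, detail=""):
        self.audit.append({"at": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action,
                           "payment_id": payment_id, "detail": detail})

    def _reject(self, actor, payment_id, reason):
        # Failed attempts belong in the audit trail too: they are the
        # real-time signal that an error or an insider is at work.
        self._log(actor, "approve-rejected", payment_id, reason)
        raise TpiViolation(reason)

    def approvals_needed(self, initiator, amount_cents):
        if amount_cents > self.LARGE_PAYMENT_CENTS:
            return 2
        if amount_cents > self.limits.get(initiator, 0):
            return 1
        return 0                                # within the employee's own limit

    def submit(self, payment_id, initiator, amount_cents, beneficiary):
        needed = self.approvals_needed(initiator, amount_cents)
        p = Payment(payment_id, initiator, amount_cents, beneficiary, needed)
        if needed == 0:
            p.status = Status.RELEASED
        self.payments[payment_id] = p
        self._log(initiator, "submit", payment_id,
                  f"{amount_cents} cents to {beneficiary}; status={p.status.value}")
        return p

    def approve(self, payment_id, approver, biometric_verified):
        p = self.payments[payment_id]
        if p.status is not Status.PENDING:
            self._reject(approver, payment_id, "payment is not pending")
        if approver not in self.approver_roles:
            self._reject(approver, payment_id, "not an authorised approver")
        if approver == p.initiator:
            self._reject(approver, payment_id, "self-approval")   # separation of duties
        if approver in p.approvers:
            self._reject(approver, payment_id, "duplicate approval by same person")
        if not biometric_verified:
            self._reject(approver, payment_id, "biometric step failed")
        p.approvers.append(approver)
        if len(p.approvers) >= p.approvals_needed:
            p.status = Status.RELEASED
        self._log(approver, "approve", payment_id, f"status={p.status.value}")
        return p.status

    def refuse(self, payment_id, approver, biometric_verified):
        p = self.payments[payment_id]
        if (p.status is not Status.PENDING or approver not in self.approver_roles
                or not biometric_verified):
            self._reject(approver, payment_id, "refusal not permitted")
        p.status = Status.REFUSED
        self._log(approver, "refuse", payment_id)
        return p.status


def violates(wf, payment_id, approver, biometric_verified=True):
    """True if the approval attempt is blocked by the TPI rules."""
    try:
        wf.approve(payment_id, approver, biometric_verified)
    except TpiViolation:
        return True
    return False
```

The point of the design is that the rule is enforced at the moment of the transaction, not reconstructed afterwards: a CFO who initiates a payment cannot also be its second party, one person cannot count twice, and an approval without the biometric step is refused and recorded. A real deployment would bind `biometric_verified` to the device’s authentication result and persist the audit entries outside the reach of the people it records.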
900 million reasons for TPI
In 2020, a major US bank had a corporate loan payment go seriously awry to the tune of $900m. It turned into a major lawsuit because the recipient of the payment would not refund the sum, eventually winning the lawsuit and keeping the overpayment. In most banks, a payment of that size would require more than three sign-offs. It was obvious that this bank had not embraced the TPI concept, and the technology was not in place to prevent the error.
Another area of risk for a commercial account of any size is employees sharing login and security credentials for bank accounts. This problem has been around for a long time. Not all banks have a treasury platform with a basic cybersecurity control in the form of a login security token. Banks need to provide all commercial account holders with soft tokens, one for each employee who will be logging into commercial accounts to execute transactions, providing an audit trail of who did what and when.
Logging into a bank account with just a password is extremely risky. Yet a second factor sent over SMS is no longer a safe answer either: over the past few years, criminals have developed malware that can intercept the SMS security tokens banks send to clients to authenticate account logins. All security communications with a bank need to be encrypted and in-band (that is, transmitted within the same packets or carrier frequency as the data).
Bank executives and regulators need to start addressing the different types of commercial account fraud and risk. While bank innovations such as RTP are welcome, so too is technology that eliminates human error and fraud, and which has a positive impact on the customer banking experience.
TMI Innovation Lab entrant Identité’s NoPass passwordless platform leverages the biometrics in smartphones, tablets and PCs and encrypts all communications in-band. NoPass can also facilitate TPI processes in the transaction approval process.