Instant Payments Pose a Fraud Management Challenge
January 16, 2024
By: Tyler Brown
FedNow launched in July 2023 with 35 early adopting financial institutions (FIs), and over the course of about six months, it added another 400. Such rapid growth of the network could very well make it increasingly attractive to fraudsters, and two characteristics point to the nature of that possible fraud:
- FedNow, unlike FedACH, only allows for push payments (from the sender). As a result, it is particularly vulnerable to fraud that involves either getting access to consumers’ accounts or tricking them into making payments.
- Payments settle instantly, and the money can be withdrawn within seconds. There is no recourse for a payment sent in error.
In other words, if a fraudster can induce someone to send a payment or get access to their account, the money is as good as gone. How do banks address it? Several years ago, the Faster Payments Council wrote a framework for how to manage fraud in faster payments. A key component of that framework is the tools and technology from banks and providers.
In the case of FedNow, some of the technology comes from the Fed itself. But to operate instant payments with minimal risk of fraud, banks need to bring more technology into the fray. FedNow itself provides basic anti-fraud features that include the ability to set risk-based transaction limits, manage conditions for rejecting payments, digitally sign the contents of payment messages, and reconcile transactions with the institution’s ledger. But the ability to manage payment fraud at scale depends on technical advances. Three areas where advances are required are:
- Authentication. “Zero trust” identity is the idea that users should be “authenticated and authorized based on all available data points.” That ultimately includes identity verification in the creation of an account, the authentication of a session in which an account is used, and the continuous reassessment that someone logged in to an account is who they say they are. Day to day, that suggests consumers both log in with a password or other credential and have their behavior related to location, transactions, and device use tracked. As of now, this kind of holistic approach to identity is still pretty rare.
- Analytics. The shorter the time between sending and settling a payment, the less time there is to accurately flag and address fraudulent transactions. There is therefore a greater need for tools that monitor transactions in real time and enable straight-through fraud detection and prevention. Machine learning algorithms, a core component of modern fraud detection, can adapt transaction monitoring to new fraud patterns and help with faster fraud scoring. But such technology is certainly not universal.
- Integrated data. Data that can inform fraud models is often fragmented across tech stacks that are patchworks of systems and not designed to exchange data automatically and seamlessly. To manage payment fraud, banks need to be able to follow patterns across channels and across payment methods for many different customers and do so continuously as data is created.
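To make the three areas concrete, here is an added sketch (not FedNow's interface and not code from any bank or vendor) of a gate that runs before a push payment is sent, since nothing can be recalled after settlement. It combines a risk-based per-payment limit, step-up authentication for unknown devices and new payees, and a velocity cap computed across channels; every name, tier, and threshold is an assumption chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed policy values, for illustration only.
TIER_LIMIT = {"low": 10_000.0, "medium": 2_500.0, "high": 500.0}  # per-payment cap
VELOCITY_WINDOW_S = 600    # look-back window in seconds
VELOCITY_CAP = 3_000.0     # max outbound total per window, all channels combined
NEW_PAYEE_STEP_UP = 250.0  # first payment to a payee above this needs step-up

@dataclass(frozen=True)
class Payment:
    account: str
    payee: str
    amount: float
    channel: str   # e.g. "mobile", "web"
    device_id: str
    ts: int        # epoch seconds

class PreSendGate:
    def __init__(self, risk_tier, known_devices):
        self.risk_tier = risk_tier          # account -> tier name
        self.known_devices = known_devices  # account -> set of device ids
        self.payees = defaultdict(set)      # account -> payees already paid
        self.recent = defaultdict(deque)    # account -> (ts, amount), any channel

    def decide(self, p):
        window = self.recent[p.account]
        while window and window[0][0] <= p.ts - VELOCITY_WINDOW_S:
            window.popleft()                # drop payments outside the window
        # Unknown accounts fall back to the strictest tier.
        if p.amount > TIER_LIMIT[self.risk_tier.get(p.account, "high")]:
            return "reject", ["over_tier_limit"]
        if sum(a for _, a in window) + p.amount > VELOCITY_CAP:
            return "reject", ["velocity_cap"]
        reasons = []
        if p.device_id not in self.known_devices.get(p.account, set()):
            reasons.append("unknown_device")
        if p.payee not in self.payees[p.account] and p.amount > NEW_PAYEE_STEP_UP:
            reasons.append("new_payee")
        if reasons:
            return "step_up", reasons       # re-authenticate first; nothing is sent
        window.append((p.ts, p.amount))     # record only payments actually released
        self.payees[p.account].add(p.payee)
        return "allow", []

# Constructed sample events for one account (not real data).
SAMPLE = [("acct-1", "payee-1", 100.0, "mobile", "dev-A", 1000),
          ("acct-1", "payee-2", 900.0, "web", "dev-A", 1060),
          ("acct-1", "payee-1", 2400.0, "web", "dev-A", 1120),
          ("acct-1", "payee-1", 700.0, "mobile", "dev-A", 1180),
          ("acct-1", "payee-1", 700.0, "mobile", "dev-B", 1800)]

def demo():
    gate = PreSendGate({"acct-1": "medium"}, {"acct-1": {"dev-A"}})
    return [gate.decide(Payment(*e))[0] for e in SAMPLE]
```

The fourth sample payment is rejected only because the web and mobile payments are counted in the same window, which is the point of integrated data.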
Additionally, there is a human component to staying ahead on this. What has happened with Zelle, a faster payment method that’s also push-only and free from purchase protection, is instructive. Zelle scams involve both credential theft (via phishing or smishing) and a variety of schemes that get consumers to voluntarily part with their money. Those schemes can include fake ecommerce listings that take Zelle as payment and social engineering schemes that trick consumers into sending money to false accounts. Consumer education is therefore also an important issue to address.