Authorised push payment (APP) fraud losses decreased by 17 per cent in 2022 according to UK Finance, the UK banking and financial services trade association. However, of all reported cases of payment fraud, APP accounted for 57 per cent. As the threat of APP fraud rises, organisations are setting up ways to protect their customers – but is this enough?
Towards the end of September, it was reported that UK neobank Revolut had landed in hot water with the UK regulator, the Financial Conduct Authority (FCA), for allegedly releasing £1.7 million from accounts flagged as suspicious by the National Crime Agency. According to The Financial Times, Revolut notified the FCA about £500,000 released from said accounts.
With APP fraud accounting for such a high proportion of reported fraud, it becomes increasingly difficult to return funds to all the affected consumers. Therefore, organisations must do more to protect consumers in the first place. However, it may not be that simple due to the attitudes of organisations.
Research from the UK Government has revealed that only 36 per cent of businesses and 30 per cent of charities view cybersecurity as a very high priority. Meanwhile, 27 per cent and 34 per cent respectively see it as a fairly or very low priority.
The CRM Code
One solution to security concerns and the rising number of APP fraud cases is provided by the Lending Standards Board (LSB). The LSB oversees the CRM Code, a set of protections which can ensure organisations are able to quickly spot and deal with APP accounts and cases.
Following the news about Revolut, Laura Mahoney, head of policy at the LSB, commented: “It is imperative that firms implement robust APP scam prevention measures, as fraudsters become ever-more malicious and innovative. The new Code provisions provide an additional safeguard against criminals, by stopping fraudulent account openings and cracking down on those receiving illicit payments.
“Victims of scams endure lasting emotional and psychological distress even after receiving their money back, and society at large suffers as criminals continue to profit from their illegal activities. Our ongoing priority is to prevent consumer harm, reinforcing the need to maintain an industry Code that has a clear focus on the prevention and detection of APP fraud.”
According to the LSB, the CRM Code commits firms to:
- “protecting their customers with procedures to detect, prevent and respond to APP scams, providing a greater level of protection for customers considered to be vulnerable to this type of fraud;
- greater prevention of accounts being used to launder the proceeds of APP scams, including procedures to prevent, detect and respond to the receipt of funds from this type of fraud; and
- reimbursing customers who are not to blame for the success of a scam.”
But is the CRM Code enough to tackle such a prevalent fraud?
For Andrew Latham, director of content of financial comparison platform SuperMoney.com, the CRM Code marks an essential step toward protecting consumers, but “a reactive approach might not be enough”.
Latham said: “It’s crucial for organisations to focus on preventive strategies, such as strengthening their authentication procedures, keeping consumers informed about the latest fraud schemes, and leveraging advanced fraud detection systems.
“For fintech firms to fend off these challenges, they must heighten their due diligence. They must embrace and regularly update rigorous know your customer (KYC) and anti-money laundering (AML) protocols.
“While initiatives like the CRM Code are steps in the right direction, a comprehensive, proactive approach from organisations and fintechs is vital to counter APP fraud effectively.
“The adoption of real-time transaction monitoring, continuous user education on fraud awareness, and active collaboration with regulatory entities like the FCA can further reinforce their defence against APP fraud.”
Every party must be aware
“APP fraud is challenging to combat,” explains Dan Wyatt, partner at international law firm RPC. “Consumers and businesses need to educate themselves on the types of scams circulating and be able to identify the red flags to look out for.
“Ensuring their cybersecurity measures are as robust as possible is also very important, as many APP scams start with email accounts being hacked to identify invoices which are then amended by the fraudsters to include alternative bank details.
“On the other side of the coin, banks need to ensure they have best-in-class account and transaction monitoring measures in place to spot APP fraud, and best-in-class processes for escalating concerns and dealing with them swiftly.”
Fraudsters tend to target new accounts, or ones which have not been used in a while, to launder their stolen funds, before paying the funds on to other (usually offshore) bank accounts.
Wyatt notes: “The number, value and speed of transactions which take place as a part of APP fraud are typically stark compared to the usual activity on the account.”
Organisations must ensure they have the technology in place to spot this early.
The role of open banking
Open banking, though often associated with simplifying payments, has a huge opportunity to mitigate the damage done by APP fraud, according to Lasma Gavarane, chief compliance officer/MLRO at open banking fintech Noda.
The gap between consumer and business penetration rates continues to increase: as revealed by Open Banking Limited (OBL), only 11 per cent of consumers use open banking, while 16 per cent of businesses do.
Nonetheless, pointing to open banking's strong customer authentication, real-time data sharing and monitoring, consent management and standardised protocols, Gavarane says: “While the onus of security lies with fintech platforms, the principles and mechanisms offered by open banking can significantly bolster their defence mechanisms. Incorporating open banking’s security protocols, in conjunction with regular audits and user education, can pave the way for a safer fintech environment.”