Shutting off mule accounts to effectively tackle APP fraud

Cleber Martins, Head of Fraud Management for Banking at ACI Worldwide

 

Authorised Push Payment (APP) fraud is on the rise. Losses from this type of fraud are expected to record an average CAGR of 21% from 2021-26 in the UK, US and India. To combat this rising threat, late last year the Payment Systems Regulator (PSR) published new rules for banks and building societies regarding the reporting of APP fraud.

While losses won’t keep pace with the overall growth of real-time payments, banks shouldn’t be complacent regarding the risks. And though it’s true real-time payment channels have created a reality where fraudsters can succeed faster, it is mule accounts that allow them to keep getting away with it.

Fraudsters often obtain mule accounts through identity theft, turning a user’s account into a mule account without their knowledge, or by recruiting and targeting more vulnerable people on social media and other online communication channels. This enables criminals to hide their identity and quickly move stolen funds beyond the reach of banks and authorities, either through other mule accounts at different banks, or by buying crypto or NFTs. This is why, in order to effectively tackle APP fraud, banks need to shut off these mule accounts once and for all.

Banks battling back

Currently, most banks only tend to check outgoing transactions. This means that when a mule account suddenly receives money from numerous different accounts, following little to no activity, it’s usually not picked up. And this needs to change.
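The inbound pattern described above can be expressed as a simple rule over credit records. The sketch below is an added example, not code from the author or from any bank's system; the thresholds, the record layout and all account names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune against real portfolio data.
DORMANCY = timedelta(days=30)     # lookback that must show little to no activity
MAX_PRIOR_EVENTS = 1              # "little to no activity" in that lookback
BURST = timedelta(hours=24)       # window in which the fan-in must occur
MIN_SENDERS = 3                   # "numerous different accounts"

def flag_fan_in(credits, debits=()):
    """Each record is (timestamp, account, counterparty, amount).
    Returns {account: sorted distinct senders} for quiet accounts that
    suddenly receive from many senders."""
    events = defaultdict(list)    # account -> [(ts, sender or None)]
    for ts, acct, sender, _amt in credits:
        events[acct].append((ts, sender))
    for ts, acct, _cp, _amt in debits:
        events[acct].append((ts, None))   # debits count as activity only
    flagged = {}
    for acct, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for start, sender in evs:
            if sender is None:
                continue
            prior = sum(1 for ts, _ in evs if start - DORMANCY <= ts < start)
            if prior > MAX_PRIOR_EVENTS:
                continue          # account was already active: not this pattern
            senders = {s for ts, s in evs
                       if s is not None and start <= ts <= start + BURST}
            if len(senders) >= MIN_SENDERS:
                flagged[acct] = sorted(senders)
                break
    return flagged

# Constructed sample data (not real transactions).
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_CREDITS = (
    # Quiet account: one credit 45 days earlier, then four senders in 3 hours.
    [(T0 - timedelta(days=45), "ACC-QUIET", "S0", 20.0)]
    + [(T0 + timedelta(hours=h), "ACC-QUIET", f"S{h + 1}", 900.0) for h in range(4)]
    # Busy merchant: many senders, but with a long, steady history.
    + [(T0 - timedelta(days=d), "ACC-SHOP", f"C{d}", 35.0) for d in range(20)]
    # Payroll: repeated credits from a single sender.
    + [(T0 - timedelta(days=d), "ACC-SALARY", "EMPLOYER", 2500.0) for d in (0, 30, 60)]
)

if __name__ == "__main__":
    print(flag_fan_in(SAMPLE_CREDITS))
```

Only the quiet account is flagged; the merchant and payroll accounts show why sender count alone, without the dormancy condition, would generate false positives.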

When battling back on scams, banks need to have the appropriate Know Your Customer (KYC) standards, allowing them to monitor the money coming in as well as out of customers’ accounts and analyse the user behaviour of those accounts. This all helps banks to monitor for synthetic and stolen identities in relation to the money coming into accounts.

Being able to monitor and analyse all the data in real-time requires machine learning algorithms with rich contextual information. Put simply, these models are only as good as the signals and inputs they have been given. This means the more financial institutions – on both the sending and receiving end of the transaction – collaborate on signal sharing, the better they can target mule accounts. Additionally, more data and more accuracy should also lead to a decrease in the number of false positives and an improved user experience for legitimate customers.

To effectively shut off the supply of mule accounts, better collaboration and data sharing between banks and financial institutions are needed, and with the introduction of the new PSR rules, we could see this quickly come to life.

Why receiving banks must be held accountable

There’s currently almost no risk at all for banks receiving fraudulent transactions into mule accounts, despite their hosting the mule accounts used by fraudsters to receive stolen funds. This results in most banks doing little to no monitoring or analysis of the money coming into accounts, and little to no meaningful intelligence being exchanged between the two ends of a transaction. To turn the tide on scammers, this needs to change.

The Payment Systems Regulator (PSR) has said that, in addition to putting in place mandatory reimbursement for most victims of APP scams, liability should be split equally between initiating and receiving banks, unless the receiving bank can prove it has gone to greater lengths to do its checks than the initiating bank, resulting in the initiating bank being held more financially liable.

This should incentivise a major shift in how banks monitor fraud activity, by increasing how they monitor the money coming in, in combination with behavioural profiling of the receiving accounts. Ideally, once the two sides of a transaction are working together, a “fraud DNA” can be constructed to enable more precise decision making. One strand of that DNA, in practice, would be the initiating end sending an intent for a real-time payment, including intelligence about the initiating account in metadata format. The receiving end would then correlate that with its own intelligence, thereby adding the second strand to the DNA chain. Finally, a decision would be made as to whether to allow the transaction to be completed.

This increase in collaboration between banks would symbolise the first step of building a framework that promotes the sharing of insights and could mean the end of mule accounts as reliable tools for fraudsters.

What future collaboration might look like

While banks play an important role, mule accounts are often created on social media, through the telecom industry, via email or even postal mail, making APP fraud a cross-industry problem. This requires a next-level, cross-industry collaboration strategy that sees solutions, techniques and intelligence being shared between banks and vendors, merchants, issuers and acquirers, and even with social media companies and telcos.

Ultimately, it’s about ensuring customers are better educated and protected and that banks perfect their monitoring of the money that comes in, as well as out, all while sharing that information. Building a true cross-industry framework will help deprive scammers of access to one of their main conditions for growth. As a result, we should begin to see the value of APP scam losses, as a proportion of the value of real-time transactions, drop.
