By Jason Costain, December 2024
Managing fraud and financial crime teams in a smaller bank or payment service provider can be extremely challenging. You are expected to meet the same set of financial crime regulations and fraud threats as your larger peers, yet you have to do so with a smaller budget, smaller workforce, and smaller talent pool.
If you get this wrong, you don’t just risk seeing your firm’s payment systems being misused by criminals, you also risk regulatory censure that could include the firm having to cease trading.
Take Dzing Finance Ltd, where the Payment Systems Regulator (PSR) found 1 in 5 incoming payments were the proceeds of an APP Fraud, far higher than any of Dzing’s peers. As a result, the FCA imposed significant restrictions[1] on Dzing Finance in 2023, effectively banning them from taking on new customers.
Fast forward to the 2024 PSR APP Fraud report[2] and the payment firm Skrill find themselves at the top of the table for firms receiving the proceeds of APP fraud. Skrill were singled out by the PSR as having a fraud rate that is “at least four times higher than any other firm in the top 20”.
“Smaller firms receive disproportionately higher rates of APP scams compared to the 14 largest banking Groups…the average scam rate of these usually smaller firms in our data is 18 times the average scam rate amongst the larger firms”
In 2023, smaller firms received 53% of all UK APP fraud volume despite only receiving 8% of UK consumer Faster Payments.
Given the challenges faced by small firms, what can a small firm do to improve its performance?
1) Hire talent. You need fraud SMEs, particularly in analytics roles
2) Create a fraud prevention culture across the firm that rewards collaboration
3) Have an honest conversation about your firm’s fraud defence vulnerabilities
4) Ensure Fraud and Financial Crime teams work together on fraud
5) Use multi-skilling to build operational fraud capacity in other areas for times of need
6) Educate your customers on scams, keeping it relevant and up to date
7) Deploy effective and dynamic warnings and intervention during the payment journey
8) Use your ‘small firm agility’ to respond to fraud attacks and losses
9) Create robust and rapid payment recall recovery processes, automate if you can
10) Act quickly on fraud payment recall requests from other banks, automate if you can
11) Invest in data, models, and proven fraud defence software
12) Monitor your firm’s performance against peers and goal-set where you want to be
13) Develop effective MI that gives an early view of attack/loss/refund rates
14) Establish good links with other firms and scenario test what they’re seeing
15) Create clear guidelines for quick and consistent treatment of scam victim refunds
16) c. 80% of losses can be easily tackled - don’t wait for an industry solution
17) Hard code policy rules to help the fraud team contain cost and loss, for example:
* Set maximum Daily/Weekly/Monthly payment limits IN/OUT
* Only give high payment limits to those customers who need them
* Know when to say “no” to a customer’s payment request
* Freeze incoming funds if it looks high risk
* Limit the amounts you allow customers to send to risky beneficiaries
* Quarantine new accounts until trust is established
* Harden your KYC (account opening) requirements
* Implement controls to protect potentially vulnerable customers
This isn’t an exhaustive list by any means and they're a mix of strategic, cultural and tactical activities, but tackling some of these basics will get you a long way.
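Three of the hard-coded rules from item 17 (rolling outbound limits, a cap on payments to risky beneficiaries, and new-account quarantine) are sketched below as an added example, not code from the author or any firm. Every threshold, name and sample payment is a constructed assumption; a firm would set its own values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed thresholds for illustration only (assumptions, not from the article).
LIMITS = {timedelta(days=1): 2_000, timedelta(days=7): 5_000, timedelta(days=30): 10_000}
QUARANTINE = timedelta(days=14)   # how long a new account stays restricted
QUARANTINE_CAP = 250              # max single payment while quarantined
RISKY_BENEFICIARY_CAP = 500       # max single payment to a flagged beneficiary

@dataclass
class Payment:
    beneficiary: str
    amount: float
    when: datetime

def evaluate(p, opened, history, risky_beneficiaries):
    """Return (decision, reasons) for an outbound payment.

    opened: when the sending account was opened.
    history: earlier accepted outbound Payments from the same account.
    """
    reasons = []
    if p.when - opened < QUARANTINE and p.amount > QUARANTINE_CAP:
        reasons.append("new-account quarantine cap")
    if p.beneficiary in risky_beneficiaries and p.amount > RISKY_BENEFICIARY_CAP:
        reasons.append("risky-beneficiary cap")
    for window, limit in LIMITS.items():
        # Rolling window: count only payments made inside the last `window`.
        spent = sum(h.amount for h in history
                    if timedelta(0) <= p.when - h.when < window)
        if spent + p.amount > limit:
            reasons.append(f"{window.days}-day limit of {limit} exceeded")
    return ("DECLINE" if reasons else "ALLOW", reasons)

# Constructed sample data.
NOW = datetime(2024, 12, 2, 12, 0)
ESTABLISHED = datetime(2023, 1, 1)
HISTORY = [Payment("landlord", 3_000, NOW - timedelta(days=3)),
           Payment("builder", 1_500, NOW - timedelta(hours=3))]
RISKY = {"flagged-account"}

if __name__ == "__main__":
    for amount in (400, 600):
        print(amount, evaluate(Payment("friend", amount, NOW), ESTABLISHED, HISTORY, RISKY))
    print(evaluate(Payment("friend", 300, NOW), NOW - timedelta(days=2), [], RISKY))
```

Returning the list of reasons rather than a bare decision gives the fraud team the per-rule decline counts that the MI in item 13 depends on.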
It's also worth knowing the relevant articles on APP fraud in the UK in recent years, the contents of which can often be invaluable to Fraud professionals. It's surprising how few fraud folks actually take the time to read this stuff. Examples include:
Despite all of its challenges, working in a small-firm fraud team can be very rewarding and it provides a fantastic opportunity to experience the organisation-wide view of fraud and financial crime that you just don’t get in a bigger firm.
Finally, whilst there undoubtedly needs to be a combined effort across many different sectors to beat APP scammers, the reality is that APP fraud prevention starts and ends in payment service providers. The large differences in APP fraud performance between payments firms that continue to be seen somewhat undermine the banking sector's messaging that other sectors aren't doing enough.
If you work in a payment service provider then the bottom line is that your firm probably needs to do more and refund more when it comes to APP fraud. It is simple messages like this that the fraud team need to communicate to the wider firm. The good news is that the work required is likely to align with the firm’s objectives and be cheaper, easier, and less intrusive to customers than the firm might initially think.
Jason Costain
Jason has worked in banking fraud prevention for 25 years, running fraud and financial crime defence teams at some of the UK’s best-known firms.
Further resources at Javloc.com
[1] https://fintelegram.com/attention-fca-imposed-restrictions-on-dzing-over-alleged-scam-facilitation-and-money-laundering/