Faster payments doesn't mean faster fraud

 

Thank you, Brianna. So what's the point behind the title of our webinar today? It's really no secret that digital transformation of commerce and payments is changing the fraud landscape. Faster final payments, they present both vulnerabilities and opportunities in this landscape. So I was thinking that many of you, as you're considering integrating faster payments into your payment stream, are trying to reorient yourself and your processes with an eye toward understanding the fraud mitigation capabilities of these new payment rails.

 

So that's exactly what Jim and Lawrence are going to help us with today, because they're the experts in their payment rails. So three things we want you to take away today. One, understand where is digital transformation changing the fraud landscape and how is the speed of fraud increasing. And then what would you want to consider as you transform your payment mix to possibly include faster payments?

 

And then the third thing would be let's learn about the dynamics of these new payment types and how they can mitigate fraud inherently. So if I want to start maybe with the review of the landscape, let's just take a moment and consider this statistic. Recently released the 2021 AFP risk survey. It's called post-crisis and preparation for the future. Sounds like just about everything we read today. Crisis, crisis, which reveals that 47% of the correspondents they reported the cybersecurity risk are currently the most challenging risk for them to manage.

 

So this is significant, because the increase from 2010, the last time it did that, there was only 12% of the respondents. So that's a huge, huge move. So let's just talk a little bit about the landscape, and maybe Jim, if I could just start with you. So maybe you could just-- how do you think the fraud landscape really has changed with digitization?

 

Thanks, Nina Well, digitalization generally has been extraordinarily positive, right? It's helped reduce friction, improved online client experiences, and made it easier to interact between businesses, individuals, and businesses and individuals in ways that are too many to state. That's just been especially critical during this pandemic when everyone's been at home and having to work, operate, and live remotely. However, it's also introduced concepts and words into our lexicon like business email compromise, phishing, vishing, smishing, and farming, and all of which are also transforming the fraud landscape.

 

The drive for simplicity and speed is also creating a ripe environment for new and creative ways for fraudsters to operate and more ominously to evolve very rapidly. The days where rule-based or rules-based fraud systems can keep up with the changing face of fraud are being left behind and replaced by the need to train people and systems on how to recognize fraud in real time. Digitization exposes more information, which opens up doors, and when you add that to an increasing number of data breaches, fraudsters have a good deal of valid PII to go along with fraudulent information, which when they go phishing, which makes their attempts even more valid and even more successful.

 

The other thing to realize is that fraud in the digital world is alive. It's dynamic, and it's constantly evolving. Fraudsters learn and adapt in real-time nowadays. So by the time traditional rules-based systems address one scheme, it's probably already morphed into something different and more complex, and this is an environment we're going to be living in for the foreseeable future. So it does require you to take a different look at fraud, and as the payments landscape is evolving than the way you've looked at this before.

 

Great point there, because I was thinking that the way that we look at fraud and have looked at it is now, as you're trying to say, the view has to expand. The way that we evaluate things, what we look for, not so much in the rearview mirror, but we've really got to get out in front of it it's what it sounds like. And those fraudsters just get smarter every day, so Lawrence, I was thinking that your vantage point would be important to add here as we're setting the landscape. So what have you been seeing?

 

Yeah, great question, Nina. So what we've been seeing on the landscape from a corporate or government agency perspective is we've seen an increase in attempts to create requests for payments from those corporates or government agencies, and a lot of that is tied to external factors. So for example, COVID. We've seen an increase in, for example, unemployment insurance claims or requests and the government trying to meet people where they are.

 

So what we've seen is increased fraud attempts to request payments in the name of someone else by fraudsters. And those disbursements are sent honestly by the government agencies, and then the fraudsters are receiving those benefits. And typically, those that are the victims of the fraud don't find out until afterward. So what we've been seeing holistically and in summary is, in an attempt to meet people where they are in this digital world, corporates and government agencies are moving to electronic digital space to facilitate payments, and we've seen fraudsters move in that direction to capitalize on that.

 

So we've seen a huge increase in it. So hopefully, what we can do. Jim and I and yourself throughout this webinar is increase the awareness so that way we can mitigate these fraud attempts.

 

I'm not kidding you, last week, I had five messages-- five text messages-- on people trying to help me with my unemployment claims, and I was thinking that maybe the bank was trying to tell me.

 

[LAUGHTER]

 

But evidently not. It was the fraudsters.

 

That's a scary thing.

 

I know. So fraudsters traditionally took advantage of inefficiencies in the payment system, because we've seen that, where we've tried to pay attention to people key logging or piggybacking on us or taking over credentials, those kinds of things. And that's what they were looking for the inefficiencies, but now they're looking to exploit the efficiencies of these faster payments. And I think it was you, Jim that said, yeah, now, they're in those themes of the payment processing. And maybe you could talk a little bit more about what the fees of payment processing are.

 

Thanks, Nina. Well, as you mentioned, historically, fraudsters really did look at areas where payments were inefficient. They looked at those areas, where customers would take a long period of time to be able to figure out that they've been defrauded. So delays in check clearing, as an example. So if it took a week or in some instances, a month before you reconciled your account, they had a lot of time to be able to perpetrate fraud before anyone would ever pick it up.

 

Lack of transparency. Deferred settlement. So when you cleared a transaction and you got availability of funds for it, if for some reason, that settlement transaction got delayed somewhere, in an exception process in reconciliation, the fraudsters had a great deal of time to be able to perpetrate that fraud, and that was the areas that they typically looked at. So they were always looking at those areas, those seams in the process where inefficiency allowed them an opportunity to perpetrate fraud and gave them a while before it would ever be uncovered.

 

And as you mentioned, that is no longer the case. Nowadays, fraudsters are taking advantage of efficiencies and speed of payments to get money out of accounts and through their networks as quickly as possible, which makes it extremely difficult, if not impossible, to track and stuff. And quite honestly, it's only one piece of it is getting the money out of your account and into theirs. The other is in moving it in a web of transactions so that they can mask where it's coming from and ultimately get it out of the system clean.

 

They rely on the fact that there's very little friction built into the process, and they take full advantage of that. And part of the challenge that we have as financial institutions and as corporate users is to create an extraordinarily efficient process, but also make sure that we understand those areas that are vulnerable to fraud and create some necessary friction that would allow you to track these items before they get out of the system. So those are some of the areas that you have to be thinking about and that Lawrence and I will be speaking about a little bit more in terms of the type of things you need to keep in mind as you're building modern payment systems that are using some of these modern, highly efficient, and very fast rails.

 

So you pointed, Jim, to a couple of these methods that they're using. And in fact, maybe Lawrence, maybe we could just outline very quickly what are the fraud methods that we're probably most familiar with and then how are the fraudsters changing their methods for digital? Because I know you've had experience previously as a practitioner but then also now in your work with early warning.

 

Yeah, so one of the big things with respect to the methods that fraudsters are using-- we'll break it down into two things quickly. So B2C, so business to consumer transactions. If a fraudster finds out where you hold some accounts that have funds where they can be disbursed, fraudsters are figuring out how they can complete or fill out a disbursement form either online or sometimes in paper, and they're using all of the victim's information, first name, last name, social security number, account number, all that good stuff.

 

But when it comes to the payment account where disbursement should go, they are then inserting their own bank account and routing number or the fraudulent bank account routing number where they can go and pick the funds up or move the funds out of that account later. We're seeing a huge increase in that, and then in the P2P space, there are times if your credentials are not protected, those credentials could be used to facilitate transactions. And again, we are seeing fraudsters leveraging more and more today's different payment methods to capitalize or to commit these fraudulent disbursements or transactions.

 

So some of the examples that come to mind for me are like changes in W-2s, stealing your credentials so that, as you pointed out, so that then they can get the funds into their account and then they move it quickly, as Jim pointed out, so that it's gone before we can even do anything about it. So let's just talk-- because of the finality of payments, with faster payments, with real-time payments and with Zelle, I think that's an important piece. The finality of the payment.

 

What are some things when we think about awareness and education. I mean, we're always talking about that as part of payment hygiene for every business. So how are we going to be increasing this awareness to be knowledgeable about where it can come from now, and what tools do we have available? I think that's probably the next thing we should talk about with digital fraud prevention. So Lawrence, as I pointed out, as a former practitioner in the insurance space, which I think lots of B2C, what would you say is critical as a general rule for fraud mitigation really when it comes to payments?

 

Nina, you hit on there in your statement, it's really awareness. Being aware that these types of frauds can be committed. The other thing is-- this sounds like common sense, but when you think about the control

 

of your internal control environment, you want to definitely think about preventative controls. Preventing the fraud before it occurs, before that disbursement occurs.

 

Detective controls are awesome, but as Jim pointed out, it happens after the fraud has been committed. So what we want to do is take advantage of the tools that are built into some of these payment methods and then also couple those with your internal controls or corporates internal controls and mitigate that fraud before you send that money. Again, as we've talked about before, you want to measure twice and cut once. So make sure that before that payment descent that you have the right credentials.

 

You're attempting to pay the right party, and the person that you're attempting to pay matches-- their information matches that account or that destination where the funds should be submitted.

 

So with all-- as businesses, though, been focusing on the digital customer experience. And so you're talking about being able to have controls and procedures, meanwhile, the other side of the coin is the business is making it-- it's focusing on making it as simple as possible, as frictionless as possible, i.e. the less clicks, the better. And to try to invest there, because that's where their strategies are focused on gaining new clients and retaining their clients.

 

So what do we need to change if we're going to integrate faster payments but we've got to consider this customer experience. How are we going to go about that?

 

Well, I would start on something that Lawrence mentioned a few moments ago. Awareness, education, and training. With this new environment, what you have to understand is the areas where you're most vulnerable are gaps internally and internal control processes. And your staff are the people in your accounts payable department. The people who manage your vendor management platforms are your first line of defense, right?

 

If you wind up going through a process, you need to-- with faster payments, with immediate payments, instant payments, they are final and irrevocable, which is the equivalent of cash. And I always encourage businesses to look at instant payments as if you're handing over cash and have the same controls. You would not walk down the street and give a stranger $50 in cash and expect to get it back if you made a mistake. You've got to look at instant payments exactly the same way.

 

So assume that these are final. Educate your staff so that they understand how these new payment systems work, because many of them are used to HGH and wires, which are irrevocable. If you make a mistake, you can get the money back. Even with wires, there's a window before that wire settles when you can recall a payment. None of that exists in the immediate payment networks nowadays, and the people who are managing your payments and making your payments need to understand that.

 

So education is critically important. Also, training and testing. So educating people is good, but you've also got to test them to make sure that they can recognize phishing emails or SMS text that they might get so that they start to instill in their normal process ways of recognizing how somebody is going to try and beat the system, and it's not just once. We've been doing this kind of testing and training in our own environment for five years and I can tell you the first year they nailed me a few times in the test, but I can tell you now for two years, nothing has gotten past me in any of this stuff.

 

So it really does work, and I'll tell you that those good hygiene controls that Lawrence was talking about are probably the best ways to make sure that fraudsters can't get into your network and pull money out of your accounts.

 

So let's take that controls and procedures a little further, because I think Lawrence, a couple of weeks ago, you and I just talked a little bit about what you could do to work on your controls and procedures if you wanted to use faster payments, because that's it. It's a one shot deal. How would you start?

 

Yeah, so you definitely would start-- when you think about that process is create a process narrative or process flow. Understand all the parties involved, the systems involved. And once you've identified that, you can start to insert controls. You can start to insert up front preventative controls. Again, before I continue, let me piggyback off a little bit about what Jim said, because I think it ties in nicely to this.

 

You're standing. The payment method that you're going to use or the technology that you're going to use, basically, awareness is really going to lead to a great experience. And we may get into this a little bit in the future, but as we talked about, laying out that process, understanding that process that carefully constructed process to meet the needs of your customers. A lot of businesses don't want to alter that customer experience. So understanding the tools that you have are key.

 

So for example, if we are talking about Zelle, before a Zelle payment goes out, I won't get into the specifics, but there's an ability to validate the recipient before the payment is initiated, and that's passive. It happens behind the scenes, and if someone understands that, that's a control that's built into Zelle that they can leverage, making sure that that API call happens before the payment is initiated.

 

Something that's very easy to incorporate. But back to your original question, Nina, with that process flow, that narrative. Understanding all the action points and then the controls to make sure that the objective is achieved and the objective is to disburse funds to the correct person or entity or agency. And understanding your process and the controls to help you achieve that are paramount in designing those the right way and then making sure that they're operating in the correct manner.

 

So you have mentioned to me a couple of things that might raise red flags when you were trying to identify gaps in the process. What kinds of things do people need to look for that could raise red flags?

 

Yeah, so Dina, couple of things. It could be with the payment method, it could be with the process. So for example Jim mentioned in the accounts payable scenario. Understanding what you should be doing if payment information changes. So for example, you might-- or if you're paying a customer, what's changed with this customer in the past 30, 45, 60 days? Have they changed their address, have they changed their email address, have they changed their payment or bank account information?

 

So looking in the process for those types of gaps and making sure that you have controls in place to review those. Those are easy controls, and a lot of organizations do a fantastic job of executing their internal controls. But it only takes once one failure to create a significant fraud event, where there's financial losses suffered by an organization.

 

So before we scare everybody to death, which was the whole idea of faster payments don't mean faster fraud, let's jump into those dynamics of these new payment types, because while we said there are vulnerabilities, and there are. I mean, that's one that we brought up, which is finality of payment. That can also be a very important opportunity. So maybe, Jim, you'd like to just talk a little bit first about how the vectors of fraud really have changed when we now get into this immediate payment world.

 

And I will say to folks, it does sound like we're trying to scare you, and that's not the intent here. But what you need to understand is that the controls that worked 20 years ago do not work with the current payment systems. They do not work as well. So there are so many companies that we speak to nowadays that, if they haven't been hit by fraud, I don't think they will. I've had the same controls in place for the last 20 years.

 

I check them periodically. They work very well. I don't need to make any changes, so it is really important that you understand that the way fraud is being perpetrated is changing and that it is dynamic and it is evolving. These are very, very bad corollary. With what we see happening in the pandemic space, these things morph. They evolve, they change, they get better, they learn.

 

So you've got to develop systems and controls that can deal with that kind of situation. When it comes to most of the faster payment networks, the one thing that is very, very unusual and very unique versus some of the more traditional payment systems is that there's a great deal of data that accompanies the payment nowadays. In the RTP network and in the feds network when it goes live, you will have non-financial messages. So a request for a payment that can go through a banking channel, and just the fact that all of this information is going through a secure banking channels is going to create another level of control that you can rely on.

 

They're not going through email, they're not going to unsecure channels. They're going through the most secure payment channels in the world, which you have bank channels, right? And if you get a request for payment, all the messages go through these secure channels. So if you get a request for payment, you will see the name of the account on that request for payment of the person who's asking for that money.

 

So if it doesn't look-- if I'm expecting to get a request for payment from Lawrence and I get it from Nina, that should be a flag to me that says something's wrong here. So you've also got to start to take a look at the information flowing with the payment and start to introduce that into your fraud monitoring engines. So that they can start to take a look at this stuff, and you may not be able to stop that first transaction but you want to be able to stop any subsequent transactions that go through.

 

So look at the non-financial messages. Look at any transactions that reject because you have complete transparency. Within a few seconds, you will know if a payment was accepted, if it was rejected, and if it rejected, for what reason? So you've got a tremendous amount of information now that you did not have before.

 

And as you start to tune your monitoring engines, you've got to take into consideration all these new data elements that could be indications that there could be problems with that payment.

 

So I see a lot more filter opportunity. Just on the request for payment. You can ignore that. You don't have to answer it if you don't like it, but then what we used to often wait for was for payment receipt. We wouldn't know if someone actually received a payment until we sent the next bill and they were like--Well, that was the indication that your payment was actually sent to a fraudulent third party. You found out when the party you sent the money to got back to you and said, where's my money, right? So all of those things, because of that complete transparency, those things will no longer occur if you're monitoring your transaction activity correctly. So there are tools within the network that allow you to do that. And it is that full end-to-end transparency that really does create a difference in these real time systems if they're used correctly.

 

The other thing I would mention is to piggyback on something Lawrence said, which is there were trusted directories out there today. RTP is going to be introducing a tokenization capability, where we can mask your account number, which would make it easier to migrate from paying via check to paying via electronic alternative, because one of the concerns a lot of companies have is they don't want to expose their account credentials to third parties. If you tokenize your account credentials, then that's much safer. And if you're using directories, as we do with Zelle, there are other ways of validating that the money is going to a known counterparty.

 

So Lawrence, when it comes to your perspective from Zelle, what do you think practitioners need to learn about the Zelle network and in fighting off fraud when using Zelle payments?

 

Yeah, so great question. The wonderful thing about Zelle is, again, it's a directory and what disbursers or users are permitted to do is one, use one of our features to get the token's status or the status of the token as an active as an inactive or there's certain other elements that we can talk to you about that token status. The other piece is we can permit or allow verification or validation of the recipient before the payment is initiated, which are all fantastic attributes that you want to use.

 

So this particular payment network, Zelle, has fraud mitigation or the ability to mitigate fraud built right into it, should dispersers or even users of P2P leverage it. And so there's a lot that can be taken and used when you talk about a Zelle transaction, especially on the business to consumer side the disbursement side. And one of the things that I wanted to hit on because I think Jim brings up a really good point, there's a lot of data, there's rich data out there around these payment types. And Nina, I know you were asking me a question before about some of those upfront controls and some of the things that people can do in order to minimize their losses.

 

When you think about the data that you have out there that are available for use by the corporates, some of it is payment velocity or frequency of a transaction-- or I'm sorry or account numbers or tokens being used. It should serve as a red flag before payments are issued as well. If you see 20 transactions within a day to the same token or the same bank account, that might be a red flag, letting you know, listen, we may not want to send that payment.

 

Yeah, the likelihood that I just sent 20 claims payments is not real likely, is it?

 

Great thinking.

 

Shared a lot of information, so I thought maybe if I just can pull this together. We thought about some of the things that are happening in the fraud landscape and they're changing. Those vectors and the speed and the velocity of the change but things that are built into these payment types that people can use, and then the importance of education and understanding your process and making sure that the gaps are addressed, especially in the way the client experience work. That they don't get out of sync.

 

So I want to thank you both for sharing today all the information that you have, and hope we could do this again. Maybe next year and see how fast it's going. It is National Cybersecurity month, so check your health and hygiene of your system, and I'd ask everybody to watch out for our invitation for our next month's webinar, and we're going to focus on 2021 treasury management innovation. So Jim and Lawrence, again, thank you and you can certainly get in touch with any of us if you have some further questions.