According to Pradheep Sampath, CPO at Entersekt, the rise of instant payments demands a new approach to fighting fraud.
“There’s certainly a buzz in the air” about faster payments, he told PYMNTS, noting that the FedNow® Service’s launch has received a lot of attention since its July debut — and rightfully so. But instant payments are not necessarily new, as The Clearing House’s RTP network has been around since 2017.
The advantages of faster payments are numerous, according to Sampath. The general premise is that people and businesses can get paid faster at a lower cost per transaction, improving everything from payroll functions to insurance claims payouts.
“But faster payments mean that we also need to be on the ball [to] mitigate and manage risk faster, too,” he added.
That’s especially true with instant payments, which, as it stands now, are immutable and irrevocable.
He noted that the growing use of peer-to-peer (P2P) payment apps such as Venmo, Zelle and Cash App has introduced consumers to the concept that their money, once sent, cannot be “clawed back.”
For those same concepts to be reinforced with consumers opting to send instant payments, said Sampath, it’s up to the issuing bank — the bank that the consumers and the businesses interact with — to make clear “both overtly and through risk management methods” the heightened security methods that need to be in place to protect all stakeholders.
The revamped approach will take time, noted Sampath, who added that financial institutions (FIs) that are early adopters of the FedNow Service will go in with their “eyes wide open” about the fraud threats that are out there and those that will likely emerge in the future.
“There’s some legwork that’s going to need to be done,” he said.
There are, he said, ample examples abroad, where faster payments are more firmly entrenched, that can serve the U.S. as roadmaps for new approaches to security.
The U.K. is one case study, where faster payments have been around since 2008, serving more than 50 million users. Approximately 10% of U.K. transactions flow through that system.
More than half of the fraud seen in the U.K. is authorized fraud, which means that the consumer’s been swayed by a nefarious actor, who’s making them issue a payment that will eventually be exfiltrated to a crypto account or to a “mule” account, said Sampath. And since most of the fraud is happening over real-time rails, it follows that the bulk of authorized fraud is proving quite successful over those channels.
Authentication, he said, stands at the forefront of any good risk management strategy. Ensuring that there’s an actual customer on the other side of the transaction is the most basic level of assurance that a payment is legitimate. Biometrics and device identifiers go a long way toward establishing those assurances.
But determining intent is a bit harder, he said, and is a component in thwarting “man in the middle” attacks such as SMS forwarding and phishing attacks.
Proximity-based authentication methods are useful here. But the final line of defense, where an FI must determine whether a customer is falling victim to a fraudster, requires a “team effort.”
“You need information about the origin channel, the destination channel, the velocity of the transaction to see if there’s a phone call in motion while the transaction is happening, which might portend that the person has been manipulated into sending the money,” said Sampath.
All this should lead to stepped-up protocols (even with human reviews in the mix), prompting the would-be sender to make sure they really want to part with their funds.
“The focus must be on user experience to make [instant payments] adoption a reality,” said Sampath, who added that FIDO’s passwordless authentication powered by passkeys “is a great way of binding an identity with the device, with the consumer and with the transaction in a way that makes it all possible” in a seamless manner.
“It’s got to be a combination of an ‘always on, always watching, always protecting’” mentality, said Sampath, “and when the circumstance is valid, stating ‘hey, let me make sure that you’re doing the right thing.’ It’s an ‘all of the above’ approach here.”