In the ever-growing world of digital banking, the Federal Reserve's introduction of the FedNow service in July 2023 marked a significant milestone, heralding a new age of instant financial transactions up to $100,000. As of October 2023, the number of participating members able to send and receive payments has
As soon as this happens,
Every country that has moved to instant payments has also seen a rise in fraud. The U.K. experienced a substantial increase in cybercrime following the introduction of its Faster Payments Service. Twenty years ago, U.K. banks started to face a surge in phishing attacks with losses escalating to £36 million by 2006. Anticipating the risks associated with the Faster Payments launch in 2008, U.K. banks implemented strong authentication measures using hardware devices to login and transact online, leading to a drop in fraud losses by 2007. And then the Faster Payment service was launched as the banks held their breath.
Despite all the measures they took, fraud incidents tripled within three years after the launch, proving the adaptability and creativity of cybercriminals to exploit new systems.
The trend suggests a clear lesson: Securing faster payment markets is
With FedNow, the stakes are even higher. Transactions will be similar in speed and convenience to Zelle but with a much higher transaction limit, there will be unparalleled attention from the international cybercrime community. The growing sophistication in criminal methods, especially with the abuse of generative artificial intelligence and deepfakes for social engineering, further amplify the threat.
While FedNow fraud is concerning, banks can take several actions to be prepared. With the rise of generative AI, customers will face increasing social engineering attacks with international fraudsters no longer needing to know English to conduct highly convincing conversations. Deepfake technology can also impersonate family members or bank staff, which is a particular threat to relationship managers serving high net-worth individuals. Banks will need to equip their fraud teams with a strong scam detection model, and educate relationship managers to contact clients for confirmation before following verbal or digital instructions to move money via FedNow.
The Alabama-based bank, which reported $135 million in check fraud losses during a six-month period, says that it had changed the period of time it holds a deposit in an effort to become more customer-friendly. "We opened the door too wide, bad people came rushing in, and we didn't close the door timely enough," said CFO David Turner.
Behavioral biometrics have been shown to work exceptionally well within instant payment systems in the U.K. and Australia to detect unauthorized account takeovers and impersonation scams. U.S. banks would be wise to learn from them as transaction monitoring and device analytics will be no match for advanced attacks using social engineering and remote access tools.
Banks gaining access to FedNow via a banking system provider should investigate the provider's fraud detection models, including specific elements that are configurable by the bank or its end users. Banking system providers' fraud teams can provide invaluable intelligence as they keep track of incidents across their customer base. Additionally, banks should inquire about running behavioral and device analytics during the login process.
Perhaps the most important thing that banks can do is engage with their customers and provide them with security options. Customers should have the option to set personal transaction limits on FedNow, backed by enhanced security measures like cooldown periods for significant transfers. Banks should simultaneously update and expand their customer education resources to cover FedNow risks, including the threats posed by deepfakes and generative AI.
Quick and decisive interactions with customers are crucial to learn the context behind a customer payment or deposit. Banks should prepare for prompt and effective customer outreach, particularly in dealing with complex scams that are difficult to detect. These efforts can be enhanced with digital and automated communication tools for efficiency, consistency and rapid response.
Internally, banks need to establish close collaboration between business and cyberintelligence teams. Establishing a joint command center is vital for the continuous updating of controls and effectively communicating these changes to customers. Fraud teams should maintain open communication with the executive team, especially when identifying gaps in security measures. Banks have a simple choice: Either invest in fraud controls to prepare for FedNow, or expect draconian supervisory measures that will increase friction and confuse customers.
FedNow heralds a new era in the U.S. financial landscape but also brings heightened risks, as evidenced by the experiences of the U.K. with Faster Payments and the U.S. with Zelle. The challenges posed by cybercrime, such as methods deploying generative AI and deepfakes, demand a proactive and multifaceted response from financial institutions. As FedNow moves toward widespread adoption, banks must remain vigilant and adaptable, ensuring robust security measures are in place to protect against the evolving landscape of digital payment fraud. Banks stand at a critical crossroads: Choose between proactive adaptation or reactive complacency. The decision will determine their resilience against the sophisticated landscape of digital payment fraud, and how much their customers will be affected by it.