BankThink

FedNow represents the next frontier for digital fraud in the U.S.

Early adoption of FedNow BankThink
Instant payment systems have been irresistible targets for scam artists, and FedNow is unlikely to be any different, writes Alisdair Faulkner, co-founder and CEO of Darwinium.
rafapress/Rafael Henrique - stock.adobe.co

With the launch of the Federal Reserve's FedNow instant payment service upon us, it's perfectly reasonable to believe it will prove to have solid fraud controls. First off, it's the Fed. Second, they have the benefit from the lessons learned by other countries with government sanctioned faster payment systems and by banks regarding Zelle fraud … right?

Perhaps, but instant or Real Time Payment (RTP) fraud is a cash cow for online fraudsters, mainly because most of the fraud is authorized by the scam victim. Last year, Zelle users transferred $490 billion using the payment app, and fraudsters followed them to the platform. In 2022, online scams were more prevalent overall (55%) than other delivery methods, with a whopping 75% success rate. Therefore, it's also perfectly reasonable to believe that, like other instant payment platforms, FedNow will be a magnet for fraudsters.

To get a preview of what FedNow fraud might look like, let's look across the pond to the United Kingdom's instant payment system. According to the U.K. government: 97% of Authorized Push Payment (APP) fraud occurs on the U.K. government's Faster Payments System. Authorized transaction scams comprise 54% of the total fraud/scams in the U.K. and in 2022 for the first time in the U.K., losses from scams (deceptive, but authorized transactions) are bigger than fraud losses (unauthorized transactions).

As for FedNow, what is sure to make a murky accountability trail even more so, is that unlike with Zelle, each financial institution that signs up for FedNow is responsible for the creation of the web/mobile pages and most of the security around the faster payment transactions. If fraud occurs because those pages were somehow compromised, lacking clear accountability trails, consumers may very well get caught in the middle as financial institutions and the Fed hash out who's liable.

But no one likes a fearmonger, right?

So, here's some good news. The Fed has stated that FedNow will launch with some (TBD) security and fraud controls, with others to be deployed in 2024 and beyond. One feature "under consideration" would enable financial institutions to activate a control setting that rejects payments that exhibit unusual frequency patterns or cumulative value over a period. Others would leverage the FedNow service network to monitor for aggregated concentrations of inbound and outbound activity (a sign of potential money mule activity) and use machine learning to score transactions.

These are smart, common-sense controls. Keeping in mind that much of instant payment fraud consists of scamming authorized users into approving a transaction, other measures include:

Looking at the age of the customer when assessing the transaction, because senior citizens and new-to-digital-banking consumers are especially vulnerable to these scams (e.g., grandparent scam/investment scam). Another effective measure is to use online transaction nudges (e.g., a popup with a tailored warning specific to what the customer is doing, such as 'Is someone on the phone directing you to send this payment?') with suspicious transactions and/or the first time a user pays a new recipient on FedNow.

The bank hasn't explained why person-to-person payments, bill processing and account-transfer services went down for parts of two days this week. But observers suspect glitches in its legacy systems could occur at other financial institutions and increasingly affect real-time payment networks.

July 27
Zelle app

Financial institutions can also have their telecommunications provider check if a customer is on an inbound mobile call while doing the transaction. A long call is also a good data point that something is not right. They can also do a confirmation of payee check (does the payee's name match the name on the receiving bank account?) and check beneficiary intelligence such as the age of account, number of incoming high value payments, etc.

In 2023, deepfake audio and video is becoming more convincing. For example, when a grandparent gets a call from their grandson about a "car wreck" or "kidnapping" and asks for money, it will sound real — because the fraudster copied the grandson's voice from TikTok and AI-cloned it. So, expect these victims to believe the scam/be scared if the fraud analyst calls to verify the transaction.

Financial institutions will also need to up their game in detecting and removing money mule accounts, their ubiquity, worldwide, being one of the main reasons why online fraudsters are so effective with scam activity. Something the U.S. can copy from the U.K. 2023 Fraud Strategy is to slow down faster payments when the financial institution has some concerns about the transaction being legitimate. And especially watch a user's first faster payment transaction.

Because instant payments are irrevocable, there are no substantive consumer protections for these scams, which means society's most vulnerable populations will have little recourse if they fall victim to one. As cliched as it sounds, we've seen time and time again that an ounce of prevention is worth a pound of cure. If APP-style fraud runs rampant on the FedNow platform, protections will eventually be legislated into effect, as was the case in the U.K. While the U.K. should be applauded for that effort, in the 14 years between the 2008 launch of pay.uk (the U.K.'s official instant payments platform) and today, billions were lost to scammers.

The U.K.'s experience can benefit everyone in the FedNow eco-system if participating financial institutions proactively deploy fraud prevention controls as a carrot, instead of waiting for the stick of regulation to arrive. They'll not only lower online fraud rates but also build digital trust with FedNow customers, which in the still-nascent world of instant payments, will be essential for FedNow to thrive. Until then, FedNow users will have little recourse if they are scammed into authorizing payments.

So … caveat emptor. At least for now.

For reprint and licensing requests for this article, click here.
Payments Bank technology Financial crimes
MORE FROM AMERICAN BANKER