Anyone who’s ever had their pocket picked knows it’s a sickening feeling, someone slipped their hand into your pocket, stole from you and you didn’t even notice. It’s the same when funds are taken from your bank account and can be far worse, because once in, they can take everything… In 2021 UK victims reported £2.35 billion in loss with many unreported as people are shamed by the dupe. These substantial losses crossover into business and enterprise. In 2021 UK Finance, the trade body for the banking and finance industry, reported that members lost over £1.3 billion to fraud, increasing costs for everyone who uses banking services.
So what can banks do to solve the virtual pocket-picking problem?
Open banking might be considered an oxymoron by some but it has led to increased competition and in many ways made things easier for the consumer. It’s also opened up new opportunities for the fraudster. Criminals can leverage instant, real-time payment networks to rapidly steal and launder, making recovery more difficult and leaving consumers with the payment responsibility.
Fraud now represents 40% of all offences in England and Wales, making it by far the most common crime. Which could leave you thinking that the modern-day version of the pick-pocket, dips a hand as easily into your bank account as they once did your pocket. And the fraudsters are operating in as much of a connected way as the labyrinth of bank accounts they target.
As quickly as banks improve their technology to prevent fraud, the criminals adapt. Unauthorised fraud – where money is taken from bank accounts without authorisation or knowledge is being replaced by authorised fraud that includes, romance and investment fraud, retail scams and many others. This social engineering combined with technology gives criminals the opportunity to orchestrate and bypass mitigation strategies, whilst instant payments makes it faster to cashout a fraud scheme before there’s time to stop it.
Where does responsibility lie and what’s the solution?
We’ve all been warned to keep our phone software and apps updated, to use passwords and to be careful where we access sensitive data. But the fraudsters are behavioural science experts, they know that many people reuse their passwords or store them under the notes section of their phone… easy pickings!
Meanwhile, legislation is battling to keep up. We have the long-awaited and much debated Online Safety Bill in the UK, and the EU’s Digital Operational Resilience Act (DORA) in Europe. The UK Fraud Strategy was presented by the UK Government in May 2023 and promises to pursue, block and empower. But Fraudsters are adept at finding ways around obstacles and have the resources to overcome them. And although the methods criminals use are varied, they are consistent across countries, indicating co-ordination. Transnational Organised Crime (TOC) poses a growing, significant threat. As criminal networks expand and diversify with potentially explosive and destabilising effects, undermining confidence in the international financial systems critical to our society and economy. Meanwhile, there are also politically-motivated threats to contend with. A recent example is Killnet, a gang of pro-Russian hacktivists, who claimed credit for attacks on the European Banking System. The European Investment Bank (EIB), confirmed the attack.
Although managing large amounts of data presents a significant and ongoing challenge for Financial Institutions (FIs) wherever there are large data sets, AI can be leveraged. With many FIs still relying on consumer education, messaging for transaction authorisation and post-authorisation monitoring, AI poses an obvious anti-fraud use case. For instance, Account-to-Account (A2A) payments will enable us to aggregate transactions using AI and provide the ability to identify anomalies. Skimming small amounts from multiple accounts can be recognised through the pinpointing of common transaction routing and behaviour.
Recent innovations include EBA Clearing’s fraud prevention and detection. The banking company that owns and operates major European payment infrastructure, is gearing up to launch an analytical pilot for pan-European fraud pattern and anomaly detection. The pilot is ahead of delivery of fully-fledged fraud prevention and detection for all STEP2 and RT1 payment system users in November, helping the user community prepare for the acceleration of A2A transactions and the wider adoption of instant payment.
Aside from also accepting that AI can be wielded by fraudsters, it’s clear that FIs will need to deploy AI to stay ahead and better understand and mitigate against fraudulent practices. There are already companies such as Feedzai and ComplyAdvantage who specialise in using AI to fight financial crime by detecting transactions from suspicious locations, currencies and deviations in behaviour.
Here's some key foundations and considerations for tackling real-time fraud:
- Cloud infrastructure enables large data ingestion capabilities and real-time data streams for simultaneous analysis and real-time assessment.
- API-based infrastructure connects to multiple systems to trigger actions (communication, card status changes, reporting, etc.).
- Link analysis identifies common fraud traits and determines when organised rings are attacking.
- Adaptive learning models identify fraud trends.
- Anomaly detection combines real-time and historical data across the enterprise to identify criminal activity.
Tokenisation – the no data, no theft concept
Asset tokenisation isn’t new, it started in crypto, the process of an issuer creating digital tokens on a blockchain to represent digital or physical assets. But it’s fast stepping into the front-line of defence for fraud and with it the battle for who owns the token. Sensitive information is scrambled into a token, which is used as a replacement for the original data that is securely protected. Actual card details are never shared. Since tokens are worthless and impossible to decrypt they stop an interceptor in their tracks.
The World Bank recognises two main token types, front end, whereby people create tokens when they sign up for an online service, and back end, where tokens are created automatically before being shared with other systems. There’s plenty of room for innovation, with many companies involved in providing solutions, such as Visa, creating their own proprietary tokens to protect customer data, and front end supplier, Tokenex. Their strapline ‘No data No Theft’ adroitly explains tokens’ power.
Tokens also help show regulatory compliance in protecting sensitive data and allow for automation. It’s not hard to see how tokenisation and AI could become effective against real-time fraud. But tokenisation is complex and tokens don’t always work well with one another. They’re also not a complete security solution, you must still ensure the data you hold in your vault is safe from theft. Which takes us back to the criminals. Fraudsters don’t have to deal with bureaucracy or budget cycles but have the freedom to brainstorm new ways to get around technology.
It’s clear that in the future we’ll require more coordination to stop criminals from committing digital fraud and collectively brainstorming ourselves on the inevitable new risks! Financial Institutions and Payment Providers will need to become accustomed to new ways of working and shift their way of thinking. With ever increasing anti-fraud capabilities and the power of new generations of technology like quantum computing, fraud prevention, data and identity security is no longer a ‘one and done’ deployment. It will require FIs to remain well informed, engaged and resilient and will inevitably require continuous investment.
Matthew is a published thought leader in a range of banking and finance, business and fintech media outlets, including Forbes, American Banker, and The Sunday Times. Where he shares his insights on the future of banking, payments and financial institutions. A fintech judge and regular speaker at leading industry events including Middle East Banking Innovation Summit (MEBIS), Self-Service Banking Europe and Women in Finance London, he has held senior leadership positions in Technology and Product for the past 20 years. He has a passionate focus on innovation and digitisation, to constantly improve the consumer experience.
16 November 2023
Hi, I’m Matt Cloke
20 September 2023
What Businesses Need to Start Innovating
24 August 2023
Resetting the Status Quo – How Banks Can Overcome Payments Challenges
08 August 2023
How Healthtech Simplifies and Secures Payments Processing
12 July 2023
Regtech - Necessary evil or competitive edge?