
Banks may face more liability for P2P fraud


What used to be a clear line between “authorized” and “unauthorized” banking transactions is blurring as the regulatory definition of an unauthorized transaction evolves in response to technology-driven changes in how customers do their banking. If a scammer tricks a consumer into giving away credentials or approving a payment or transfer, the resulting transaction could still be considered unauthorized.

Such guidance by the Consumer Financial Protection Bureau and other regulatory bodies, combined with brisk growth in social engineering scams, adds to an already challenging environment for banking institutions with regard to disputed transactions.

We recently spoke with Jake Emry, a fraud prevention expert at NICE Actimize, about how regulators are reinterpreting the Federal Reserve’s Regulation E covering electronic payments, particularly peer-to-peer (P2P) payments, and what that may mean for banking institutions.

The interview has been edited for length and clarity.

BAI: Why are digital criminals increasingly targeting peer-to-peer payments?

Jake Emry: With social engineering, customers just seem to be very susceptible to these types of scams. If you have a mobile phone, you’re experiencing it every day. Responding to these solicitations from criminals and fraudsters, clicking on these links, helps continue the facilitation of the scam. These vectors with regard to social engineering are quite concerning because even with a lot of noise in media—local and national, in print and online—about how people are being scammed by these things, it’s still something that is very effective for fraudsters to use.

What do you hear about how the federal regulatory bodies are viewing responsibilities when a bank customer is scammed?

Guidance from the CFPB is specifically focused on unauthorized transactions. They’ve given very specific examples of how fraudsters get into accounts through social engineering scams. For instance, the customer gives away their credentials to the fraudster. In the past, dispute teams would say, “Well, you gave the fraudster your credentials. You have some culpability there in giving a party access to your account.” So they wouldn’t accept liability. Well, the CFPB is saying, “No, if the customer was scammed, and you can’t prove that the customer was involved in this fraud, and the customer states affirmatively, ‘I was scammed. Yes, I gave my credentials out,’ that should be considered an unauthorized transaction of the fraud that follows from handing out those credentials.” I think what the CFPB is trying to do is really clarify some of those previous loopholes—maybe some of the things that dispute teams weren’t covering.

What do these interpretations and guidance mean for banks in terms of their P2P products and their fraud reduction efforts?

It’s giving a hint of regulation to come. It’s adding to the already challenging environment for banks with these disputed transactions. Social engineering scams are very difficult to protect against, so they require multiple layers of solution. There’s no silver bullet for stopping social engineering-based fraud on accounts, so you rely on sophisticated means of interdiction based on artificial intelligence and machine learning and real-time payments interdiction capability. You can use behavioral biometrics as well to layer on top of that—knowing how the customer interacts with their account to be sure it’s actually the customer logging in. I think it’s going to drive a lot of solemn thought around the leveraging of those solutions, the improvements of those solutions, and evangelizing internally just how much of a problem it has been and will continue to be. These things aren’t going to go away.

Greater liability in this case means greater financial risk for banking institutions, right?

This is a question that I get a lot from banks that are considering hosting their own peer-to-peer payment application, because they have a lot of concern about that liability. Their customers are going to use those third-party, peer-to-peer apps regardless, so there’s only so much you can do in trying to control that activity. I would say specifically a bank should have the right risk strategy in place if it wants to open up different channels, whether it be peer-to-peer applications or crypto or whatever. It really takes a very strong risk mindset to make sure that you have the right tools in place before you enable these things for your customers because, of course, you’ll have the increased liability from disputed transactions.

Will banks have to look at more of a trade-off between greater security and delivering the instant payment execution that the customer wants?

While we’re coming up to speed on faster payment mechanisms, there’s an opportunity for smaller banks to be mindful about whether they have the right risk controls in place and then start to make those investments as adoption of instant payments ramps up. If your customer does experience fraud, you have four times higher risk of attrition of that customer, irrespective of how bad the fraud incident is. So these investments have both fraud prevention benefits and retention benefits for these smaller organizations, so that they can keep those customers that they fought so hard to get and spend their limited marketing dollars and other resources on retaining them.

Terry Badger, CFA, is the managing editor at BAI.
