Breaches amp up risks around P2P liability shift

The third-party data breach has become the darling of the cybercrime world. The number of third-party breaches, also known as supply-chain breaches, more than tripled from 2021 to 2022, and the pace of these attacks may increase as regulators continue to wrestle with determining who ultimately pays the bill for these financial crimes.

Third-party attacks are often levied against vendors with large books of business: Think accounting, payroll and administrative firms that serve multiple clients. By breaching one of those vendors, the attacker gains access to the customer and employee data of multiple organizations at once. Like any business concern, the crooks are looking for greater ROI.

Banks are largely ignored by the opportunists behind third-party breaches, at least initially. Crooks would love to find their way into the accounts of bank customers, of course. But, getting there takes creativity. Banks have invested billions in defending against the cybercrooks, identity thieves and others after the digital keys to the kingdom.

Banks are still vulnerable to third-party breaches, though, as scammers will use the personally identifiable information (PII) stolen from vendors to fool bank customers into giving them money.

Person-to-person (P2P) payment networks are a scammer’s favorite channel for doing exactly that. To date, they have not been the highest priority among bank’s fraud-fighting teams. Some of this is due to the relative newness of P2P. A more apt reason may be that any losses stemming from a P2P scam have been the responsibility of the customer, not the bank.

The liability for some incidents of P2P payments theft may soon shift to banks, however. If a consumer authorizes a P2P payments but later reports the funds were paid to a scammer, the receiving bank providing the P2P service may be responsible for the loss.

Given the deeper pockets of financial institutions, cybercriminals no doubt love the idea that banks would need to shoulder the burden of stolen funds. While some in the industry contend the liability shift will put an end to bank offerings of P2P, that’s not likely if those institutions want to maintain and grow relationships with modern consumers. New numbers out by Consumer Reports show that nearly two-thirds of Americans now use a P2P payment app. Two out of five of them use it monthly, while nearly one in five use it at least once a week.

Against this backdrop, it’s hard to imagine banks pulling back from such a highly engaging channel. What is easier to imagine is a reconfigured risk assessment and controls model, whereby banks strengthen, albeit judiciously, their fraud mitigation efforts around P2P.

As credit and debit card-issuing financial institutions have learned, the right fraud strategy can reduce losses without sacrificing experience. Today, thanks to a range of democratized technologies and proven analytics techniques, banks are getting better at identifying true fraud in real-time.

Much of this fraud-fighting strength comes from the industry’s mobilization around root causes of payments fraud. Working closely together, the card networks, associations and collaborating banks alert one another when they spot fraud trends. Working backward, they are typically able to identify the source of the data leak, which enables them to take pinpointed, preemptive action more quickly.

With the pace of third-party breaches expected to accelerate, banks must be prepared for a potential wave of identity crimes. P2P payments scams are just one of many that data-rich criminals will use to trick bank customers into handing over their hard-earned money. In the same way criminals leverage third parties for better ROI on their attacks, banks can leverage greater breach intelligence for better ROI on their fraud mitigation strategies.

While educating bank customers on common scams helps, it can only go so far. Scammers pivot their attacks on a dime. Leveraging the industry’s earned data to combat the misuse of stolen data is a powerful tool against run-away fraud. It also may be the answer to maintaining relationships with customers who expect their banks to offer the latest digital banking tools without sacrificing the safety of their money.

Jim Van Dyke is SVP of innovation at Sontiq, a TransUnion company.