The rise of Authorised Push Payment fraud has become a growing concern in the UK; worldwide, APP fraud losses are expected to reach $5.25 billion by 2026. Authorised Push Payment (APP) fraud occurs when individuals or businesses are tricked by fraudsters into transferring a payment to a bank account controlled by the fraudster. The UK's Payment Systems Regulator (PSR) has now issued a Policy Statement intended to help victims of APP fraud and provide the payment industry with clarity about liability. We believe this marks a crucial milestone in the fight against fraudulent payments and the enhancement of customer protection.
While these measures are necessary to protect every online journey and offer relief for victims, they also raise various questions and challenges. For example, how can the PSR’s scheme protect against fraudulent claims and prevent individuals from falsely claiming a fraud that never took place? What happens when these protective rules are themselves targeted for exploitation? Are banks and financial institutions equipped with the tools and knowledge required to handle these challenges?
Join us as we dive into the details of the PSR’s APP fraud reimbursement rules, exploring not only their merits but the potential for misuse and what that implies for banks, customers, and the overall fight against fraud.
Could the PSR regulations lead to more fraud?
A central question that arises from reimbursement fraud is, “How does the PSR’s scheme protect against fraudulent claims and prevent individuals from falsely claiming a fraud that never took place?” Even in such cases, banks and financial institutions must be able to provide evidence using their detection systems. This fraudulent behaviour is known as “first-party fraud”: individuals use their own identity and account to execute fraudulent activities against banks or financial institutions in order to obtain reimbursement funds. This type of fraud adds complexity to the regulations, given how difficult genuine APP fraud scenarios already are to establish.
Technology has now also made it possible for perpetrators to create AI-powered fake identities and claim they have been defrauded. First-party fraud detection and prevention therefore require a comprehensive, multi-layered strategy. This includes rigorous monitoring and analysis of transaction patterns, robust identity verification, and vigilant tracking of unusual activities.
Adoption of technology is slower than regulation
By the end of 2023, the PSR will publish the claim excess and maximum reimbursement levels, offering guidance on the customer standard of caution. The new reimbursement scheme will be in effect by 2024. Despite the rapid development of the PSR’s reimbursement scheme, the financial sector's adoption of technology to foster accountability in APP fraud attacks and claims has been notably slower. This is largely attributable to the significant digital execution gap within organisations. While regulations are adapting quickly to address the threat of fraud, technology implementation within these organisations lags behind. This raises concerns about effectively mitigating fraud and maintaining robust protections for consumers.
Fast payments and transactional monitoring
There has been a historical emphasis on transaction monitoring, which can be traced back to the 1980s. However, modern fraud is no longer solely a case of a falsified transaction. Instead, it is a meticulously planned attack that begins before the transaction even takes place. Fraudsters can compromise an account or a device, or manipulate a victim, in ways that may not trigger alarms under traditional transaction monitoring systems. By the time the transaction occurs, the fraudsters will have set the stage for the attack, making the fraud more difficult to detect and prevent.
Examples of these tactics include Account Takeover (ATO) fraud and Device Takeover (DTO) fraud. ATO occurs when a fraudster takes full control of a legitimate account to use it for malicious purposes. DTO occurs when fraudsters gain unauthorised access to a user’s device through banking malware the user unknowingly installed or through a Remote Access Tool (RAT). Once the device is taken over, attackers can engage in various types of abuse, including credential theft, acquiring 2FA tokens through screen or keystroke capture, or executing a fraudulent transaction.
Banks and financial institutions can benefit from artificial intelligence and machine learning to recognize and address the deficiency in fraud detection for fast payments. The technological advancement of these tools is promising to enable proactive fraud prevention and detect suspicious behaviour before the actual transaction takes place. Despite the complexities, this shift represents an opportunity to create a more secure environment, reducing fraud risks for individuals and organizations.
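To make the point above concrete, here is an added illustration (not ThreatFabric's product code) contrasting a legacy transaction-only rule with a session-level check that looks at the journey leading up to the payment. The event log format, field names and thresholds are constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed session log (hypothetical format), oldest first: (timestamp, event type, attributes).
# It models a DTO journey: unknown device, remote-access tool and screen capture active,
# an SMS OTP entered, a new payee added, then a modest payment to that payee minutes later.
SESSION = [
    ("2024-03-01T09:00:00", "login", {"device_id": "dev-9f3a", "known_device": False}),
    ("2024-03-01T09:00:20", "device_signal", {"remote_access": True, "screen_capture": True}),
    ("2024-03-01T09:01:10", "otp_entered", {"channel": "sms"}),
    ("2024-03-01T09:02:00", "beneficiary_added", {"account": "payee-new"}),
    ("2024-03-01T09:03:30", "payment", {"amount": 450.0, "beneficiary": "payee-new"}),
]


def transaction_only_score(events, amount_threshold=1000.0):
    """Legacy rule: inspect the payment in isolation; everything before it is invisible."""
    reasons = []
    for _, kind, attrs in events:
        if kind == "payment" and attrs["amount"] >= amount_threshold:
            reasons.append("high_value_payment")
    return reasons


def session_score(events, new_payee_window=timedelta(minutes=10)):
    """Session-level rule: collect ATO/DTO indicators that precede the payment."""
    reasons = []
    payee_added_at = {}
    for ts, kind, attrs in events:
        t = datetime.fromisoformat(ts)
        if kind == "login" and not attrs.get("known_device", True):
            reasons.append("login_from_unknown_device")
        elif kind == "device_signal":
            if attrs.get("remote_access"):
                reasons.append("remote_access_tool_active")
            if attrs.get("screen_capture"):
                reasons.append("screen_capture_active")  # OTPs on screen are exposed
        elif kind == "beneficiary_added":
            payee_added_at[attrs["account"]] = t
        elif kind == "payment":
            added = payee_added_at.get(attrs["beneficiary"])
            if added is not None and t - added <= new_payee_window:
                reasons.append("payment_to_just_added_beneficiary")
    return reasons


def should_hold_payment(events, min_indicators=2):
    """Hold the payment for review when enough pre-transaction indicators co-occur."""
    return len(session_score(events)) >= min_indicators
```

On the constructed log the amount-based rule returns nothing, while the session-level rule returns four indicators and recommends holding the payment.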
The digital gap in execution
The regulations concerning APP fraud will require addressing the existing gap in digital execution within financial organisations, for several reasons. First, it establishes accountability, showcasing the organisation’s commitment to combating fraud. Second, it enables the implementation of stronger security measures and advanced technologies that can proactively detect and prevent fraudulent activities, enhancing customer protection and trust. Third, it enables organisations to leverage advanced techniques such as AI and data analytics, which can proactively identify patterns, detect anomalies, and enhance fraud detection capabilities. This helps banks and financial institutions respond proactively to emerging threats, and is crucial for establishing technical accountability and effectively combating fraud cases arising from social engineering techniques.
The implementation of new regulations within the PSR's fraud reimbursement scheme is a positive step forward. However, we acknowledge that there may initially be gaps in enforcement. This is due to the learning curve and the need for understanding and collaboration between banks, financial institutions, and government organisations. It is therefore crucial that we work together to minimize these gaps and note that despite our efforts, certain cases may remain ineligible for reimbursement. Achieving perfect regulation and enforcement in such a complex domain is a challenging task.
Additional challenges for the next phase
Additional challenges we predict will follow the PSR’s new reimbursement scheme include:
- Detection and validation of fraud claims: Banks will require more robust systems to correctly identify and confirm APP fraud cases, especially those involving first-party fraud.
- Increased costs: Victim reimbursement and enhanced fraud measures could raise operational costs for banks, affecting customer fees or stakeholders’ profits.
- Proof and liability: Identifying the liable party in APP fraud, particularly in first-party fraud scenarios, will be complex and challenging.
- Increased fraud attempts: The promise of victim reimbursement may invite more fraud attempts, as potential victims will be less careful about the consequences if reimbursement is guaranteed.
- Potential for abuse: The system might face abuse with false APP fraud claims, leading to increased investigations and costs.
- Regulatory compliance: Banks must update their compliance procedures to match new regulations, leading to increased administrative tasks.
- Customer trust and reputation: While reimbursement can increase customer trust, balancing this with fraud prevention will be crucial to maintain the bank's reputation.
- Customer devices as the battleground: In recent years, the frontline of fraud has shifted to customer devices. Apart from the banking app on the device, the devices themselves are typically outside the circle of influence of banks. This makes it particularly tricky for banks to defend against the sophisticated fraud variants of today.
How to prepare for the next phase
“AI cannot be our saviour if we don’t mitigate the digital execution gap in organisations”.
- Han Sahin, CEO of ThreatFabric
The adoption of powerful AI-driven solutions to combat cyber fraud is prevalent. However, it's important to recognize that these solutions have a substantial learning curve in terms of feature and model development, regardless of the vendor. The deployment of solutions also requires extensive collaboration among different departments, including legal and digital teams.
Given the current situation in the UK, which can be seen as a fraud pandemic, it is crucial to focus on closing the digital execution gap. Implementing AI as a fraud solution within an organization requires approximately a year for deployment, as AI systems require time to learn and differentiate between normal and abnormal behaviours. Rushing this learning process is therefore counterproductive.
To address this digital execution gap, procurement can influence shorter exit clauses in contracts, considering AI models take 1 to 3 months to reach their full potential and provide value. Establishing clear success criteria for AI scoring before onboarding a vendor is also essential. Most importantly, the battle against significant problems with new technology begins by addressing the organization's own digital execution gap. A robust digital delivery process is crucial before inviting any technology vendor to help.
One advantage AI-driven solutions have is the ease of judging scoring metrics. However, it's important to acknowledge that evaluating AI-driven technology requires a different approach and takes time. Since introducing new technology also introduces new risks, organizations should have pentest reports ready for every release and establish a secure coding and code delivery pipeline that can be validated by procurement.
- Organizations should create a cyber fusion team where all decisions are made with a democratic voting system, consisting of:
  - Legal Officer
  - Privacy Officer
  - Digital IT team Product Owner
  - Fraud/Risk Compliance Manager
- Organizations should establish a shared objective and allocate a dedicated budget to ensure the protection of the customer experience and address any gaps in detection.
- Organizations should allocate at least two technical resources per year specifically dedicated to new technology in sprint planning. These resources can be utilized by fusion teams whenever issues or challenges arise.
The PSR's latest reimbursement scheme represents a significant advancement in safeguarding UK victims of Authorised Push Payment (APP) fraud. By providing financial assistance and enforcing accountability on banks and payment services, it takes a crucial step towards protecting individuals. Effectively combating APP fraud will require a proactive approach that integrates cutting-edge techniques and resources for preventing and detecting fraudulent activities. Examples include multi-factor authentication, transaction monitoring, AI behavioural analysis, advanced device fingerprinting, parallel app monitoring, customer education and collaboration.
This multifaceted approach can help banks and institutions build a strong defence against APP fraud to prevent financial losses and reputational harm. In turn, it creates a safer digital banking environment, protects customers, and enhances trust in the financial ecosystem. We hope the PSR’s new scheme will encourage organisations to adopt similar measures worldwide. Ultimately, the best message to victims will be that the crime can no longer take place.
Prevent APP Fraud in your organization
ThreatFabric has developed an adaptive detection method to help you stay in control of modern APP fraud and banking malware attacks. Our Fraud Risk Suite is designed to minimize your fraud losses and provide peace of mind. By attending a personal session, you can learn:
- How modern fraudsters combine Remote Access Tools (RATs) and banking malware with classic APP Fraud techniques.
- How you can extend the visibility of your existing detection solutions.
- How ThreatFabric’s Fraud Risk Suite will help you stay away from the classic cat & mouse game with fraudsters.
Are you ready to protect yourself and your customers against APP fraud?
Contact ThreatFabric to learn more.