A foundation built for FAST
A secure foundation is a key component of any holistic real-time strategy. The UK experience with real-time payments provides a valuable lesson in terms of understanding the dynamics between real-time payments and fraud. When UK Faster Payments launched there was no industry awareness around the new kinds of fraud that could potentially be deployed against banks and their customers. Unfortunately, the fraudsters knew exactly where the opportunities lay. And today’s fraudsters are well versed in banking regulations, and they are aware of how they can exploit the system.
The fact that real-time payments are irrefutable, and that money can be shifted in a series of subsequent real-time (and also irrefutable) payments, means that money appropriated by fraudulent means quickly becomes untraceable. However, the industry has responded well, and the fraud rate for traditional push payments made in real-time is now lower than credit cards (0.007% for UKFP in 2013, compared to 0.063% for cards).
But fraudsters never rest for long, and the UK has seen the rise of a new kind of interception fraud. Criminals are utilizing details gleaned from social media, physical mail and web scrapes to insert themselves into conversations in such a way that it doesn’t appear suspicious or unexpected. They falsify communications from a known service supplier, such as a builder, and provide fraudulent account details to direct payments to their accounts, rather than to the genuine supplier. This is possible because the UK Faster Payments scheme doesn’t check recipient details as they’re entered into a transaction request; it only verifies the formatting of the account number and sort code. That said, the implementation of proxies alongside payee confirmation will serve to curb this trend when it goes live in 2018.
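The gap described above, as an added example (not from the original article and not the scheme's own logic): a format-only check accepts any well-formed sort code and account number, while a payee-confirmation step compares the name the payer typed with the account holder on record. The account directory, function names, outcome labels and the 0.8 similarity threshold are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed directory standing in for the receiving bank's records.
# Sort codes, account numbers and names are placeholders, not real accounts.
ACCOUNTS = {
    ("000001", "00000011"): "Harlow Building Services Ltd",  # genuine supplier
    ("000002", "00000022"): "J Mercer",                      # account in a spoofed invoice
}

def format_ok(sort_code: str, account_number: str) -> bool:
    """Format-only check: six-digit sort code and eight-digit account number."""
    return bool(re.fullmatch(r"\d{6}", sort_code.replace("-", ""))
                and re.fullmatch(r"\d{8}", account_number))

def _norm(name: str) -> str:
    """Lower-case, drop punctuation and company suffixes, collapse spaces."""
    name = re.sub(r"[^a-z0-9 ]", "", name.lower())
    name = re.sub(r"\b(ltd|limited)\b", "", name)
    return " ".join(name.split())

def confirm_payee(sort_code, account_number, claimed_name, close=0.8):
    """Hypothetical payee check returning one of:
    invalid_format, unknown_account, match, close_match, no_match."""
    sort_code = sort_code.replace("-", "")
    if not format_ok(sort_code, account_number):
        return "invalid_format"
    holder = ACCOUNTS.get((sort_code, account_number))
    if holder is None:
        return "unknown_account"
    claimed, actual = _norm(claimed_name), _norm(holder)
    if claimed == actual:
        return "match"
    ratio = SequenceMatcher(None, claimed, actual).ratio()
    return "close_match" if ratio >= close else "no_match"

if __name__ == "__main__":
    # The spoofed invoice names the builder but carries another account.
    print(format_ok("00-00-02", "00000022"))
    print(confirm_payee("00-00-02", "00000022", "Harlow Building Services Ltd"))
```

The format check passes for the substituted account details; only the name comparison flags that the account does not belong to the supplier the payer believes they are paying.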
Additional services that identify the payee obviously improve the current situation, but that’s only one side of identity. New real-time schemes such as The Clearing House’s RTP are being launched with these services as default, alongside the new Request to Pay (RtP) function.
‘Request to Pay’ and digital transformation
With RtP, users will present themselves via biometrics, NFC checks with a smart device at POS, identity and loyalty cards, to correctly route an RtP notification to their device. In this scenario, individual identity becomes even more important. There are a wide range of public bodies, charities and think tanks working on the best way to store that digital identity, including looking at technologies such as blockchain.
As such, banks are presented with interesting challenges around customer data security and management. The UK Faster Payments service will hold some basic details that link to the bank account; however, ownership of that data is likely to still sit with the bank. Under the General Data Protection Regulation (GDPR), banks will face new obligations around the new data needed to enable RtP for immediate payments, and the potential fines for breaches of regulations are not insubstantial.
Some governments are looking at broader schemes to store digital identity for banking, for example within blockchain-based national identity. This becomes a much trickier conversation, however, when we consider consumer (and citizen) rights. How banks manage the transition period between proprietary and national repositories will depend on how well they prepare their bank for digital transformation overall.
Part of that transformation will be helping customers navigate the New Payments Ecosystem, though this isn’t about expecting the customer to understand the technology behind these new services. If we do our jobs well, we will create seamless customer experiences where the technology fades into the background. But at the same time, we must protect customers from the more complex fraud threats that accompany real-time and open payments. And part of that is teaching them how to protect themselves.
Customer protection and education
Younger digital natives are typically less concerned than their older cohorts when it comes to digital identities. Many don’t understand that in the age of ubiquitous internet it’s relatively simple for fraudsters to source personal details if you aren’t careful about your sharing practices. According to recent research, those in their 20s “are more likely than pensioners to be targeted by fraudsters for the first time, because they don’t bother to check their bank statements”. And many Gen Yers (and close behind them Gen Zers) also tend to be financially naïve, not cognizant of the fact that their identity is more valuable than the ‘hard’ cash in their account. Some banks have been launching major consumer awareness campaigns, but as we move to a full real-time system, there must be a push for more industry-driven consumer education.
On a more positive note, consumers are open to this education, because they still trust their banks to deliver significant financial services. This is how it should be; the regulatory pressure is on banks to ensure they secure customers’ money and data properly. Would you trust a lightly regulated fintech to do the same? The opportunity for fintechs in the long run is to be ‘backed’ by a bank that has done its due diligence, especially when the payments ecosystem reaches full real-time. There’s a lot of discussion around how Open APIs will let fintechs onto the banks’ playing field, but up until now that playing field hasn’t been level. The incumbents will soon be able to offer real-time all the time, including an accurate real-time balance, and this combined with the inherent trust in these major providers will be a potential springboard for banks that take advantage of the momentum.
True real-time and open banking should not only act as an equalizer for established banks and new market entrants, but also for the consumers who are challenged by today’s legacy banking environment. Many customers struggle to manage their budgets in the partially-digital world, where they have a lack of control. The combination of real-time rails with Open API-enabled services, such as Request to Pay, is going to place the power and control back with the people.