The U.K.’s major banks are urging regulators to allow for greater flexibility in processing high-risk transactions, in a bid to tackle ever-rising levels of financial crime.
The latest version of the Payments Systems Regulations requires all payments service providers (PSPs) to make a payment when the customer has authorized it, with an expectation that this will be completed within two hours. Not doing so is seen as a regulatory failing, and banks which slow down or block any payment — even to carry out further investigations — are currently at risk of liability to the Financial Ombudsman Service.
But with fraud losses increasing every year, banks are calling for the regulations to be adapted to offer more legal protection for PSPs who opt to slow down payments in cases of suspicious activity.
According to U.K. Finance’s latest figures, the volume of authorized push payment (APP) scams currently equates to 2.9 pence for every £100 going through the payments system, adding up to a total of £145 million in the first half of 2018 alone. At a Treasury Select Committee hearing this month, banking representatives argued that having greater regulatory freedom to investigate and then block suspicious payments could drastically reduce APP fraud losses.
“The legal framework and regulatory framework rightly ensures that consumers and businesses can make financial transactions with speed,” said Katy Worobec, U.K. Finance’s managing director of economic crime. “Unfortunately, this rapid pace of payments can be exploited by fraudsters to move stolen funds quickly. The finance industry is working with the government and regulators to ensure banks have the right tools to fight economic crime by being able to more easily slow and even freeze payments where there are concerns.”
Because of market pressures from emerging fintechs and new PSD2 regulations on authentication, banks have steadily reduced the number of verification steps required when making a transaction, as part of their efforts to limit the friction experienced by the customer. In the last two years they have also implemented more sophisticated authentication measures based on behavioral biometrics, with software invisibly verifying the customer by using data on how they interact with the website, such as by their mouse movements.
But when biometric data suggests that the behavioral patterns surrounding a transaction are unusual, banks are not always able to halt the payment and investigate further, due to the need to comply with PSRs on payment speed. Leading anti-fraud experts say this is contributing heavily to fraud losses.
“There are many subtle differences that can identify that a specific payment is going to be a bad payment, and it should be moved to a special process where extra authentication is required,” said Uri Rivner, chief cyber officer at BioCatch, which has been working with U.K. banks in implementing behavioral biometrics.
“But unless you’re able to slow down the payment to do so, there’s no way to defend the user," Rivner said. "It’s crucial to have regulations that allow a certain portion of the activity to be reviewed rather than released, otherwise you end up trying to chase the transfer after it has left the bank, and by then it’s too late. Fraudsters are very quick in taking the money and then funnelling it away from that destination.”
In addition, banks say that having greater regulatory leeway to slow down suspicious payments could help prevent financial crime in other ways, most notably in the tracking of fraudulent activity. This could potentially prevent repeat attacks against other financial institutions.
“Being able to investigate suspicious payments and their intended destination enables banks to understand the patterns of behavior of criminals,” Rivner said. “If the bank can track the attempted transaction immediately, they have a lot of clues. The destination account could be being used to attack other banks, so they want to analyze and share that information as quickly as possible. But I imagine that once all these reasonable explanations are brought in front of the regulators, they will be able to find a common ground which allows banks to protect their users, while also giving them a smooth customer experience.”
