Banks let customers down with mixed approaches to security

Banks and other financial institutions are letting their customers down when it comes to protecting them from, and reimbursing them for, fraud and need to do more to protect people who have been exposed to economic crime, according to a newly published Treasury Committee report.

With more than £600m stolen from UK consumers in the first six months of 2019 alone, economic crime is becoming an increasingly serious problem, with the two most prevalent types being authorised push payments (APP) – where genuine customers process payments to a criminal-controlled account – and unauthorised fraud, where genuine customers do not provide authorisation for payments to proceed and the transaction is carried out by a third party.

Incoming Confirmation of Payee (CoP) regulations, set to be introduced in March 2020, should do much to combat fraud, said the report. CoP provides for payment initiators to give the payee’s name, account number and sort code to be cross-referenced and confirmed with the receiving bank – at present the name is not confirmed, and the report branded this a “serious failure”, urging regulators to consider sanctioning firms that miss the March deadline.

The committee also called for the voluntary Contingent Reimbursement Model – which sets out how signatories should reimburse money lost to consumers via APP fraud – to be made both compulsory and backdated to 2016. It also said the regulator should establish a definition for the term “grossly negligent” to provide consistency on whether or not consumers are reimbursed.

“The Treasury Committee’s report examines the scale of economic crime faced by consumers, ways that financial firms are combating economic crime, how economic crime is investigated, and consumers’ rights and responsibilities,” said Labour’s Rushanara Ali, lead MP on the Treasury Committee’s inquiry.

“To ensure that consumers are protected, it should now be compulsory for financial firms to reimburse money lost to victims of authorised push payment fraud, and they should consider doing so retrospectively. There should also be a mandatory 24-hour delay on all first-time payments, allowing consumers time to consider the risk that they are being defrauded.”

Ali added: “The government and regulators should take on board all of the committee’s recommendations to enhance consumer protection in the face of this harmful tide of criminal activity.”

Daniel Cohen, director of fraud and risk intelligence at RSA Security, welcomed a much-needed investigation into economic crime and fraud in the UK.

“It’s plain to see that the digital transformation of finance is well under way,” he said. “From one-click payment buttons to mobile apps from our favourite retailers, spending our money has never been easier, and yet this transformation is a double-edged sword – while digital has improved customer experience, it also introduces new risks that financial firms need to manage.

“As the number of touchpoints that consumers can access financial services through has increased dramatically, financial fraudsters have even more avenues to take advantage of and greater transaction volumes to hide fraudulent payments within.”

Cohen added: “Fraudsters will constantly seek out weak points, so to keep pace with evolving fraud tactics, financial firms need to take a layered approach to proactively manage the risk of fraud across all channels. This will help them embrace the opportunities that come with digital transformation while maintaining confidence in their ability to detect and respond to fraud, protecting both themselves and their customers.”

A recent RSA report found that globally, the number of financial fraud attacks detected in the first six months of 2019 was 63% higher than in the last six months of 2018, and over the same period, there was an 80% rise in attacks that involved the introduction of financial malware to the victim’s system.

RSA’s report also highlighted that nearly 50% of card-not-present transactions resulted from mobile banking channels, and fraud attacks originating from fake banking applications nearly trebled.

The committee report made a number of other recommendations that may help to reduce banking fraud. These include a mandatory 24-hour cooling-off period on all first-time payments between accounts, giving consumers time to consider whether they are being defrauded; new measures to crack down on money mules, where victims, often young people and students, are persuaded to hand over their login details to fraudsters seeking to evade the checking procedures needed to open a bank account; new regulations to force banks to be more transparent on derisking, where they end relationships with high-risk customers, to give high-risk individuals the best possible chance of keeping access to online financial services; and new guidelines on how fraud should be reported, by both banks and consumers, to give law enforcement a better change to tackle it.