Rising Scams Shift Liability Regime for Authorised Push Payments (APP) Fraud


The global surge in Authorized Push Payment (APP) fraud and the emergence of contingent liability models have heightened the risks to the reputations and brands of financial institutions. This situation calls for an urgent and coordinated response from executives in the banking and payment systems sectors. Banks that effectively address this issue stand to differentiate themselves and attract and retain loyal customers.

 

1. APP Fraud Outpacing Industry Response

The global adoption of bank-to-bank transfers and Authorized Push Payments (APP) has mirrored the speed and efficiency we've seen in the card industry, which has grown almost unchallenged for five decades. However, the rise of APP fraud is outstripping the industry's response. Markets like the UK, Singapore, Europe, New Zealand, and Australia are struggling to keep pace with escalating APP fraud. The UK has taken significant steps with its Confirmation of Payee (CoP) system to mitigate fraud, but further action is needed to combat increasingly sophisticated fraudsters. Concerns also exist about the burdens placed on financial institutions to implement and maintain these systems. Australia's "Scam-Safe Accord" is a collaborative effort between banks and consumer banking associations to combat scams, but it is still in its early stages, raising questions about its immediate effectiveness. Singapore, while highly proactive in public education and collaboration between the banking and telecommunication sectors, has not yet adopted name checking and payee confirmation solutions. Its response to increasing scams, such as adding friction to payments (e.g. blocking funds and increasing limits), risks undermining the benefits of its instant payment system advancements like PayNow and FAST. These examples underscore the global need for more robust and universally adopted strategies to combat the growing prevalence of APP fraud and scams.

 

2. Liability Regime Shift creates new challenges for payment firms

Currently, there's a paradigm shift in liability regimes for credit transfers (authorized push payments), similar to the mature practices in the card industry where issuers protect customers from unauthorized payments.




This shift acknowledges that customers (payers) alone should not bear the full burden of scam fraud losses. Contingent liability and reimbursement models define the circumstances under which financial institutions may be held liable for reimbursement. In the UK, a Contingent Reimbursement Model (CRM) was introduced in 2019. Although initially voluntary, it has led to the reimbursement of hundreds of millions of pounds to UK consumers. The UK has since moved to introduce regulation mandating reimbursement in most cases. To fulfil their responsibilities to customers, financial institutions are adopting increasingly sophisticated methods to protect their clients and themselves from growing liability risks. The UK’s CoP service, for example, helps customers verify if the beneficiary of their payment is the intended recipient through name and account number matching, often supplemented with other fraud detection measures.

 

Other markets are developing their own responses. Australia’s recent Scam-Safe Accord (established in November 2023) requires banks to implement additional measures like name matching for APP. The industry has committed AUD 100 million to develop a nationwide CoP system. This is complemented by significant investments in new account-opening verification processes, scam intelligence sharing, and other initiatives. This multifaceted approach underscores that no single tool can effectively combat scams.

 

In Singapore, the Monetary Authority of Singapore (MAS) and the Infocomm Media Development Authority (IMDA) have introduced the “Shared Responsibility Framework” (SRF), imposing anti-scam obligations on banks and telecommunication companies. This framework adopts a "waterfall approach" to liability, with banks as the first line of defence, followed by telcos. Consumers are liable for fraud losses only if the institutions meet their obligations and the scam still occurs. Singapore is yet to publicly consider national CoP schemes or solutions, which in our view is a major opportunity for the Singapore industry to further stifle scam activity.

 

In Hong Kong, the Hong Kong Monetary Authority (HKMA) has mandated enhanced measures for real-time fund transfers to reduce the risk of erroneous transactions. These measures include a mandatory name matching process by payee institutions for transactions of HK$10,000 or above.

 

The European Union (EU) is in the final stages of ratifying a pan-European CoP requirement. This regulation will mandate institutions to provide account name and number match outcomes to payees, necessitating significant technological investments across the financial sector. The regulation introduces a liability shift, making financial institutions accountable for compensating payers if they fail to fulfil their obligations. Payers' financial institutions must disclose the account name check across all channels, while payees' financial institutions are required to uphold strong internal processes for payee data quality and provide a name check capability. The EU's regulatory developments often influence global markets, particularly in cross-border payments, and we might expect to see other markets imitate some of the European methodology.

 

The emergence of these accords, frameworks, codes, and regulations worldwide indicates a significant shift towards a more accountable and collaborative fraud management framework. This transition will certainly increase the responsibilities of financial institutions and telcos. Regardless of where the liability line between consumer and institution falls, it is clearly in the institution's interest to stay ahead of this line for better brand, reputation, and customer outcomes.

 

3. The shifting liability environment creates opportunities for differentiation


The evolving liability landscape presents several implications for financial institutions:

Brand and Reputation Risks Are Increasing: Banks that are slow to adapt to the new liability landscape risk damaging their reputation. To maintain consumer trust, proactive communication and enhanced security measures are essential. FIs must abandon any remaining "not my problem" posture and adopt a customer-centric approach when addressing the complexity of scams. Banks might consider reimbursing customers ahead of legal requirements and establishing a more customer-friendly liability line.

Customer Experience and payment efficiency can be maintained: Adding fraud prevention measures can increase friction in the customer experience. For instance, Singaporean banks are slowing down payment speeds and imposing limits on withdrawals, particularly for higher-risk customer segments (Singapore has an ageing population). Some banks are introducing "money-lock" features. At iPiD, we advocate for reducing friction in payments, preserving the efficiencies of instant payment systems and 24-7 digital payment access. Implementing effective scam abatement solutions like account checking and validation should allow payments to proceed swiftly, with higher limits and minimal additional customer friction, all qualities of a leading global financial centre.

Investment in Anti-Scam Technology Is Essential: Transaction monitoring and behavioural analytics solutions are established layers of fraud detection used by the payers' financial institutions. Intelligence regarding the payees' accounts, however, has traditionally been a blind spot, and advancements in technology and regulation are now addressing this gap. The widespread adoption of "confirmation of payee" and name matching solutions, as seen in the UK, is becoming increasingly crucial. For example, the Commonwealth Bank in Australia has introduced powerful capabilities like NameCheck.

The trend towards more liability placed on the financial institutions of the payees is also incentivizing those institutions to implement inbound transaction monitoring and tighten their mule account detection capabilities.

Beyond the necessary name-checking, we’re also seeing growing interest in collaborative approaches, led by payment market infrastructures, that use “observed data” such as historical payment velocity patterns, account tenure (age of account) and other flexible fraud “signal” information, as exemplified by the Fraud Pattern and Anomaly Detection (FPAD) solution developed by EBA Clearing.

Cross-Border Payments will become the Next Frontier for Scammers: Tightening domestic security environments may shift scam activities to cross-border transactions.
As a recent report from NICE Actimize noted, “the traditional nature of international payments (high value, but lower volumes) makes any increase in attempted fraud volume within this channel particularly concerning. The attempted fraud rate for international payments increased 31% in H1 2023.”

In highly internationalised environments like Singapore, scams originating in various parts of Asia are already targeting Singaporean citizens. Expect to see more of this internationalisation of scams in markets like Hong Kong, and also in cross-border trade settlements, where invoice fraud targeting small-to-medium businesses is growing.

 

4. Solutions Exist

 

Implementing robust name matching algorithms helps verify payee identities, reducing the likelihood of fraudulent transactions. Validate by iPiD is an advanced API solution that integrates with existing payment systems to ensure secure and accurate transactions. It verifies payee identities and bank details in real-time, enhancing transaction reliability. This tool maximizes operational efficiency, reduces errors, and improves customer experience, offering customisation for specific needs. Designed with a strong focus on data security and compliance, Validate by iPiD is a comprehensive solution that bolsters security and efficiency in digital financial transactions.


5. A Call to Action

The rising threat of APP fraud highlights the need for immediate and decisive action from financial institutions worldwide. Standardizing measures, particularly in technology adoption and understanding the new liability norm, will enhance international cooperation, protect consumers, and strengthen the integrity of financial systems. Financial leaders must unite in their efforts, leveraging technology and collaboration to stay ahead of evolving fraud tactics and maintain customer trust.

 


-------------

About iPiD

iPiD is a fast-growing, venture-backed fintech start-up that was founded in late 2021 by a global team who have held senior roles at major payments and technology companies, including SWIFT and Thomson Reuters. In addition to our HQ in Singapore, our global team has representatives in India, Belgium, Malaysia, Netherlands, UAE, Spain, and Vietnam.

iPiD’s vision is to make cross-border payments easy, secure, and seamless. We achieve this by partnering with financial services providers (banks, payment systems, payment fintechs, wallets…) to deliver an addressing data platform that helps the payment industry to provide a more efficient and user-friendly payment journey. iPiD is built for all – we do not replace banks, payment fintechs, wallets or remittance companies; nor do we replace existing payment rails. Our Advisory Board includes senior figures from across the industry: Christian Sarafidis, Microsoft Chief Business Development Officer WWFSI; Kosta Peric, Deputy Director, Financial Services for the Poor, the Bill & Melinda Gates Foundation; and Nick Lewins, former banking Chief Technology Officer and now an advisor in data and AI, cloud technology and digital transformation.
