Liability and fraud with APP or instant payments

David Liu, SVP of Fraud & Risk at Trulioo, examines the structure of incentives, controls, and fraud for real time payments.

We continue our Real-Time Payments Fraud Series by focusing on liabilities and incentives in real-time payments. In our previous edition, Anis Ahmed, founder and host of The Fraud Fellas, shared his insights on the benefits and risks of real-time payments fraud. He emphasised that balancing innovation with consumer protection demands a collaborative, multi-layered approach—one that includes robust security frameworks, regulatory alignment, and the use of industry-wide intelligence networks and digital identity systems.

Advancements in technology (from delayed pull payments to real-time push payments) and increased cooperation between institutions have led to a rise in instant payments.

• Incentives for sending institutions: When real-time payment systems are implemented, liability typically falls on the sending institution or the individual making the payment. In some cases, the receiving institution shares liability if the recipient's account is relatively new. This model is beneficial because the sending institution has the most control and the best access to the necessary information to authenticate transactions.

• Stronger controls: Regulations require institutions to implement robust controls to initiate these transactions. New technologies (such as passkeys, WebAuthN, and mobile app-based authentication) make account takeover harder for fraudsters. Institutions can also verify account ownership or assess risks through Open Banking or consortia-based checks, or by verifying the ownership of phone numbers or email addresses when those serve as the transaction's identifiers.

These improvements make it much harder for fraudsters to attack the system. However, as a result, we're seeing a rise in first-party fraud and scams, which represent a rising challenge. While it’s a positive development that fraud attacks are becoming harder to execute, the challenge now lies in handling this growing type of fraud.

A fundamental rule in fraud management is that the entity with the best ability to authenticate ‘should’ bear liability. For example, in push transactions (where funds are sent from the sender), the sending institution generally holds responsibility, while in pull transactions (where the receiver initiates the payment), the pulling institution is liable.

This same principle would suggest that consumers should be liable when it is a scam. In some places, this is the case, but often because of regulation & public sentiment, the liability is pushed on to the sending institution (or split with the receiving institution in some cases). However, this raises concerns. For instance, if someone like ‘David Liu’ is wrongly flagged as a fraudster, could they be unjustly excluded from the financial system? Alternatively, if there is a reluctance to label scams, could fraudsters exploit this to make false claims for large sums of money?

We are just swapping which populations are marginalised. In the future, marginalisation may shift from victims of fraud to those with poor reputations in the payment system. While most people will experience a slightly worse experience, some may be unfairly excluded from the payment ecosystem.

For example:

1. Fraudster creates a new account in the name of the victim (there is often the verification of a name match on the receiving bank account / phone # / email).

2. Fraudster tricks / coerces a victim into sending money to ‘their own’ account. Or, even if the victim doesn’t think this is their account, the sending institution does.

To make this real - a friend recently told me an example where a fraudster signed up for Zelle using the same phone # as the victim, but a different bank account. It really looked like someone was sending money to themselves when using Zelle. Fraudsters are tricky!

We’ll find that when institutions lack strong controls, fraudsters can create multiple fake accounts, increasing the likelihood of successful fraud attempts. This has led to the adoption of more rigorous identity verification processes, such as using Document Verification during onboarding.

It’s hard to tell the difference between scams and first-party fraud.  And even if you can tell the difference, what do you do?

One typical answer for scam prevention:

• Let’s assume there are strong account takeover controls - you know the person doing this is the person who opened this account.

• Detection based on a rule / model-based system to detect instances where scams might be likely, using things like

 - New recipient

 - Higher $ amount

 - Unusual behavioural biometrics

 - Out of the pattern in other ways.

• Then you challenge:  

 - Dialogue with the sender. Traditionally this is a phone call …

 - ‘Are you on the phone with someone?’, ‘Are you sending this to someone where you initiated the transaction?’, Etc.

However, … if you didn’t challenge someone who claims there was a scam, or if you are operating in a regime where that doesn’t shift liability … then you’re probably on the hook.

And how do you mitigate this residual first-party fraud risk? This is tough and depends a lot on the industry, customer lifetime value, and the availability of data.

• Ultimately first-party fraud is often a reputation question. ‘Does David have good intent’ is hard to answer. This usually turns into ‘is David Reputable’.  

• Credit bureaus and consortia will be helpful, and models and data can help us be a bit more targeted.  

• Then we ask, can we limit functionality, and tier up trust over time as there are more good transactions?

To end on a positive note, there are a wealth of new solutions appearing to proactively make it more difficult to commit these kinds of crimes. For scams - things like monitoring text messages, social media posts, and website impersonation, and also tools to detect them. Similarly, there is a wealth of new solutions & consortia to address first-party fraud. One thing that would be helpful and likely happen over time is an evolution in regulations and rulings in the handling of first-party fraud.

Please feel free to reach out to me with your thoughts as we all work together to improve how we handle these challenges.

Tomorrow, December 10th, David Mattei, Strategic Advisor at Datos Insights, will share insights on real-time payments in the United States—covering growth, opportunities, and challenges.

About David Liu

David Liu is SVP of Fraud & Risk at Trulioo, the world's Identity platform, trusted by leading companies for their verification and fraud prevention needs. David has been working in fraud prevention for almost 20 years, both as a front-line fraud fighter, a consultant, and a solution provider.

About Trulioo

Trulioo is the world’s identity platform, trusted by leading companies for their verification and fraud prevention needs. Offering business and person verification across the globe, Trulioo covers 195 countries.  Combining its state-of-the-art technology with expertise across diverse markets, Trulioo enables the highest verification assurance levels, optimizing onboarding costs and fostering trust in the global digital economy.