Voice of the Industry

How can Open Banking prevent online payments fraud? Lessons from Volt

Tuesday 16 November 2021 09:06 CET | Editor: Oana Ifrim | Voice of the industry

Steffen Vollert from Volt provides an extensive analysis of how the online payment fraud space is evolving, as well as how Open Banking can tackle online payments fraud

It’s no secret that card fraud remains an enormous problem. In 2019, almost half (48%) of all frauds in the UK involved debit or credit cards – with losses totalling more than GBP 620 million.

Granted, progress is being made. The UK reduced year-on-year card fraud by GBP 46 million in 2020, while Europe as a whole saw a EUR 62 million reduction. Credit must go to the banks for improving their fraud defences, but a lot more needs to be done.

Take, for example, Open Banking payments. In 2021, according to recent Juniper Research, the value of global Open Banking-powered payments will total almost USD 4 billion. By 2026, they’ll be worth more than USD 116 billion, which equates to a growth rate of over 2,800%.

In other words, more people will start paying for things using their bank accounts – and fast. Indeed, the same research predicts that Open Banking payments “threaten to end card dominance”. From a fraud perspective, this begs the question: what will the impact be on banks’ fraud prevention and mitigation processes?

In theory, banks have less to worry about. Compared to card transactions, Open Banking payments – which use encryption and tokens, and which require customers to authorise payments via their bank using 2FA – are inherently more secure. Bank accounts, unlike cards, can’t be stolen or skimmed.

But while Open Banking payments don’t create new fraud risks per se, they do pose new opportunities for fraudsters. Bank transfers and IBANs are not, for example, governed by an explicit rule framework – unlike PCI DSS for card payments. PSD1 and 2, alongside GDPR, provide orientation on how to handle security needs, though in reality IBANs are treated with less caution.

If you’re making a donation or, say, paying a sports club, a Google search can throw up the IBAN you need. With the growth of Open Banking, we expect more IBAN data sets to be distributed. These may become publicly available. This has potential fraud implications for not only PSD2-enabled payment initiation services (PIS), but for direct debits which do not require an explicit 2FA authorisation.

In the PSD2 realm, another more immediate threat is the increasing prevalence of account takeovers. At the other end of the value chain, banks’ own PSD2 implementations for PIS can be targeted. We saw a stark example of this in October, when millions of pounds were stolen from Barclays accounts – by a fraudster using a Monzo account and a PISP.

What this laid bare is that banks’ fraud prevention systems, despite their incremental improvements, are under-engineered for Open Banking and the data requirements according to PSD2. There is an asymmetric distribution of available shopper data – making banks less likely to cope with specific fraud attack types.

This issue is amplified when you consider the operational inhomogeneity of the European banking landscape. While UK banks, and some in the Nordic region, have made strides, those in France, Germany and Poland have suffered setbacks. Fraudsters there are succeeding.

Even when banks’ systems do work, problems can and do arise. Merchants may find that they’re blocked in the event of a fraud attack, with no explanation as to why. But should we really blame the banks? TPPs should live up to their responsibilities, whether they’re prescribed by regulators or not. Open Banking is a ‘network of trust’ – all participants have a shared responsibility to instill confidence in the system by proactively securing it.

The regulators, for their part, introduced Strong Customer Authentication (SCA) as a requirement under PSD2. What it adds in security, however, it takes away in experience. Customers don’t want more friction at the checkout via a push notification or text message.

This disruption can be quantified – in 2020, payments consultancy CMSPI predicted that SCA would amount to EUR 108 billion in lost sales. Ironically, card fraud in Europe – which SCA is designed to prevent – totalled EUR 0.94 billion in 2018. That’s 115 times less than the cost of lost sales.

What’s needed instead is a solution that a) is fit for purpose, for everyone, b) puts merchants in control with real-time transaction monitoring, and c) reflects the shift away from cards to account-to-account payments. Instead of waiting for regulators or banks to come up with it, innovators should strive for real-time infrastructure. This is what’s needed to get the whole industry fit for the real-time challenge racing towards it.

We as TPPs need to build solutions, and explore other ventures in the space we occupy, to deal with the real-time character of account-to-account payments. Sentinels’ anti-money laundering tools, which are designed for this new reality, are one example.

At Volt, we’ve just launched Circuit Breaker – the first fraud prevention solution developed exclusively for the Open Banking space. It has two core functionalities: first, its flexible rule system, which applies a score to each payment received.

This score is based on rules like volume of transactions, number of initiated transactions, and transaction amount. If the additive score triggered by these rules reaches a certain threshold, the transaction is blocked and the fraud attack prevented.

Second, Circuit Breaker enables merchants to create blocklists of confirmed fraudsters based on set criteria such as the bank they’re paying from, their device fingerprint, and their email address.

By filtering transactions ‘at the gate’ before they’re sent to the bank, and blocking those it understands to be fraudulent, Circuit Breaker acts as a surgical tool. In doing so, it addresses issues with banks and clearing mechanisms and overcomes the operational inhomogeneity I mentioned earlier.
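The two functions described above, additive rule scoring against a threshold and a merchant blocklist checked before the payment reaches the bank, can be sketched as follows. This is an added example, not Volt's code: the class and function names, rule weights, limits, time window and threshold are all assumptions, and the payments are constructed sample data.

```python
from dataclasses import dataclass

# Weights, limits and the threshold are assumed values for illustration;
# the article does not publish Circuit Breaker's actual settings.
BLOCK_THRESHOLD, WINDOW_SECONDS = 100, 3600

@dataclass(frozen=True)
class Payment:
    ts: int          # epoch seconds
    email: str
    bank: str
    device_fp: str
    amount: float

class Gate:
    def __init__(self, blocklist):
        self.blocklist = blocklist  # field name -> set of blocked values
        self.history = []           # every initiation seen, blocked or not

    def score(self, p):
        recent = [h for h in self.history
                  if 0 <= p.ts - h.ts <= WINDOW_SECONDS
                  and (h.device_fp == p.device_fp or h.email == p.email)]
        hits = []
        if len(recent) >= 3:                                 # number of initiations
            hits.append(("initiations", 40))
        if sum(h.amount for h in recent) + p.amount > 2000:  # volume in window
            hits.append(("volume", 40))
        if p.amount > 1000:                                  # transaction amount
            hits.append(("amount", 30))
        return sum(w for _, w in hits), [name for name, _ in hits]

    def decide(self, p):
        keys = {"email": p.email.lower(), "bank": p.bank, "device_fp": p.device_fp}
        listed = [f for f, v in keys.items() if v in self.blocklist.get(f, ())]
        total, rules = self.score(p)
        self.history.append(p)
        if listed:
            return "block", "blocklist:" + ",".join(listed)
        if total >= BLOCK_THRESHOLD:
            return "block", "score=%d:%s" % (total, "+".join(rules))
        return "allow", "score=%d" % total

def run_demo():
    gate = Gate({"email": {"mule@example.test"}})
    a = ("a@example.test", "bank-a", "dev1")  # constructed payer details
    stream = [Payment(0, *a, 50), Payment(60, *a, 900), Payment(120, *a, 900),
              Payment(180, *a, 1200), Payment(200, "b@example.test", "bank-b", "dev2", 1500),
              Payment(240, "Mule@example.test", "bank-c", "dev3", 10)]
    return [gate.decide(p) for p in stream]
```

In the sample stream no single rule reaches the threshold: the lone 1,500 payment is allowed with a score of 30, while the fourth payment from the same device trips all three rules at once and is blocked. Returning the reason with each verdict gives the merchant the explanation for a block.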

We believe it’s not just the intelligent solution Open Banking needed, but the biggest indicator yet that Open Banking itself, if furthered in the right direction, is the key to dramatically lessening the impact of online payments fraud.

About Steffen Vollert 

Steffen Vollert is the Co-founder and Chief Technology Officer at Volt, a technology developer and product innovator with a focus on new-generation real-time payments infrastructure and Open Banking.

About Volt

Founded in 2019, Volt is building the infrastructure for global instant payments. Today, its open payments gateway allows merchants and PSPs to process transactions securely between accounts held at more than 5,000 banks in the UK, the EU and Brazil. Volt’s unique aggregation model provides unrivalled open payments reach and maximises the speed, security and resilience of transactions.