How a PSP uses technology and data will be a key differentiator in how successful they are in preventing APP fraud. Both sender and receiver will need to strengthen their controls across the fraud landscape. This means controls will need to be in place on both inbound and outbound payments, and firms will need to consider detection, rules orchestration and decisioning.
Detection – Firms should be looking to enhance their real-time monitoring capabilities to ensure suspected APP fraud payments are identified and stopped before they go through. Effective detection controls will largely depend on having specific and targeted typologies from which detection rules and risk attributes can be developed. Firms will need to determine which attributes are associated with APP fraud, and what weighting each attribute should have in fraud risk scores.
For inbound payments, PSPs will need to consider typologies such as mule accounts and account takeover. Due to the nature of APP fraud, it cannot always be assumed that the receiving account belongs to a “bad actor”, and as a result it won’t be as simple as blacklisting receiver accounts. For outbound payments, typologies may involve web-based payments linked to certain IP addresses, and scanning these IP addresses against the customer’s typical payment origination as well as against known “bad actors”, i.e. corrupt IP addresses. Due to the limited information available within a single payment, the use of third-party data may also form a critical part of a firm’s detection strategy.
We are seeing many firms invest in their machine learning and AI capabilities to support better detection across their datasets and to identify cases more effectively.
Rules orchestration – Firms will need to consider the steps and the process around whether to hold, accept or reject a payment. With pressure for real-time transactions and the volume of payments across the industry, firms need to minimise the number of payments held as false positives. Rule calibration will be the key to ensuring efficient and effective detection. Whether firms choose to use existing screening systems or invest in new solutions, they will need to ensure attributes associated with APP fraud are correctly tuned with the correct risk scores and weightings.
Decisioning – Where payments are detected as hitting certain attributes or indicators, firms will need the ability to hold, reject or accept them. As such, PSPs will need to focus on their decisioning rules both from an automation perspective (accept / reject) and in managing subsequent cases and workflow where further investigation is needed. This decisioning needs to include a clear audit trail so the decisioning logic is explainable.
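The three components above can be seen working together in a short sketch for outbound payments. This is an added example, not code from any firm or vendor: the attribute names, weights, thresholds, account identifiers and IP addresses are all constructed assumptions that a firm would replace with values calibrated from its own typologies.

```python
from dataclasses import dataclass

# Hypothetical attribute weights (detection) and thresholds (rules orchestration).
WEIGHTS = {
    "new_payee": 20,
    "ip_not_typical_for_customer": 25,
    "ip_on_known_bad_list": 40,
    "amount_above_customer_norm": 15,
    "receiver_flagged_by_third_party": 30,
}
HOLD_AT, REJECT_AT = 40, 80

@dataclass
class Decision:
    payment_id: str
    score: int
    outcome: str   # "accept", "hold" or "reject"
    audit: list    # (attribute, weight) pairs that fired, so the outcome is explainable

def extract_attributes(payment, profile, bad_ips, flagged_accounts):
    # Compare one payment against the customer's history and external lists.
    return {
        "new_payee": payment["payee"] not in profile["known_payees"],
        "ip_not_typical_for_customer": payment["ip"] not in profile["usual_ips"],
        "ip_on_known_bad_list": payment["ip"] in bad_ips,
        "amount_above_customer_norm": payment["amount"] > 3 * profile["median_amount"],
        "receiver_flagged_by_third_party": payment["payee"] in flagged_accounts,
    }

def decide(payment, profile, bad_ips, flagged_accounts):
    attrs = extract_attributes(payment, profile, bad_ips, flagged_accounts)
    audit = [(name, WEIGHTS[name]) for name, hit in attrs.items() if hit]
    score = sum(weight for _, weight in audit)
    outcome = "reject" if score >= REJECT_AT else "hold" if score >= HOLD_AT else "accept"
    return Decision(payment["id"], score, outcome, audit)

# Constructed sample data (documentation IP ranges, made-up account identifiers).
PROFILE = {"known_payees": {"ACC-KNOWN-1"}, "usual_ips": {"192.0.2.10"}, "median_amount": 120}
BAD_IPS = {"203.0.113.66"}
FLAGGED = {"ACC-FLAGGED-9"}
PAYMENTS = [
    {"id": "P1", "payee": "ACC-KNOWN-1", "ip": "192.0.2.10", "amount": 100},
    {"id": "P2", "payee": "ACC-NEW-7", "ip": "198.51.100.5", "amount": 150},
    {"id": "P3", "payee": "ACC-FLAGGED-9", "ip": "203.0.113.66", "amount": 5000},
]

if __name__ == "__main__":
    for p in PAYMENTS:
        print(decide(p, PROFILE, BAD_IPS, FLAGGED))
```

Lowering HOLD_AT catches more suspect payments but holds more legitimate ones, which is the calibration trade-off described under rules orchestration.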
As part of a firm’s investigations process, sender and receiver firms should seek to ensure that lessons are being learned to both (1) identify the vulnerabilities in their own control landscape, and (2) understand new (or existing) APP fraud typologies from ‘real life’ customer behaviour.
This will allow firms to strengthen their own controls as well as educate customers to ultimately reduce their risk of falling victim in the first place. With the burden of reimbursement, PSPs will be incentivised to invest in educating their customers on the identification of APP fraud before it happens.
Reimbursement requirements will incentivise firms to invest in new technology, but firms will also have to weigh up the costs and benefits of those investments. Right now, the case for investment looks extremely strong for most firms, whose financial exposure will significantly increase from 7th October. Any investment in technology should consider how configurable and adaptable the model is, and its capacity for machine learning, to ensure rule detection is intelligent and adapts to information received via investigations from victims, from receiver firms on accounts/bad actors, and from trend analysis.