What payment firms need to do
Any UK financial institution that has exposure to APP fraud is impacted by the new reimbursement requirement and should take immediate action. The PSR explicitly says it expects the industry to start working “now” to implement the new requirements, beginning by allocating appropriate resources and understanding how they can meet the conditions. Specifically, firms should move towards adopting a stronger risk-based approach to payments, and make better decisions on when to intervene and hold or stop a payment. The PSR believes the requirements will lead firms to “innovate and develop effective, data-driven interventions to change customer behaviour”. Given our long-held belief in the value of innovative compliance focused on effective outcomes rather than tick-box compliance, this message is music to FINTRAIL’s ears!
Actions to take right now
Understand your fraud risk
Make sure your business-wide risk assessment and customer risk assessment model both adequately cover fraud-specific risks (i.e. make sure they are not too narrowly focused on AML risks) and consider updating your assessments.
Determine who owns this change in your organisation (e.g. the fraud team or the AML team)
Where will the policy and management information sit? Do you have operational silos (e.g. between fraud and AML teams) that will hinder your response?
Secure a budget
Consider the upcoming technical and operational costs to implement the policy changes and help your executives understand the implications in real terms.
Reassess third-party compliance vendors
How will this new policy impact the vendor solutions you need? Will you require additional fraud prevention, onboarding or monitoring tools? Prioritise areas that will take the longest time to deploy change, so you have the best chance of having the right controls in place by the time the requirement is introduced.
Stopping outgoing payments
To identify outgoing fraudulent payments and prevent customers from sending money to fraudsters, financial institutions should do the following:
- Assess your existing fraud controls and conduct ongoing assurance. Download our Fraud Controls Checklist to get started.
- Strengthen your transaction monitoring. Include fraud-specific rules and have sufficient monitoring in place to protect vulnerable customers who may be susceptible to fraud.
- Redesign customer risk assessments to identify not only customers who pose a risk of committing financial crime, but also vulnerable customers.
- Improve customer messaging around fraud. Have clear, consistent, and educational information around scams and frauds. Ensure that communication is accessible and in plain language. Staff should undergo enhanced training to detect and handle APP fraud cases.
Stopping incoming payments
To prevent fraudsters using their products and to identify and prevent incoming fraudulent payments, financial institutions should do the following:
- Assess your existing fraud controls and conduct ongoing assurance. Download our Fraud Controls Checklist to get started.
- Redesign customer risk assessments to ensure adequate coverage of fraud-specific risks.
- Redesign identification and verification (ID&V) controls and fortify customer due diligence to prevent fraudsters from opening an account using false identities or documents.
- Strengthen your transaction monitoring to identify both fraudster and money mule accounts.
- Enhance investigations to include network analysis, use internal data and financial intelligence optimally, and better identify mule activity and typologies.
- Engage in data sharing initiatives with other financial institutions, including but not necessarily limited to the Enhanced Fraud Data initiative being delivered by Pay.UK.
Get advice from the experts
FINTRAIL is here to help payment firms adapt to the new requirements. Over the last five years we've helped a range of companies to successfully reduce their APP fraud exposure.
We design nuanced, bespoke solutions based on each client's specific offerings, customer base and risk profile to avoid overly simplistic solutions. We challenge conventional wisdom using data-driven insights to identify meaningful ways to assess risk and design effective processes.
What customers can do to protect themselves
Because customers are the best line of protection, firms should emphasise how they can stay vigilant against APP fraud. Customers should beware of unsolicited communications or any requests that create a sense of urgency, even if they appear to come from a reputable organisation such as a bank. Financial institutions should encourage customers to verify information independently, report suspicious activity as it happens to prevent further loss, and stay informed about the latest APP scams.