Banks may face more liability for payments fraud

Scams and fraud targeting banks and their customers continue to increase, and with that increase may come more liability for banks when scams and fraud occur.

Jake Emry, a fraud prevention expert at NICE Actimize, discusses how regulators are reinterpreting existing laws, and how banking institutions can better protect themselves.

A few takeaways from the conversation:

  • The long-established line between authorized and unauthorized transactions is blurring, which may increase bank liability for payment scams affecting customers.
  • Guidance from regulatory bodies, along with growth in social engineering scams, adds to the challenging environment for banks regarding disputed transactions.
  • Customers experiencing fraud are far more likely to move their accounts elsewhere, so investments to prevent fraud may also be investments in customer happiness.

Scams and fraud targeting banks and their customers are growing, and so is the potential liability for banks when they occur. Jake Emry, a fraud prevention expert at NICE Actimize, is here to talk about how regulators are reinterpreting the Fed’s Regulation E covering electronic payments, and what that may mean for banking institutions. Jake, thanks for joining us on the BAI Banking Strategies podcast.

Thank you. Very happy to be here.

Jake, it’s a given by now that scams targeting banks and their customers are up considerably since the pandemic began, both in number and in their dollar value. You work in this world every day. What types of fraud stand out to you these days as being of most concern to banking institutions and their customers?

I think what we’re seeing a lot is scams that are being facilitated by peer-to-peer or faster payment mechanisms. Obviously, there’s a lot of scam activity out there – the social engineering, the romance scams, elder financial exploitation. But the fraudsters, they really seem to have a preference for cashing out on these scams through these peer-to-peer applications. We’re hearing a lot about this in the industry – that would be a primary focus right now. What I’m hearing in the industry is really a lot of concern around scam activity.

On the payment side, I’m guessing that part of this increase is because consumers are relying more on digital transactions since the pandemic, so really there’s a bigger opportunity set for scammers to target. What else is contributing to peer-to-peer payments being more of a target of digital criminals?

I think with social engineering, customers just seem to be very susceptible to these types of scams. If you have a mobile phone, I mean, you’re experiencing it every day. You’re getting weird, strange text messages – we call that smishing. You get weird phone calls from auto-dialers and things like that – we call that vishing. Then the suspicious emails, which we’ve all been getting for decades now, which is called phishing. Responding to these solicitations from criminals and fraudsters, clicking on these links, it exposes your devices to viruses and malware, or it just helps continue the facilitation of the scam. The fraudster may be asking you for your OTP code because they’re trying to get their device trusted onto your bank account information, and they’re scamming somebody and trying to get credential information, so on and so forth. Really, these vectors with regard to social engineering are quite concerning because even with the general amount of customer education out there, a lot of noise in media, both local and national and print and online, about how people are being scammed by these things, it’s still something that is very effective for fraudsters to use.

The upswing in P2P fraud via social engineering and other avenues, this is getting a lot of attention from politicians and from regulatory bodies as well. Elizabeth Warren and another senator sent a pretty tough-worded letter to the head of Zelle’s parent company in late April, accusing that P2P service of not doing enough to protect its users from scammers. Knowing that senators send out stern letters pretty regularly, tell us a bit about this particular letter and how you are reading its potential significance for P2P providers.

One part of that letter shouldn’t be a surprise for the peer-to-peer providers because the updated guidance, both in the summer and at the end of the year from the CFPB, did state the CFPB does feel that peer-to-peer providers are a regulated entity under Reg E for electronic payments. That part shouldn’t be a surprise. I think what is drawing some raised eyebrows in the industry is what the senator said about bank liability in regard to these peer-to-peer payments. It’s not about the means by which the fraudsters get into the account or whether the customers let the fraudsters into the account because they got scammed. It’s really who is directing the payment. If the fraudster gets into the account and initiates the payment, we’ve seen from regulator guidance that this is supposed to be a liability situation where the customer can file a dispute. Unfortunately, we haven’t seen in the regulator guidance that same opinion and direction insofar as, let’s say the customer is being scammed, but they authorized the payment. What happened in this letter, though, is that the senators were very explicit that they felt these authorized push payments where the consumer is directing the payment to the fraudster are covered. But we haven’t been able to find that corresponding guidance ourselves in review of what the regulators have been saying, particularly the CFPB.

You mention the CFPB, the Consumer Financial Protection Bureau, and Reg E as well, and you said that they have been looking at this issue. Can you give us a quick overview of what the latest guidance is from the CFPB on Reg E?

The latest guidance is very specifically focused on unauthorized transactions, but what it’s trying to do is clarify for banks. In December of last year, they gave very specific examples of how fraudsters get into these accounts through social engineering scams. For instance, the customer gives away their credentials to the fraudster. In the past, disputes teams would say, “Well, you gave the fraudster your credentials. You have some culpability there in giving a party access to your account.” So, they wouldn’t accept liability. Well, the CFPB is saying, “No, if the customer was scammed and you can’t prove that the customer was involved in this fraud, that would be first-party fraud, the customer stating affirmatively, ‘I was scammed. Yes, I gave my credentials out,’ that should be considered an unauthorized transaction of the fraud that follows from handing out those credentials.” I think what the CFPB is trying to do is really clarify some of those previous loopholes – maybe some of the things that dispute teams weren’t covering, really more in a muscle memory interpretation of Reg E and saying specifically, “Hey, following these attack vectors of social engineering, i.e., people are giving away their credentials, the fraudsters are directing payment. That should be covered under Reg E.” I think that’s what they specifically focused on.

That muscle memory that you’re talking about regarding Reg E, that’s the idea that there’s a bright line separating authorized and unauthorized transactions by the consumer. The FDIC is also weighing in on this issue. They had a communication last month that seems to be saying that that liability divide may not be as clear as banks think, consistent with what the senators are saying and what the CFPB is saying, right?

They are, but nobody’s really stating affirmatively, as they have for the unauthorized transactions, which is really a clarification. This guidance under Reg E is nothing new. It’s that the CFPB is getting hit with so many complaints and they really don’t feel that the industry is interpreting liability for unauthorized transactions correctly, and that’s obviously driving the effort to educate. I think banks need to really pay strong focus to what the CFPB is saying on these unauthorized transactions and to be careful about how they’re determining liability decisions when peer-to-peer payment applications are involved.

Now we have all this complex background in place, what do these various letters and guidance and interpretations mean for banks in terms of their P2P products and their fraud reduction efforts?

It’s giving a hint of regulation to come. It’s adding to the already existing challenging environment for banks with these disputed transactions. If the bank finds in favor of the customer, then obviously they have to accept that liability and that can mean a loss for the bank. Social engineering scams in particular are very difficult to protect against, so they require multiple layers of solution. There’s no silver bullet for stopping social engineering-based fraud on accounts, so you rely on sophisticated means of interdiction based on artificial intelligence and machine learning and real-time payments interdiction capability. You can use behavioral biometrics as well to layer on top of that, so actually knowing that the customer is actually logging into the account and knowing how the customer interacts with your account to know that, “Hey, is this automated? Is this a bot? I mean, does this really look like our customer?” The behavioral biometric signals will really give you very specific and detailed information about those risky circumstances, and then your payments engine and how you’re monitoring your fraud, your models, and so forth. That gives you that real-time payment interdiction ability. I think it’s going to drive a lot of solemn thought around the leveraging of those solutions, the improvement of those solutions, as well as evangelizing internally just how much of a problem it has been and will continue to be. There are examples in the U.K. They’ve had a lot of experience with authorized push payment fraud. These things aren’t going to go away.

The FDIC, in their April communication, they offered a couple of suggestions to banks, among them beefing up their fraud detection capabilities to better monitor geographic data, to better monitor spending patterns, and IP addresses. How much benefit do you think this would provide in the context of the other things that you mentioned as well?

The regulators, they’re not modeling experts, so they hear about some of this feature functionality, these very specific risk indicators or red flags, if you will. Again, these are things that you would consider in your models and consider in your fraud rules that would help you interdict in these situations, whether there’s something anomalous about the payment or there’s something anomalous about the device or there’s something anomalous about how the customer is interacting with the site or you’re authenticating a new device, so on and so forth – all these high-risk signals that you would ingest. Personally, I like to see when the regulators opine because, generally speaking, what they’re doing is they’re using that experience with the different people that they’re going in and doing their exams with and saying, “Hey, what are your general risk indicators?” So, they’re very valuable, but from a very high level, if they’re saying, “OK, these are things that we’re seeing across the board with regard to these frauds.” All those signals are very valuable, but when it gets down to the nitty-gritty of beefing up your fraud prevention strategy, it’s obviously a bit more complicated than that.

Greater liability in this case means greater financial risk for banking institutions. So, Jake, do you have any gauge on what kind of dollar figures we might be talking about? I’m thinking about this, particularly from the viewpoint of smaller banks with more limited ability to absorb these kinds of costs.

Interestingly enough, this is a question that I get a lot from some banks that are considering hosting their own peer-to-peer payment application because they have a lot of concern about that liability. I mean, their customers are going to use those third-party, peer-to-peer apps, regardless. There’s only so much you can do, I guess, in trying to control that activity. But if the customer creates an account with a cash app or a Venmo or something like that, the bank is not going to be able to say, “Oh, well, you can’t pull money off your card or pull money off ACH for these vendors.” Again, it’s just having a very holistic strategy. I would say specifically have the right risk strategy in place if you want to open up different channels, whether it be peer-to-peer applications or crypto or whatever. I think it’s starting with that risk-based and risk-minded approach toward the types of products, for instance, in this question, peer-to-peer application availability or having access to Zelle or something like that for your customers. It really takes a very strong risk mindset to make sure that you have the right tools in place before you enable these things for your customers because of course you’ll have the increased liability from disputed transactions.

I have to say I’m not hearing a lot about this, which is kind of surprising given the potential magnitude of the financial impact if that liability line between authorized and unauthorized transactions gets muddled or even erased. Why do you think this topic is not more of a public, front burner issue for banks?

We do know from the FTC that socially engineered scams last year were worth about $740 million. There’s a lot of experience of this in the U.K and it’s a multi-billion-pound issue there. I would say it’s definitely a billion-dollar issue in the industry. I think for the larger banks, there’s definitely concern about this. They’re constantly enhancing their tools. Now for the smaller banks, you may not have the resources that the big multi-regional banks have and you have to really consider very carefully where you go into business channel-wise and whether you have the right controls. I think that this is definitely of concern to banks, obviously the bigger concern for maybe some of the larger banks where you see higher proportion and volume of peer-to-peer application activity.

For customers, the payment imperatives are to make them faster, to make them easier, and more convenient. Banks and credit unions have been trying to do that, but with tighter liability standards, will they have to rethink that and perhaps look at a trade-off between greater security, more protection for the customer, and also delivering that instant payment execution that the customer wants?

I think for the consideration of smaller banks and credit unions, it is a customer experience. A lot of customers, as you said, they want these faster payments. Our uptake in adoption here in the United States is slower, so I do think that while we’re coming up to speed where other regions are using these faster payment mechanisms to a greater scale, that also presents an opportunity for the smaller banks to, again, be mindful about whether they have the right risk controls in place and then start to make those investments as adoption for instant payments ramps up. It’s not going to stop. Really, the message to the industry is, “OK, you know you need enhanced risk controls,” particularly because these social engineering scams, they follow these payment rails. They love it. They love peer-to-peer applications both for the fraud activity and the money mules, which is a huge problem, obviously. We want the banks to see that this is a fraud modality that’s going to follow along these payment channels, but it’s also, generally speaking, a good experience for your customers to have better risk controls and to be ready for the fraud that is in play and coming. If your customer does experience that fraud, you have four times higher risk of attrition of that customer, irrespective of the totality of how bad the fraud incident is going to be. So, these investments have fraud prevention benefits, but they also have retention benefits for these smaller organizations, so that they can keep those customers that they fought so hard to get and spent their limited marketing dollars and other resources on retaining.

As the saying goes, a happy customer is a loyal customer, and no doubt a great way to keep them happy is to keep them safe from the bad guys. Jake Emry, fraud protection subject matter expert at NICE Actimize, many thanks again for joining us on the BAI Banking Strategies podcast.

Thank you so much, Terry. It was great to speak with you.

