Authorized Push Payment Fraud Needs Accountability by the Receiving Bank

Claire Greene, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed wrote a fabulous opinion piece in May 2023 related to authorized-push payment fraud. 

In the article, Greene points out the requirement under Reg E for banks to refund customer funds in the event of unauthorized payments fraud, and brings up a major issue in that regulation: the lack of understanding by consumers of what defines and separates an “authorized” and an “unauthorized” payment from one another creates confusion. This is costly to consumers and allows bank and fintech account holders to suggest that those losses are indeed “somebody else’s problem.” Greene believes, and we agree, that this lack of consumer awareness creates an imperative for receiving banks and payments providers to fight authorized push payment fraud.

The discussion of a liability shift is nothing new. The CFPB kickstarted the discussion in earnest last October when they proposed that consumer scam financial loss should be shouldered by the financial services companies, rather than consumer victims. Since that time there has been a great deal of debate, and banks have signaled they plan to self-regulate rather than be regulated by the CFPB or other regulatory groups. In fact, Zelle has taken a leadership role in the industry and is developing a strategy with its top-tier bank owners to begin to charge back receiving banks for certain types of P2P fraud that are run through their real-time payments system. 

Addressing Money Mules

What really excited me about Greene’s article was her focus on the fact that money mules are being inadvertently welcomed into our banking systems today, directly through the front door. She goes on to say, “…controls on the account opening process can help to prevent authorized fraud.” To these points, Socureans shout from the rooftop – thank you, Ms. Greene!

We agree that new account fraud in deposit institutions is up. In fact, we saw in our proprietary analysis that during and following COVID, the synthetic identity fraud attack rate at these banks and fintechs increased drastically. Following the SVB bank failure, they continued to increase, and today, our analysis shows that 1-3% or more of every open and active deposit account in the U.S. is held by a fraudulent synthetic identity.  

Money mules can take the form of first-party fraud, second-party fraud (first party aided by a “handler” bad actor), and victims. Money mules can also be associated with synthetic identities and third-party fraud that has slipped through origination, and accounts that are taken over. 

Through “Clean” True Name ID Theft, bad actors are able to penetrate fraud defenses at origination by using a consumer’s full, accurate Personal Identifiable Information (PII) and changing the contact elements, such as email or phone number, after the account has been opened. 

The upshot of Greene’s article is that receiving banks should be more accountable to keep all types of fraud from entering through the front door, and identify account takeover (ATO) attempts whenever possible. She even calls out a list of fraud strategies and tools that are being used more often by financial institutions to mitigate ID-related fraud at account opening, including:

• Email risk assessment
• Phone number risk assessment
• Challenge questions to identify bots
• Automated risk scoring
• One-time password
• Geolocation

By the way, this is a recipe for Socure’s ID+ solution suite. Our 1,900+ customers use Sigma Synthetic and Sigma Identity to automate risk scoring at origination. Suspicious applications are challenged with Socure’s efficient document verification and identity verification software,Predictive DocV. One Time Passwords (OTP), P2P credentials, and non-monetary changes to PII via mobile device, online, or through a call center are passively analyzed using our industry-leading email, phone, and address RiskScores and Correlation Values that help Socure customers identify suspicious “receivers” and reduce the occurrence of ATO. 

For those banks and fintechs that have not kept appropriate levels of fraud controls at origination, it’s not too late. Many of our customers are performing portfolio scrubs to accurately identify and efficiently weed out identities acting as money mules within their portfolio.

There is a tectonic shift happening right now across DDA, savings and investment account ecosystems. These shifts are driven by drastic changes in fraud behaviors, regulatory pressures for banks and fintechs to cover losses resulting from consumer scams, and a growing need by bad actors to fuel fraudulent money movement to hide their money laundering, trafficking, and financial scam efforts from regulators and the U.S. financial system. 

We applaud Greene and her keen eye on these problems of identifying fraud detection in banking, and are aggressively working to meet our 2023 goal to root out 100,000 synthetic identities from the U.S. financial system by the end of this year.

Will you join the fight?