Fraud and instant payments: The basics
There’s a lot to love about instant payments (a specific type of faster payment): Consumers benefit from increased flexibility and transparency into payment status; businesses benefit from improved cash flow and money management; and financial institutions benefit from new solutions that enable them to better serve their customers.
While many can benefit from instant payments, as with any type of payment, the potential for fraud exists. But some characteristics of instant payments may increase fraud concerns. Read on to learn about various types of fraud involving payments, the particular challenges posed by the unique characteristics of instant payments, ways to protect your organization and customers against instant payments-related fraud, and some tools that the FedNow℠ Service¹ will offer to help financial institutions prevent fraud.
Fraud involving payments comes in a few flavors
Let’s begin with a basic understanding of the most common ways in which fraud involving payments occurs. Fraud scenarios that are relevant for other payment types can also occur within instant payments.
Those who need to understand key fraud categories might start with the FraudClassifier℠ Model, which enables organizations to systematically classify fraud involving payments based on three key questions. The first question asks whether an authorized or unauthorized party² initiated the payment. The second and third questions ask how the fraud was executed and what tactic was used.
The speed of instant payments compounds challenges in combating fraud
While prone to types of fraud that are similar to those for other payment types, instant payments pose some unique challenges due to their speed and irrevocability. With most payment types, a customer can recall a payment made in error before it is processed. In contrast, an instant payment is completed in a matter of seconds, and because it is irrevocable, the payer cannot cancel the transaction. In addition, the payee can withdraw the funds immediately. When the bad actor is the payee, these characteristics make it more challenging to detect and stop payment on a fraudulent instant payment transaction before the bad actor has already withdrawn the funds.³
Ways to minimize fraud
Regardless of payment type, however, the actions that can be taken to combat fraud are consistent and involve multiple layers of safeguards, including the security measures built into the payment systems themselves, as well as those built into the participating financial institutions’ systems. With respect to instant payments, financial institutions should consider taking a holistic approach to combating fraud, particularly in cases where existing fraud solutions and processes may be based on batch processing or manual intervention. An analysis of processes, technology, staff training and approaches to customer education may be beneficial in order to identify opportunities for improvement.
Here are some tips for how financial institutions might begin to take a more holistic view of their solutions and processes for instant payments.
- Stay involved and informed: Join industry councils or conferences, like the U.S. Faster Payments Council and the FedNow Community, to keep apprised of developments in the fraud landscape and share insights with peers.
- Talk with vendors and technology partners about new approaches, including applying real-time fraud-detection capabilities and achieving a comprehensive view of transaction patterns across all payment types.
- Add suspicious accounts and aliases to a watch list to block potentially fraudulent transactions before the funds leave your institution.
In addition, as with other payment types, fraud prevention doesn’t rest solely with financial institutions. Necessary safeguards also include actions end users take to protect their personal data, such as user IDs and passwords. Educating consumers about social engineering scams – not only in their personal lives, but also at work – can raise awareness about potential fraud risks and make them more inclined to take appropriate precautions.
Straightforward enough, but end users may not fully understand that instant payments’ speed and irrevocability make them different from most payment options. As a result, educating end users about these differences and how they can help prevent fraud is a critical complement to all the other security measures that can be taken by instant payment systems and the participating financial institutions.
Besides what financial institutions can do, below are some best practices for how consumers and businesses can add security measures to prevent fraud.
- Never respond to suspicious emails, open attachments or click on hyperlinks embedded in them. Check the sender’s email address to note any irregularities by hovering the mouse over it.
- Adopt a “zero trust” contact policy. Financial institutions will never ask for login information over the phone, email or text.
- Use strong and unique passwords for different accounts.
- Enable alerts for transactions from your accounts; this allows you to keep an eye on transactions. While you’re at it, verify your contact information with your financial institutions.
- Train employees to verify the source (e.g., a supplier or biller) of a request and any changes to payment accounts by using a known phone number for the requestor.
- Implement dual approval for certain types of payments; this can introduce a pause and validation process before sending funds.
The FedNow Service and tools to combat fraud
Beyond what financial institutions and end users can do to prevent fraud in instant payments, the Federal Reserve is taking action to support these efforts in a number of ways. First, the recently released FraudClassifier Model provides a common language for classifying fraud. The payments industry can use this model to better understand current and emerging fraud trends across multiple payment types, which can then help the industry refine approaches to combat it.
Second, the Federal Reserve Banks’ forthcoming FedNow Service will provide tools to assist participating financial institutions in their role as the primary line of defense against fraudulent transactions. Per a recent Federal Register notice, the features at launch include:
- The ability for a financial institution to establish risk-based transaction value limits.⁴
- The ability to specify certain conditions under which transactions would be rejected, such as by account number (a “negative list”).
- Message signing, which will validate that the message contents have not been altered or modified.
- Reporting features and functionality, including reports on the number of payment messages that were rejected based on a participating financial institution’s settings. (Such information can be used to verify that transactions align with a financial institution’s own records and detect whether a bad actor may have interceded or deleted records.)
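
An added example, not Federal Reserve or FedNow code, showing how the value limit, negative list, message-integrity check and rejection counts listed above could fit together in an institution's own pre-send screening. The message fields, reason codes and sample data are hypothetical, and HMAC-SHA256 with a shared key stands in for the service's message signing, whose actual scheme this article does not describe.

```python
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass
class Controls:
    value_limit: Decimal                 # per-transaction limit chosen by the institution
    negative_list: set = field(default_factory=set)  # account numbers to reject
    signing_key: bytes = b""             # shared key for the HMAC stand-in

def canonical(msg: dict) -> bytes:
    # Bytes covered by the signature: every field that must not change in transit.
    return f"{msg['id']}|{msg['creditor_account']}|{msg['amount']}".encode()

def sign(key: bytes, msg: dict) -> str:
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()

def screen(msg: dict, c: Controls) -> str:
    """Return 'ACCEPT' or the reason the message is rejected."""
    # Integrity first: limits and lists are meaningless on altered contents.
    if not hmac.compare_digest(sign(c.signing_key, msg), msg.get("signature", "")):
        return "REJECT_SIGNATURE"
    if msg["creditor_account"] in c.negative_list:
        return "REJECT_NEGATIVE_LIST"
    if Decimal(msg["amount"]) > c.value_limit:
        return "REJECT_VALUE_LIMIT"
    return "ACCEPT"

def rejection_report(messages, c: Controls) -> Counter:
    # Counts per outcome, for reconciliation against the institution's own records.
    return Counter(screen(m, c) for m in messages)

# Constructed sample data (not real accounts or keys).
KEY = b"constructed-demo-key"

def make(msg_id, account, amount):
    msg = {"id": msg_id, "creditor_account": account, "amount": amount}
    return {**msg, "signature": sign(KEY, msg)}

CONTROLS = Controls(Decimal("25000.00"), {"ACCT-0666"}, KEY)
MESSAGES = [
    make("m1", "ACCT-0100", "250.00"),
    make("m2", "ACCT-0666", "50.00"),                   # account on the negative list
    make("m3", "ACCT-0200", "75000.00"),                # above the value limit
    {**make("m4", "ACCT-0300", "10.00"), "amount": "9000.00"},  # altered after signing
]

if __name__ == "__main__":
    print(dict(rejection_report(MESSAGES, CONTROLS)))
```

The fourth message would pass both the limit and the list, so only the integrity check catches the altered amount.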
The Federal Reserve is exploring other features that could be made available as part of future releases to aid participants in managing fraud risk, including, for example, value limits that could be tailored to certain uses, aggregate value or volume limits for specific periods (for example, per business day), and/or centralized monitoring performed by the FedNow Service such as functionality that leverages advanced statistical methods and historical patterns to identify potentially fraudulent payments.
Here are some key takeaways from this article:
- All payment types are faced with the risk of fraud.
- Instant payments pose unique challenges in combating fraud because they are immediate and irrevocable.
- Individuals, businesses, financial institutions and technology providers may be able to combat instant payments fraud similarly to how they combat fraud for other payment types, but it’s wise to review and adjust these measures accordingly in light of instant payment characteristics.
- The Fed offers additional helpful resources through the FraudClassifier Model and at-launch tools for the FedNow Service.
¹ FedNow is a service mark of the Federal Reserve Banks.
² An authorized party is an individual or entity with the right to initiate the payment, whereas an unauthorized party does not have the right to initiate the payment.
³ When the bad actor is the payer, however, instant payments may make it harder for that payer to succeed in committing a false claim fraud.
⁴ The maximum transaction limit amount will be consistent with market practices and needs for instant payments.