The world of digital payments is founded on trust: customers need to trust that any time they send money it will arrive, and won't get hijacked on the way; businesses need to be sure their payments infrastructure is secure enough to handle whatever cybercriminals and fraudsters will throw at it.
While fraud dogs every type of payment, keeping money safe from unintended loss or deliberate theft is a priority for digital payments providers as it is crucial to maintaining that level of trust among consumers and companies.
According to the financial services organisation UK Finance, fraud cost the UK £1.2 billion last year in stolen funds. However, thanks to the introduction of new security processes and technologies, the payments industry managed to prevent almost as much money being lost: the organisation said £1.6 billion of fraudulent transactions were stopped in 2018.
A number of new standards are being introduced to continue strengthening financial institutions' fight against fraud, and reduce losses to shoppers and businesses alike.
The combination of the European Union's second Payment Services Directive (PSD2) and the push for Open Banking is leading to a greater opening-up of financial services.
Under the auspices of PSD2 and Open Banking, consumers will be able to share their banking data with third parties of their choosing. It's hoped the two initiatives will lead to a new wave of innovation in financial services, but in order to achieve that, sensitive information has to be shared between banks and other organisations through APIs.
To cut the risk of fraud associated with this next generation of Open Banking-driven services, PSD2 stipulates that providers must have robust security in place, including strong customer authentication that can link individuals to specific transactions. Companies that don't use strong enough authentication will be held liable for any breaches that occur as a result – a powerful inducement for companies to boost their security.
Strong Customer Authentication (SCA), as laid out by PSD2, will be brought in across Europe later this year, although the UK’s Financial Conduct Authority (FCA) recently confirmed it will delay enforcement by 18 months. Companies will need to authenticate their users via at least two different methods, including knowledge that only the customer would have (such as a PIN, password or unique answer); a two-factor identification system that only the user can access; or a unique characteristic, such as a fingerprint or iris scan.
By making sure financial services providers confirm transactions are genuine, SCA is aimed at preventing criminals from masquerading as customers, and stopping them accessing money, even if they’ve managed to acquire user data.
The Open Banking initiative also contains its own anti-fraud measures. Companies that want to take part are regulated by the FCA, which should help users identify those companies they can trust, and individuals can revoke their decision to share data with any company at any time. PSD2 also allows financial services companies to block third parties from accessing sensitive data if they suspect fraud.
Open Banking is not the only scheme designed to promote greater openness in financial services, while also having a positive anti-fraud effect. The Bank of England last year launched a consultation on the introduction of ISO 20022, a messaging standard for payments in the UK, which would be used across the BACS, CHAPS and Faster Payments interbank payments systems, and which is designed to function internationally. According to the Bank of England, ISO 20022 should allow the data supporting fraud and financial crime detection to be standardised and improved.
Further out, the introduction of the New Payments Architecture for the UK, which will replace BACS and Faster Payments, could also help crack down on fraud. There's no definitive deadline for its roll-out yet, and estimates vary on when it may be introduced, but anti-fraud measures will almost certainly feature.
Implementing new standards can take time, but there are other initiatives already being undertaken by the financial services industry to help victims of fraud.
The Authorised Push Payment Scam code, while voluntary, is good news for individuals and small businesses who have been tricked into sending money to a fraudster through a bank transfer. Companies that sign up to the code are not only promising to better educate their customers about, and protect them from, authorised push payment scams; they have also agreed to reimburse the losses in certain circumstances.