Fraud, Transaction Monitoring 5 min read
From liability to leadership: Transforming transaction monitoring to combat authorized push payment fraud
There is a quiet revolution going on in the world of payments: Instant payment schemes are catching up to credit cards. The Real-Time Payments (RTP) market is valued at $193b, with an estimated compound annual growth rate of 35% as of 2024, with distinct regional systems in play:
- FedNow in the US
- Instant Single Europe Payments Area (SEPA) in Europe
- Pix in Brazil
- Unified Payments Interface (or UPI) in India
- Faster Payment Service in the UK
The momentum is clear enough that both Visa and Mastercard are rolling out their own Pay by Bank initiatives, as real-time payment systems rely on bank rather than card rails to work and are thus eating away at the market share of the issuing giants. And it is easy to see why.
Compared to debit or credit cards, instant payments carry lower processing fees. The fund movements are not only instantaneous but irreversible by default; hence, they are considered risk-free as there is no threat of chargebacks.
But what makes it attractive to merchants and consumers has also made it irresistible to fraudsters. Authorized push payment (APP) fraud has skyrocketed in the past few years, with losses up to £459.7 million in the UK alone last year.
Real-time payments mean real-time fraud
APP fraud is a thorny issue because, technically and legally speaking, it originates from a scam. Fraudsters use all sorts of social engineering tactics to convince the victim to wire them money, and once they receive the funds, they empty the account, making both detection and recollection difficult.
The proliferation of these scams meant that the number of victims was climbing year-on-year, putting enough pressure on regulators to draw the line and declare mandatory reimbursements.
By the end of 2024, the US, UK, EU, Australia, Singapore, and Hong Kong will have regulations in place in which both the sender and the receiver institution will be liable to reimburse scam victims, with a 50/50 split in their responsibility.
This move puts pressure on fintech companies and financial institutions, as their transaction monitoring systems must be optimized to tackle a problem that they were not originally designed to solve.
It is telling that the new regulations have to spell out the need to verify the recipient's name and IBAN match, which means that the transfer system never considered this information valuable in the first place.
Currently, several challenges hinder effective fraud detection when it comes to APP fraud:
- Speed: Most transaction monitoring systems at financial institutions were designed with Anti-Money Laundering (AML) in mind to comply with regulations and proactively prevent fraud. While these systems are robust, AML investigations are typically slow. In the case of APP fraud, the system has to respond in real-time and either take action automatically or have an analyst look at the case within minutes.
- Data quality: Not only are Real-Time Payment (RTP) systems based on ISO 20022, or in the case of India and the UK, on ISO 8583, but transaction data will also be of varying quality. As with all fraud, detection relies on spotting anomalies or outliers - but low-quality data makes this process difficult, requiring additional resources to clean it up.
- Detection difficulty and friction: The payment system was designed in such a way that if someone is in their banking app and authorizing a payment, they have already gone through several security checks and are acting with intent. This makes APP scam victims look exactly like everyone else conducting normal transactions, making detection difficult, and we risk adding unnecessary friction to the customer journey by being too prudent with additional security checks.
- First-party fraud and abuse: The payments industry protested the upcoming regulation precisely because we have seen this story play out with chargeback fraud and credit cards, where fraudsters knowingly abuse consumer protection measures for financial gain by claiming fraud when, in fact, they had authorized the transaction. There will likely be an uptick in false APP fraud claims, which will be mitigated to some extent by the upcoming requirement to file a police report.
As complex as these issues may seem, by leveraging modern technology, the industry can prepare for these challenges by keeping its transaction monitoring systems up to date. The following section will walk you through the steps you can take to comply with regulations and proactively prepare for emerging fraud threats.
Transaction monitoring against APP fraud
First and foremost, APP fraud reimbursement regulations require increased scrutiny of accounts in terms of both outgoing and incoming transactions. Fintech companies and financial institutions already have plenty of data available on the nature of APP fraud to the extent that their systems were implicated in such scams, allowing them to see patterns that can form a baseline for risk procedures and policy.
Teams need to take a thoughtful, methodical approach to ensure their transaction monitoring system is ready for the job. To help ease the transition, we have highlighted five key considerations:
1. Categorize transaction data
You already have a wealth of information about your customers' transaction behavior, but to make sense of it, you need to apply categorization. This allows you to see if outgoing and incoming payments are purchases, utility payments, typical short-term loans, or other money movement between family or friends, for example. This will give you a clear picture of what is expected behavior from your clients, allowing you to set up alerts based on deviations from the norm.
Not only can you use data enrichment to get a full picture of what is happening within your system, but with the help of AI, labeling data becomes so much simpler.
Forward-thinking teams are already leveraging large language models (LLMs) trained on public data (GPT-4, LaMDA, and BLOOM) to extract and make sense of data from unstructured or semi-structured sources - for example, to categorize bank transaction data and build risk KPIs on top.
If you’re curious to learn more about this technique, check out how Taktile customer Branch International utilizes LLMs to categorize data and more.
2. Set up real-time rules based on user behavior
It's not enough to simply monitor the entities in your system; you also need to understand when and how they typically interact. Since APP fraud stems from scams, we can assume that while the recipient entity may not trigger alerts, unusual customer behavior—such as making a large transaction at odd times or outside their normal activity patterns—would raise a red flag.
An up-to-date transaction monitoring system enables fraud and risk teams to respond to these anomalies automatically, using risk scores to either stop the transaction, flag it for manual review, or introduce additional security steps into the process.
For example, if a transaction is flagged as risky, your team could ask the user to verify it by phone. This not only helps educate the user about potential scams but also allows you to perform due diligence by gathering more information about the recipient.
3. Monitor fraudster profiles
Scammers will always have their favored tools, and when it comes to APP fraud, they likely have their preferred payment providers.
With the data you already have, you can create risk profiles of the likely offenders and monitor outgoing transactions accordingly. In a similar vein, fraud attacks scale when the fraudsters figure out a vulnerability at a given bank or fintech provider; hence, incoming payments can be scored based on the volume of APP fraud coming through as well.
4. Stay nimble and flexible
Fraudsters are more interconnected and nimble than ever before. Whatever defenses you deploy, they will likely work hard to circumvent them. This means that your transaction monitoring system must be easy and intuitive to use, and your analysts should have the ability to test and quickly deploy new rules as needed to counter fraud attacks quickly.
Engineering resources are always scarce, but when it comes to countering real-time fraud, you cannot afford to have intra-department friction and long wait times to deploy a new ruleset or to plug in a new data source.
Forward-thinking teams are using risk decisioning platforms like Taktile to create flexible transaction monitoring workflows while tapping into a vast marketplace of third-party fraud prevention solutions that integrate with a single click. This allows fraud and risk teams to quickly experiment and adjust based on evolving business needs. With this approach, you can tailor transaction monitoring not only for specific use cases or fraud types but also to account for diverse behaviors across different market segments and geographies.
5. Remain customer-focused
While new regulations may allow companies to waive liability by proving gross negligence, the key takeaway is that these are everyday people trusting fintechs and financial institutions with their money.
Beyond preventing fraud, transaction monitoring systems directly impact customer satisfaction, retention, and loyalty. How customers experience the system matters—especially when suspicious activity is involved—and well-designed user journeys are essential.
The real cost isn't just in reimbursements but in the lifetime value and trust of your customers.
Real-time payments aren’t just here to stay—they’re becoming a bigger part of daily financial transactions. The new regulations are simply a response to the realities of this shift, much like how chargebacks were introduced when credit cards went mainstream.
Now, it’s up to financial institutions and fintech companies to adapt and update systems and procedures to handle the risks associated with instant payments.
The financial industry is far better equipped to manage fraud than consumers, and in a competitive market, that could be the edge needed to build trust.