The Payments Podcast transcript

John Gaffney: Greetings and welcome to the Payments Podcast from Bottomline. I am your host, John Gaffney, and today marks part two of our series covering the data, insights, and expertise from the 2022 Business Payments Barometer, which hit the streets in late June and is still resonating.

From our UK office, we are happy to have James Richardson, Head of Market Development for Fraud, Risk, and Treasury at Bottomline.

James Richardson: Thanks for having me, John. Great to be here.

John Gaffney: The release of our Payments Barometer report was followed closely by UK Finance’s latest annual fraud report. Both were dramatic.

The UK Finance report showed some stunning figures on push payment fraud, known as APP in the UK. Here are some numbers. There were 195,000 incidents of PP scams in 2021, gross losses well north of £500m. Some of the year-upon-year increases for specific types of PP fraud reached triple digits, like CEO fraud, which is up 165%, and romance fraud up 73%. Now that is the UK Finance report.

Our report found a complacent attitude toward all that, which is kind of amazing. 64% of large enterprises said they were concerned about fraud and only 44% of small businesses.

So, James, your take first on the dramatic numbers in the UK Finance report, and then your analysis of some of the attitudes that we are seeing from some of the companies.

James Richardson: Yeah, a great question, and a great way to kick off those statistics on the Barometer and in the UK Finance report too. They kind of go really nicely hand in hand, to really underscore the situation that we are seeing in the UK market.

But again I think one of the lovely things with the Barometer this year is it has got a global feel to it in being able to understand and really see trends in all different parts of the globe.

John Gaffney: So, James, what you are saying then is that, “Here is a good thing. We are investing in this. But here is a not-so-good thing. Which is we are accepting this as part and parcel of doing business.” When you talk to clients on your side of the business, are they comfortable with this balance? And, more importantly, do you think they should be comfortable with this balance?

James Richardson: I get asked about fraud defenses. And that is not just to talk about technology. It is also about the levels of education, and the levels of control that span an organization. It is in my top three conversations in every client meeting, without a doubt.

And an interesting new dynamic that is coming about is where organizations should get their information from. What are their sources of data?

And Bottomline, for many, is seen as a strategic payments partner for all different sizes of organizations, frankly. But we can help them not just around payments but by providing them with some good practice on fraud prevention too. But we wouldn’t ever say, “We are the only source that you should be listening to.”

Interestingly, changes in the payment landscape, meaning more open banking, instant payments- The role that banks played is changing, in the way in which organisations want to pay and get paid.

So previously banks have been entrusted to provide the ultimate counsel to businesses on a number of different aspects, and that dynamic is starting to shift. I get asked quite a lot about where do we see the future heading.

But it is interesting to see the dynamic of how well banks have been leveraged in the past and how organisations are starting to wake up and go, “I no longer want to have just my bank as a way of getting information around security because I am now making payments in different ways. Therefore my data sources should reflect that.”

John Gaffney: We talked about the attitude here and the balance that is needed to fight fraud. There are some numbers in here that go as far as maybe apathy. I mean 47% of all Great Britain respondents said that, “There is little I can do to recover the losses incurred due to payment fraud.”

Now what I would like to ask you is we know the attitude is concerning but you brought up some things that work. And there are some things in the UK that are well ahead of the US, to be honest. Confirmation of Payee is one of them. Could you talk a little bit about prevention and the cure and the balance between detection and prevention?

James Richardson: In terms of culturally how an organisation thinks about fraud. That is something that can be addressed immediately.

So whether it is your first job or whether you are in your 60s or 70s and looking at winding up your career within an organisation, everyone can take their part in helping secure the payments. It doesn’t matter where you sit in an organisation. It doesn’t just belong in a finance department. And I think that is one of the important things that can be addressed. I think it has certainly started.

The banks, actually, to their credit, did a pretty neat job a few years ago globally in starting to raise the profile of challenging payments. Certainly within the UK there is greater scrutiny when a consumer payment is being made. You do this through the app and it asks you for the beneficiary account details.

And very recently, in the last 12 months, we have introduced this service called Confirmation of Payee, which is kind of like account verification. It basically allows the payer to look up by making a direct API call through to the beneficiary bank, kind of like a telephone, you need a sending telephone and a receiving telephone for it to work effectively, basically you are just saying does this person with this name have a bank account here, it goes back and kind of confirms that the account, beneficiary account details are correct or not, or that is kind of similar. What it is doing, is that it leverages new payment architecture, so open banking, ways for it best to be facilitated. Great innovation. And the second thing it does is it pushes responsibility on to the person paying to say right, “I am telling you that this stuff matches are not and if does not you are paying at your own risk.” It’s the level of change when we are making payments, more responsibility is being pushed on to the individual making the payment. We are going to see that shift certainly on to corporates, but they are going to be armed with better defences and they can still choose to override the information which is telling them “I think you are paying a fraudster, are you sure you want to continue? If you choose to continue then why should you get that money back?” I think that will be the challenge that comes back. You can only do that if you tool the organizations up completely, and we’re starting to see that in merge certainly with the UK market. The UK’s not alone, out in Europe there are few other countries that started introducing this too. Account verification is not a silver bullet, but it is a big step forward and corporates cannot wait to get this tested. It’s coming and I get asked this question about 3-4 times a week “When are we going to be able to offer confirmation of payee directly to corporates?” this is coming and is going to be an excellent initiative, but as I say it’s, it’ll help address attitude because it gives people control and when people have options with the technology and to guide them that puts them in a good position to make payments. I think in summary; the attitude is very concerning, but I think we are seeing this wake-up call starting to emerge when we realise the fraudulent payments as a result of the COVID worldwide, people are going to awaken up to that and they are going have a few things to do, technology like confirmation of payee and other initiatives, its got real-time fraud detection, multi factor authentication and other security standards that are available to corporates and banks alike. That really helps, but having it wrapped around a culture as I mentioned it, in the very beginning that, that’s really important cause no one individual is responsible for payments, its everyone’s responsibility.

John Gaffney: Let’s go to insider fraud. 63% of companies in the US said that the work-from-home environment or the hybrid environment has increased insider fraud. And I think we have seen that from Bottomline’s perspective, defining quickly as more employees and partners access unauthorised data or even cash.

So that would seem to be a case of balancing detection and prevention. But if you don’t detect insider fraud it is going to be awfully hard to recover when it gets out of the gate, right?

I know you have written in the past about the importance of regulations in insider fraud. So start us off with a little bit of background about record and replay. And then if you could tell us how you think regulations could help that would be great.

James Richardson: Yeah, no worries.

So record and replay is a pretty unique set of capabilities that we have been offering to both banks and to corporates to help them tackle insider fraud having technology to help forewarn you is helpful because this is a tough, tough area.

Interesting in the Barometer, right? Because there was a clear message coming through, from both US and UK respondents, that they are seeing insider fraud. There is an increase in insider fraud.

So how some of this tech is able to help, and has helped, many organisations in the past, becoming more and more important right now with working from home as well, is being able to piece together what users are doing within specific business applications.

And we tend to focus on applications that are involved in payments of course. So it might be looking at treasury systems, looking at payment systems. But basically alerting when there are activities that are seen as out of the ordinary. It could be all of a sudden someone is logging on to a system and working at 3:00am or creating new users to generate payments.

At a log file level those things are really difficult to understand and detect. But if I am watching it and can generate alerts on those things, and piece together visually, “This is what happened,” click by click, in the context of someone generating a fraudulent payment, that is hugely powerful.

And so we are in the business of A) helping detect and B) rapidly reducing the amount of time it takes to conclude the investigation. So it is how long to investigate, how long to detect, together, and helping address that. So we would definitely be happy to help organisations and speak to them and share more on that of course.

In terms of how it all ties together with regulations, here is the thing that really gets to me on regulations. Regulations come about largely, when it comes to compliance or fraud related, as a result of a major problem that is going on. And therefore regulators step up and say, “Here is a big problem. Here are some new regulations that are going to help combat that problem. And here is the data that you need to comply by.”

Now regulations are good because it helps elevate the standards that people operate to. So by and large they are good. They help. It is becoming more challenging where more regulations are being imposed. But that is okay. We are having to adjust to that.

And actually what you are seeing is regulations move on to the banks, and these are now moving on to the corporates. Maybe diluted, but there is impetus for corporates to want to become more responsible.

And you see that in the Barometer. They want to take more responsibility of their own destiny when it comes to payments going out the door. They don’t want to rely on the banks for all the checks. So there is logic in wanting to push this through.

Here is the downside of the regulation though. When regulations come in, fraudsters don’t sit there and say, “Right, there is this new regulation that is coming in. It means that banks are going to have to increase their defences on 1st August 2023. So everyone hold back. Let’s play fairly. Let’s only start attacking them on 1st August 2023.” Not one fraudster is going to think like that.

So when regulations are coming in it is because we are behind the curve already. So they are good because they help improve the standards, definitely, but the most forward-looking organisations won’t be relying on regulations in order to help improve their defences in the first place. When the regulations come in they will be looking at it going, “Yeah, been doing that for years.” That would be the best position to be in.

Not always possible, but it is definitely an opportunity to really look ahead and go, “What is coming down the line over the next three years that we need to raise the bar on now? Because we need to be tackling the future stuff today.”

John Gaffney: Well said. Well said.

James, I am going to assume that fraud showing up is number one on the influences expected over the next three years is not a surprise to you. First, do you agree with that? And second, how do we play offence?

James Richardson: No, not at all surprised, as I have mentioned earlier. And Chris has given some excellent responses that really help understand what is going on in organisations. So I think I am not surprised. Not surprised to see it is in the top three.

Here is what I would do. I would ask around the organisation, “Who protects our payments in our business? Who is responsible?”

Now if you are a large, multinational corporate you have probably got security teams. You may have fraud and financial crime groups. That is great. If you are small to midsize you probably haven’t got that. But challenge and check. Who is actually responsible for protecting the payments?

And you would be surprised. When people go off and ask that question they realise that it is often seen as a secondary responsibility to someone or some team. IT and technical teams focus on different stuff. They don’t necessarily get the problem on payments and how to circumvent payments.

So form a team. And often it is a cross-functional group. But share the responsibility. Make sure you are really clear. “Who owns protecting the payments in our business?” And you may need to get some outside counsel on supporting that but do it. Understand it and act.

I think the other thing that is important to do is really broaden your horizon on what is going on at the moment. The Business Payments Barometer is a wonderful source of information, and I am sure that many of the readers will value it and maybe look back at some of the previous years to see some of the trends, but don’t just rely on that. Go and find out. Go and get multiple data sources that are really going to help you understand, “How are fraudsters attacking business like mine?”

Chris talked about business email compromise and concerns around vendors getting compromised for payments. Absolutely. And if you know that your peer group, your competitors are getting targeted, you can be sure that you are getting targeted. So lift up and just look at what is going on around you.

And my final piece of advice would be to look at the report, right? This is a great way of looking at what your peer group, at a business size, thinks and is doing. If you look at that.

And there will be other measures as well, but if you look at it and think, “Actually, we are not implementing any of these things and yet we can see that many organisations are,” you are behind.

If you are behind, you are already a target or you are going to be a target very quickly. Fraudsters move far quicker than we do. And you have got to be on the front foot.

So look at where you sit today. Look at where you think you need to be over the next 12 to 18 months. Don’t wait for a regulation. Act now. And regulations will catch up.

Fraudsters will keep moving on as well, by the way. But you don’t want to be that last house in the street that doesn’t have the burglar alarm. You don’t want to be in that place. So if you can lift up, get a group, share the responsibility and make it a boardroom topic, you are in a much better place.

John Gaffney: Well said. That is a wrap. Quite a lot of information in here. I hope everybody can get into the data a little bit more, but this is certainly just a great way to unpack it.

Once again that is going to wrap our Payments Podcast on the Business Payments Barometer, Rise in Fraud and Financial Crime Rings the Alarm for Better Detection and Prevention.

First I would like to thank James Richardson from our UK office. James, thanks a lot.

James Richardson: Thank you so much for having me.

John Gaffney: Okay. So Payments Podcast. Listen on SoundCloud, Apple, Spotify. Wherever you get your podcasts, please listen. And we will see you next time. Thanks.




Want to learn more about Bottomline's solutions?

Give us a call.

Our solution experts are here to help.

+61 2 9068 9438 | SG +65 6508 8088

Chat with us.

Chat with one of our solution experts. We'll recommend the right product to fit your needs.

Let us help drive your business forward.

Tell us a bit about you and your business and we’ll get back to you with all the information you need.

footer curve