Faster payments is the generic term for the smarter, instant payments that have been emerging on a global scale over the last decade. Faster payments schemes have recently been implemented in the US, Europe and Australia, making faster payments transfers possible in 36 new countries. Combine these latest adopters with existing schemes in the UK, China and India and that adds up to nearly 1 billion people with access to faster payments technology.
We sat down with three payment and security experts to find out what types of risks faster payments present and what steps organizations can take to protect their assets. We spoke with Andrew Leon, a global cyber-fraud and security specialist, Ed Adshead-Grant, a UK-based Fintech expert in the global Payments and Cash Management industry; and Missy Rose, a 20 year veteran of banking and financial technology in the U.S.
As use of these payment schemes expands, so does concern about faster payments security – understandably so, because as technological innovation proceeds at lightning speed and payments are processed and settled in the blink of an eye, banks and corporations are struggling to protect themselves against savvy fraudsters looking to exploit these transactions.
SmartPayments: Since faster payments have been in the UK market for much longer than in the U.S., let’s start by setting the stage: What do you see as the main drivers of faster payments adoption?
Andrew: Market demand is probably the biggest driver, particularly within the millennial generation, they are used to everything being instantaneous. That mentality is making its way into the corporate world as the generation matures, and there’s a growing consumer expectation for increased speed and reaction time in everything we do as a society. Also, banks realize that there are big benefits to offering their commercial banking clients a way to deal with funds in a more immediate way than they have traditionally. Plus, faster payments come with reduced processing costs, higher visibility and instant access to funds.
Missy: Offering faster payments is definitely seen as a strategic industry play. In the U.S. market, the new faster payments system also offers some innovations and advantages for B2B payments that don’t exist for other payment systems. It is a CEO mandate for many of the banks I’ve spoken to.
Ed: In the UK, there are a growing number of challenger/start-up banks entering the market. These banks begin with a clean slate in their technology plans and are offering faster payments capability from the onset along with traditional payment systems. More established banks see this as a threat because for them to institute new technology it can be costly and time consuming. But they realize the need to become more digital and build capabilities like faster payments options are a necessity in order to stay competitive.
SmartPayments: Missy, from a U.S. perspective, what trends or reactions are you seeing in the industry around the recent launch of faster payments in the U.S.?
Missy: As a top-down mandate, a lot of regional and larger banks are already in the planning stage and are beginning to figure out what they need to do to get faster payments up and running as quickly as possible. However, there aren’t many that have gone live in the market yet. One of the key things to keep in mind about faster payments is that it is an initiative that touches so many areas of the bank. If you think about it, innovative banks are going to use the new system to launch new products, and that affects everything from servicing, support, implementation and billing to accounting, in addition to integration with a new clearing system, so it’s a pretty extensive and involved rollout.
SmartPayments: Ed, how does Missy’s experience compare to what you’re seeing in the UK and Europe?
Ed: I’m glad you separate the UK and Europe because they are in very different stages of adoption. Similar to the U.S., the European Union recently went live with its faster payments scheme, SEPA Credit Transfer Instant (SCT INST). It is somewhat limited in its use and is very conservative and low risk with a max of €15,000 per transaction.
In contrast, the UK has been offering its faster payments scheme for a decade - Faster payments Service (FPS) – and is much further along in some of its operations. Banks can set their own limits but FPS currently supports individual transactions up to a maximum of £250,000 and there are discussions of opening it up to £1M per transaction. With a more mature scheme, consumer confidence is high, rules are well established and practitioners are comfortable with faster payments being in the domestic banking systems.
SmartPayments: So, with faster payments schemes mimicking ‘cash-in-hand’ transactions, what are some of the security concerns organizations should be aware of?
Andrew: I see three specific areas of concern in the U.S. as faster payments becomes more prevalent:
1 – The biggest security threat to these types of payments is the faster/real-time aspect. Transaction speed is a pretty clear indicator of a payment type’s inherent risk of fraud. The faster a payment is settled, the easier it is for fraudsters to exploit it because the funds are irrevocable. Once they’re gone, they’re gone.
2 – The second is that faster payments is going to come with some distinct functionality that is new to the payment industry. I think we can try to predict some things that fraudsters will do to take advantage of the situation, but because there are aspects to faster payments that haven’t been seen before, there’s no way we could predict the unique and creative methods fraudsters might use to exploit those areas. We can try, but the reality is that when you open up a whole new can of worms, there will be all kinds of new ways fraudsters will try to thwart our efforts to protect this new channel.
3 – The third thing is that faster payments is a 24x7 payment type which is something that commercial banking hasn’t had to deal with previously. If you think about it, some of the issues are common across all payment types – account take-over and social engineering scams for example. From an operational perspective, however, what do you do with a payment that comes in at 1:00AM that’s expected to be real-time? This 24x7 mentality hasn’t been something commercial banks have had to deal with until now.
Ed: In the UK we deal with the same security issues Andrew spells out but we also have significant compliance and regulation complexity, for instance GDPR and Open Banking. We are also going through a wholesale modernization program in the UK for a New Payment Architecture (NPA) to stay competitive globally and this all adds another level of challenge to the ongoing operations.
Andrew: Also, as faster payments functionality expands globally, cross-border transactions pose another significant challenge. For instance, if a U.S. bank sends a faster payments to the UK, it has to be compliant with that country’s regulations. The overall risk is extremely high and it’s significantly harder to recover funds – especially when sending money to a country that may not follow regulations.
SmartPayments: So basically, the stakes are higher than ever when it comes to protecting faster payments. What are some of the security protections organizations should implement to protect themselves?
Andrew: Protecting your organization against the exploitation of faster payments is about having a very modern enterprise payment fraud system that has all the tools in the bag, such as behavior analytics, rule-based risk assessment, and continuous risk assessment, which are the types of capabilities that you’re going to need to deal with the threats of today. Everything from monitoring the initiation channel to a powerful analytic and machine learning approach that monitors these payments and can handle the newer aspects faster payments that we haven’t dealt with before.
Real-time monitoring capability is going to be imperative in these fraud-prevention systems. Machine learning is another important tool for effectively dealing with many aspects of faster payments, so banks and corporations need to find a fraud-prevention solution that has that functionality incorporated into its platform. For example, machine learning will be very helpful in identifying anomalies that are indicative of fraud types we couldn’t predict or prebuild rules and analytics to protect against, like we’re able to do for established payment types.
Missy: I agree. Because transaction settlement is getting faster and faster, it’s crucial that financial institutions can detect potential fraud at the point of origination, reducing the burden on back office systems and staff.
Ed: Another thing to consider is that these new, faster payments types are bringing a surge of digitization to payment solutions. In older, well-established organizations that means building digital solutions on top of legacy technology and processes. This creates an interesting friction point of instant, irrevocable digital payments interacting with older analog, often batch-based systems.
For these organizations with older systems, the digitization journey can be complex and expensive. Some keep it all internal, some build afresh in a green-site model and others like to outsource to a payment specialist who can take care of the modernization across payment processing, compliance checks, effective workflows and system integration.
With the way technology is consumed today, organizations can find an off-the-shelf solution, cloud-based on a subscription package, which offers the cyber security, compliance flows and faster payments checkpoints – freeing them to focus on just the touch points that integrate their APIs and file transfers with the technology.
SmartPayments: So as organizations look to the future, as faster payments mature, what other kinds of proactive steps do you recommend they take?
Andrew: These payments are going to drive a requirement for an automated fraud system. In the past many banks have gotten away with limited manual reviews or fraud systems that were inadequate based on the volume of payments processed. As we move to 24x7 payment types, these stop gap solutions are just not going to be acceptable in the industry – either for banks or corporates, and sophisticated payment fraud systems are going to be a necessity. In the commercial world, the need to have an industry-leading fraud system in place is going to be much more important than just conducting due diligence and checking the boxes. There is going to be a lot more risk associated with faster payments and that will require organizations to have a higher standard when looking for a payment fraud provider.
Ed: There is another interesting trend we’re just starting to see in payment fraud prevention that corporations should be aware of. As everything is getting faster and more payments become irrevocable, banks are pushing back on the liability for losses or misdirected payments. Corporations are having to take more accountability for payment fraud or illegal payments by knowing their payments and their suppliers much better.
Legally in the UK, corporations should now be looking to do their own sanction screening and their own anti-money laundering checks. What we’re seeing is that regulators are pushing the onus for verifying trading partners downstream to the active corporations. They can no longer rely on their banks to do this. Everything is growing and moving too fast. Corporations need to invest in the compliance and risk software solutions that will protect their own reputation and ensure they’ve done everything possible to protect the validity and routing of their payments.
Andrew: The fact is, to protect against the security threats posed by faster payments types, organizations will need to find a payments expert, not just a fraud expert (TWEETABLE QUOTE). One that has subject matter experts who sit on payment innovation task forces and really understand the fraud impact that these emerging payment types will bring to market. It’s about creating a comprehensive strategy for faster payments, one with security at the forefront. Additionally, if you send payments cross-border, you will also need to make sure to find a global fraud provider that is on top of the regulations in all of the countries you send payment to.
For more guidance on how to protect your organization against fraud threats, or for information about faster payments, check out these additional resources: