Does the need for speed invite payments fraud vulnerability?

Ruud Grotens

Oct 4, 2022

As real-time payments continue their international climb toward critical mass, you have to wonder how one of their central issues has become so confused. While the payments industry from Washington DC to London to Mumbai should be discussing the cash flow and real-time settlement advantages of this newest payments technology, we’re focused on fraud instead. That’s a legitimate concern, but are real-time payments really more vulnerable to fraud?

Here's an example of the issue in real time. I was on a panel recently for a webinar hosted by the Association of Certified Financial Crime Specialists (ACFCS). The moderator asked a poll question: What do you think is behind the rise in real-time payments fraud? The answer was the speed and scale of the payment mechanism, but it strikes me in hindsight that the question should have been: Have you noticed more fraud activity around real-time payments? In a recent report commissioned by Bottomline with Themis, 51% identified the increasing speed and volume of online payments as the greatest contributor to fraud risk. But a recent study by shows that about 10% of respondents listed lack of fraud risk as the most important feature of real-time payments. So we have been forced to assume (as is safe and responsible) that fraud surrounds the irrevocability of real-time payments.

Before I go forward, some semantics. I will use real-time payments interchangeably in this piece to represent the world of its labels, from instant payments (EU and US Federal Reserve) to faster payments (UK).

Learning from banking history

As I said, this is a worthwhile debate and better to err on the side of caution. Let’s assume that fraudsters are hard at work trying to find ways to take advantage of real-time payments. And here, it’s worth looking at the history of instant payments. When instant payments were first introduced in the UK in 2008, banks managed to reduce fraud losses by implementing real-time detection solutions that blocked any suspicious transactions, but only after suffering some steep losses. We will get to the importance of ISO 20022 in the next section, and the next-level fraud prevention it provides, but those early fraud detection efforts helped instant payments to gain awareness despite their weaknesses. So, what are the lessons learned? Firstly, early preparation is required, as fraud rates are highest when new real-time payment schemes are rolled out. Fraud rates will rise for real-time payments as more countries adopt them; they will be used for higher-ticket payments and will likely attract more bad actors. Real-time payment fraud solutions need to be enhanced and stress-tested, able to block transactions in real time from day one. Banks and other businesses will require more capacity to handle real-time volume and manage real-time fraud. So as an industry, we need to prepare ourselves and be ready for what is coming.

ISO 20022 was introduced in 2004 but has found its true calling with real-time payments. It will be key in driving real-time payment schemes for cross-border settlements in the coming years. One of its aims is to ensure interoperability between financial institutions and between countries. Its ability to carry rich data sets will help advance fraud protection. It will also help to better structure that data and improve overall quality compared to legacy messaging standards. For example, ISO 20022 contains around ten times more data about each payment, shared with participating banks and beneficiaries through the transaction’s journey to its final destination. This data includes information about the purpose of the payment and its original source. In the Netherlands, for instance, ISO fields share the fraud scores from the sending party to the receiving party. This enables the receiving party to better judge borderline cases where the information may be insufficient to flag a transaction.

Risk mitigation in real time

When it comes to real-time fraud, risks appear within milliseconds. Where unusual or suspicious customer behaviour is detected, it is good practice to challenge the customer with authentication, i.e., extra steps to prove that the customer is the ‘real customer’. Only if the authentication is successful will the payment proceed. Otherwise, it will be blocked. So instant payment networks have rules outlining the timeframes for conducting transactions (often within 10 seconds) but offer exceptions when suspicious or fraudulent activity is detected. You can imagine that when the added element of secure customer authentication was discussed during the introduction of the EU’s Open Banking legislation, PSD2, stakeholders felt there was too much focus on anti-fraud measures and not enough attention on the customer experience. So businesses were concerned that secure customer authentication would cost them a large percentage of their online business. It didn’t, and therein lies a lesson for those who believe anti-fraud measures will slow real-time payments.  
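The flow described above (proceed, challenge with authentication, or block) and the earlier point about the sending party's fraud score helping the receiver judge borderline cases can be sketched together. This is an added example, not code from the article or from any payment scheme; the thresholds, the equal weighting of the two scores, and all names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Thresholds and weights are assumptions; each institution tunes its own.
ALLOW_BELOW = 0.30  # below this: proceed without friction
BLOCK_AT = 0.85     # at or above this: block outright


@dataclass
class Payment:
    payment_id: str
    local_score: float             # receiver's own fraud model, 0.0 to 1.0
    sender_score: Optional[float]  # score forwarded by the sending party, if any


@dataclass
class Decision:
    action: str          # "ALLOW" or "BLOCK"
    risk: float
    challenged: bool     # True if step-up authentication was requested
    sla_exception: bool  # True if the scheme time limit no longer applies


def combined_risk(p: Payment) -> float:
    """Blend both parties' scores so borderline cases get a second opinion."""
    if p.sender_score is None:
        return p.local_score
    return 0.5 * p.local_score + 0.5 * p.sender_score


def decide(p: Payment, authenticate: Callable[[Payment], bool]) -> Decision:
    """Risk-based flow: frictionless, step-up challenge, or block."""
    risk = combined_risk(p)
    if risk < ALLOW_BELOW:
        # Non-risky behaviour: no challenge, settles inside the scheme time limit.
        return Decision("ALLOW", risk, challenged=False, sla_exception=False)
    if risk >= BLOCK_AT:
        return Decision("BLOCK", risk, challenged=False, sla_exception=True)
    # Suspicious but not conclusive: proceed only if authentication succeeds.
    ok = authenticate(p)
    return Decision("ALLOW" if ok else "BLOCK", risk, True, True)


# Constructed sample payments (not real data).
SAMPLES = [
    Payment("P1", local_score=0.35, sender_score=0.10),  # borderline, sender calm
    Payment("P2", local_score=0.28, sender_score=0.90),  # looks fine locally only
    Payment("P3", local_score=0.95, sender_score=None),  # clear block
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.payment_id, decide(s, authenticate=lambda _p: False))
```

P1 would have been challenged on the local score alone, and P2 would have passed unchallenged; the forwarded score moves both to a different outcome.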

The Bottomline: Back to the data points. The study mentioned earlier found that 75% of US financial institutions using real-time payments report lower rates of fraud than those that don’t offer it. Granted, real-time accounts for about 1% of all transactions in the US. Know this: Fraud happens, bad actors flock toward new technologies, and responsible financial leaders should act proactively. Seeing fraud as an obstacle to adopting faster, instant, or real-time payments, depending on your geography, is a short-sighted approach. The primary functionality to consider for a payment fraud solution is risk-based detection that will minimise the impact on non-risky client behaviour and maximise impact on high-risk behaviour.


Ruud Grotens

Ruud Grotens, Certified Financial Crime Specialist (ACFCS), is Head of Solution Consulting, Fraud and Financial Crime, at Bottomline Technologies. He has over 30 years of international experience advising banks (including central banks) and non-banks (including asset management firms, insurance firms, and MSBs) on financial crime risk management technology, covering anti-money laundering, counter-terrorist financing, sanctions, tax evasion, and internal/external fraud, including payment fraud and cybercrime.
