The challenge of fraud risk continues, as almost 1 in 2 businesses have seen an increase in insider fraud and collusion in the working from home environment.

This episode of the Payments Podcast reviews what the 2021 Business Payments Barometer revealed about payment fraud and how businesses can apply these insights.

 


START AUDIO

[0:00:18]

(Music)

Female: The Payments Podcast from Bottomline Technologies.

Jack Gianella: Financial loss due to payment fraud is part and parcel of running a business. That is what a shocking 55% of companies agreed to in the 2021 Business Payments Barometer.

Hello, my name is Jack Gianella, and I am a Market Development Executive within Risk and Fraud at Bottomline, and I’m your host of today’s Payments Podcast episode.

Bottomline’s Business Payments Barometer is a research report that is now in its sixth year. It surveys 800 financial professionals from across the UK, gauging the pulse of businesses and their priorities for managing payments in the next 12 months.

Today on the Payments Podcast we’ll be focussing on the key themes from this year’s Barometer when it comes to all things payment fraud, and to do so, I’m joined by two of my esteemed colleagues.

Firstly, Omri Kletter, Global Vice President of Product and Strategy Risk and Fraud. Hello, Omri, how are you?

Omri Kletter: I’m good. It’s good to be here, it’s good to be here with you.

Jack Gianella: And also, James Richardson, Head of Market Development for Risk and Fraud. Hi, James, nice to see you.

James Richardson: Hey Jack, I’m all good, thank you.

Jack Gianella: Good. Good to have you both with me. So, to get us kicked off into our topic, it’s been some year, hasn’t it? I think we would all agree with that, it was some year.

And when it comes to fraud, it seems evident that fraudsters are willing to use any means possible to take advantage of individuals and businesses alike, which is why businesses, we feel, have to probably stay one step ahead, I think we would agree.

So, we’ll talk about insider fraud first of all. So, from the Barometer, we can see that just under half of businesses have seen an increase in fraud and collusion since many of us have been working from home.

Can you guys sort of summarise what type of risks we can expect to see in our new, sort of remote environment, and does this truly show within the results of the Barometer, do we think? James, shall we start with you, for example?

James Richardson: Yes Jack, great question and introduction to the topic. Here’s the thing, I am not at all surprised; that’s the scary reality of the situation. To talk about 57% of large businesses seeing an increase in fraudulent payment activity, we should not be surprised at that, and one of the reasons why, is whilst this has created challenges to security teams, it’s created opportunity to fraudsters. The whole new working dynamic has created an opportunity for people to take up full advantage of the conditions.

The playing fields have changed, and we’ve got to be really mindful of that in our year ahead. I don’t think it’s all doom and gloom, by the way, because I do think that COVID has really demonstrated that organisations can accelerate digital business transformation, and that has made a remarkable difference into how organisations have continued trading.

They have been forced to up their game in a number of different areas, but I think we’ve got to be honest with ourselves in saying that there are areas that really need to catch up.

Omri Kletter: I totally agree with James’s outlook into his point that we shouldn’t be surprised. And I think, you know, we sat last year and obviously we need obviously always to keep our roadmap up to date, keep our investment up to date, and we saw this becoming a bigger issue, and obviously we took the relevant measurements from our side as an organisation that is aiming to help corporates and banks to fight fraud and financial crime.

I would say even more than that, with all of us who have been in this industry in 2008, will remember a similar reaction to a crisis, although it wasn’t necessarily the working from home element, but there is kind of, I would say, the notion of instability that previously James pointed on, kind of both the opportunities for the fraudsters to adapt, but also I would say a bit more vulnerable by a workforce that is maybe more adjusted to that.

[0:05:05] And in addition to working from home, we’re talking also about the different reality of work generally, right? We are hiring in a different way; we are hiring remotely. We have more offshores and more organisations working in different industries. We are going through additional M&A, which by the way, brings their own systems, their own tools, their own procedures. All of these things are almost like a petri plate for internal fraud.

And just going on another thing that James talked about opportunity, I think it’s also a good notion if you want to really be true with ourselves, why look in a mirror as an industry, are we doing enough in terms of internal fraud, and what is the current gap with how we’re addressing external fraud and internal fraud? I think this is very observant; I would say very transparent to a certain degree.

And I think good practice and good reaction to that would be to take many of the advancements we had as an industry around external fraud, which is focussed on let’s collect information, let’s profile the relevant entities, let’s address this, let’s have dedicated teams, let’s have investigation centres, etc., etc., we should definitely address this into internal fraud.

This is true for banks. This is definitely true for big, medium, and small enterprises.

Jack Gianella: That’s so interesting, isn’t it, it really is. We’ve almost got to be honest with ourselves, if you like.

If we move away from the insider bits and pieces into external cyber-attacks, we saw that 70% of large businesses agreed that their company is concerned about external cyber-attacks. Could you both comment on whether there’s a perception that fraud is a larger business problem, rather than in general?

James Richardson: I completely agree with that, and the comment around insider fraud, it’s almost felt like a bit of a dirty phrase to use across organisations. It’s got such negative connotations around it, but it’s so important that people – and I like your comment around check in the mirror, right – but the reflective moment is securing business payments is everybody’s responsibility.

It doesn’t matter where you sit within the payment lifecycle, whether you’re involved right at the beginning for changes coming in with new suppliers and there’s a change to the way in which suppliers are going to get paid, all the way through to the individual that hits approve on a payment as it goes out the door; that entire lifecycle is everyone’s responsibility.

And I think it’s true that culturally, things have certainly been more accepting within organisations that it’s okay to check. A few years ago, we were talking about the CEO fraud, or business email compromise as it’s also known around the world, and how the culture needs to adapt to check, “Is it okay, and I’m going to phone my CEO and I’m going to phone my FD and I’m going to really make sure this payment’s okay.”

But this is a different dynamic now, and insider fraud, we’ve got to be okay with that level of comfort in challenging the individuals respectfully, because securing the payments is everyone’s job.

Omri Kletter: I would start with quoting one of my best friends, Spiderman, who tends to say, “With great power comes great responsibility.” So, there is definitely a relation between size and fraud ethic problems; there are many aspects of that.

Obviously, bigger organisations are more lucrative from a fraudster’s point of view. Usually there is a bigger [programme 0:08:57], additional layers of constraint, and we know that smaller organisations have sometimes smaller links, and hence safer links, but there is no question about it, that this is a problem across the board.

One term that we really helped to inject in the industry is the notion of catastrophic loss, right, and that’s actually one of the things that the Barometer has done very well, I think from [ ___0:09:23] perspective, the notion that you are moving forward part and parcel ___, if some of it is more meaningful, almost one can say part of the modern warfare.

And we need to remember that catastrophic loss for a big organisation means millions of dollars or pounds being erased, but for a smaller organisation, catastrophic loss could be 100, 200 cases. So, we need the magnitude of fraud maybe relates more around bigger organisations, the notion of catastrophic loss could be sometimes even to consumers.

And to James’s point around business payments and how we’re securing business payments, we can't allow ourselves to be focussed, and to score, for example, only payments about a certain amount, or only certain scenarios; we need to make sure that we are injecting our analytics, our procedures, our tools into each and every business payment.

[0:10:17] So that’s kind of my take of why we’re seeing these interesting statistics. And obviously there are a few mergers being addressed across the industry to stop Confirmation of Payee, traditional analytics and others, but I think this is definitely an interesting takeaway from this year’s Barometer.

Jack Gianella: That’s really interesting, Omri, and thank you for that, because I think one of the questions I was going to ask you was around what we feel that businesses can be doing about fraud, and I think that’s what you’re getting to, as we saw within the Barometer, for example, 58% - only 58% of small businesses agree that there’s more that they can be doing about payment fraud.

And I was going to ask – which you’re alluding to – do we think that’s the right stance to take, or do we believe that there’s more that businesses should be doing?

So, I’ll pass to James at that point, then. I think the point that we’re making here, James, is we think that businesses can always have a process, a way of improving their processes around protecting themselves.

Omri Kletter: Correct, and to a certain degree we need to remember on a positive note, that there is almost, there is a perfect storm, there is a perfect storm.

James started to touch about kind of the chronology type of storm with cloud and SaaS being, obviously from an analytics perspective, machine learning and bigger databases, access for more data, the ability to fuse data from different sources.

And there is also evolution around how payments are being facilitated. And we know that, for example, fraud detection prefers more and more data, and we think about ISO 20022, when the standard is actually more data opportunities and more data points that can go into a detection system.

I think one of the things we’ll see if we also aim to focus a little bit – and we’re seeing, by the way when we’re having multiple workshops with big corporates, but also mid-sized – is the notion that more and more organisations in corporates would like to have what they call bank grade type of detection.

And bank grade means that while you understand the additional all rise over warning cyber-attacks, the question of, how do you translate this risk into better protecting business payments, means that for example you profile all the payments, you have the ability to intervene.

How many of – you know, it’s a question to our audience around this virtual podcast – how many of you have the ability to interdict on a payment if there is a higher risk attached to it?

I think these types of advancements around introducing interdiction, introducing scoring, introducing additional compliance elements to payments in the business environment will become a strong and viable issue in the coming years.

James Richardson: Totally. And I don’t think that we should see that disappearing either. It’s here to stay and we’ve now got to adjust to how that continues to evolve.

It’s almost kind of rating your business and appreciating that the way in which you used to do things may have been okay in the past, but this – we live in a world of cloud, we live in a world of SaaS, everything gets kind of continuously updated; it used to be things would be updated, software would be updated maybe once a year or every 2 years, and perhaps that’s kind of the defence mechanisms, the measures that people would put in place, their strategy for defending against payment fraud would’ve aligned to that.

This is a new world we’re living in, where it is expected that you are just going to be updating just constantly. We shouldn’t be surprised in updates coming out, and businesses need to think of themselves as a 2.0 or a 3.0; the rate of change is just so significant. You’ve actually got to adjust your ability to consume the new information and act on the new information in a far higher speed than we’ve ever had to before.

And that means you’ve got to find new areas, new sources of information so that your organisation can learn, and you’ve got to understand the different levels of technology that can help support your strategy as well.

And I don’t see external cyber-attacks disappearing, but I do find it interesting that authorised push payment fraud is something that continues to increase year on year, and is probably one of the biggest growing threats that organisations face when it comes to payment fraud.

[0:15:15] And the difference between that and external cyber-attack would be someone’s trying to compromise your organisation and generate a non-authorised payment, whereas an authorised push payment fraud is trying to convince you that it’s legitimate and get you to make an authorised payment. And that is far harder then, for banks and for those involved in the settlement process to actually manage, because everything’s real-time.

So, we should be mindful of both of those things and be very aware, and the Barometer, I think is very helpful in being able to see the different sizes of organisation and what their kind of response is to the different types of fraud.

They’re certainly seeing something like authorised push payment fraud increase continuously, is something for organisations to be mindful of.

And actually – and I’m sure we’ll talk about how the regulations are starting to change around in the UK – but it feels like there’s hope; it is not a situation where we should feel like there’s nothing we can do, there is very much opportunity for organisations to kind of jolt themselves into action on this.

Jack Gianella: Yes, absolutely. It’s just like being on your mobile banking application, isn’t it, you almost can't believe that a couple of years ago you weren’t able to see the person you wanted to pay actually owned that bank account and you could confirm it inside the application, and now you can do that, it gives you that great peace of mind, doesn’t it?

If it’s okay, I’m going to pivot us away from the fraud piece into what happens afterwards, and talk about recovery rates. So, we know that businesses are losing money to fraud, can we talk around how much we’re able to recover from fraud once it’s actually happened. Maybe I’ll come to you first, Omri.

Omri Kletter: So, yes, I agree. We start to say about Confirmation of Payee, and I think first of all, 58% - obviously that’s the benefit of such a strong product of this moment, or it helps us to really see things, so, obviously we need to take it almost as a starting point for our discussion.

And I think 58% is a significant number, actually; it’s more than half, but it’s also to your point, should it be higher? I think that’s almost kind of implied in your question. What I think the statistic tells us is that it’s also a bigger responsibility in some cases for banks to do more, right?

And we’re seeing it; confirmation will be a great example of the notion that we as an industry can do more in order to imply the end client. That would be true for consumers, also for small or medium businesses. And we’re seeing more and more, I believe, tools, where the corporates, or the consumers are more involved in the fraud journey, moving forward.

And I think to a certain degree, we can almost imagine a scale, and on the right-hand side we have banks with their super sophisticated tools, and as alluded to before, we’ll see more and more corporates adopting bank grade type of technology.

Well, I’m expecting us to see more capabilities coming on top of the existing tools, existing treasury tools, existing payments tool, that will allude to some of fraud and financial crime.

So, I’m expecting, as you know, we are investing heavily in making, for example, our PTX platform, our treasury platform stronger for fraud and financial crime. The notion that if I now am executing a payment, I want my treasury or PCM tool to be able to do additional checks is critical to what we do.

James Richardson: Totally. Never has it been more true to say if you’re not going forward, you’re going backwards, and in this scenario, it matches that environment perfectly.

You have got to keep with the pace, and I think actually, this aligns to my comment earlier about this jolt into action of thinking of a 2.0 or a 3.0. But it’s not just about layering on some new things, it’s about thinking I’ve got to be able to run faster than I’ve ever run before in order to match the pace of how the fraudsters are acting.

And by the way, the fraudsters, they’re not sitting in the UK necessarily right outside your organisation, watching what you do and when you go, they may well be the other side of the world, and that’s the model that we all live in.

[0:20:03] And technology is on their side, yes. That’s important to- the fraudsters have got access to machine learning capabilities and advanced technologies that will support their ambitions, because they’re thinking of their organisation, their outfit as a business, and they’re trying to grow. It doesn’t make it right, but it’s the reality of what we’re facing.

So, yes, it’s encouraging, looking at the Barometer that people want to do more. I think the question that hopefully they’re thinking is, “Well, I want to do more, I’m ready to do more, what shall I do?” And no doubt the Barometer will give them some good thoughts about their peer groups, what other organisations are doing, whether they’re small, medium, large or enterprise, what people are thinking.

But the key is to consider that if you were swimming upstream previously, you’re now swimming upstream and the current’s getting faster, and that’s really the mentality to sort of adjust to.

There is some good news in all of this that does support the change that organisations need to make. There was a Which? super-complaint raised a few years ago which has resulted in really attacking authorised push payment fraud.

Now that’s taken years, which is so frustrating for all of us in the industry to kind of wait and see how long it takes for these initiatives to roll out, but the good news is, we’re actually starting to see it, we’re starting to see the solutions bear fruit and support consumers, and now starting to support corporates.

So, I would really encourage the audience to really check their sources and make sure that they’ve got access to the latest views of the technology that’s coming down the road to support them because it’s going to be transformational, and already is.

Omri Kletter: So, the recovery point is a sore point, I think, in the industry, and it could become even tougher with more and more vehicles moving into real-time engines. And we’ve definitely seen the shift in the UK when faster payments had been introduced, and so on and so forth.

I think it’s a good reminder of the importance of interdiction as a tool from a recovery perspective. The reality is that with real-time vehicles, the ability to recover is becoming a challenge because the money is already moving.

We are, by the way, hearing from many of our customers, talking about 4 or 5 [ ___0:22:53] before we get into a cash-out, and the speed is so dramatically different, that it’s becoming a challenge.

I think the reality is that recovery is a viable tool, especially if you build a chain, you know, a strong line of communication with your banks, and banks between themselves. I’m expecting the industry and the regulator to do more around it, and I think we should definitely watch this space.

But if there is something we can take from these interesting statistics for the Barometer, is, it underscores the importance for interdiction to a certain degree better be safe than sorry.

We’re seeing more and more cases of transactions that should’ve been held for additional review before it goes into the later steps in the process where we know it’s becoming harder and harder to stop and recover them.

James Richardson: Well said, Omri. And I speak, like many of us, we’ll get to speak to people out there making payments as well as have our ear on the industry as to what’s going on, and it’s interesting to kind of get both sides of that coin.

And there’s a much greater appetite for users or approvers that just want the comfort that they know who they’re paying. It’s as simple as that, “I want to know who I’m paying is who I’m expecting to pay.” They don’t want the complication, and they don’t want to wait 48 hours for checks, they just want to know real-time who is it that I’m paying?

And when you call it out like that, it’s not a big request, but these things get confused, they get confused and lost in elongated processes. The technology historically hasn’t been able to support such a simple request.

But the good news is, those things are now starting to emerge, and Confirmation of Payee is, well, frankly a fabulous answer from the industry to be able to support that for both banks and for corporates.

[0:25:05] And Omri, you said it best about what is bank grade technology that’s appropriate for corporates, and there’s much greater appetite in organisations wanting to be more in control of their own destiny.

Why? Because they may have multiple bank relationships, they want to be doing the right thing in taking more responsibility for checking is a payment fraudulent, but also am I paying a sanctioned entity. And all of those things give greater control to the individual that’s looking to make the payment.

So, I think a perfect storm is a brilliant phrase that encapsulates the technology shift, the appetite from the community that are making payments, and the industry supporting it.

I think we will look back at this particular moment in time in maybe 4 or 5 years and we will look at it and think how on earth did we accept the situation that we are in? How on earth did we accept that it’s okay for us to think that we’re just going to have to write off the cost for fraud? How is it okay that half of businesses are not getting their money back?

This is not an acceptable situation for us to be in, in 2021, but we’ve become desensitised to it because organisations haven’t had the control and have just been fed the answers by the banking community.

Now, I do think we’re in for a shake-up. I think that will happen over the next couple of years, and I think it goes back to Omri’s brilliant comment about a perfect storm; it’s all related.

I think what we’re going to see is the banks are going to be under more and more pressure to provide recovery of losses, and they’re not going to want to do that, and will just absorb all of the cost, so there will be conditions attached to that, such as how do you know that you’re paying the person that you’re meant to be paying?

Now, all of this will create friction in the market, but I think it will be positive. It will provide capabilities for people making payments to actually make the decisions that they’re yearning to, which is, “Am I paying the person that I expect to pay?”

If you ask most people, “If you could have that control, would you accept liability?” I think most people would say, “Yes, that’s reasonable.” When it becomes unreasonable is when I don’t know, I could be hoodwinked, I could be convinced to make a payment to someone else.

So, my summary is, we should never be satisfied to give one penny away to a fraudster. For any moment in time that there is 1% left on this chart, I will remain unhappy, but I think this is something that is going to take a shift.

But it is coming together; we should hold firm on the plan, but it’s going to take the industry, especially corporates to really create the movement across the banking community to give them access, to give them what they are yearning for, because people want it, and it will make a change.

Jack Gianella: Yes, so true, James, and as we said, we started the podcast with businesses feel fraud is part and parcel of running their business; we want to educate that that just doesn’t have to be the case, does it?

And we’ve seen within the Barometer over the next 12 months, medium, large and enterprise sized businesses are all making mitigating fraud risk their number 1 priority.

So with that in mind, I’ll just ask you to summarise for us very briefly. Is there anything we haven’t been through in terms of best practices that we could leave our listeners with from listening to the podcast today; anything we haven’t been over?

Omri Kletter: Don’t feel alone is a big one. Don’t feel alone. There is a notion to take a step forward to engage [ ___0:29:26]. Think engagement with peers, engagement with your payments partner, or with your solution vendors.

This is such an important thing. We are obviously in a COVID area, we meet less face-to-face. We might have less interaction, and we certainly we live this Barometer, this podcast, it’s all a reminder of the importance of us as being in this industry to engage.

And it’s also a reminder, by the way, the final thought that fraud is a living thing; it changes, it requires us to be up to date, it requires us to change and to adapt and constant change is the only constant player in this world today.

[0:30:13]

James Richardson: Well said, Omri. And I think my perspective is also to say don’t worry, don’t panic. I think it’s our duty to inform people of some of the things that are out there that they should be paying attention to.

My comments would be, really make sure you’ve got a number of sources, really reflect on your model that you’ve used, and scrutinise it, test it, road test it and actively look for what’s coming down the roadmap from technology suppliers to help support you.

And of course, we know Bottomline are right in the mix of that with both payments and fraud and financial crime technologies that support, but it’s not just us that will be part of that puzzle, and it’s also the education and the information that people can soak up.

I think if I reflect back where we were a few years ago, it felt a lot more like we were at this kind of unconscious incompetence, feeling our way around one of the issues that people should be focussed on.

That may be unfair in some regard, but if I think of where we are now, I think the industry has a much firmer grip, and organisations have a much firmer grip of where we need to focus.

Situations like COVID in the last year have no doubt accelerated both challenges and solutions, and I think we’re now at a point where we can move into sort of conscious competence and really change some of the needle when it comes to the report findings.

And I think I would take comfort as well; there will be organisations looking to their peer groups to see what they’re doing, but just don’t stand still, actively look and find a number of sources that can help support you in your fight against financial fraud.

Jack Gianella: Absolutely yes, that makes a lot of sense. I think for me personally, for what it’s worth, helping your staff be able to find this sort of fraud, an area that we’ve all been talking about over the last x amount of minutes, utilising those technology solutions and not relying on processes.

We’ve talked about the new remote environment, dogs and cats and children walking all over the place and able to distract – and obviously promoting different ways of working, and if there’s any way that you can help your staff to cope with that sort of thing, then all the better.

I’m going to put you gents on the spot just for your final thoughts, if that’s okay, as we look to tie up today’s podcast. So, James, I’ll come to you first, are you able to just sum up your main takeaways from this year’s Barometer in terms of fraud?

James Richardson: Firstly, please take your time to read it. It’s a really solid Barometer this year, and I’ve been fortunate enough to be part of the Barometer for the last few years, and every year it just seems more on point.

I think everywhere, it’s worth looking at these Barometers and surveys to see what organisations, what their perspective is on certain situations. So, it’s compelling, it’s well worth the read, and it will only take perhaps 20 minutes to read through.

Create a plan. Whether that plan is just to review and test, or it’s review and act, but just build some momentum and really analyse what’s going on around you. Never has the world looked more different in fighting fraud and financial crime than right here, right now than any previous year when we’ve done this.

And we always sign off, saying, check your defences and do your reviews. It’s never been more prevalent than right now. So that would be my summary; read the report, read the Barometer, check your findings and build momentum and act.

Jack Gianella: Thank you, James, that’s amazing. And yourself, Omri?

Omri Kletter: Absolutely, there is almost nothing to say after that, it’s such a good summary. I would add one thing, and I said before, it’s a good reminder that fraud is a living thing. It’s a good reminder that fraud, anything that’s [ ___0:34:47] are actually part of greater forces impacting it.

And there is definitely a good reason to read the Barometer as a result of this year’s call for action. And if there is one or two critical calls for actions that I really want you to extract, is one is, what are we doing in better monitoring internal risk with all the things that around that, to which extent we have at least the data being collected.

[0:35:17] And the second thing, do we have the ability to interdict on a payment? Can we say our organisation is better being safe than sorry with the right tools in place?

And I think the different statistics, the different questions and the amazing answers provided back to this Barometer puts these two points as very clear call for action as an industry, and let’s have this engagement thing with it.

Jack Gianella: I would like to say a big thanks to James and Omri for joining me today. Thank you, guys. For any of our listeners that want to read the full 2021 Business Payments Barometer from Bottomline, it’s now downloadable from bottomline.com.

Unfortunately, that’s all we have time for today, but in the meantime, you can listen to more episodes on All Things Payment at the touch of a button, using your preferred podcast provider. For now, take care and we’ll see you next time.

(Music)

Female: The Payments Podcast from Bottomline Technologies.

END AUDIO

 
