The Podcast Transcript

John Gaffney: Greetings, and welcome to The Payments Podcast. My name’s John Gaffney. I’ll be your host for this episode, which centres around the intersection of payments modernisation, and fraud detection and prevention. Let’s break it down further. Businesses all over the world are well aware of the innovations in instant payments, cross-border payments, and financial messaging. But the question is, are your fraud detection and prevention technologies keeping pace with the innovations? That’s just one of the questions I’ll be asking our guests, and let’s introduce them now. First Ruud Grotens. Based in the Netherlands, he’s Bottomline’s Head of Solutions Consulting, and has held several senior-level positions in the risk compliance and security areas. Ruud, thanks for joining us.

Ruud Grotens: Thanks for having me, John. Glad to be here and have this conversation with you and Eric.

John Gaffney: Yes, and joining us also from the other side of the pond is Eric Choltus, from our Charlotte, North Carolina office. Eric is the Global Product Management for Commercial Payment Fraud, here at Bottomline. Like Ruud, he has decades of experience in this space, and has much more patience than I do because he’s a Six Sigma Black Belt. Which I could never achieve. But Eric, I want to welcome you too.

Eric Choltus: Thanks, John. I’m excited to be here today as well. I look forward to this conversation with Ruud.

John Gaffney: That Six Sigma Black Belt. I’ve taken a couple of courses and I’m like, “Wait a minute. I’m a journalist and I can’t do it!” Anyway, I want to start us out with some semantics, because I think they’re very important here. Payments modernisation is, kind of, our umbrella issue here. But what we’re here to discuss is how to keep pace with it, correct? From a fraud perspective.

Ruud Grotens: Absolutely, John. Payments modernisation is a combination of new rails and new technologies. And I think the two most important developments currently are (1) real-time payments, and (2) the ISO 20022 payments messaging standard. Real-time payments differ in shade from traditional clearing. A settlement is done immediately, usually around ten seconds, instead of hours, or a couple of business days. And this also implies that payments are irrevocable, meaning that when payment is sent, it can’t be cancelled or reversed anymore.

Some people have the perception that real-time payments result in more fraud, and faster fraud. And I’m sure we will come back to that later in our conversation, John. The other development I mentioned is ISO20022. Which is a global payment messaging standard, with the ability to better structure data and enrich that data. Including information about the purpose of the payment, original source, ultimate beneficiary. ISO20022 will become the universal standard for payment systems, eventually. Of course, there is some delay in the introduction of it. But it’s very promising when it comes to payment fraud detection and prevention.

John Gaffney: So, on a general level, I mean, you certainly described some things that are going on. A lot of dynamics in this situation here. Are you encouraged that fraud defence can keep up with all this innovation, and are there any obstacles to this, in your opinion?

Ruud Grotens: Yes. To become ISO20022 compliant, there is quite some impact, as legacy technology will need to be reviewed. Systems that can’t process the ISO20022 format need to be updated, replaced, or converted. And there are a lot of investments needed to become ISO20022 compliant. But on the other hand, it’s worth all the effort because ISO20022 standardises the payment message format. Resulting in more structured data, so, it will help to make use of better data, that results in better analytics for fraud prevention and fraud detection. And for the most part, real-time payment systems are based on the ISO20022 standard already.

So, altogether, this makes a significant difference in the fight against financial crime. And to answer your question, John, that’s why I am encouraged that fraud defence can keep up with payments innovation.

John Gaffney: Eric, let’s go to you. How would you answer that question, and do you share Ruud’s, if not excitement, encouragement?

Eric Choltus: Yes, I mean, I absolutely share that excitement. I think this shift that we’re seeing to ISO20022 is one of the largest shifts that many of us will see in the payments industry in our lifetime. And I’m excited about it. I think it presents the opportunity for additional information to detect fraud. So, for example, with some of the payment rails like TCH RTP, that is on the ISO20022 format, payers and payees can chat. And that’s part of the transaction, messaging.

So, you think about the ability to ingest that information. Not only does it simplify the overall accounts payable process, because it standardises the format of that information, but it gives additional information to investigators, to really understand what’s going on behind the scenes and whether or not the transactions are fraudulent. So, yes, it’s very exciting.

John Gaffney: So, outside of the data angle, or within the data angle, there’s a lot of excitement about ISO as a way to message back and forth. But what are some of the other things about the data that you think make it a more secure platform?

Ruud Grotens: From a payment fraud point of view, structured data and standardised payment messages make it easier to mine that data. And that gives you the ability to provide better fraud detection and prevention analytics. There are examples where banks use ISO20022 fields to share fraud scores from the sending party to the receiving party. And that enables the receiving party to better judge borderline cases.

But financial institutions can’t just think about the 1% of bad actors. They also need to think about the 99% of good actors. So, the quality of data, and how you leverage the insight of that data. I believe that makes the difference between stopping payment fraud on one hand, and improving the customer experience on the other hand.

John Gaffney: Okay. Interesting. Eric, there’s a perception that I read, or hear about, that says real-time payments, because they’re irrevocable, are vulnerable to fraud. Could you address that, please?

Eric Choltus: Yes, I hear that a lot when we speak to current customers and to banks. You know, I would respond to that like this. On the one hand, real-time payments are very similar to other payment rails when it comes to detecting fraud. But on the other hand, there are some things that the fraud software platform needs to be able to do. So, for example, the fraud detection and prevention platform needs to be fast. It needs to be able to analyse the payment and all the information. And respond back in enough time to meet the overall SLAs for the real-time payment.

But the fraud system also needs to be able to detect complex patterns and stop the payment in real time. That's really important. It also needs to have the ability to change workflows based on time of the day. You know, think about it… fraud investigators are working normal business hours like everybody else. What happens when a real-time transaction comes in, outside of those working hours? Does the fraud system have the ability to change the workflows and the decisioning, based on the hours of the day? So, that’s another component.

And then, a few other things to consider are, the fraud system needs to be able to ingest and process all the additional data elements that come with these faster payment transactions. For example, I mentioned earlier the ability for payers and payees to chat. So, that’s an example of additional data elements that need to be ingested, so that you can properly analyse whether a transaction looks suspicious or not.

And then finally, the fraud system needs to be able to learn and adapt, based off what the investigators are doing and how they’re disposing of the alerts. And then the system needs to be tuned on a regular basis. I think, if all those things happen, then you can absolutely detect fraud in real-time payments, just like you can in other payment rails. So, the technology exists. It’s just a question of making sure that organisations are leveraging it.

John Gaffney: So, Eric, let’s stay with you. How does that compare to other existing rails right now, and their fraud vulnerabilities?

Eric Choltus: Yes, that's a good question. The newer payment rails, like TCH RTP, FedNow, and many others, are already ISO20022-compliant. But there are older payment rails that haven't yet switched over. Like, for example, Nacha ACH. There’s currently no timeline to convert to ISO20022, but they do provide a mapping guide to facilitate the translation of ISO payments into ACH.

And they do that because it’s probably less important there, the standardisation of payments onto the ISO20022 format. It’s probably less important on that rail than it is, for example, on high-value wires like CHIPS and FedWire. Where a larger percentage of those transactions are cross-border payments. So, there, you know, if you think about it, the synergy with other countries, and making sure they’re all using the same protocol, is much more important.

So, it's not really that the existing payment rails are vulnerable to fraud. It’s just that, fraud detection on these non-ISO rails won’t benefit from the standardised, structured data elements that allow for more efficient fraud detection.

John Gaffney: Well said. So, Ruud, while we’re discussing problems and threats… Interesting that the UK Finance Report which came out recently found that credit card fraud is actually dropping. Any thoughts about why that might be happening?

Ruud Grotens: Yes, that’s a good point, John. This is the result of what is called Strong Customer Authentication, or in short, SCA. Which is actually two-factor authentication for online payments or contactless card payments. It’s part of PSD2 (the Payment Services Directive), which is a set of laws and regulations for payment services in Europe, including the UK, to comply with Strong Customer Authentication requirements, where payment systems and payment flows on websites and apps have to be updated.

And that is because, when a suspicious payment is detected, customers need to take extra steps to prove that they are who they say they are. They are actually being challenged, right? So, to increase the security of the payment, the SCA mandates that the customer must provide additional identification through two out of three aspects. That is about (a) something they know, such as a password or a PIN code, (b) something they are, so, it tests their fingerprint or face recognition, or (c) something they own, such as a mobile device.

And you’re right, John. In the UK, according to Barclaycard Payments, 73% of retailers have seen online card payments declined since the introduction of Strong Customer Authentication in May 2022. That is good news. But there’s also some not so good news, and it is that the study also showed that 28% of businesses in the UK are still not fully compliant with the regulation. And it does remain concerning that so many are still yet to become fully compliant.

John Gaffney: Interesting. So, let’s go where only the brave will go, which is cross-border payments. Which are also on a very innovative, more modern, track. So, Ruud, what happens when real-time rails meet cross-border payments?

Ruud Grotens: Yes, then I would say there’s still some work to do, John. Because most countries planned their own national schemes for real-time payments on their own domestic clearing systems. And as a result, many of these national schemes stop at the national border. So, it ends where the system ends. And that is why most real-time payment schemes are limited for domestic use only.

But there are a couple of exceptions, of course. An example is SEPA instant payments. These are ISO20022 compliant, cross-border, real-time payments, currently in use by 36 member states in Europe. But there’s a limitation, and the limitation is that it only supports one currency, and that is the Euro. And another interesting scheme to look at is P27 Nordic Payments. It’s often referred to as SEPA Plus, as it’s based on the SEPA standards. And the participating countries are Sweden, Norway, Denmark and Finland. They all have their own currency, and today they also have their own national real time payment schemes.

But P27 will support real-time, cross-border payments across these four countries. So, when P27 is launched next year (because it’s not live yet), it will be the world’s first real-time payment scheme that will also allow cross-border and cross-currency payments within ten seconds. And John, in my daily job, I notice that people often think that SWIFT GPI, the Global Payments Innovation, also covers real-time cross-border payments. While SWIFT has indeed greatly improved their GPI with transfer times down to less than an hour, it’s not real-time.

Therefore SWIFT GPI is more focused on transparency, and tracing where a payment currently is. But real-time payments was not the goal of SWIFT GPI.

John Gaffney: So, Eric, it’s not as complex in North America, but it’s certainly just as important. Could you talk to that a little bit?

Eric Choltus: Yes, absolutely. I mean, you know, the way I look at it is, cross-border payments are just, like, shaking hands and speaking the same language. And that’s where ISO20022 really helps, right? It allows cross-border payments to eventually all speak the same language, once all payment rails’ formats move to that standard. So, there’s a lot to be said for that standardisation and efficiency. You know, for both the speed and efficiency of processing the payment, but also for fraud detection.

And SWIFT, you know, to Ruud’s point, it’s a great example of that. You know, they’re migrating from what they call their MT message formats to MX, which is basically an ISO20022 format. And they’ve mandated clear deadlines for switching over. As we all know, there’s nothing better than a deadline to motivate organisations to bite the bullet and make all the changes necessary to comply with that mandate.

But getting everybody on board is important. And it’s all happening, one rail at a time. So, that's really important for cross-border payments.

John Gaffney: I like that, ‘one rail at a time’. I’m going to steal that. Let’s go to cloud migration. So, Ruud, if I’m a bank, or a non-financial services business, and I’m migrating to the cloud as I’m supposed to. Does that open up fraud opportunities, or does it shut them down?

Ruud Grotens: Yes, good question. I think it’s important that banks risk assess the applications they want to host. They should risk assess regulatory concerns, such as data residency. Where’s the data stored? Is it in another country? What are the laws under which the data is stored? What about data privacy laws? Can I host PII data (personally identifiable information), or should I keep that running on-premise?

But banks should also risk assess security concerns, such as concentration risk, protection of data, and cyber-attacks. And from that point of view, I think a bank should work with a hosting partner who has experience, and a track record, when it comes to hosting applications for financial institutions. Especially when it comes to security, and in particular cyber-security protection. It’s important that a hosting partner is compliant with security standards. Have backup and recovery systems in place and the necessary certifications in place.

And because it’s their core business, hosting partners are working at a much faster pace compared to individual banks. So, the security standards of their data centres are very high. It’s unlikely that financial theft or data theft will happen because of a data centre deployment.

So, yes, in short, I think there should be no concerns for banks when they work with the right hosting partner. But, and this is very important, banks remain responsible to assess risk and compliance issues associated with the cloud, and their hosting partner.

John Gaffney: Okay, well said. So, Eric, I know you’ve had some conversations about this with some banks, with some big banks, actually. So, obviously, we don’t want to divulge their names, but could you give us a flavour of what some of those conversations are like?

Eric Choltus: Yes, absolutely John. You know, we speak to banks all the time, to get their perspective on what they’re seeing, as it relates to fraud and payment modernisation. And they likewise like to hear from us, as to what we’re seeing. I like to break it down into, you know, seven things that we’re seeing in the market.

The first is, we’re seeing an increase in attack surfaces. What does that mean? The volumes are up, especially digital payment volumes, are up. There’s a whole bunch of new payment rails, like we’ve talked about in this conversation. And there are new capabilities. Again, like that payer/payee chat. And many more capabilities that just increase what we call the attack surfaces that can be leveraged by fraudsters and fraud organisations. So, that’s one.

Two, payments are faster. We are seeing all these new, faster payment rails emerging. Some of them already in place, some of them still coming, like FedNow in 2023. You know, what that means is there’s less time to investigate. These payment rails are available 24/7, 365 days a year. They’re irrevocable, so, like we talked about earlier, it adds some additional challenges and considerations from a fraud perspective.

Number three, we’re seeing a high increase in social engineering fraud. Fraudsters are working together. Between social engineering and data leaks, it increases their ability to impersonate. So, we’re seeing a lot of impersonation fraud. To the point, even, that it’s been called an APP (Authorised Push Payment) fraud epidemic in some places.

Number four, we’re seeing some real sophistication in the attacks. So, for example, deepfake voice and deepfake videos. Imagine an accounts payable employee receiving what they think is a video or a voicemail from their CEO, or from their manager, telling them to execute a wire immediately. And that actually happens to be a deepfake video that was created by a fraudster. So, the technology and the sophistication is increasing.

Number five, we’re hearing from banks that they’re being forced to do more, with less. So, that means containing losses and staying within their operating budgets is more important than ever. Taming their data, making sure that they’re really understanding their data, organising it, and ingesting it properly. And then finally, attracting and retaining talent. Just like all other areas of the workforce these days, attracting and retaining talent is difficult.

So, given all of that, number six. Data is absolutely king. What do we mean by that? It means that banks, and other organisations dealing with fraud, really have to understand the difference in data between, for example, retail and commercial. And make sure to not treat them the same. They’re very different, and you have to ingest the right data points for each of those types of transactions, to really be sure to optimise your fraud detection parameters. So, ingesting the right data elements, and the additional data elements, is absolutely key.

And then last, but not least, number seven: What we’re hearing from banks is they have to do all this and deal with all this at the same time as continuing to manage the customer experience more than ever. Meaning, they have to detect fraud without impacting the customer experience. Without creating what’s called ‘too much friction’ in the entire process, which is a very tricky balance for them. So overall, it's a tricky environment.

But the technologies and the capabilities are out there for banks, and large corporates, and other organisations, to properly detect fraud.

John Gaffney: Wow, great points. Ruud, any reaction to any of those?

Ruud Grotens: Yes, John. Today we have spoken about payments modernisation and fraud defence. And as Eric said earlier, the technology exists: there is payment fraud detection and prevention technology available that can accommodate real-time payments, ISO20022, and their performance and security needs.

So, seeing fraud as an obstacle to adopt real-time payments is a short-sighted approach, in my view. The primary functionality to consider for financial institutions is a real-time, risk-based payment fraud detection solution. That will minimise the impact on non-risky client behaviour on one hand and maximise the impact on high-risk behaviour on the other hand.

But payment fraud will never disappear entirely. It’s that balloon effect. When you put fraud measures at one place, fraud moves to another place. Fraudsters are becoming smarter, and Eric gave a few good examples of that. And we know that fraud rates are highest when new real-time payment schemes are rolled out.

So, from a payment fraud perspective, it's also important to consider a solution that can keep track of fraud loss. How much was recovered? How much fraud loss was prevented? And this is important, because the lesson learned is that organisations that know the extent of their fraud losses, are better at reducing their losses.

John Gaffney: Well said. Alright, gentlemen, that is a wrap on this episode of The Payments Podcast. My name is John Gaffney, again, and we have been talking with Ruud Grotens and Eric Choltus from Bottomline’s Risk Compliance and Security Practice. Gentlemen, I’d like to thank you for joining us. I hope everybody listening will check us out next time, wherever you listen to your podcasts. Thanks again. Bye.