The Trend in Payment Fraud Can’t be Ignored

Rich Williams: Managing exposure to fraud continues to be a key priority for many businesses, but why is it still such a common problem? We are back for the third and final episode on this year's Business Payments Barometer, reviewing what financial decision makers had to say about the impact of payment fraud and financial sanctions and what the next 12 months are looking like from that particular perspective. Hello, I am Rich Williams, host of the Payments Podcast, and with me today is James Richardson, Head of Market Development for Fraud and Risk at Bottomline. Hi, James, and welcome back to the podcast.

James Richardson: Thanks, Rich. Great to be here.

Rich Williams: So, James, we have seen some notably consistent trends across the past five years of the Barometer, and I suppose it is good news to see that security and fraud prevention, as it was deemed at the time, is still in the top three drivers of change, but does this mean that it is still on the mind of businesses of all sizes?

James Richardson: Yes, it is a great question. Yes is the simple answer. Probably more so now than before, as a result of the current COVID situation, which I am sure we will go onto. It has been in the top three drivers since the start of this survey a few years back, so I am not surprised that it is still there, and it is absolutely right that it is still very much top of mind for businesses. That is a good thing because it is as vital as ever, and I guess, related to COVID, is a great example of how unfortunately this is seen as, dare I say it, a fabulous opportunity for fraudsters who are always looking for an inroad, an angle, and they don't stop in a pandemic. (Laughter) There is no break; there is no holiday. It is actually just seen as a really strong commercial opportunity, if I use those words in a really negative sense, that fraudsters can prey on the goodwill, the behaviour, the morality of good people. There was a report by Action Fraud that came out at the end of May. So bearing in mind this would have only been for a couple of months, but even highlighting then over £4.5m worth of fraud in the UK just specifically related to the COVID situation, well over 10,000 victims, and I think that just amplifies that this sort of situation just isn't going away. I think it is right, therefore, that security and fraud prevention remain towards the top of the boardroom list of topics.

Rich Williams: Yes, you almost took the words out of my mouth there, when you said that unfortunately, in situations of gravity, and you would like to think that humanity will bring people together, people see opportunity there, to exploit the weaknesses of humankind. It is quite a worrying statistic that I noticed, was that over half of businesses view financial loss as part and parcel of running the business or, I suppose, a cost of doing business, if you prefer to term it that way. What are your thoughts on that comment, James?

James Richardson: (Laughter) It is almost a bit of a worrying statistic, I agree with that. I am not surprised though. There is a danger that we have almost become a bit numb to it, and you used that phrase: 'It is the cost of doing business'. Businesses are baking fraud or the risk of fraud, the risk of fraud losses, into their costs. Ultimately, all of that just gets passed onto people that are buying, and that is a really sorry state of affairs, I think. So it is 58% of businesses that view financial loss as part and parcel of running a business. That doesn't make it okay, that doesn't make it all right that we are living with that stat, and, by the way, I don't think that many organisations are comfortable with that. I think it is a really honest response as to where we are in the industry as a whole, that we haven't quite got to grips with solving it yet. I think, yes, there are differences, depending on your size of organisation, and I think, just to add to the woes for a moment, (Laughter) 47% feel that there is little that they can do to recover the funds that get stolen, but on the positive side, if we are to look at the future, over ⅔, so 69%, of organisations do think, do think, that there is more to mitigate against the fraud risk. So I do believe that this is- It is great to see the opinion and the view of hundreds of organisations across Great Britain that give us this great insight into what is going on across the economy. Clearly, the majority of people aren't happy that we are baking fraud cost in, but the goods news is that we believe that there is more that can be done to mitigate it. So the future can only be better.

Rich Williams: I suppose it goes hand in hand, doesn't it? Much like insurance, no one wants to think that they will be involved in an accident, but you put steps in place to make sure that, should it happen, there is something that you can do to protect yourself.

James Richardson: Definitely, and I think, Rich, on that point, I remember a few years back, the debates were, are we going to be impacted by fraud? Then it moved from it is not a question of if, it is a question of when, and then that has transformed to how many times am I going to be impacted? So I think that level of certainty, just it is expected, right? So it is a question of how many times am I going to get defrauded and how many times can I actually make sure that I can catch it before it becomes an issue?

Rich Williams: Sure, an awareness of the fact that it is inevitable to a certain extent is a good trend to see, and while we are talking about trends we have seen that year-on-year there has been an increase in the number of successful attempts made to defraud a business through various tactics. Now, is that a trend that has been consistent in this year's report, or have we seen any changes?

James Richardson: Well, actually the percentage has dropped, so it has gone from 45% to 34%. So if you look at those in percentage drop terms, it is about ¼. So that is good, that is actually a positive response to this year's survey, but I would caveat that. Whilst it is down, the hit value is actually up, so organisations that are being hit, whilst there has been less hit in percentage terms year over year, the values that they are getting hit by have actually gone up, so people are losing more.

Rich Williams: So that is not particularly great news, but just to move away from the percentiles, although they are clearly important, let's put some monetary figures on this. What have this year's financial losses to fraud been looking like, based on the report that we did this year?

James Richardson: Yes. So small businesses, Rich, they are losing 14% more than this time last year. So that is now just under £100,000, and I think you have got to ask yourself £100,000, that is pretty significant irrespective of the size of the business, let alone a small business. So that has increased by 14%. Medium and large organisations, they have actually been hit harder, so that is 33% and 38% harder than the previous year, 2019. A large organisation, just to put that into context, that is now set to look an average of £263,000, set to lose £263,000. 54% of large organisations say, "There is little that we can do to recover the loss." So let's just put some of those things in context. You have got the fraud incidence dropping, which is good. That means we are catching more, because I don't believe for one minute that the fraudsters are slowing up. If anything, they are increasing, they are ratcheting up. So we are getting better, but it is important that the fraud values themselves, when we are talking about just under £100,000 for small businesses, ¼ of a million for large organisations, these are not insignificant sums.

Rich Williams: So it is a good point, James, because you mentioned that £100,000 is significant for a business of any value, of any size. So is there any trend in the scale of organisation and the amount they are being defrauded by at the moment?

James Richardson: Yes. Actually, enterprise organisations, the incidence dropped around 13%, and they are losing around 4% less. So it is not all bad news, but I think it is important to look at these things directionally. So small, mid, large businesses, getting hit more. Enterprise organisations are able to arguably act. Whether it is a little bit quicker, whether it is having different types of defences in place, I think there is something there that is going on that the rest of the community in industry should certainly be looking at.

Rich Williams: So let's dig into that in a little bit more detail. Any fraud of any kind or any scale is clearly something that you want to reduce the impact of. So what are these larger enterprise organisations doing and can that be replicated across the board for even the smaller companies?

James Richardson: Yes. So it is a really good point because I think there are things that organisations can do irrespective of the size, but there are certainly a couple of measures that enterprise organisations, and we see this year-on-year, Rich, but that based on the report this year seem to be doing, if I use the phrase, better than some of the others, than some of the other sizes. So 27% of enterprise-sized organisations are using automated employee behaviour and compare that to 18% of small businesses, that is quite a difference, actually. So you are coming up to nearly a ⅓ , just over ¼ of enterprise organisations using some degree of employee, user behaviour monitoring, and 57% of enterprise organisations are using bank account validation and verification. I think I just say two things to those items. One is it is actually a lot more affordable than organisations, irrespective of size, will think it is. The technology has been around for quite a while, access to the technology across the industry, there are a number of players out there that will help and support those areas. Certainly, Bottomline, as a payments, fraud and financial crime provider, that is something that we have been doing for a while and we see all sizes of organisations using it.

Just related to that, in the employee behaviour piece, if you think about the climate we are currently in with COVID, you have got employees in charge of payments, treasury, payroll , everyone is working at home. Now, I am not saying that everyone is a fraudster, that is not what I am saying, but it is important, and we have always said this year-on-year, that you have got the right balance in check between believing that all your threats are on the outside versus what is on the inside. I think solutions like employee behaviour monitoring, it is not just about being Big Brother and checking fraud isn't happening on the inside. It I also being supportive of the employees that are involved in pushing payments around the community and making sure that there is no coercion going on, that people on the outside aren't influencing people on the inside. So it is pretty helpful with that.

Rich Williams: And that is the thing in terms of being helpful. We are generally a species which is very prone to wanting- There is a desire to help people and that is what the fraudsters take advantage of. We are more vulnerable and more aware of the care needed in the community right now, particularly due to COVID, which gives a bigger opportunity for people to exploit that nurturing, care and response that we are naturally predetermined to do. Now, you mentioned validation and verification earlier, and that is certainly not something new, particularly to Bottomline. Now, there is a fairly new initiative that has been launched called Confirmation of Payee. Are they the same thing or is there a bit more difference between those two items?

James Richardson: Yes. So Confirmation of Payee is actually an industry initiative. You will also hear it abbreviated as CoP or COP. It actually came about as a consequence of a 'Which?' super-complaint a few years back, and it is the industry's response to that super-complaint. It is basically about authorised push payment fraud losses, which is the fastest growing fraud activity, certainly within the UK. £450m in 2019 and we are set to smash that in 2020.
What it is about is knowing who you are paying when you are making retail payments. That is the phase 1 of it. So when you and I are making payments through your mobile app, depending on the bank, because it is a scheme that is based on voluntary momentum in the main, but we are certainly expecting to see more banks sign up to this, it gives you a prompt to say, 'Are you sure that you are paying the right person?', based on putting the name in place. So the sort code and the account number are really helpful in making the payment, and the account name is actually not used at all in today's world, and what Confirmation of Payee does is it joins together the account name and says that 'Rich Williams actually is linked to this sort code and account number', or could be linked.
This is really helpful because fraudsters are out there taking full advantage of the fact that the account name doesn't have to match when it is going through Faster Payments or direct into BACS. So that is Confirmation of Payee, Rich. The challenge is that it is a multi-year initiative, isn't fully mandatory, is based on voluntary action by the banking community. Whilst we fully applaud the top six that have signed up for this and supporting its retail customers, you have got to think well, what about the rest of the economy, (Laughter) what about the corporates? What Bottomline have been doing is offering validation and verification services to help with these sorts of questions about who am I paying at various points in the payment process? We have been doing that for a few years now, and it is great that we have fully supported the Confirmation of Payee, and we will certainly be supporting our customers with that over time, as it all gets rolled out into the wider economy.

Rich Williams: Now, I believe that the awareness of that initiative, and, as you said, it is a multi-year approach, we found that only ½ of the people surveyed had actually heard of CoP, which is a fairly worrying statistic. So is it just that there is a lack of education out there or are there more nuanced things going on here in the background?

James Richardson: Yes. I think this is a real challenge because if you think about the payments industry, I have been in this industry for over 15 years and I think there has been more change in the last 3 than there has in the previous 15. A lot of individuals are having to keep track of what is actually changing. If you see payments as it is almost a bit back office, the changes in the payment infrastructure, don't really feel like they affect you, it is actually a moment to lift up and look at what is going on across the industry. Not just to continue to make sure that you are going to be able to make payments the same way, but actually there are some new services coming out which give you the option for far greater competitive differentiation.
The problem or the challenge is how this information is absorbed by organisations, so how do people keep up to date with the latest information and the latest trends? So it is quite worrying that not many organisations- Take the stat about small businesses. One in five haven't heard of request to pay, Confirmation of Payee, and enhanced data. These are three really interesting services that could completely transform how a small business thinks and operates and services its customers. So it is not just about payments being an operational back-end activity. These new initiatives can actually change how an organisation structures its behaviour with its customers and use it to its advantage. So it is a challenge (Laughter) as to how people keep up to date and educated on it, but, certainly, enterprise organisations, and you probably expect it, they are a little bit more savvy on the whole in keeping up to date with some of those latest trends. But we are part of the industry, and, I have got to say, there is so much jargon, so many buzzword conversations that take place, and we end up being a bit immune to it. So it is helpful to have the reminder, frankly, that businesses don't always remember what you are talking about. We have got our own part to play in making sure that people understand it.

Rich Williams: So, aside from a resource such as this podcast itself, how else can businesses better educate themselves about what is going on in the environment, James?

James Richardson: So I think what has been shown quite high up, actually, as a response in the Barometer is that businesses do rely on their banks for information, for up-to-date information, and that is fine. That is absolutely fine, and we would really welcome people to think about where they are getting their sources of information from. Actually, if you use just your bank, think about what if you are multi-banked? Is your bank actually joined up with the latest services that are coming down the line? Because, dare I say it, not all of them are. Not to say the banks are doing a bad job. I think, actually, the banks are doing a brilliant job. It is a tough gig to get education out on latest services, and what you have got to bear in mind is that some of the services might be eating into some of the banks' lunch money. So will the banks be advertising everything, or will they be advertising things that make sense to them to keep their clients? I think this is where the savvy business leader, the savvy financial professionals, the savvy treasurer, will be looking at multiple sources. I think it is great that Bottomline do the Payments Podcast, and I think there are many sources like that. Clearly, none as good as Bottomline's Payment Podcast, Rich, (Laughter) but it really is important that people look for other sources of information, not just the bank. So organisations like Bottomline, brilliant. We have got to keep doing our bit. Find some other trusted payment partners that are really- Whether on LinkedIn, whether on Twitter, whether you are getting podcast information. Some do videos. It is a much more open community than it ever used to be, and you don't have to be a client in order to get access to the information. It is seen as being much more freely available now, and I think that is great.

Rich Williams: So you mentioned the banks there, so that is a fitting time to move on to sanction screening. Now, for the last few years the subject of financial crime has been increasing amongst corporate businesses. Back in 2019, we discovered that a little under ¾ of financial decision makers agreed that responsibility for sanction screening lies with the banks solely. Now, did this year's results show the same outcome or are people changing their mindset on that point, James?

James Richardson: Now, I love this question that goes to the respondents, and I have been watching this very closely over the last few years. The reason why is that I have been a really firm believer in the last few years that what goes to the banks goes to the corporates, and it is only a question of time. So sanctions in this year's report, the question was, as you said, about the discovery that little under ¾ of financial decision makers agreed that it was the responsibility of the banks to do it. So let's flip that for a second. So the inverse is to say that ¼ believed that they should take some responsibility. This year, it has gone up from ¼ to 56%. So what it is showing is that you have gone from ¼ of organisations that believe they should take more responsibility to half believing that they should take more responsibility in the sanctions checking. Now, this, I think, is a really interesting point because I think organisations are waking up to the fact that the banks are always going to do it, that is not going to change, but you would far rather get insight to whether or not you are paying a criminal or a sanctioned entity before the money goes out the door.
Part of the reason for that is that if you make the call and you catch it early, then the money is not leaving your account. The money is staying with you. As soon as you start pushing it out and the banks pick it up, they may well catch it, but you are then into a process of the banks' sanctions response team looking at what has happened. Number one, nothing is ever completely guaranteed, and it is the organisation's responsibility to make sure that they are not paying sanctions entities. If the money goes out the door and they are paying a sanctions entity, you are not talking about fraud, okay? You are talking about a financial crime, and financial crime has a consequence. You could now be fined, you could go to jail, and I think this is certainly an area that we have been looking at over the last few years because we work with banks, we work with corporates, and we have certainly been seeing more corporates take responsibility for sanctions checking before the payments go out the door. We have seen that year-on-year, and I was really pleased and encouraged to see half of the corporate respondents saying that they felt that they should have more responsibility to sanctions check. So I think that is a really great encouragement, and we have seen that go year-on-year, Rich.

Rich Williams: Now, we were talking earlier about the incidence of fraudulent attempts and we chopped that down into size, and I will ask the same question again, or a very similar one. How does what you have described depend on the size of the organisation in question?

James Richardson: Yes. So I think you probably expect it, but enterprise organisations responded with 79% saying that they were willing to take on more responsibility compared to small organisations saying 62%, but I have got to be honest. 62%, that is a lot higher than I was expecting to see. (Laughter) I think it is all directionally great, and the theme for me that is growing and continues to be the trend year-on-year is that organisations want to be more in control of their money, they want to be more in control of their own destiny, they want to be more in control of knowing who they pay, and it is not just about knowing whether they are paying a fraudster. They also want to get greater insight earlier on, whether they are paying a financial criminal, and they want to make sure that they are doing their part with playing by the legalities, as they should. It is not just the bank's responsibility. So larger responses coming back from enterprise organisations, which is great. I think all of this, it is a willingness underpinned by regulation. That is certainly the case for enterprise organisations who will have teams responsible for understanding regulation, understanding the governance around payments, but for smaller organisations I don't think it is as much about the regulation. I think it is about their reputational risk, it is about their understanding of commercial losses, and, as I said before, just wanting to be more in control of knowing who they pay.

Rich Williams: James, thanks once again for giving us a bit of insight today into the fraudulent or anti-fraud statistics, if you like, into the 2020 Business Payments Barometer, and no doubt we will see you at some point again on the podcast in the near future.

James Richardson: Thanks Rich.

Rich Williams: So if you are interested in reading the full 2020 Business Payments Barometer, you can download it from the all-new Bottomline.com website. Unfortunately, that is all we have time for today. In the meantime, you can listen to more episodes on all things payments at the touch of a button using your preferred provider, and we will see you all next time.