As payments technology speeds up, fraudsters are champing at the bit to get a piece of the pie. Faster payments mean faster fraud. But what does this mean for businesses who are considering embracing real-time payments? What steps should they be taking to embrace digital trends whilst ensuring their payments are kept safe and secure in the process? Chris Gerda and Jessica Cheney share their insights and advice with our listeners.
NACHA Takeaways: Developing A New Payments and Security Mindset
The Payments Podcast, from Bottomline Technologies.
John Gaffney: Payments technology has sped past what would be considered a normal growth curve and has given businesses more efficient options to manage their accounting and other functions, but guess what? Fraudsters are even faster than technology.
Security technology has also accelerated to meet payments innovation, especially as the business world continues to stay with a hybrid working model, but, as fast as innovation can move, fraudsters are faster. These dynamics are moving B2B payments and security beyond simple technology. They're necessitating an entire new mind-set for considering payments and security partners, as well as executing on the strategies it takes to move forward.
What is that new mind-set? Hi, I'm John Gaffney. I'll be hosting today's Payments Podcast, titled ‘Developing a new payments and security mind-set'. I am joined by Chris Gerda, Risk and Fraud Prevention Manager for Bottomline, as well as his colleague Jessica Cheney, Vice President, Product Management and Strategic Solutions, at Bottomline.
We'll discuss this emerging mind-set as it applies to new developments in fraud prevention, customer relationships, and new payment platforms. Now, Chris, we'd like to start with you, welcome.
Chris Gerda: Thanks, John.
John Gaffney: We recently wrapped the National Automated Clearing House Association event, better known as NACHA. Security was certainly high on the agenda. Your session at the show focused on developing a holistic view of payments and security. Now, in the wake of that show, what are some of the things you think will define the future of security and fraud prevention.
Chris Gerda: I think there are quite a few things. One that comes to mind –I think it resonated at NACHA in a lot of different presentations, even the keynotes– is that security is becoming more personal.
When we think about, “What does that actually mean?” I think you look at the T-Mobile breach that happened in the last two weeks, where we have cell phones across the country, their numbers, names of the people, social security numbers, but then the PIN numbers that actually go to secure those cell phones, the SIM cards within them.
That's a really personal type of attack. As we saw last year with businesses, and COVID, and work from home, our personal lives collide with our business lives. I think we're going to see a lot more personal security needed to secure everything within our lives. Not just things at home but also our businesses, from our emails, our personal emails and personal cell phones that we may dually use for business purposes, and then also the communication that we have on a personal level with a customer, that social engineering angle that fraudsters use to identify those weak links. It’s all very personal levels.
You could see almost, like in the past two to three years, the regulatory guidance and news from banks, the way they're interacting. It's not just banks that are responsible for stopping fraud. Now the corporates are much more involved in stopping fraud.
Then it's not just the corporates that are becoming involved, it's the employees individually that are becoming more keen, more open, more knowledgeable about it, because it's impacting their personal lives. We're getting emails to our personal email addresses about clicking on bad links for COVID. Now we're all starting to come together to be stronger.
Really, it's not just passing it or rolling it downhill, all the way down to the employee from the bank, through the corporate, but it's really what are we doing now, as a group, to invest in becoming more secure?
Very particularly, I think digital identity solutions that are securing communications, new payment innovations that are designed to be more secure, are really first and foremost. So, I think, if there's one resonating, overall factor, it’s security is becoming more personal, and, to be able to get better at it, it's embracing the digital, embracing that innovation.
John Gaffney: Chris, also, one of the things I took away from your panel was the importance of being proactive rather than reactive in these situations.
Chris Gerda: Yes, I think that's being forward-thinking, being proactive, is having time in your day to be thoughtful about slowing down a payment, looking more critically at an email. Something like that is being very proactive, but also part of every accounts payables person's job today is always… It's morphing, so a big piece of your job is actually being part of innovation projects, digitisation, implementations with providers, reviewing and exploring new providers to improve efficiencies in security.
That's the proactivity, but also, on a human level, that security becoming more personal, it's communicating with your vendors proactively: “We will never do this,” or, “We will never ask you for this. The way that we want you to communicate with us is through a secure portal.”
Maybe it's the real-time payment messaging, or maybe it's a platform like Paymode-X to submit invoices. So, they take that email that's becoming so breached and such a target from fraudsters, out of that equation. They get down to a more personal level where they can trust one another so that it stays proactive and not reactive.
You're reacting when you're doing reconciliation to detect fraud. You're reacting if you're doing last-second payment monitoring after a payment has left the door and then you get an alert, right? That's a reactive type of monitoring, way further downstream than you actually want it in your game plan. Being proactive is taking things to a personal level, and that’s securing communication, which ultimately one of the things I talked about was securing not just payments but securing relationships.
Relationships are personal, so, if you think about it holistically, how am I securing that relationship from how I talk to a vendor, from the payment, to the invoice, to the type of payment that I send them? You can really break it down and remove those social engineering angles that a fraudster is trying to take advantage of.
John Gaffney: Excellent, Chris. Thank you, and a great segue to Jessica Cheney. Welcome, Jessica.
Jessica Cheney: Thank you.
John Gaffney: The NACHA event also put real-time payments at the top of its agenda. I know that's a topic near and dear to your heart. There seems to be a mind-set that real-time payments aren't as secure as other payment methods. I know that you don't agree with that, but why is there this myth about securing real-time payments?
Jessica Cheney: Definitely, I don't agree with that. The desire to speed up the transfer value has never been, and never should be, in conflict with making those payments secure. Nobody wants to be responsible for making a fraudulent transaction faster. So, as Chris and I talked about, those security basics – and Chris just mentioned proactive security basics – are even more essential when you deal with real-time payments.
Chris also just reiterated that concept of focusing on relationships versus transactions. That concept is extremely important and facilitated by real-time payments in a couple of different ways:
One: dealing with the relationship with your customers. Authentication protocols are essential for real-time payments. You need to review and update these often. They are the keys to the front door, so this first step is the first step in defending yourself against a fraudulent payment being made. You need to make sure you know you're dealing with your legitimate customer, and these legitimate customers have previously been entitled to create a real-time payment.
Real-time payments can still be scanned for watch-list items. They can be subjected to transaction limits, to behavioural analytics, to multifactor authentication or one-time passcodes. All of those things are the things that Chris was talking about in terms of being proactive instead of reactive after something, a problem has occurred. The required speed of these transactions only comes into play after all of those security measures and hurdles have been cleared.
Secondly: probably more towards the point of Chris's focusing on relationships versus transactions, is the area where real-time payments facilitate interacting in a different way with a company's customers, their suppliers, or their trading partners.
The TCH Real-time Payments scheme really took this to a different level when it introduced, within its message sets and workflows, the ability for a receiver of a payment, or the receiver of a request for payment, to ask the sender of those items a question.
They refer to this as ‘Request for Information’, but it is the ability and provides a mechanism for a two-way communication in that secure channel because it's in the same rail that the funds actually traverse, as well. That can be used to validate those relationships between the parties.
This replaces the old-fashioned way of communicating out of channel, via phone calls or emails. It avoids the opportunity for business email account compromise. The transactions occur on the real-time payment network and are conducted through an authenticated session on the bank's online treasury management solution.
In addition to that, those transactions are then recorded, audited, and available for either party in the future. So, clarifications such as details on amounts, or invoice numbers, or the purpose of payment, can all be conveyed in that way, but those are pieces of data that only parties that had a previous relationship would know and can be used to actually validate that relationship.
So, definitely real-time payments are as secure, if not potentially even more secure, than some other types of payments. Definitely more secure than writing a cheque and putting that cheque in the mail.
John Gaffney: Well said. Jessica, let's stay with you here, because one of the things you mentioned during the NACHA discussion centred around a concept called ‘conversational payments’. Could you unpack that a little bit?
Jessica Cheney: Sure. That's exactly what I was actually just describing. We just have started to refer to it as ‘conversational payment’ because, within that supported message set and workflows, is that ability for two parties that are part of the exchange of value to actually communicate with each other as part of that payment network.
A couple other things I'll highlight here. Receivers of payments have the ability to send something that's optional, called a ‘payment acknowledgement’. It's an electronic confirmation that they've received someone's payment. If desired, it has the ability to carry text that can act as a ‘Thank You’ note.
I mentioned previously the ‘Request for Information’ message, where the receiver of a payment or a request for payment has the ability to ask a question of the sender. That mechanism, again, in a secure channel, it can be used to validate the relationship between the parties. They can replace the multiple phone calls or emails that many accounts payable or accounts payables clerks placed.
By the way, have you ever seen one of those people's desks? They have sticky notes everywhere, or notes written on paper invoices that get filed away somewhere. But, in these real-time electronic communications, these interactions are attached to the payment record or attached to the request for payment itself, and can easily be retrieved in the future if there are questions.
So, the user experience that’s associated with these, and why we call them ‘conversational payment’, is very chat-like or text-like. So, the exchanges are very easy to accommodate, but they have that added value of constantly, or in perpetuity, being attached to the payment record. So, they can easily be recalled for any audit purpose, or just for clarification purposes in the future.
John Gaffney: Okay, thank you. No more Post-it notes, okay. Chris, one of the things I keep reading about is this urgency around fraud prevention, which is certainly understandable, and all the solutions out there to address it, but I'd have to believe, for a company that's integrating this, it's not that simple. So, how would you counsel a bank or a corporate to navigate these decisions and find their way toward picking the right partner?
Chris Gerda: That's a great question. Definitely two different conversations: counselling a bank versus a corporate. When I'm talking about the corporate perspective, Jessica just mentioned, thinking about receiving a payment, if you receive a payment, you can give an acknowledgment back to that payer that you received a payment. That is an assurance to that payer, which really eases their anxiety. That's really a relationship. That's that security is becoming more personal.
Now think about what if you put a rule around that? What if the rule said, “Every time I've sent this vendor a payment, they always gave me an assurance back, and then, 50 times later, they didn't send me an assurance back, and the system sees that there was a recent bank change”?
Man, that's like a red flag right there, so now you're going to look at your process: “Did I update that banking information correctly? Let me call my vendor. Where is my Post-it note real quick with their phone number? Right, it's on the past invoice. I don't even need to look for it. I'm going to call them on a verified line, and I'm going to make that relationship question connection.” If it turns out to be okay, that relationship is going to be a lot stronger because they could see how much you valued that money getting to them securely.
That is the definition of innovation in payments. When you're either thinking about, from a corporate level or a bank level, “How do you evaluate a partnership?” one of the first things that you want to ask a partner is about their security and their security innovation. It has often been like a taboo, a backend process, so, “What's your security in this solution?” That's almost happening after the sale cycle is nearly complete, evaluating it.
For banks, bring your compliance and your fraud experts into the conversation about payments innovation. For corporates, make it part of a jobbed role, a description, to have the time to put into evaluating and asking those questions of partners, and understand that you're faced with a lot of decisions, right?
I've got all these different rails being created for different types of payments. You have Clearing House Real-Time Payments. You have FedNow. You have some coin stuff being talked about. What's going on?
One thing to really recognise is that for these ecosystems, these payment ecosystems, to work, they actually have to be connected. An analogy, maybe, would be, like, so I like rollercoasters and I'm often going, “Okay, I'm getting into the park. Which one do I get in line for? I may not have time for both, because the lines are, like, two-and-a-half hours, so which one am I going to pick?”
I pick one, and it’s a hard decision. Then I regret it halfway through the line that I might not get to ride the other one, but when you think about it from a, “Am I picking the right real-time payment solution? Clearing House, Fed, what the heck is the difference? What am I doing?” understand that you're not picking the wrong one. They're both in the same amusement park. They have to play together to work efficiently. There's not an exclusivity between one and the other. They're going to connect those rails because they're creating an ecosystem for all payments.
If we did not do that, we would not be secure. We'd have a silo over here and a silo over here. One of the tenets of security is to de-silo that so that you can be more secure together to have those assurances, to have rules that function in one ecosystem.
That's really important to recognise that the decisions you make are important to, one, ask the security questions. It's not taboo. Dig in five times. Re-ask the same question twice. Make sure you're getting the same answer. Two, understand, when selecting payment innovations, that those ecosystems are probably connected.
When you're evaluating a partner, you should be looking at, “Are they innovative? Are they making something new with this data, and are they going to be able to scale with my programme? Are they actually doing something interesting?” That's probably some just advice all around.
John Gaffney: Great advice, thank you so much. Jessica, let's go back to you and back to the payment side of the ledger, and talk about communications again. I know that real-time payments have the ISO 20022 standard attached to it. You've talked about some of the data and some of the messaging that can turn a transaction into a communication, but why is it so important for banks to embrace this standard in particular?
Jessica Cheney: Great question. First and foremost, the selection of a standard was critical in doing this. The fact that the standard that was selected is ISO 20022 is also important as part of this. A lot, we talk about communication and message sets.
Every payment system in the world has some type of system-to-system communication message set built into it, but the ISO message set bridges not only the needed system-to-system communication but expands that to that personal communication that Chris was talking about earlier. It actually has, within it, message standards that address how humans interact with each other versus how systems interact with each other.
Landing on that standard that allowed people to do that was important. Having a standard that sets expectations for all parties in the transaction flow, the sending and receiving financial institutions, their technology providers, the scheme operators, having a way that we all know what our role is, what is expected, what's accepted, and how those interactions can be supported, is important.
That's why this is actually being able to be that interconnected ecosystem that Chris talked about previously. Being able to have that standard allows for interoperability because other schemes know how to interact. The message that is also flexible enough to enhance that communication, but in such a way that it's easy to adopt and implement as well.
You're not learning… This will give my age away a little bit, but EDI was a great message set, but it was like learning a different language. ISO 20022 is much easier to understand from a layman's perspective. It's easier to actually apply business concepts to.
So, I think that's really why it was important for us to, as an industry, land on a message set and a standard like ISO 20022, and why it has taken a little while to gain the traction that it has. But it is now the de facto payment standard worldwide, whether we're talking about real-time payments or otherwise.
John Gaffney: Interesting. We're talking mind-sets here. You mentioned interoperability, which is a big word, a buzzword, relates to so many things in the payments and commerce world. How does it relate to real-time payments, Jessica, and some of the decisions that Chris described earlier?
Jessica Cheney: Interoperability, along with standardisation, was one of the two key tenets that, at least in the US, the market set out to tackle as lessons learned from why previous attempts at changing the payments industry hadn't been successful.
I sat on the Federal Reserve's Faster Payments Task Force while we created those guidelines for what we wanted to see in the next innovation in payments in the US. Interoperability was one. I can't tell you how many times that came up.
I think that's the key because, again, we went into designing this new change. I say, “We.” That’s capital ‘W’. We, as an industry, went into putting this ecosystem together, knowing that interoperability wasn't just a buzzword, it was the key to success.
That has really manifested itself in the way that The Clearing House has brought out the RTP network, in the way that the Fed is designing FedNow, in the way that other commercial entities that are really part of this ecosystem, like Early Warning, and Zelle, and MasterCard Send, and Visa Direct, all of those ancillary services that have grown up around the concept of real-time payments, have really embraced interoperability.
It's not just a buzzword. You see that Zelle is now clearing transactions via The Clearing House. The Clearing House and the Fed have had conversations to make sure that their adoption and implementation of the ISO message set is interoperable and not just something that we've talked about.
John Gaffney: Excellent. Thank you, Jessica. Chris, we're going to come back to you to wrap this conversation. You said at the beginning that, when you're talking about the future, we need to be proactive rather than reactive. In your NACHA presentation, you discuss future-proofing fraud prevention. If you had to pick three steps companies can take to future-proof their systems, what would they be?
Chris Gerda: I could pick ten, but I'll try. I'll limit it to three.
John Gaffney: Okay, come to five.
Chris Gerda: Take it back to basics, right? Make sure you educate on business email account-compromise fraud identification, and understand that thoroughly. Understand that you can never rely on documentation. You must rely on digitisation.
That brings me to number two, right? To be in the digital identity world, to stop these types of scams, you have to have the mind-set toward innovation. That requires trust and evaluation of providers, and that’s going to lead you to efficiency and security coming together.
That is actually a concept that generally, sometimes, doesn't liken one to one, right? Usually, if you have too much security, your efficiency goes down. If you have too much efficiency, your security goes down. So, in the case of the correct way to do innovation – particularly real-time payments, ACH networks like the Paymode-X authenticated network – we combine efficiency and security into one package. We do that, effectively, by adding the digital identity pieces for BEC fraud identification. That is critical, those two pieces.
Then, when we get to number three, number three will never change. It is to have some sort of centralised incident or suspicious activity reporting in all of your payables processes, whether that's one email distribution list where anyone has a big, red button to slow payment down, to get a second set of eyes.
That's a cultural shift for some organisations. It puts pressure on them to get payment discounts, get something out the door. If we always have that ability to be heard when there is an incident, and have people that can make decisions, cut through red tape, and make sure that security is the number one thing that is checked off before we send a payment, then we should do that.
That’s simply centralised reporting so that you can get someone to assist you if you feel socially engineered or pressured, or you get that weird email. That's critical for every organisation to have, particularly corporates, governments. Banks already have those types of things in place, but put those down on your to-do lists.
John Gaffney: Chris, you did a great job getting from ten to three. That was fantastic.
Chris Gerda: Yes.
John Gaffney: I know that must be hard for you in your job, but very well said. Thank you to you and Jessica for sharing your thoughts with me and our listeners. Unfortunately, that's all the time we have for today, but, in the meantime, you can listen to more episodes focusing on all things payment related. Or pop over to 'bottomline.com', and we'll see you all next time.