Industry and Regulatory Roundup: Fraud

Blog Post created by sarahrutherford Advocate on Mar 9, 2018

USA: Survey Reveals that US Banks Stopped Nearly $17 Billion in Fraudulent Transactions in 2016

On January 24, the American Bankers Association (ABA) issued its 2017 Deposit Account Fraud Survey Report. The survey showed a substantial increase in attempted fraud as the nation’s banks stopped nearly $17 billion in fraudulent transactions in 2016 compared to $11 billion in 2014. While fraud attempts against bank deposit accounts were up 48% over the two-year period, fraud losses increased at a slower pace of only 16%, costing the industry $2.2 billion in total losses in 2016 compared to $1.9 billion in 2014. US banks stopped $9 out of $10 of attempted deposit account fraud in 2016.


According to the ABA survey, debit card fraud accounted for 58% of industry loss, with the majority of cases involving counterfeit cards, card-not-present transactions or lost or stolen cards. At 35%, check fraud was the second most common fraud type. Other channels, including online banking and electronic transfers like wires and ACH payments, accounted for 7% of industry losses.


The survey also revealed that fraud attempts increased in all categories, especially in non-debit electronic channels. The volume of fraud attempted in other channels but stopped by banks more than doubled from 2014 to 2016. And while debit card fraud losses remained consistent with previous surveys, check fraud losses saw their first increase since 2008, surging by 28% to $789 million.


The survey sampled 138 banks of different sizes. A copy of the annual survey results can be purchased from the ABA.


USA: Secret Service Issues ATM “Jackpotting” Alert to Financial Institutions in the US

As reported by numerous media sources, in late January the US Secret Service issued a confidential alert warning ATM owners and operators that criminals were conducting “jackpotting” attacks on standalone front-loading ATMs. The targeted ATMs are routinely located in pharmacies and big box retailers, or are drive-thru ATMs.


The jackpot schemes involve thieves posing as ATM technicians who often replace the original hard disk of the ATM with a disk that mirrors the ATM’s own software. The fraudsters can then remotely control the ATM and force it to spit out cash like a winning slot machine. The cash is then collected by hired runners. Jackpotting attacks have long been reported across Europe and Asia. The Secret Service alert is in response to what are believed to be the first known attacks in the United States.


The Secret Service recommends that banks contact their ATM service providers for the latest security updates and patches to mitigate the risk from these attacks, ensure proper physical security controls limiting access to the machine, and monitor for communications failures and alarms. The Financial Services Information-Sharing and Analysis Center is also issuing information on the attacks. FICO® Card Alert Service is a tool that can be applied here: it uses industry-leading predictive analytic software and investigative techniques to pinpoint ATM and debit card transaction fraud at its inception.


Europe: PSD2 Becomes Law Across the Eurozone

The Second Payment Services Directive, better known as PSD2, became law on 13 January 2018. From this date, banks across the Eurozone have had to give regulated third parties access to bank account information via APIs. This move to more open banking will see third parties, known as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs), set up a variety of new services for consumers, such as the aggregation of account information and payment initiation across multiple accounts. For fraud managers, the addition of third parties into account management is likely to be a concern, as it will alter the available fraud data on which fraud decisions are based. FICO has responded by developing a PSD2 analytics model for the FICO® Falcon® Platform, which is available now and is already helping clients adapt their fraud operations to the altered data landscape created by PSD2.


PSD2 also looks to reduce payment fraud. On 13 January, the two-year countdown to the regulatory use of strong customer authentication to secure payment accounts and transactions began. For payment service providers (PSPs), the need to use strong customer authentication must be balanced with providing a smooth experience for consumers. To do this, it is likely that PSPs will want to limit the use of strong customer authentication as much as possible. For that to happen, they need to keep their fraud levels below specified reference rates, and they need to monitor and report fraud rates to the regulator. This is an extra consideration for the fraud department, and a strategic approach that balances the requirements of the law with the experience of customers will be needed.


There is a wealth of PSD2 information available on our corporate website.


USA, Eurozone, Australia: Introduction of New Real-Time Payment Schemes

November 2017 saw the launch of real-time payment schemes in both the USA and the Eurozone. The Eurozone launched a cross-border real-time payments scheme called SEPA CT Inst. The scheme is available in all Single Euro Payments Area (SEPA) countries, where individuals and businesses can now send irrevocable payments of up to €15,000 in less than 10 seconds.


Meanwhile in the USA, in November, bank-owned The Clearing House sent the first real-time payment via the first new payments scheme to be developed in the USA in 40 years. While transaction volumes and values are currently low, The Clearing House is aiming for ubiquity by 2020.


The latest national real-time payments scheme is Australia’s The New Payments Platform, which was launched to consumers on 13th February.


Banks in countries with new real-time payment schemes can look to learn from the experiences of earlier schemes such as the UK Faster Payments Scheme, which launched in 2008 – particularly when it comes to the fraud that evolves in a real-time payments environment.


European Union and Beyond: New Privacy Laws Have Far-Reaching Effects

In May, the General Data Protection Regulation (GDPR) comes into law. GDPR is wide-ranging in its remit, not least because it is applicable to any data subject (person) who is in the EU. This means that it applies to organizations that are not based in the EU; for example, a US bank with customers who are living (even temporarily) in an EU country would need to comply with GDPR.


Some have expressed concern that the processing of customer data to detect and manage fraud will be affected. It is worth noting that GDPR does not always require a data subject’s consent to process their data — legitimate business interest and compliance with other national regulations are also legitimate grounds to process data.


There is an intersection between PSD2 and GDPR that banks should be aware of. Under GDPR, data subjects may raise a subject access request, requiring the data controller — for example, their bank — to provide them with all the data it holds on them. PSD2 mandates that any action that could increase the risk of fraud uses strong customer authentication to verify that the person presenting themselves is the legitimate customer. Payment service providers should, therefore, consider how they implement strong customer authentication in the case of subject access requests under GDPR.


Latin America: Caribbean Tax Havens and New Threats

On December 5, EU ministers added 17 countries to a list of non-cooperative tax jurisdictions for failing to meet tax governance standards. Four of them lie on the Caribbean Sea. The Panama Papers, the FIFA case, the Brazilian “Car Wash” and other scandals involving multinational companies, banks, politicians and even governments demonstrate how Latin America and the Caribbean (LAC) is still a fragile region in terms of corruption, money laundering, drug trafficking, sexual exploitation and smuggling. Nevertheless, things are changing and getting better, albeit slowly, whether because of political reasons, economic pressures from worldwide trading, convincing new foreign investors about transparency, economic instability, loss of taxes, reputational risk, social costs or any other international pressure. Regardless of the reason, local governments and regulators are now more concerned about keeping the economies of emerging countries growing and prepared for the disruptive market.


When we talk about the disruptive market and new technologies, LAC countries not only face challenges to comply with new regulations but also to prevent cyberattacks and fraud. WhatsApp, for instance, is the most popular social media messaging app in LAC. It has been used as one of the main channels for phishing, malware dissemination, badvertising and fraud. In Brazil, for instance, there were more than 44 million identified threats last year.


All countries are suffering from more sophisticated crimes being created every day, even when artificial intelligence and complex schemes to counter cyberattacks are used. According to an ESET Latin American Security Report (2017), the number of reported ransomware cases grew 131% in 2016, and the Inter-American Development Bank (IDB) puts the cost of cybercrime in LAC at a minimum of US$90 billion per year.