1,000 Victims Per Week Costing Over £60M in 2014
Over 1,000 people were victims of online banking fraud each week in 2014, with a total cost of over £60 million*. This was an increase of 48% over 2013, and the figures are likely to be even higher in 2015. Banks do not automatically refund victims of online fraud, so it is often the individual who suffers the loss. In my view, as someone who investigates bank and card fraud, the banks are failing to properly protect us from the risks associated with ‘faster payments’.
‘Faster payments’ enable ‘faster fraud’, and the new Payment Services Directive (PSD2), which has already been approved by the European Parliament and is due to be implemented in the UK next year, will, in my view, increase the risk.
In response to this risk I am proposing the introduction of a ‘24-Hour Delay’ on higher value payments by personal customers to new payees.
How Does Online Bank Fraud Happen?
Online bank fraud happens in a variety of ways but I am focussing on just two:
- when the fraudster persuades the account holder to transfer their money into a new ‘safe’ account, that is not actually safe at all!
- when the fraudster gets direct access to an account and transfers the money themselves.
But there is a vital common factor.
Immediate Payments To New Payees
Before a customer makes the first online payment to a new payee the payee’s details need to be created within the customer’s account. The current ‘faster payments’ service then immediately allows payments to be made to the new payee. This ability to create a new payee and then immediately make substantial payments to that payee is being exploited by fraudsters.
Convenience Or Security?
Broadly speaking I agree that being able to make an online payment to anyone at a moment’s notice, and for them to receive that payment within a few minutes or even less, is very convenient.
But is that convenience worth the price that we pay by giving fraudsters a faster route to stealing our money?
It’s A Trade-Off
Are we willing to accept a trade-off between:
- a very slight reduction in convenience
- in return for a significant increase in account security?
I believe that the overwhelming majority of bank customers would say ‘Yes’ if given that choice.
WHAT IS THE 24-HOUR DELAY? (24HD)
Put simply, 24HD would allow you to create a payment to a new payee at the same time as creating the payee, but it would then hold that payment in your account and not release it for 24 hours. The exception would be low-value payments, which would be paid immediately.
Won’t This Be Very Inconvenient?
Most people’s immediate reaction is that this will be very inconvenient but:
- it will only apply for 24 hours following the creation of a new payee
- it won’t apply to low-value payments
- the money won’t leave your account until the end of the 24HD.
So now ask the question: “When did you last make a payment of:
- more than £250 (or €400) to a new payee
- but didn’t have the full payment details
- 24 hours in advance of needing to do it?”
24HD will still allow the customer to create the payment at the same time as creating the new payee, so they won’t have to go online twice. The system will simply delay the payment for 24 hours from the creation of the payee. The money will stay in the originating customer’s account until it is processed through the normal Faster Payments system, so there will be no loss of interest.
Why Will This Reduce Online Fraud?
24HD will reduce online fraud because it creates an opportunity for the victim to stop the payment before it even leaves their account. When the new payee is created the bank notifies the customer by text and email. This message should also include the account name of the payee as held by the payee’s bank. The customer then has 24 hours to notify the bank that they did not create the new payee and have any payments stopped.
Low Value Payments
24HD would always allow ‘low value payments’ of up to £250 (or €400), subject to the funds being available. This recognises that there may be circumstances, such as a night out with friends, when one person pays for something but everyone else needs to pay them for their share.
Optional Or Mandatory? Default Setting?
It is important to recognise that whilst 24HD will give substantially enhanced account security it may not be suitable for a small minority of personal customers or for most businesses. The recommendation is that it should be optional for all account holders, with the default setting of ‘active’ for all personal accounts. If an account holder wants to ‘turn off’ the option then they must give 7 days’ notice through a higher security procedure.
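The 24HD rule described above, written out as a decision function. This is an added example, not code from the author or any bank; the names `Account`, `Payee` and `decide` are hypothetical, and it assumes the £250 allowance is counted cumulatively per new payee during the window, which the page does not specify.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional, Tuple

HOLD_WINDOW = timedelta(hours=24)      # the 24HD period, counted from payee creation
LOW_VALUE_LIMIT = Decimal("250")       # GBP low-value allowance stated on the page
OPT_OUT_NOTICE = timedelta(days=7)     # notice needed to switch 24HD off

@dataclass
class Account:
    # None means 24HD is on, the proposed default for personal accounts.
    opt_out_requested_at: Optional[datetime] = None

    def hold_enabled(self, now: datetime) -> bool:
        if self.opt_out_requested_at is None:
            return True
        # An opt-out only takes effect once the 7-day notice has run.
        return now < self.opt_out_requested_at + OPT_OUT_NOTICE

@dataclass
class Payee:
    created_at: datetime
    disputed: bool = False             # customer reported they did not create it
    low_value_paid: Decimal = Decimal("0")  # released inside the window so far

def decide(account: Account, payee: Payee, amount: Decimal,
           now: datetime) -> Tuple[str, Optional[datetime]]:
    """Return (action, release_time); action is RELEASE, HOLD or BLOCK."""
    if payee.disputed:
        return "BLOCK", None           # stopped before the money leaves the account
    release_at = payee.created_at + HOLD_WINDOW
    if not account.hold_enabled(now) or now >= release_at:
        return "RELEASE", now
    # Assumption: the allowance is cumulative per new payee within the window.
    if payee.low_value_paid + amount <= LOW_VALUE_LIMIT:
        payee.low_value_paid += amount
        return "RELEASE", now
    return "HOLD", release_at

def demo():
    """Constructed scenario: payee created 12 Feb 2016 at 10:00."""
    t0 = datetime(2016, 2, 12, 10, 0)
    acct, payee = Account(), Payee(created_at=t0)
    return [
        decide(acct, payee, Decimal("2000"), t0),
        decide(acct, payee, Decimal("200"), t0 + timedelta(minutes=5)),
        decide(acct, payee, Decimal("100"), t0 + timedelta(minutes=10)),
        decide(acct, payee, Decimal("2000"), t0 + HOLD_WINDOW),
    ]
```

In the constructed scenario the £2,000 payment is held until 13 February at 10:00, the £200 payment is released at once, and the later £100 payment is held because it would take the total released to the new payee past £250.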
It’s Not Entirely The Bank’s Fault
The increased risk of fraud from ‘faster payments’ is not entirely the fault of the UK banks. Much of what the banks do, or don’t do, is governed by the Payment Services Directive (PSD), which is a European policy, and the Payment Services Regulations (PSR), which is the UK legal framework.
In October 2015 the European Parliament approved PSD2. They claim that PSD2 will: “boost competition and innovation while improving consumer protections”, but in my view the extension of ‘faster payments’ across Europe will actually increase the risk of online fraud because it will make it easier for the fraudster to transfer the stolen money directly to another European country.
PSD2 needs to be amended to allow banks to incorporate a ‘24-Hour Delay’ to enhance customer account security.
12th February 2016
* Figures from Financial Fraud Action UK / IT Governance, March 2015