Looking Forward: Top 8 Fraud Trends for 2020
December 18th, 2019
As we reach the end of the year, it’s a good time to review what happened in 2019 and turn our attention to the New Year. In this blog, I’ll cover a few of the key fraud-related themes we’ve seen in 2019 and then look at predictions for 2020.
Looking Back: 2019
2019 in the UK was in large part about Authorised Push Payment (APP) Fraud, with the Contingent Reimbursement Model (CRM) coming into force, and disagreements about future funding pushed into 2020. At this point we’ve yet to see if the CRM is making any difference to fraud levels beyond the benefits to consumers. It is likely that fraud levels have continued to rise in H2 2019.
We’ve also had the recent Treasury Committee report with a number of recommendations of varying degrees of usefulness. I don’t think we will be seeing too many of these recommendations implemented, notably the blanket 24-hour delay on new payments won’t happen and neither will retrospective refunds. This is because the first will have a large negative impact on competition and innovation in the payments space, and the second takes valuable resources away from solving the problem in the future.
The other significant theme has been PSD2. In the end, the 14th of September was something of an anti-climax, with enforcement of SCA for e-comm pushed into 2021 going on the FCA’s approach. However, going with the EBA’s recent opinion as of 31st December, we will likely end up with the changes in place ahead of September/October 2020 to avoid the key online shopping dates and the income this generates. This means 2020 will continue to be dominated by PSD2.
Moving across the pond to the U.S., 2019 has been all about real-time payments, with Zelle, Venmo, Real Time Payments (RTP) from The Clearing House and FedNow in the future. As in the UK, there is also a trend to authorised frauds. Here the social engineering is impacting across the payment types, with similar elements to the UK for Zelle. However, Business Email Compromise (BEC) is the big fraud trend, massively impacting businesses and corporations. With press reports of cases as high as $29 million and the use of deepfake voices behind some of the successful attempts, it’s likely this will continue.
The other key trend we’ve seen in the U.S. is synthetic identity fraud. For the uninitiated, this is when a real name is mixed with a new address and added to an existing credit account. Lo and behold, a couple of months later, this has a good credit rating! The ease of undertaking this in the U.S. means this is a huge issue. It is also one given legitimacy by credit repair firms.
The Top 8: 2020 Fraud Trend Predictions
Looking into 2020, what are likely to be the biggest fraud trends? I’m not going to make too many big leaps, as I think 2020 will largely see an evolution, rather than revolution in fraud trends and typologies.
1. APP and the CRM will continue to be a big issue in the UK in 2020. The Confirmation of Payee (COP) solutions will be delivered, probably a little late or in the case of Open Banking, on time but with a ‘managed rollout.’ Whilst this is a welcome addition to the armoury, this will likely mean fraudsters slightly alter their methods, rather than see a large reduction in losses. Further, I predict lots of confusion as clients are told ‘Mum’ doesn’t match the account!
We will get an agreement on funding the no-blame scenarios and the CRM will become a de facto regulation in the UK (and may become a law, although that’s more likely to be 2021), with many of the small organisations joining in Q1 and Q2. Hopefully the funding agreement will help align the incentives for preventing fraud across the ecosystem.
2. For all the above points, authorised fraud, via social engineering, will continue to increase in all jurisdictions. To reflect this, we will see many banks take the view that even if they are not actually liable for the fraud, they will be active in investments to prevent it and will refund in many cases, as we see even in the U.S. market.
3. This leads neatly onto a related theme we’ll see more of in 2020 across the globe: fraud and AML convergence. This isn’t about corporate structures, but more about viewing these as more linked than in the past and bringing real time to AML. Real time inbound payment profiling and interdiction to help stop the flow of fraudulent monies, such as BEC moving out of the first mule, will start to happen in 2020. This is a must in the UK due to the CRM, but South Africa and other countries are already on a path to this, too.
4. PSD2 and Open Banking will continue as a key theme into 2020 and beyond. There will be a flurry of activity in Q1 as the first real rollout of SCA for eComm starts. This will mainly see SMS One Time Passcodes (OTPs), although we will see some app-based authentication and a move to biometric authentication later in the year.
Open Banking will start to expand, though this will continue to be fairly slow and won’t be restricted to Europe with both regulatory and business driven developments across the globe. We are likely to see fraudsters trying to exploit this in many ways, including using general customer confusion as a social engineering hook. This will also start to show up as more asymmetry between T1 and T2 and the FinTechs in terms of systems and overall fraud prevention capabilities.
5. There will be a move to Card Not Present (CNP) fraud, despite the PSD2 changes. It looks like CNP will continue to rise, as this is the final opportunity for fraudsters to abuse ecommerce with essentially no authentication in Europe. With the EU-wide mandate for 3DS 2x in September, we’ll see increased net losses for issuers as more transactions are secured. It’s likely we will see something similar as U.S. merchants also take up 3DS2.2 to combat further increases as Europe secures towards the end of the year.
Growth may slow or even reverse for a time, but SIM Swapping and Porting will continue to rise as SMS OTPs come in for card transactions. My expectation is that there will be a further rise in SIM Swaps and Porting to undertake ACTO.
6. In both the UK and the U.S., identity theft and synthetic ID fraud will continue to rise, exploiting the lack of identity infrastructure and the increased levels of authentication brought in by PSD2 in Europe. This will be across all types of fraud, as it protects the fraudsters compared to first-party fraud and results in larger returns. This could be heavily felt in the move to increased POS lending, combining both CNP and Synthetic ID frauds and exploiting this area of rapid growth.
7. New services such as Request to Pay (RtP)/Request for Payment (RfP), due to launch in both the UK and U.S., are likely to be abused. Voice Banking such as Alexa, chatbots, messaging apps and IoT payments will all have an effect. By providing more channels for social engineering and increasing customer confusion, this also impacts the fraud profiling capability by increasing the attack surface and the volume of data to be profiled.
8. Finally, we will see an increase in old favourites that have previously fallen out of favour, such as cheque fraud and direct debit refunds. Cheque fraud is on the increase in the UK and the U.S., exploiting both changes to processing such as image clearing and remote deposit. This fraud also exploits the siloed nature of cheques/checks and the lack of investment compared to higher growth, genuine customer channels.
To combat these threats, financial services firms should take a layered approach to tackling the fraud and wider financial crime implications by investing in technology that can help them build out a fraud hub. Linking all customer transactions together and enriching them with the best external endpoint data will improve customer profiles and allow them to make intelligent, risk-based decisions.