There is a very interesting argument developing in the British financial services sector at the moment, an argument that is being watched around the world wherever “authorised push payment” (APP) fraud is escalating to crisis levels (eg, Australia, where consumers lost a record amount of more than three billion dollars to scams last year). The British banks have been pushed into signing up for something called the “Contingent Reimbursement Model” (CRM) which means, essentially, that if you send money to fraudsters, the bank has to give your money back. This is unsustainable and it cannot be remedied without action on digital identity.
Just as in the US, where Zelle fraud is becoming a very serious problem, UK bank customers are losing enormous sums of money to fraudsters who trick them into sending money via instant payments. The UK’s Payment Systems Regulator (PSR
PSR
That may not sound unreasonable, but the regulators has said that this will be a high bar that will only apply in a small minority of cases and that it will “never apply where a victim’s vulnerability is a factor” in the fraud. So if a bank calls a customer to tell them that they are being scammed and blocks the transfer, but the customer insists that the transfer go ahead, then the bank will still have to pay up
(This will, by the way, have the entirely expected consequence of encouraging banks to close the accounts of vulnerable customers, a process that appears underway.)
The regulator will set a cap of around half a million dollars (£415,000 to be precise) on reimbursements, a figure that will account for the overwhelming majority of these frauds in the UK. And there are a lot of them. Fraud is the most common crime in the UK and almost all frauds originate on social media, so you maybe unsurprised to learn that Facebook, WhatsApp and Instagram (ie, Meta) account for an astonishing one-sixth of all recorded crime in the UK. And that’s only the recorded crime. I couldn’t even hazard a guess at how many minor social media grifts go unreported every single day.
An example of the kind of scam that is rampant and exacerbated by instant payments is the romance scam. The Federal Trade Commission (FTC) notes that with the rise in online dating the scams have into more sophisticated “long cons” to win the trust of victims. And how do the scammers reach these victims? Yes, social media. According to the FTC, the most popular way criminals reached out to their victims last year was through Instagram and Facebook, which together accounted for more than half of scams.
British bank TSB says that Meta platforms, including Facebook, account for four fifths of the frauds that they have to reimburse, so it seems reasonable to ask if Meta and the mobile networks should chip in. Matt Hammerstein, CEO of Barclays UK, reinforced this view recently, saying that their data reveleed that “tech platforms – particularly social media – are now the source of almost all scams” (my emphasis).
The banks are asking why they have to carry the can when most of the frauds they see originate on social media platforms that could do a little more to validate their participants and are facilitated by telcos that allow number spoofing. And, frankly they have a point. How will raiding banks help to reduce fraud? I haven’t the slightest idea. The reimbursement model is primarily focused on ensuring good outcomes for fraud victims and it does nothing directly prevent APP fraud.
In theory the pressure to reimburse and the liability shift should push financial institutions to take steps to prevent scams, but banks already have rigorous and very expensive KYC for their account holders and AML in place around transactions. Law enforcement has neither the resources nor the expertise to hold back this tide of fraud. Apart from the moral hazard of absolving consumers of responsibility, the British model will surely make the country a honeypot for fraudsters hoping to scale up using ChatGPT and its ilk.
Looking For A Solution
I think one area where we might see some progress, and some opportunity for fintechs, is Down Under. The Australian Securities and Investment Commission (ASIC) has already announced a cross-industry code that will soon hold banks, telecommunications operators and social media platforms responsible for consumer safety and make them liable to reimburse people who lose money through scams.
I hope that a consequence of this liability shift is that social media platforms will have to do some kind of customer due diligence (CDD). This does not mean that the social media platform will have to do know-your-customer (KYC) checks, but it does mean that social media platforms will have to establish that someone knows who is behind a handle.
In Australia, the land of the consumer data right (CDR) and the multi-bank ConnectID program, I think it is entirely possible to implement a privacy-enhancing solution across the mass market that can be implemented right away: The next time a consumer logs into Facebook or Meta or Whatspp, the platform can bounce them to a bank login of their choice. After they have logged in, their bank can generate a credential that contains no personal information whatsoever but means that a scammer can be connected to a real person under a court order. Let’s have banks and Big Tech work together to do finally do something about fraud.
Read the full article here