As per the recent NICE-Actimize report[1] Account Takeover fraud (ATO) grew YoY between 2021 to 2022 by more than 35% while at the same time, Authorized Push Payments (APP) overtook ATO (by share of the cumulative amount of attempted incidents) by 12% - APP 56% vs. ATO 44%.

This shift from ATO towards APP is assumed to be the result of improved defenses around customer authentication (e.g. via device fingerprinting). Nevertheless, the problem remains, and with it shifting to APP it becomes even more difficult than before for the FIs to distinguish the fraudulent transaction from the genuine one.

As if the above wasn't enough, the government in the UK has pledged to give the Payments Systems Regulators (PSR) authority to force FIs to reimburse the victims of APP fraud[2][3]. The final version of the document is still being prepared, but there are already some practical exceptions in the available early versions. While this is not a widespread approach globally, it is expected that due to the continuous increase in fraud losses, it will be adopted by other countries as well.

As a result of such initiatives, FIs will have to adopt more advanced techniques to be able to detect fraud, like

• more granular behavioral profiles,
• multiple entities (accounts, cards, channels, devices, etc.),
• network-based techniques as well as
• machine learning (ML) algorithms focused on specific use cases (account takeover, mule accounts, bust-out fraud, card not present fraud, cheque fraud, etc.)

While all of the above is most probably on the table of relevant business stakeholders with a well-defined roadmap, there is one area that is rarely considered but could substantially complement the above-defined steps - allowing the customers to manage their own risk exposure. This is the same concept which is applied in cyber security aiming to reduce the exposure or attack surface.

Such strategy usually entails various actions like

• temporary or permanent disabling of certain functions available to the user
• "hardening" of the devices (computers, servers, mobile) by removing functionality that is not generally used by users to perform their work but could be abused by an attacker
• restrict access to resources based on the users' group membership privileges
• etc.

Similar to the above, FIs can implement functionality that will allow customers to manage or restrict the use of products, channels or services.

For products, customers could temporarily block the use of cards, or disable the option to apply for a pre-approved loan.

For channels, customers could disable login to Internet banking from outside of the home country, or completely disable e-channels if the customer is elderly and only interacts with the bank through branches.

For services, customers could block on an ad-hoc basis:

• international transactions on cards,
• funds transfer above a certain amount,
• transactions against certain merchant types,
• funds transfer to unknown beneficiaries.

Another option for services could be a "hardening" approach by adding mandatory requirements for Step-Up authentication for customer-defined transactions (e.g. required MFA for CNP transactions by default).

From the overall customer portfolio, only a small fraction of customers will probably be eager to jump on using these functionalities. But here we could leverage our marketing capabilities and target selected customers or segments (high net worth individuals, politically exposed persons, elderly, etc.) who might be priority targets or be more susceptible to fraud. 

Since FIs - as part of required fraud detection capabilities - are already doing entity profiling required for anomaly detection, this same data could be easily utilized for e.g. generating a list of elderly customers owning credit card that wasn't used outside of the country for the last 6 months and we can promote an option (show them a message when they login to Mobile Banking or Internet Banking) to temporarily disable international transactions to reduce their fraud risk exposure.

There are many similar scenarios that could lead to a significant reduction in customer fraud risk exposure. Another benefit of this approach is that we are giving the customers control over what services, products, and channels are enabled for them so these restrictions will be: 

• more accurate as customers will enable them based on their future use expectations
• increased friction as a result of these restrictions will not damage the customer's perception of the bank, as it was them who enabled these restrictions

References:

[1] https://info.nice.com/2023-NICE-Actimize-Fraud-Insights-Report.html

[2] https://www.reuters.com/business/finance/uk-banks-told-reimburse-customers-tricked-by-scams-2022-09-28/

[3] https://complyadvantage.com/insights/app-fraud-reimbursement-what-should-your-firm-do-next/