In many of my discussions around emerging payments, two topics generally come up: contactless and real-time payments. And given my interest in payments fraud, the discussion usually steers into two questions: Will contactless payments result in increased card fraud? And do faster payments mean faster fraud? While only time and data will ultimately reveal those answers, we can look to UK Finance's Fraud the Facts 2019 report for some insight into those questions since the United Kingdom is further along on its contactless and real-time payments journeys than we are.
In the United Kingdom, in-person contactless payments have not led to an increase in card fraud losses. Contactless POS payments, through either a mobile device or a card, represented 36 percent of all card transactions in 2018, yet they accounted for less than 3 percent of overall card fraud losses (and just under 28 percent of the face-to-face fraud losses). The fraud rate on contactless transactions has remained steady and low for three consecutive years at 2.7 basis points, or 2.7 pence (£0.027) for every £100 spent. This compares very favorably to the overall card fraud rate of 8.4 basis points, or 8.4 pence (£0.084) for every £100 spent. Fraud for contactless transactions has been mitigated in the United Kingdom through the establishment of floor limits above which a PIN is required, the requirement of PIN verification after a cumulative spend threshold is reached, and the implementation of a security feature that randomly requires cardholders to input a PIN during a transaction to prove that the cardholder is in fact in possession of the card.
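The following sketch, an added example that is not from the report or from any issuer's actual rules, shows how the three controls described above combine into one PIN step-up decision and why together they cap what a thief without the PIN can spend. The limit values, the random-check rate and all names are assumptions chosen for illustration.

```python
import random
from dataclasses import dataclass

# Assumed values for illustration only; the page does not state actual limits.
FLOOR_LIMIT_PENCE = 3000        # a single tap above this always needs a PIN
CUMULATIVE_LIMIT_PENCE = 10000  # PIN-less spend allowed since the last good PIN
RANDOM_CHECK_RATE = 0.05        # share of otherwise-eligible taps challenged

@dataclass
class CardState:
    spend_since_pin: int = 0    # pence spent contactless since the last PIN entry

def pin_required(state, amount_pence, rng=random.random):
    """Return which control demands a PIN, or None if the tap may go PIN-less."""
    if amount_pence > FLOOR_LIMIT_PENCE:
        return "floor_limit"
    if state.spend_since_pin + amount_pence > CUMULATIVE_LIMIT_PENCE:
        return "cumulative_spend"
    if rng() < RANDOM_CHECK_RATE:
        return "random_check"
    return None

def process_tap(state, amount_pence, pin_ok, rng=random.random):
    """Apply the controls to one tap; pin_ok says whether a correct PIN is available."""
    reason = pin_required(state, amount_pence, rng)
    if reason is None:
        state.spend_since_pin += amount_pence
        return "approved_no_pin"
    if pin_ok:
        state.spend_since_pin = 0  # a verified PIN resets the cumulative counter
        return "approved_pin:" + reason
    return "declined:" + reason

def stolen_card_exposure(taps, rng=lambda: 1.0):
    """Total pence approved for someone holding the card but not the PIN.

    The default rng never triggers the random check, so the result is the
    worst case bounded by the floor and cumulative limits alone.
    """
    state = CardState()
    return sum(a for a in taps
               if process_tap(state, a, pin_ok=False, rng=rng) == "approved_no_pin")
```

The cumulative limit is what bounds the loss: without it, repeated taps just under the floor limit would never be challenged.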
The fraud situation for faster payments in the United Kingdom is not quite as rosy as that of contactless payments. UK Finance has reported on authorized push payment (APP) fraud since 2017. In this type of fraud, which includes email account compromise, a victim is tricked into sending money from their bank account to a fraudster's account. In 2018, APP fraud represented 30 percent of the total reported fraud losses. And of the APP fraud, faster payments was used in 93 percent of the fraudulent transactions and 71 percent of the fraudulent value.
I can't claim that faster payments is driving APP fraud or leading to "faster fraud," but it is rather obvious that faster payments is the preferred payment method of fraudsters conducting APP fraud. This should be an alarm for the payments industry in the United States as we continue on our faster payments journey. To mitigate APP fraud with faster payments in the United Kingdom, the industry is working to implement a new-account name-checking service that Pay.UK has introduced. Confirmation of Payee checks the name associated with a routing and account number. This service is not a perfect solution—it won't help if the fraudster uses or opens an account under the name of the actual intended recipient. But it definitely will prevent fraud losses in cases where the account information does not match the name of the intended recipient, which is currently more often the case than not.
So as we continue moving toward contactless and faster payments in the United States, I think we can learn from those across the pond about the need for controls to mitigate fraud in these emerging payments. Floor limits for PINless transactions and velocity controls are part of the U.S. contactless payments experience, but what about faster payments? Does a name-checking service like the one being implemented in the United Kingdom make sense? What controls should be implemented to help prevent fraudsters from using faster payments to commit APP-related frauds, especially email account compromise?