In my family, we refer again and again to the Somebody Else's Problem Field (SEP), defined as follows in the classic science fiction series, The Hitchhiker's Guide to the Galaxy:
An SEP is something we can't see, or don't see, or our brain doesn't let us see, because we think that it's somebody else's problem. …The brain just edits it out, it's like a blind spot.
Around the home, the SEP is useful for explaining why something isn't happening or has gone missing. For financial institutions, the SEP creates challenges in fighting authorized push payment fraud.
Financial institutions, of course, understand the requirement of Reg E to refund customer funds in the event of unauthorized payments fraud. That's their problem, clearly visible. Authorized fraud, which occurs outside the payments system because it does not involve compromised credentials, is another beast entirely. It's somebody else's problem.
Or is it? Do consumers know the difference between unauthorized and authorized payments? You can answer this question: Most consumers don't know the difference and even those who do think authorized fraud is somebody else's problem. In light of this perception, I've been hearing a lot lately about the imperative for receiving banks and payments providers to fight authorized push payments fraud. These responsibilities are relevant for customer satisfaction and retention at sending banks and for reputation risk at receiving institutions.
Let's take a step back to a time before the authorized fraud is attempted. Account opening fraud, at the soon-to-be receiving bank, can create the destination for payments where the sending accountholder (the victim) is duped or intimidated into paying. Criminals create money mule accounts at receiving institutions, receive push payments from victims, and then—shazam!—drain the funds from the receiving account almost instantly.
Therefore, controls on the account opening process can help to prevent authorized fraud. In 2022, US banks reported that new account openings increased as a source of identity-related fraud: 36 percent of episodes in 2022, compared to just 13 percent of episodes in 2019, according to a recent report. In earlier years, account takeover was associated with more identity fraud (see the chart). Today, with more accounts opened remotely, it's more plausible for criminals to use stolen or synthetic IDs.
The report shows that more financial institutions are taking action to mitigate ID-related fraud at account opening. Here are some tools that grew in popularity from 2021 to 2022:
- Email risk assessment
- Phone number risk assessment
- Challenge questions to identify bots
- Automated risk scoring
- One-time password
- Geolocation
Sci-fi author Douglas Adams advises that a towel is "the most massively useful thing an interstellar hitchhiker can have" because of its practical value. It's a blanket, a weapon, a hat, a distress signal, and more, and Adams's fans celebrate Towel Day this week, Thursday, May 25.
Like a towel, the tools listed above have the potential to be massively useful. But adoption is not universal. About 60 percent of the surveyed banks have adopted email risk assessment for new account opening. The others are currently in use by fewer than half of the surveyed banks, so some work remains to be done.