Fantastic article in the New York Times last weekend: “Fraud is Flourishing with Zelle: Banks Say it is Not Their Problem”. Today, I want to give a few brief thoughts on what issues must be addressed.
After Citibank began imploding in 2007, I left and joined my first start-up: 41st Parameter (sold to Experian in 2013). Our focus was fraud, and we had a powerful toolset and board. We even had Frank Abagnale as senior advisor (i.e., Catch Me If You Can). As a banker, I managed fraud as a line item to be accepted; it was a “cost of business”. Frankly, I never spent much time with the fraud teams. All that changed when I accepted the role of leading Sales and Marketing (of a $200,000/yr revenue start-up).
Bank fraud teams are made up of a tenacious bunch, with backgrounds in: technology, crime fighting, military intelligence, retail, and psychology. In most banks, fraud is managed in 4 big categories (see Experian article): account opening/ID theft, account compromise, transactional/1st party, and 2nd party/familial fraud. How big is the problem? In the US, fraud numbers amongst banks are not shared externally. The UK is different, with all banks participating in the UK’s shared fraud report.
The core business of banking is risk management, of which fraud is one element. Managing fraud within banking is both competitive and collaborative. The former head of fraud for JPMC was a Brit and told me his bear in the woods metaphor for investment in fraud fighting:
If a bear comes into your campsite and is set to devour a camper you don’t have to be faster than the bear, just faster than at least one other camper. (the bear is fraud).
Smaller banks are thus unable to match the billion dollar investments that the large banks make (see my blog on perfect authentication). As fraud migrates to the weakest link.. they become bear food.
By far the largest and most worrisome fraud tidal wave that developed in my time at 41st Parameter was the UK’s launch of Faster Payments in 2008. We were working with 2 of the 3 largest banks in the UK. At its launch, one bank was losing over 12M GBP per day. The schemes were numerous, but just as the banks planned for the launch of RTP over 2 yrs, the fraudsters also had time to plan and establish tens of thousands of shell accounts. Bank fraud technology, processes and expertise had no time to catch up. Nor did consumer education. The bear got everyone in their sleep.
It was not only a loss for banks; consumers saw the press and their own issues. Faster Payments became a dangerous weapon in your bank account, and even today, 14 yrs after launch, Faster Payments represents only 2.1% of UK payment volume (note BACS is 3 day ACH, CHAPS is same day ACH).
The NYT did a great job with examples of fraud. A family member of mine was hit by the “call center scheme” outlined in the article. She and her husband are missionaries in Mexico, serving the homeless and needy in Tijuana. My cousin was called by someone impersonating a Wells Fargo employee and told to transfer money to another account as hers was compromised. Their entire life’s savings of $12k was wiped out, and the bank offered no recourse.
I can see both sides of it. The bank view is that Zelle is like cash. If you knowingly transfer money to another person, it is not the bank’s problem. There is no way they can create a fraud system to catch something you intentionally do. US consumers have grown accustomed to the protections offered to customers and don’t care about fraud. This is the real issue (IMHO).
Time in payment clearing is like a giant shock absorber. If you hit a bump, the car (i.e., the bank) can manage it. Three day ACH works very well in this model. The originating bank can see unusual activity, and put the payment on hold while they contact the customer. Today, 80% of Zelle’s $490B in volume is to people that account holders know very well. Scammers and fraudsters know how to push buttons to make you do the things that you would not normally do.
Personal example. I received a call from an emergency room doctor that my son had been in a car accident and was in intensive care. He walked me through his maladies. My heart was racing. Then he asked for my insurance information. Then he asked for a Zelle transfer. Yep.. not only was “the doc” calling from his cell phone.. He didn’t mention his hospital .. and now he wants money. I caught my breath and read him his rights like Liam Neeson did in Taken.. At which he hung up.. Then I called my son (who was fine).
Yesterday, there was a tremendous research piece on this topic from Ken Suchoski (Autonomous/Bernstein). Fraud systems in banking require alignment from all parties involved:
- Originating Banks
- Receiving Banks
PayPal, Visa, Mastercard and Amex have all spent billions creating reliable fraud systems with operating rules establishing accountability. The top banks have also built shared fraud infrastructure in Early Warning (the owner of Zelle). There are hundreds of fraud controls within the Zelle system today; however, none of them are tuned to stop a consumer from making a purposeful transfer to an account they know nothing about.
Within the payment networks, each bank issuer was responsible for their own fraud management, with network rules and compliance. Issuing banks had the power to decline charges from specific merchants or based upon abnormal spend patterns (i.e., stolen card). Merchants with high fraud rates had larger holdbacks, and were put on notice of losing their ability to accept. There is active reporting and enforcement. Over the last 50 years of cards (and 25 of PayPal), networks have become a network of trust, with operating rules driving action by aligned parties. The reward? Consumer Trust!
Today, Zelle operates too much as a “bank club” working to appease their owners. Rules, reporting and enforcement are left to members. To expand, as a potential competitor to the networks, Zelle must move beyond bank adoption and product. They must establish trust and operational success through rules, enforcement and consumer education.
The line in the sand of consumer responsibility should be redrawn. It should be Early Warning’s job to coalesce banks around some specific actions, as the Zelle brand is taking a big hit. Don’t wait for the banks to agree.. Set out the mandatory rules and a deadline. That is how V/MA do it. For example, my recommendations:
1. Inform consumers on the Zelle screen with new mandatory language (on new beneficiary). Zelle is real time and fraudsters love it. Don’t be duped into initiating a transfer. No bank employee will ever ask you to initiate anything. “You are responsible and will bear the loss of any transaction you initiate”.
2. Optional Screen/Verify Recipient – provide tools to consumers. Banks have the data. Consumers can initiate a transfer based upon phone or email. Banks know everything about the beneficiary – broker that information with the consumer. For example – create a 2-way verify, a shared password for first-time transfers: “The consumer has asked that we verify your identity. Can we share with them your name and address?”
3. Delay “new account” transfers pending fraud screen. First-time transfers (i.e., new beneficiaries) will not be real time, but operate under 3-5 day rules.
4. Have consumers request a fraud screen prior to sending the payment, a version of #3. Perhaps an optional service with a fraud score.
5. Enable a social/reputational number that beneficiaries care about. Similar to eBay merchants. What is the reputation of the beneficiary?
6. As a corollary to #1: if the consumer persists in initiating a payment above $x to an account they have never engaged with, there must be a new transactional agreement warning: “this payment is immediate and irreversible.. you understand and accept these conditions .. you have also reviewed material on how fraudsters use Zelle to defraud you… “
7. Receiving banks place funds on hold for any accounts opened less than 12 months, or with more than $xx in Zelle inbound activity. Manage receiving accounts like holdback with new merchants. This is basic stuff.. and speaks to the lack of bank rules and enforcement by a weak service provider.
8. Shared reporting. Who is responsible for initiating fraud? Where are fraudulent receiving accounts held?
9. Enforcement and penalties. Focus first on receiving banks.
Don’t stop there.. Fraud is the most insidious, adaptable and permanent feature of banking. The ingenuity of the human mind is unfathomable. It will evolve.
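How the first, third, sixth and seventh items in the list above could fit together at the originating and receiving bank, as an added sketch that is not from the original post and not Zelle's or any bank's actual logic. The dollar thresholds, field names and sample accounts are assumptions: the post leaves both amounts open as “$x” and “$xx”.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed placeholders: the post leaves both amounts open ("$x", "$xx").
WARN_AMOUNT = 500.00        # hypothetical "$x" for the extra agreement
INBOUND_LIMIT = 5_000.00    # hypothetical "$xx" of inbound activity
NEW_ACCOUNT = timedelta(days=365)  # "opened less than 12 months"

@dataclass
class Transfer:
    sender: str
    beneficiary: str
    amount: float
    on: date

@dataclass
class ReceivingAccount:
    opened: date
    inbound_total: float  # inbound volume already received

def originating_controls(t, history):
    """Sender's bank: a first-time beneficiary loses real-time settlement."""
    if t.beneficiary in history.get(t.sender, set()):
        return "real_time", []
    actions = ["show_mandatory_warning"]            # list item 1
    if t.amount > WARN_AMOUNT:
        actions.append("require_irreversible_ack")  # list item 6
    return "delayed_3_5_days", actions              # list item 3

def receiving_controls(t, acct):
    """Receiver's bank: holdback on young or high-inbound accounts (item 7)."""
    reasons = []
    if t.on - acct.opened < NEW_ACCOUNT:
        reasons.append("account_under_12_months")
    if acct.inbound_total > INBOUND_LIMIT:
        reasons.append("inbound_over_limit")
    return ("hold_funds" if reasons else "release"), reasons

def demo():
    # Constructed sample data, shaped like the call-center scheme above.
    history = {"alice": {"bob"}}
    scam = Transfer("alice", "unknown-payee", 12_000.00, date(2022, 3, 10))
    mule = ReceivingAccount(opened=date(2022, 1, 5), inbound_total=40_000.00)
    friend = Transfer("alice", "bob", 60.00, date(2022, 3, 10))
    aged = ReceivingAccount(opened=date(2015, 6, 1), inbound_total=900.00)
    return (originating_controls(scam, history), receiving_controls(scam, mule),
            originating_controls(friend, history), receiving_controls(friend, aged))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The two sides are evaluated independently, so a transfer the sender fully intends is still slowed by the originating bank and held by the receiving bank when the beneficiary is new and the receiving account is young.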
As the CEO of Accept Payments (just launching), I can tell you that speed and finality are NOT consumer value propositions. There must be some other driver for real time, CBDCs and crypto to succeed. For example, while we can accept crypto as payment, I’ve turned it off, as the only user base looking to use it is either in China (looking for hard assets) or wants to remain anonymous. Trust in the counter-party is key to the success of any payment system, as is active enforcement with economic incentives.
To “defeat” Mastercard, Visa, PayPal (MVP) and Amex in consumer trust is a very hard undertaking. You not only need to solve a problem they don’t solve, you must also surpass the investments made by every participant in their network(s) with a BETTER economic model. Good luck with that.
© Starpoint LLP, 2022. No part of this site, blog.starpointllp.com, may be reproduced in whole or in part in any manner without the permission of the copyright owner.