Deep Dive: Security In The Time Of Faster Payments

When credit cards first debuted in 1920s America,they brought with them myriad benefits. Consumers no longer had to carry hard currencies, and they could make purchases using money they expected to earn. In turn, businesses could more easily sell higher-priced items.

While the benefits were great, the innovation came with its share of risks, too. For instance, prior to a law passed by Congress in the mid-1970s, companies could mail consumers activated credit cards without their consent. Such activities resulted in criminals stealing cards from prospective users’ mailboxes and racking up fraudulent debt.

These fraudsters have since found a variety of other ways to take advantage of credit cards, such as skimmers and hacking attempts, phishing ploys, physical theft and more.

Now, demand for faster payments options is taking off worldwide. The U.K.’s FPS transferred £1.7 trillion ($2.25 trillion USD) in 2018 alone, for instance. It’s not just direct participants who are taking advantage of these payments schemes — financial services providers such as Fiserv are also working to extend access by offering FIs real-time payments connectivity and processing solutions.

Businesses and consumers are increasingly using real-time payments solutions for everything from payroll disbursements to settling insurance claims. Faster payments services reduce risks by providing cash-flow visibility and quick verification. Additionally, they give FIs better analytics and reduce retailers’ concerns over payments reversals or cancellations. If preventative measures aren’t taken, however, faster payments could open the door to more fraud and cyberattacks.

Risk reduction

The U.K.’s FPS enables the almost immediate transfer and availability of funds between the scheme’s participating banks. That kind of speed can have a big impact on consumers, governments and companies — especially SMBs.

Slow-moving payments strain SMBs’ already-limited budgets, creating cash-flow issues. According to a 2017 YouGov survey, 65 percent of SMBs in the U.S. would consider switching to banks that offer real-time payments capabilities. Among those SMBs, 74 percent are interested in receiving customers’ settlements in real time and 54 percent found importance in making such payments to their vendors and suppliers.

On top of assisting SMBs, faster receipt and availability of funds can help organizations and individuals better respond to sudden developments. Governments can quickly disburse emergency relief funds, and employers can deliver speedy payments to temporary hires or transmit rapid payroll corrections.

With traditional payment methods, there are waits between when transactions are authorized and when funds are finally disbursed. Real-time systems, however, could move the funds as soon as payments are processed, meaning that recipients do not need to worry about reversals or cancellations and that payers do not face uncertainty about whether the funds have been removed from their accounts. Additionally, there is less risk that recipients will accidentally overdraft by spending money they are owed but have not yet received.

Fraud opportunities

It’s clear that faster payments can solve plenty of problems, but they can also introduce new ones.

Rapid, irreversible payments limit the time FIs have to conduct fraud checks before clearing payments, increasing the risks of fraud and cyberattacks. Suspicious activities might be discovered only after the funds have been sent, leaving FIs unable to revoke the transfers.

Before the U.K. introduced FPS, payments took hours or even days to reach recipients’ accounts, giving FIs time to examine the transactions and respond to anything suspicious. Once payments started moving in seconds, however, fraud instances quickly shot up. The value of online banking fraud loss nearly tripled from 2007 to 2009 after the U.K. launched FPS in 2008.

According to a report, real-time payments schemes that use global messaging standards could incur new risks. These messaging standards attach more data to the transactions. While this information is useful for invoice reconciliations, payments tracking and more, cybercriminals could use it to transmit malware embedded in the payments attachments or links.

Security strategies

Faster payments aren’t all doom and gloom, though, and proper security measures can help businesses reap the benefits of real-time payments schemes with fewer detriments. The U.K., for example, tamped down on FPS fraud with updated processes and approaches. The Payments Council reported that losses with FPS were barely higher than losses associated with checks by 2013, and were actually lower than those for card payments.

Among the tools that may have helped decrease fraud for the FPS were behavioral biometrics, which allow organizations to monitor how users typically move through webpages or apps, including their key strokes or cursor movements. Behavioral biometrics became widespread in the U.K. in 2015 and were used in most of the country’s banks by 2016. The result was a 24 percent decrease in fraud from 2016 to 2017.

Other industry recommendations include tightening authentication methods and transaction monitoring, as well as studying incoming and outgoing payments to detect unusual activities.

Customers can also assist in the fight against fraud. FIs can enable them to set transaction limits for real-time payments, and send them in SMS alerts should transactions above those amounts be requested.

Additionally, FIs should, in some cases, hold payments when transactions appear suspicious, but not strange enough that they should be blocked.

Some real-time payments schemes are already doing this. Australia’s New Payments Platform, for instance, requires 95 percent of its transactions to be responded to within 15 seconds. This allows for transactions to be high risk but not so risky that they would be declined without further consideration — to be held, reviewed and then either declined or approved. Transactions are often approved, with low-risk suspicious activity flagged for later examination and follow-up.

Real-time payments systems promise to ease SMBs’ cash-flow pains, provide assurances to retailers that their customers’ payments won’t bounce and furnish corporations with payments tracking and other data. Unlocking these benefits without also opening the door to more widespread attacks requires carefully examining security procedures for everything from customer authentication to the transmission of payments data.