Security & Fraud

SchoolsFirst Federal Credit Union’s Lesson In P2P Security

Usage of Zelle surged in 2018, with $119 billion exchanged in P2P transfers on the platform. That volume has attracted fraudsters eagerly trying to cash in by tricking users into making fraudulent transfers. In the new Digital Fraud Tracker, Amy Hsu, VP of product management and research analytics for SchoolsFirst Federal Credit Union, explains how the firm is working to keep its P2P offering off limits to fraudsters, yet friction-free to its members.

A financial dispute between two University of Pennsylvania freshmen roommates that took place 10 years ago sparked a financial revolution. P2P app Venmo was born out of that argument, changing how friends, family members, co-workers and acquaintances split bills and loaned money.

Now, a decade after its launch, Venmo is sharing the P2P stage with other players, Early Warning Services’ Zelle being the most notable among them. Although only 60 banks and credit unions (CUs) have made Zelle available to their customers, approximately 230 have signed up for the service. While some larger financial institutions (FIs) have joined the platform, regional community banks and CUs account for 85 percent of Zelle’s participants. Additionally, according to the company’s latest figures, its users made 433 million transactions valued at $119 billion during 2018 — up from 247 million transactions valued at $75 billion a year earlier.

P2P services like Zelle and Venmo have become popular because they enable quick transfers, but they come with risks. Last year, fraudulent activities on Venmo cost 40 percent more than what the company had anticipated, totaling approximately $40 million. Zelle has also been exploited for fraudulent purposes, with The New York Times reporting that some users were tricked into sending money to fraudsters who were taking advantage of certain vulnerabilities in the service. In one instance, a user transferred money to purchase concert tickets from a Craigslist posting. While the money was successfully moved, the user never received the tickets.

Unfortunately, banks offer little recourse to those who are tricked into authorizing fraudulent transfers, but several FIs have begun educating users on how and how not to use Zelle’s P2P transfer capabilities. Among those FIs is Santa Ana, California-based SchoolsFirst Federal Credit Union, which currently has about 863,000 members and holds approximately $15.2 billion in assets. SchoolsFirst began offering Zelle’s services to its members via its mobile app in June of last year. Amy Hsu, vice president of product and research, recently spoke with PYMNTS about how the CU makes its members’ Zelle transfers both seamless and secure.

“There are two sides,” Hsu said. “First, we want the payment to be as secure as possible with risk mitigation. At the same time, we want balance for the members, so that it’s frictionless and seamless.”

A P2P Balancing Act

Bank customers use Zelle for a wide range of transactions, such as sending rent to landlords, splitting restaurant tabs among friends or paying babysitters. According to Hsu, this is also the case for SchoolsFirst’s members — those employed by the California educational system and their family members.

While SchoolsFirst believes Zelle is an efficient way for its members to exchange funds, Hsu wants them to feel as though they can trust the service, meaning the CU must make it secure without being too cumbersome to be used effectively.

“The biggest challenge is balancing fraud control with members’ user experiences, so that we’re challenging them when we should, but not every single time they try to do every little thing,” she said.

Early Warning reviews a long list of criteria focused on fraud preparedness to assess interested FIs before they can offer Zelle on their platforms. Many FIs allowed to offer the service, including SchoolsFirst, end up implementing additional security controls to detect and manage potential fraud. For SchoolsFirst, those controls include a two-step security process.

The first security check occurs when users log into the CU’s mobile app with usernames and passwords. The second step, which is completed in real time as users log in, involves the service running a series ofbackground algorithms to confirm that users who arelogged in are the legitimate owners of those digital identities. These algorithms review several different factors including the amount and frequency of transactions, users’ IP addresses and their geographical locations.

Hsu said that, so far, this level of security makes Zelle easy to use while remaining out of sight and mind
for users.

“All this stuff is happening with fraud and risk protection on the back end — behind the scenes — so we’re not burdening the members,” she added.

Educating Educators On P2P Security

Zelle, according to Hsu, enables SchoolsFirst to compete with other financial services players by providing its members with access to fast-acting financial products. But these new services give the CU new responsibilities, such as having to educate members about how to keep their funds safe when using Zelle. To do so, the CU sends its members newsletters and marketing inserts to raise awareness about the potential risks and advise them to make transfers only to recipients they trust, like family and friends, as opposed to paying for an online purchase from a marketplace like Craigslist.

Some of these safeguards are also built directly into SchoolsFirst’s app, Hsu noted. Users receive messages for scheduled transactions, reminding them that they should only make P2P transfers to trustworthy parties. The app also sends users text messages and email alerts whenever money is transferred, allowing them to confirm each transaction’s authenticity.

SchoolsFirst’s members aren’t the only ones learning more from the addition of Zelle — the CU has been able to use the data gathered during these first nine months of implementation to improve its algorithms, enabling it to more effectively fight fraud. Its focus, however, ultimately remains on finding the right balance between frictionless user experiences and thorough security.

“We came up with what, we thought at the time, [was] the best combination of the two, but as we learned … we [adjusted] the parameters in the background,” Hsu said, adding that the CU will make further changes as necessary as more members use the service and new use cases, problems or threats emerge.

“It’s an ongoing, evolving process, not a one-time deal,” she explained. “We’re constantly learning with experience.”

In the fight against P2P-based fraud, education is avaluable resource. Promoting greater understanding about potential risks is an important first step in keeping services like Zelle both fraud- and friction-free.


New PYMNTS Report: Preventing Financial Crimes Playbook – July 2020 

Call it the great tug-of-war. Fraudsters are teaming up to form elaborate rings that work in sync to launch account takeovers. Chris Tremont, EVP at Radius Bank, tells PYMNTS that financial institutions (FIs) can beat such highly organized fraudsters at their own game. In the July 2020 Preventing Financial Crimes Playbook, Tremont lays out how.