Digitalisation and the immense surge of eCommerce is fostering a dramatic increase in online fraud, particularly authorised push payment fraud (APP). And, with this comes an important question: Who should be liable?
Just over the past year there has been a global crisis around scams and financial fraud, as seen in recent research:
- UK: saw a 71% increase from 2020 to 2021 with £583 million in APP fraud losses
- US: experienced a 70% increase in fraud losses within a year, totalling at $5.8 billion
- Australia: 2021 saw more than $2 billion in fraud losses
- Brazil: in 2021 banks reported more than £1.3 billion in fraud losses
- India: lost 604 billion rupees ($76 billion) to fraud last year
This is made more complex when taking into account the numerous versions of fraud, and where they could stem from, such as online and social media platforms. Consequently, this explosion in fraud is forcing big banks and, now, big tech to re-evaluate who is responsible for the losses incurred. News flash: big tech believe banks to be liable while banks believe big tech are.
This is an incredibly challenging question to answer, particularly in a digital-first world with so many existing fraud schemes, such as phishing and romance scams; each scam has a different starting point, which complicates liability.
In order to pick this apart, it’s vital to evaluate the payment types being used, for example P2P payment schemes and platforms like Zelle or Venmo. These pose a significant threat as the customers can initiate instant payments to unvetted payees – which is where banks could argue that big tech should be liable for the losses.
Picture this: a woman is incredibly active on Facebook, sharing intricate details of her life online; this includes her holiday pictures, her children’s milestones and even her house renovation. This type of information gives a fraudster enough to go on to initiate a conversation and begin an impersonation scam. The fraudster convinces the woman that they are from her bank and that, due to suspicious activity on her account, she must immediately transfer a sum of money to another account. Despite several warnings from her bank, she transfers the money and, in doing so, authorises a payment to the fraudster.
Who is liable in this scenario? Is it Facebook for allowing fraudsters to use the platform in order to initiate scams? Is it the woman who was negligent in making sure the other person was legitimate? Or is it the internet provider who enabled all those involved? Clearly, each step of the digital landscape enables fraud in some way, which blurs the lines of liability; ultimately, blaming solely the banks is a very linear solution to a digital, future-forward problem.
Big Banks fighting back
With the increase in online fraud, banks are beginning to fight back against being given sole liability for victims’ losses, particularly as, in the UK, banks currently follow a contingent reimbursement model: essentially a voluntary code under which banks reimburse victims of online fraud.
However, putting the full onus on banks is short-sighted, especially with the development of digitalisation and the inevitable introduction of smart homes and the Metaverse. These factors will change the way that fraudsters operate, and as a result, create more vectors for attack. How can any entity expect banks to bear the full brunt of online fraud, when digital vulnerabilities expand the threat landscape?
The ‘Polluter Pays’ Framework – what is it and how could it help?
In their attempt to avoid taking on full responsibility, large UK banks have proposed the ‘polluter pays’ solution. This is, essentially, a solution borrowed from environmental law, which puts the responsibility for damages on the polluter. In the case of online fraud, this would push liability onto big tech firms such as Apple, Meta and Alphabet, meaning they would have to contribute toward a reimbursement fund for fraud victims and take some of the weight off big banks.
This type of initiative would encourage big tech to address the fraud that occurs on their networks, although logistically it’s not as simple as it may sound. The framework does not appear to be working within environmental law, so why would it be any different when it comes to banks and online fraud?
How then, can banks address the issue and force big tech to understand and take liability for the part they play in online fraud? This in itself is a big challenge.
The ‘polluter pays’ framework would be the most efficient and most likely scenario which would help banks share liability for online fraud losses. However, in order to achieve this, they must lay the groundwork by reporting fraud losses by the source from which they stem as opposed to by the type of scam that occurred. In working together to label the source of online fraud, banks could compile enough evidence that could impact governments and consumers in re-thinking the liability issue. For example, a headline that states ‘Fraud originates on Facebook/Twitter/Instagram/etc.’ would have a more significant impact on consumers, which would push big tech into taking accountability where necessary.
This being said, in order to successfully implement the ‘polluter pays’ framework, banks must play the long game. Fortunately, there are several things they can implement immediately to reduce and prevent authorised payment fraud:
- Confirming payment to the payee – each bank must do everything in their power to confirm the legitimacy of the payee before allowing a customer to transfer a sum of money from their account – particularly if it is a significant amount. One way to do so is to check that the name of the payee is the same name as on the receiving bank account.
- Using security solutions – to prevent transaction fraud, banks should be implementing fraud detection and prevention solutions that monitor all transactions for anomalies.
- Alerts – customers should receive real-time alerts that provide education and scam-prevention tips, especially before they finalise a transaction. Giving customers the chance to consider and understand their transactions before approval could make them re-evaluate their actions and double-check any payments.
- Delaying P2P payments – the majority of P2P payments don’t require instant transactions. In line with giving customers some time to reconsider their payments, banks should implement a delay of several hours and impose pound/dollar amount limits for transfers, aligned with their risk appetite and strategy.
- Behavioural biometrics – behavioural biometrics should be implemented for all transactions, not just unauthorised ones. There are certain tells that these solutions can pick up on that could be flagged as suspicious and alert banks that a customer is potentially being targeted by a fraudster. For instance, a customer being targeted will likely behave differently, such as entering information more slowly than they usually do. As such, behavioural biometrics can go a long way in preventing fraudsters from succeeding in their malicious attempts.
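The five controls above can be combined into a single pre-transfer screening step. The following is an added illustration written for this page, not code from any bank, vendor or the article’s author: it checks the entered payee name against the name returned for the receiving account, applies a daily cap and a delay (hold) above an instant-payment limit, compares the session’s typing cadence with the customer’s own history as a simple behavioural tell, and returns the real-time alerts the customer should see. All thresholds, the `Policy`/`Customer`/`PaymentRequest` structures and the sample customer history are assumed values constructed for the example.

```python
"""Pre-transfer screening for authorised push payments (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from difflib import SequenceMatcher
import re
import statistics


@dataclass
class Policy:
    instant_limit: float = 250.0        # above this the transfer is held (assumed value)
    hold_hours: int = 4                 # delay applied to held transfers (assumed value)
    daily_limit: float = 2000.0         # per-customer daily cap (assumed value)
    name_match_threshold: float = 0.85  # similarity ratio treated as a "close match"
    cadence_z_threshold: float = 2.0    # z-score beyond which typing speed is a tell


@dataclass
class Customer:
    customer_id: str
    sent_today: float                   # amount already transferred today
    cadence_history: list[float]        # past typing-speed samples, ms per character


@dataclass
class PaymentRequest:
    customer: Customer
    amount: float
    payee_name_entered: str             # what the customer typed
    payee_name_on_account: str          # what the receiving bank reports for the account
    session_cadence: float              # ms per character observed in this session


@dataclass
class Decision:
    outcome: str                        # "approve", "hold" or "block"
    hold_hours: int = 0
    alerts: list[str] = field(default_factory=list)


def _normalise(name: str) -> str:
    """Lower-case and strip titles/punctuation so 'Ms. A. Smith' and 'a smith' compare fairly."""
    name = re.sub(r"\b(mr|mrs|ms|dr)\b\.?", "", name.lower())
    return " ".join(re.sub(r"[^a-z ]", "", name).split())


def confirm_payee(entered: str, on_account: str, threshold: float = 0.85) -> str:
    """Confirmation-of-payee style name check: 'match', 'close_match' or 'no_match'."""
    a, b = _normalise(entered), _normalise(on_account)
    if a == b:
        return "match"
    return "close_match" if SequenceMatcher(None, a, b).ratio() >= threshold else "no_match"


def cadence_zscore(session: float, history: list[float]) -> float:
    """How far this session's typing speed sits from the customer's own baseline."""
    if len(history) < 2:
        return 0.0  # not enough history to judge; treat as neutral
    mean = statistics.fmean(history)
    sd = statistics.pstdev(history) or 1.0
    return (session - mean) / sd


def screen_payment(req: PaymentRequest, policy: Policy = Policy()) -> Decision:
    alerts: list[str] = []
    outcome, hold = "approve", 0

    # 1. Confirmation of payee: a mismatch never goes through silently.
    match = confirm_payee(req.payee_name_entered, req.payee_name_on_account,
                          policy.name_match_threshold)
    if match == "no_match":
        alerts.append("The name you entered does not match the account holder. "
                      "Scammers often impersonate your bank; call us on the number on your card.")
        outcome = "hold"
    elif match == "close_match":
        alerts.append(f"Did you mean '{req.payee_name_on_account}'? Check before sending.")

    # 2. Amount limits: cap the day, and delay anything above the instant limit.
    if req.customer.sent_today + req.amount > policy.daily_limit:
        alerts.append("This transfer exceeds your daily limit.")
        return Decision("block", 0, alerts)
    if req.amount > policy.instant_limit:
        alerts.append(f"Payments over {policy.instant_limit:.0f} are delayed "
                      f"{policy.hold_hours}h so you can cancel if something feels wrong.")
        outcome, hold = "hold", policy.hold_hours

    # 3. Behavioural tell: a customer being talked through a payment often types unusually.
    z = cadence_zscore(req.session_cadence, req.customer.cadence_history)
    if abs(z) > policy.cadence_z_threshold:
        alerts.append("Is someone on the phone telling you to make this payment? "
                      "Your bank will never ask you to move money to a 'safe account'.")
        outcome, hold = "hold", max(hold, policy.hold_hours)

    return Decision(outcome, hold, alerts)


def demo() -> Decision:
    """Constructed sample: a coached customer sending a large sum to a 'safe account'."""
    alice = Customer("c-001", sent_today=100.0, cadence_history=[120, 130, 125, 118, 127])
    return screen_payment(PaymentRequest(alice, 900.0, "My Bank Safe Account",
                                         "J Doe", session_cadence=240))


if __name__ == "__main__":
    print(demo())
```

In the constructed sample the name mismatch, the amount above the instant limit and the typing cadence far from the customer’s baseline each add an alert, and the transfer is held rather than sent instantly; a routine small payment to a matching payee with normal cadence passes with no alerts.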
Digitalisation will only continue to evolve and, with it, bring more opportunities for fraudsters to exploit weaknesses in security. The Metaverse, for instance, will likely have fraudsters frothing at the mouth at the prospect of vulnerabilities and gaps they can use for their benefit. As such, banks must begin developing their polluter pays frameworks today and report fraud by its source. Regulators must begin implementing long-term, sustainable plans for fraud prevention and detection as soon as possible, in order to take liability off big banks and recognise that there are multiple players. Technology companies are part of the fraud ecosystem, and the sooner this is taken into consideration, the sooner big banks and big tech can work together to get ahead of the problem – before the next phase of the Age of Experience, the Metaverse, is fully formed and riddled with vulnerabilities.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.