Series 5 Episode 5: Money mules and fraudsters - stepping up the financial crime response

In this episode, guest host Andrew Strange is joined by Alex West, PwC’s banking and payments fraud team lead, and Ben Luddington, a Director in PwC’s financial crime practice, to explore the critical role of financial services firms in tackling financial crime and fraud.

Our expert guests share reflections on firms’ response to enhanced regulatory pressures, in particular through the incoming authorised push payment fraud rules, and debate the implications this will have on the banking and payment sectors. Our guests also discuss the broader operational, compliance and financial challenges facing firms in the battle against fraud and financial crime, and the key steps firms need to take to meet evolving regulatory expectations, including how to deploy technology effectively.


Transcript

Andrew Strange: Hi everybody, and welcome to the latest episode of Risk and Regulation Rundown, the podcast where we share our views and insights on hot topics in financial services, risk and regulation. I'm Andrew Strange, and I'm returning to host this episode in the absence of Tessa who will be back next month. Today we're going to focus on financial crime and fraud, which is an area I actually know less about, so I'm really looking forward to learning something from our two expert guests. We have Alex West who leads our banking and payments fraud team, and Ben Luddington, a director in our financial crime team. Welcome to you both.

Alex West: Thanks Andrew.

Ben Luddington: Hi Andrew.

Andrew: Let's just do a brief background on what we're talking about today. So, authorised push payment fraud regulation is a comparatively new topic that seems to be rapidly going up the regulatory agenda, both in the UK and actually globally. UK Finance figures published in October this year suggested that losses had reached £240 million for the first half of 2023 when the number of cases was actually up 22%. Australia is reported to have $3.1 billion lost to scams last year, which was an 80% increase, and in Singapore, scams have become so rampant, they've overtaken most other types of fraud and form a significant portion of overall crime in 2022. It's perhaps therefore unsurprising that in the UK the Payment Systems Regulator is now acting in a bold new way to change the payment industry culture, to improve fraud prevention and focus on protecting consumers and businesses. And in June of this year it confirmed it will require payment service providers to reimburse losses in all but exceptional cases. Against that backdrop with the intensified focus on this issue from government and regulators in society, Alex, what are some of the implications for financial services firms and how has this market responded so far?

Alex: Thanks Andrew. I think the first point to make here is that fraud and scams specifically is an area that banks and the payment industry at large has been focusing on for a really long time, so this is nothing new in some senses. The ten largest banking groups have operated a voluntary scheme, the contingent reimbursement model since May 2018, which has been supporting the reimbursement of customers that have fallen victims to these scams. You referenced the UK Finance half-year report that was published in mid-October, and of the 240-odd million that was lost to scams, 152 of that has been reimbursed to customers. So while new regulation is coming down the track, actually there's a significant programme of reimbursement already happening. And as well as that reimbursement regime, there's been a very wide range of other initiatives to improve customer awareness. There's the UK Finance Take Five campaign which has been around for quite a long time now, as well as education campaigns launched by individual banks. And at the end of October there was a scam awareness week run by the BBC in collaboration with Stop Scams UK.

So lots of activity about raising awareness of this issue. But there have also been technical implementations. So things like the Confirmation of Payee rollout, more specific customer warnings on transactions, and other technical implementations to reduce losses. But it's still clearly an area of significant challenge and criminals are becoming much more effective at deceiving victims. We recently did a piece of research of how AI is being used in this regard, and it's obviously a significant problem.

Andrew: Okay, that's interesting, we might come back to that. But Ben, first let me bring you in here. How are regulators thinking about these issues themselves? What are their key concerns and how have their expectations on firms changed?

Ben: Thanks Andrew. So, it's a very timely question. So, just last month, October, the FCA published the results of its review of money mules. The FCA regard money mules as integral to moving funds derived from the proceeds of fraud. So, if you tackle money mules in some ways you are tackling the root cause of fraud. And essentially the FCA concluded that firms need to do far more to detect money mule type behaviours. And in particular, the area they pulled out was in-bound receipts rather than just monitoring outbound payments. So what are they asking firms to do? Essentially it's to do two things. First thing, strengthen the controls at onboarding and to design monitoring systems to identify common money mule type behaviours. And secondly, I think this is the one that we've probably all seen, is to proactively raise the consumer's understanding of the risk of money mules and how you might fall foul of it. One thing to understand here is probably the sheer scale of the problem. So in 2022, which is the last time we got any reliable figures, 39,000 accounts were reported to the FCA as being linked to money mule activity. So it's a very big problem.

And I think you've got to remember that there are real significant human consequences to that. Individuals are lured through the promise of low risk and easy money, often disguised as fake jobs. And they find that once they've started down that path, their credit rating is destroyed, their financial stability is shot, they may be subject to criminal prosecution and in some extreme cases, physical harm from the organised gangs involved. So there’s really serious consequences. So what's the FCA asking firms to do? It looked at what they're doing currently, and it's identified some really great uses of technology, and particularly, sort of, emerging technology such as geolocation, facial recognition and device profiling. And it's called that out as really good behaviour. However, as with all things, the picture was not uniformly rosy. A number of things they said firms needed to get better at. The first which is perhaps more troubling is governance, overall governance, around fraud issues, risk assessment, how people identify the risk of money mules within their business and MI. Further work needs to be done on controls around onboarding, particularly to identify some red flags. One way they called out repeatedly is why firms are not investigating people with virtual addresses. So, this is where people are using a mail box or a PO box rather than a real physical address.

Again, they specify controls around monitoring and in particular that inbound receipt needs looking at. And lastly, training. Whilst all of these things were called out, and particularly the adoption of technology was broadly praised. I think the regulator has noted, and I think this is probably quite a valid concern, that many of the banks that they spoke to couldn't explain how their technology worked and why it had pulled out alerts. And I think the view of the regulator is that if you don't understand the rationale behind an alert, you would not be effective at preventing fraud. So I think that's quite a lesson for firms to take on board.

Andrew: Okay, that's very interesting. We talk a lot about regulation, but it really hits home where you're talking about potential physical danger of people, that makes it very real. I don't have that problem in Solvency II usually. Alex, do you want to come in on that at all?

Alex: Yes. I think the first thing I'd say on money mules is that there is a potentially very powerful use of technology to prevent this kind of issue or at least to detect it. And this is where the APP regulation dovetails with what Ben was talking about with the FCA. And I think the first thing to say is for the vast majority of APP fraud perpetrated in the UK, it goes through the faster payments network, and there is the potential to use data on faster payments to trace very effectively where money moves through that system and to isolate automatically where those mule accounts are. And there are initiatives being run by a whole range of technology companies to create that visibility, support banks to identify complex patterns of muling, but also to provide that intelligence to law enforcement. And I think looking to the future, the potential to move to a more disruptive policing model where we can identify people at risk of becoming mules, reach out to them with sort of cease and desist type approaches, that could be extremely powerful I think. The connection to the APP regulation as well is that one of the most significant changes that's coming in next year with the PSR's requirements will be a split of liability between the sending and receiving bank for an APP fraud case.

In the contingent model, the voluntary code that exists at the moment, the sending bank, the bank of the victim, has to reimburse, or reimburses the customer in full. And the argument the PSR is making is that isn't right because part of the responsibility, as Ben says, is on the onboarding controls and the KYC and the AML prevention of the receiving bank. So, going forward from October next year, the liability to reimburse the customer will be 50/50 split sending and receiving bank, and that's a significant change, not least because it means banks that have traditionally not had so much exposure to reimbursement will have an uncalculated liability coming their way as inbound claims are received. So, really big change. But I think positive, to Ben's point, I think it's going to incentivise the right approach on mule detection and tightening up of onboarding controls.

Andrew: It's interesting reflecting on some of the wider regulatory regime that I see on a daily basis, there is clearly, on some occasions, a tension between innovation and competitiveness and consumer protection. And actually, you were talking about faster payments, which is innovation, but actually there's a direct impact on consumer protection and therefore the risk that consumers have. So that's quite interesting as one parallel.

Alex: Yes. And I think if you think about faster payments that were introduced, what, back in 2003, 2004, the system was built for speed and to provide customers with instantaneous payment capabilities. I think looking back on that, perhaps more fraud related controls could have been built in at the start. But that's very easy to say in hindsight. But we're now catching up and rebuilding those capabilities. But, yes, there's always a tension between speed, customer friction and robustness of control.

Andrew: Thanks Alex, that's great. So what are some of the key challenges for firms in responding to this regulatory pressure?

Alex: Yes. I think the first key thing is that I referenced the contingent reimbursement model that affects or currently encompasses the ten largest banking groups. The new regulation will expand the coverage of the reimbursement regime from those ten very big banks to every payment service provider that operates through faster payments. So, goes from ten to about 400. I think the first thing is just the scale of the coverage of this is very, very different. So, for the vast majority of people that need to comply with this, it's going to be something that's totally new. Building the operational capability to receive claims, to investigate those claims, that's something that many organisations just won't have already and is something that now they have about twelve months to start building with the deadline for implementation having been pushed back to October next year. I think what that means is that whereas historically for these kind of organisations fraud has been a purely financial risk, it's moving it very much towards being a compliance risk. So, I think we can expect the FCA to pay very close attention to some of the metrics that are going to be published about loss rates and reimbursement, and I think more generally we're seeing the FCA being much more assertive when it comes to fraud, so potential for compliance and regulatory follow up if organisations aren't getting this right.

On a much more practical level there are things that organisations are thinking about right. So, how are they going to set standards and policies around what they will reimburse, how does that tie into the requirements around customer caution and affect definitions of gross negligence. How will they manage first-party claim frauds. I think most of the organisations I work with are worried that people might put in false claims for reimbursement thinking that's itself a good way of getting money back from a bank, and we're working with some innovative technology providers to help mitigate that risk. And then generally building the operational capability to settle claims between sending and receiving bank, that's something which no one has had to do yet and is something entirely new that the industry has to build. Lots of operational development needed to comply with the regulation in a relatively short period of time that's left.

Andrew: Interesting, and building on that, Ben, one of the things I was thinking was, Alex talked about compliance risk and so on, but actually is there not a potential risk here that if you're an organisation that doesn't respond to this and doesn't do the right thing, that other banks will begin to, I suppose, de-bank a bank, can you de-bank a bank? But the difference between larger firms who are already in this market and new, innovative firms, that must be a challenge for people.

Ben: I think Alex has probably raised some of this already, but for the largest firms which were already participating in the contingent reimbursement model, I think they have a good handle on what they need to be doing and the areas they need to be focusing. However, for those wider firms that have now been brought within the net, I think they face really significant challenges. Not least it's going to be the level of appropriately qualified resource that's in the market to operationalise these new processes. And for some firms, rightly or wrongly, fraud has not been high on the agenda for many firms. And as a result of these changes, some of them are only now beginning to think through what it means for their business model. And I mean that in the wider sense, so not just operationally, how are we going to handle some of these processes? But for many of these payment firms who run on very tight margins, this may actually start to look at the commercial impact of their business model. So I think it's challenging times and people need to be acting now to get their head around these issues.

Andrew: Yes, absolutely, thank you.

Alex: Andrew, just on that as well, I think we're starting to see some quite interesting technology being deployed around the point you were making as well about how do you start thinking about not just the risk of what your customer is doing at a point in time, but the risk associated with the account you're sending money to. So we're seeing some quite innovative solutions to risk assess outbound payments. I think we're going to see more technology being applied to withhold payments, to slow down payments in some cases, and I think to your point we're going to see a lot more risk-based decisioning from payment providers about who they want to send money to at what speed, at what volume, velocity etc. So, probably more customer friction coming and slowing down payments, but probably for the benefit of us all in the long run.

Andrew: Yes, it's interesting, that really is that innovation versus risk point again, fascinating. So, I mean, clearly lots going on here, but what are the wider related issues and debates circulating around this topic from your contacts with clients and regulators?

Alex: I think the broader question, right, is how you tackle the issue of fraud and scams at source, and questions about whether reimbursement is the right way to go given that it could potentially incentivise fraudsters or potentially make customers less risk aware as they're making payments. One person said it to me last week, you can't keep mopping up the floor, you've got to turn off the tap. Personally, I don't think there's any other way of so quickly reducing the harm to consumers. I think reimbursement is the right way to go, but how it's funded needs to evolve over time. So whether that's a change to the 50/50 split and a rebalancing of where liability sits between sending and receiving bank, I think that's one option. I think bringing other sectors into the funding model is also something that certainly the banking industry is pursuing, so whether that's tech companies or telcos somehow contributing into that, clearly a point of debate. I think there are also much broader questions about things like data sharing. So how can you tackle fraud and scams at the source by blocking scam content or by improving in-network filtering and payment detection. And the government's economic crime plan that was published earlier this year has an action around public to private data sharing as an example of that. And I referenced earlier that broader question around disruptive policing, I think more generally as a society, we need to adopt a different approach to tackling fraud. Someone said to me the other day, 'You can't nick your way out of this problem, you can't just arrest people, it's not just about prosecutions, although that's really important, we need a much broader range of interventions across all sectors and law enforcement to tackle this problem at an early stage.'

Andrew: Okay. I mean the funding one is interesting. If I think back to my role before PwC when I was in a trade body, and we debated long and hard about how the financial service compensation scheme should be funded, and lots of debates even at that stage around risk-based metrics. So actually, if you have a risk profile as an entity that means you potentially have unwittingly facilitated more fraud, then maybe your bills should go up, but that rewards the good players and maybe penalises the poor players, so interesting.

Ben: I think though, Andrew, all of the cost at the moment is being borne by the banks. And there are some other major players here, and Alex has already referenced them, which are the social media giants and the telecom companies. Almost all of these APP frauds have some element of involvement with either the telco or the social media companies, and it's where they start. And at the moment they're not really bearing any of the pain of solving the problem. So, I think to successfully solve the problem of APP fraud, we have got to bring them into the solution. I don't know what that looks like, but they are definitely part of the solution and we need to figure out what part they have to play in it.

Andrew: Yes, that's really interesting, Ben. I mean, does the Online Harms Bill have some relevance on this as well?

Ben: Yes, it does include those players, but how that is going to play out in practice, I think we're all waiting to see how it works in reality.

Andrew: Okay. Watch this space. Okay. So, in terms of capturing the receiving bank, what are some of the broader implications and trends that we could see emerge in the market as a result of this? Alex?

Alex: I think there are some practical matters that receiving banks, well, all banks need to be thinking about at the moment. So, how do you actually operationalise compliance with this model? I think we might all be surprised where liability ends up sitting where the money mule accounts sit, I think it's perhaps easy to assume that they sit in the smaller players with the more digital footprint. I'm not sure that's necessarily going to be the case and the metrics that are going to be published later this year are going to be fascinating to get a view of that. But I think, thinking about onboarding controls, as Ben said, that's absolutely important, how do you prevent bad actors getting into the system? And then also looking at transaction monitoring capabilities to shut down mule accounts very quickly. I think you referenced broader implications, I think how we move to a world where mule accounts and fraudsters get shut down very quickly, but at the same time avoiding a situation where they move into some kind of grey economy which is then outside of the infrastructure of monitoring and our ability to detect them. I think there is a very real question about as you identify mule accounts, what you do. Is it better to have them in the system but being monitored closely? Or is it better to have them all move on to crypto where it's much harder to monitor, for example? I think there are some big questions about how we tackle this issue more generally.

Ben: I think what you're going to see is banks beginning to change their risk appetite. Now you've introduced additional costs, people are going to look at ways to mitigate that. And one of those will be perhaps not taking on customers that might exhibit some or remote examples of mule-type behaviour. You will see potentially changes to the firm's risk appetite. And maybe the riskier customers they will introduce more friction into the journey, so it will take longer. And it may take longer for all of us. So, there will be potential downsides to this approach. I think where you're going to see that particularly is in mass affluent and high net worth individuals where there may be some other financial crime risk factors which have to be considered, such as where their income comes from. All of that is also going to add to that friction of onboarding. So, I think you're going to see quite a few changes to those processes in the coming years and months. And lastly as we've spoken about all along, operationally things have got to change, new processes have got to be built, and in particular, that claims process. And I don't think anyone as we sit here today knows exactly what that's going to look like going forward.

Andrew: No, that's interesting. And you're right, consumer duty has got to have a significant bearing on this in terms of firms' risk appetite and the approach to more vulnerable consumers as well. So, yes, really interesting, lots to think about there.

Alex: Just one point on that customer friction point of view. I think there's a really interesting parallel of what we've seen across card payments and on our e-commerce journey where if you go back five or six years, we were used to simply entering our card details, making a payment and the transaction went through. We all now totally accept that we'll have two-factor authentication on most payments, in-app confirmation of payments. And generally speaking, I think what research shows is that customers have become much more comfortable with additional security measures, or even they expect security measures to the point it can create a lack of trust if they're not there. I think friction in a payment journey is not necessarily a bad thing and it's not necessarily something that customers will dislike. I think it might actually strengthen it. The piece we also haven't talked about, which is kind of a big topic to bring up perhaps towards the end, but is what this all means for businesses, because at the moment all of the protections that we've talked about apply to consumers, small businesses, charities, small charities. But I think there's also a very big question out there about what protections do businesses have which are increasingly being targeted by these social engineering scams and perhaps have more money in the bank such that the losses can be greater. So, lots more to come I think in terms of regulatory developments in this area.

Andrew: Okay. That's really interesting. And I know there are other debates at the moment around things like the ombudsmen and the scope there as well. So, yes, really interesting. I think it's probably a topic we, by which I mean Tessa, will have to come back to at some stage in the future. So thank you both. Thank you very much. This has been a really valuable discussion and I actually have learnt about APP fraud and the associated risks, the huge amount of work that a variety of firms are going to have to do as a consequence of this, and what appears to be a really rapidly evolving regulatory regime and supervisory expectations as well. It's beginning to feel very real for people. To our listeners, I hope you've also enjoyed this conversation, and thank you for joining us. As always, please subscribe to future episodes and rate and review the series as it helps other listeners to find us. If you'd like to hear more from us on risk and regulation, please look out for our publications which are on our website and we'll pop a link into the show notes. Otherwise, we, well, Tessa, will be back next month with our next episode. Thank you.
