Authorized push payment fraud is expected to become a bigger headache for financial institutions in the coming years, and it’s unclear whether they are prepared to address the rising threat, an industry report published this month suggests.
APP fraud involves fraudsters deceiving a consumer, who unwittingly authorizes a payment to an account from which a criminal can access the funds, according to ACI’s Scamscope report published earlier this month by payment software company ACI Worldwide and the research firm GlobalData. ACI predicts this form of fraud in the U.S. will exceed $3.03 billion in 2027, up from $1.94 billion in 2022.
That means the U.S. will have more of this type of fraud than any of the other six countries reviewed by ACI for the report. Australia is predicted to have the second most APP fraud, valued at $1.5 billion, followed by the U.K. ($934.7 million), Brazil ($635.6 million), India ($611.9 million) and Saudi Arabia ($81.5 million), the report said.
As for how consumers are being scammed, the two most common forms of APP fraud reported by victims were being asked to transfer funds to buy a product, as well as being asked to transfer funds to invest in a product or company, according to ACI’s Dec. 5 report. Other methods included sending funds as an advance for a product or service; transferring funds intended for a romantic partner; and transferring funds on behalf of a senior company employee, ACI said.
An ACI spokesperson said the company relied on its own online consumer survey of 50,000 consumers worldwide as well as government, corporate, industry association and news reports for its data, without providing details.
Real-time payments speed up fraud
Given more financial institutions are adopting FedNow, the Federal Reserve Bank’s recently launched instant payments network, real-time payment capabilities could catalyze more of this type of fraud as those push payment services facilitate faster fund transfers, said Cleber Martins, ACI’s head of payments intelligence and risk solutions.
To address the threat of rising APP fraud, financial institutions must scrutinize incoming funds as well as outbound funds so that they can spot possible mule accounts, Miami-based ACI noted in its report. Scammers gain access to the traditional financial system through mule accounts, meaning accounts generated through fake identities or misuse of accounts held by real people.
Financial institutions have spent decades primarily concerned with the funds exiting the bank, but they should concentrate their attention on criminals creating new accounts and disappearing with illicit funds, Martins said.
More than half of APP scam losses in the U.S. were valued at $1,000 or less and about one-fifth were $200 or less, according to ACI. When sums are so low, they likely will help criminals evade detection, the report said. Fraudulent transactions at those lower amounts are somewhat more challenging to detect, in part, because they may be roughly the same amount as legitimate transactions, said Troy Huth, a director at the New York consulting firm Auriemma Roundtables.
Identifying APP fraud transactions will likely require banks to hire more staffers to monitor the incoming funds as part of their fraud loss plan, Huth said, adding that some financial institutions have already begun doing so. However, when investigating such fraud at scale, it can be difficult to determine whether account holders who report APP fraud are complicit in the scam in exchange for some of the proceeds, he added.
“It makes it more difficult for the institutions to monitor every single transaction because it just inundates their fraud [detection] shops trying to look at every single one,” said Huth, who is based in San Antonio. The criminals try to “become that needle in a haystack in hopes of flying under the radar,” as opposed to gaining visibility by engaging in a big-dollar transaction, he said.
While financial institutions may begin to bear the brunt of APP fraud liability, Huth contended other companies involved in the transaction, perhaps social media and telecommunications companies, should also be held responsible for promoting or facilitating the APP fraud transactions.
Combatting APP fraud
Regulators could step in to apply more pressure on banks and payment platforms to address APP fraud, including monitoring inbound funds and detecting mule accounts, Huth said. Agencies that could play a role might include the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency and the Department of the Treasury's Financial Crimes Enforcement Network, he said. Some financial institutions are opting to do so before it becomes a mandate, he added.
Lawmakers have been paying close attention to how banks reimbursed defrauded customers. In October 2022, Sen. Elizabeth Warren (D-Mass.) sent a letter to CFPB Director Rohit Chopra, calling his attention to rising fraud rates on Zelle, the peer-to-peer payments tool operated by the bank-owned company Early Warning Services. She urged the agency to update its regulations regarding how banks reimburse scammed account holders.
Regulators could pay attention to how their counterparts in other countries navigate regulatory responses, the report said. For instance, in the U.K., regulators have instituted a new policy under which financial institutions at the initiating and receiving ends of a payment must share the cost of reimbursement for victims.
In its report, ACI also proposed several approaches financial firms could take to address the APP fraud issue, including sharing and harnessing anonymized data to improve fraud detection systems and enhancing their know-your-customer criteria.
FedNow has also contemplated steps to mitigate payment fraud, including allowing financial institutions to limit the value of transactions or choose the criteria by which transactions are denied.
Even when FedNow pushes up the volume of instant payments, some financial firms may not devote increased resources to their fraud detection staffs, ACI noted. Therefore, financial institutions should deploy artificial intelligence and machine-learning to profile account holders’ behaviors. Some institutions have already begun sending customers text alerts to verify transactions between new payees, ACI said in its report.
Pressure is mounting for regulators to act, Martins said. “From the bank where the money is leaving, they have just a portion of the visibility,” explained Martins, who is based in Sao Paulo. “They cannot do the work on their own so they need the bank receiving the money to take accountability as well.”