Financial institutions are facing a flood of fraud, from push-payment scams to business email compromises to bad checks. Nonetheless, they’re often stymied in trying to work together to root out bad actors.
That was painfully clear to attendees listening to several panel discussions at the Nacha Smarter Faster Payments conference last month. The industry event attracted about 2,100 payments, bank and credit union professionals between April 27 and April 30 in New Orleans.
Push-payment schemes, also known as credit-push fraud, that move over Nacha’s ACH and other electronic payment rails have been particularly problematic. In these situations, consumers and companies are duped into sending payments to criminals under false pretenses, but because they do so voluntarily, the fraud is more difficult to combat.
It’s become a pain point partly because the financial system revolves around monitoring for crooks sending payments, not those receiving them. Today, “mule” accounts belonging to unsuspecting holders are used by criminals to receive funds that are quickly drained.
Payments fraud in the U.S. is a multi-billion-dollar problem, especially among elderly consumers, according to the Federal Trade Commission. Fraudsters tap social media and artificial intelligence to their advantage to prey on consumers and corporate clients alike, with schemes becoming increasingly sophisticated.
Tim Thorson, a senior vice president of payments risk at Regions Bank, lamented the problem during a Nacha panel discussion regarding that organization’s plan to implement new rules addressing fraud.
“Credit-push fraud can take a small business down, and I've seen it happen, and I know probably many people in here have, and that's an extremely anti-social thing to happen to a small business, because the country's built on small businesses,” Thorson said.
Perceived legal barriers
Part of the problem is that federal and state laws intended to protect customer confidentiality and thwart money-laundering may be interpreted in ways that hamper communication between financial institutions.
“I wish there was something that we could do amongst ourselves that would amount to something of a safe harbor, where we could talk to each other the way we used to before all the privacy laws came down 25 years ago,” Thorson said. “We're still paranoid about divulging the information on a mule (account), for instance, on somebody clearly taking money that didn't belong to them.”
Fraudsters aren’t protected by such laws, but it’s often difficult to determine quickly whether fraud between different institutions’ accounts is happening. That’s where more communication might help.
“One of the things that we identify as a potential roadblock to some potential sharing is just the sense that folks are not clear what they can share with law enforcement, and how really, they can work together to try and make a broader difference,” Scott Anchin, a vice president of operational risk and payments policy at the Independent Community Bankers of America, said during a separate panel discussion.
Anchin’s trade group created a task force with representatives from some 50 community banks nationwide to discuss fraud, he said during the panel focused on enabling institutions to work together. The cohort has also partnered with the non-profit International Association of Financial Crimes Investigators to create a guide for bank members, he said.
Financial institutions’ ‘cultural’ problem
Even though banks share staff contact information through a Nacha registry designed to connect workers from different banks and credit unions, such registries aren’t always complete or up to date, often frustrating employees who try to use them.
All too often, bank employees trying to reach industry peers may have access only to a customer service line that devolves into a series of dead ends. The situation may become more difficult when banks are intermediaries for unlisted fintechs.
Nacha panelists noted a “cultural” problem in the industry with banks and workers not interested in talking to peers, for whatever reason, including potentially competitive instincts.
“Instead of putting your direct line (in the registry), you put the call-tree-hell (number) because you hope that nobody will sit through it, but that doesn't get us anywhere,” said William Mills, a vice president for deposit and ACH operations at Premier Banks in Maplewood, Minnesota.
Mills, who spoke on the Nacha rule panel, said he endured conversations with 18 different bank representatives at a large financial institution over four hours to resolve one issue.
Conference attendees suggested larger institutions may be more guarded because they’re seeking to safeguard their proprietary data.
When asked about banks sharing information to combat fraud during an interview last month, JPMorgan Chase’s payments technology head, Sri Shivananda, pointed to the government as the linchpin for information-sharing, via the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency.
As for JPMorgan’s role, he seemed to favor maintaining an edge on rivals. “We have a competitive advantage on the data that we see through the number of transactions that we support on the platform,” he said.
Missing government coordination
A major government public campaign to call attention to the rising fraud problem, or to address it, has been lacking, some panelists contended.
There is no federal government office coordinating a response to this multi-billion-dollar crisis, said Paul Benda, an executive vice president of risk, fraud and cybersecurity policy for the American Bankers Association. The situation reflects a “complete and utter failure” of the national government to spearhead a nationwide solution, he said.
For its part, Nacha is implementing new rules to address the mushrooming payments fraud, asking financial institution members to submit plans for procedural changes. The rules aimed at changing financial institutions’ processes and policies are being phased in, with additional deadlines next year.
Unfortunately, many financial institutions aren’t ready to make the improvements, according to Dominic Plumeri, who audits banks on the ACH Network in his role as vice president of member services at not-for-profit payments association Southern Financial Exchange.
Nacha is also seeking to spur more information-sharing among its members by adding a new online means of connecting with each other to report fraud and attempt to recover funds.
In addition, some financial institutions are turning to outside software vendors to help develop technology to flag potential account problems, sometimes based on changes in payment behavior, like increases in volumes or values being received or sent by customers.
In the meantime, though, speakers at the conference said they fear losses are contributing to an expansion of organized crime rings, fueling the problem.
Karen Helmberger, director of fintech and payments at the industry fraud-fighting organization FS-ISAC, emphasized the personal and financial tolls the crimes take on people.
“We are losing generational wealth across the sector in this country and it’s going to these scam facilities wherever they may be,” said Helmberger. She urged attendees to focus not on the uncomfortable feelings they have about communicating, but rather on the “really bad things” that happen when they don’t.