Faster Payments, Weaker Authentication?
Mounting pressure on the UK banking industry to offer customers near real-time payments resulted in the 2005 resolution to introduce Faster Payment Services (FPS). The initiative, agreed by 13 members of the banking community and the Office of Fair Trading, will come into force on 30 November 2007 and aims to address the growing need to service Internet and telephone banking customers with more efficient money transfer processing. While the benefits of such a service are widely recognised, member banks have yet to address one crucial issue – how will they successfully authenticate the source of payment within the vastly reduced transaction processing time? If banks fail to address this challenge, they could find themselves open to increased risk, which fraudsters will be only too happy to exploit.
Under FPS, Internet and telephone banking transfers between banks could occur in near real-time and standing orders will be processed on a same-day basis. The current three-working-day wait for inter-bank transfers, from the initiation of the payment to the recipient getting the funds, will effectively be abolished by those banks that have signed up to the initiative.
To date, the 13 faster payments member banks are progressing rapidly with their implementation projects ahead of the November 2007 deadline. While there are still some banks and building societies that remain outside the initiative, those who have committed to FPS represent over 95% of payments made in the UK. Faster Payments has been designed to replace those transfers that currently incur float, i.e. those that banks earn interest on during the lengthy three-day transfer period. The initiative should help the banks to improve customer satisfaction. Modernising and streamlining the payments systems will also ensure that banking in the UK is a thoroughly attractive and competitive proposition, particularly in the run-up to the single euro payments area (SEPA).
While member banks have accepted the rationale and benefits that faster payments will bring, especially from a customer service point of view, they also need to be aware of its impact upon their fraud and risk modelling solutions. Current clearing and settlement cycles give banks ample time to authenticate the source of a payment and to detect patterns of behaviour that could indicate criminal activity before money actually leaves the banking system. Faster payments will eliminate this delay and significantly increase the bank’s exposure to electronic fraud. Put simply, current systems are not up to the challenge of receiving a payment instruction from a variety of different channels and strongly authenticating the person who issued it, to prove they are who they say they are, within the 15-second transaction processing time.
The effect of this change will be felt on many levels. From a basic cost point of view, it exposes the bank to higher risk from fraud and money laundering. It is also a concern that if consumers lose confidence in the security of Internet and telephone banking, they will revert to using payment methods that rely on more branch interaction, resulting in higher costs.
However, potentially more damaging could be the effect on customer satisfaction should the customer fall victim to fraud. According to APACS, nearly 15 million people in the UK now use the Internet to access their bank accounts, yet one in four people who submit banking details online fail to check whether a website is safe and secure. Such research indicates that consumer awareness of the rising risk of online fraud is surprisingly low, further emphasising consumers' absolute reliance on banks to take a strong lead in combating this cyber crime.
The infrastructure to support faster payments is being built through a joint venture between Voca and Link Interchange Network. Once banks have adapted their in-house systems to support FPS, there will be close regulatory scrutiny and auditing of the entire transaction lifecycle. If security failings that heighten the risk of being exposed to fraud are perceived to exist, this could have a negative impact on the brand equity of the bank.
With the FPS implementation deadline rapidly approaching, banks must act now to address the potential threat to security that the initiative will create. An unexpected by-product of faster payments is that, for the first time, it provides a solid business case for investing in two-factor authentication. While always generally supportive of the benefits two-factor authentication can bring, especially in the battle to fight cardholder-not-present fraud, banks have not had any immediate incentive to invest in this technology. FPS will fundamentally change this attitude, as when it goes live later this year, the member banks will be instantly vulnerable.
By making customers strongly authenticate themselves using an unconnected smart card reader, the banks will have the identity confirmation required before the transfer is initiated. The sub-15 second transaction processing can then proceed without identity fraud being a concern. With the new APACS CAP standard for two-factor authentication readers, banks can use a common platform that offers strong user identification within a cryptographically secure environment.
Two-factor authentication has already proven its worth in combating cardholder-present fraud head on since the introduction of Chip and PIN in the UK in 2005. According to APACS, there was a reduction of nearly £60m in counterfeit and fraud on lost and stolen cards in 2005 compared to 2004 thanks to Chip and PIN (a drop of 24%). With the impending FPS deadline later this year, banks must learn from the successes of strong authentication security for face-to-face retail transactions and implement the same technologies to safeguard customers against online attacks. In the same way that the cost of cardholder-present fraud supplanted the cost of investing in the technology required to combat it, it is likely that banks will come up against the same argument for Internet and telephone banking transactions.
Beyond the pressure to strongly authenticate money transfers under the Faster Payments initiative, it is equally important to the security of those transfers to track and securely record each step in the lifecycle of a payment. This will enable the bank to ensure the integrity of each payment and all associated data. The recorded information can then be legally audited in line with regulations. The banking industry is currently facing multiple step-changes designed to address the growth in payment channels and rising demand for transparency and flexibility from customers. By combining strong user authentication and a secure audit trail on a single platform, banks can simplify their security systems across the enterprise and move towards a solution that better addresses impending legislation such as Faster Payments and SEPA. Conflicting integration and security, inherent in a ‘silo’ approach to business development, can be avoided and banks can respond quickly to emerging regulatory requirements.
Faster payments will create important opportunities for the introduction of new products and services by banks, encouraging them to adopt systems that manage information and security from a central database. Reducing the siloed storage and retrieval in the payments world will make it easier to provide the customer with a consistent experience across all points of service and allow for better risk management through the use of combined data.