SEPA and Fraud: the Threat to Uptake

Date published: March 19, 2009

As Europe continues to adopt the single euro payments area (SEPA) framework, much of the media attention to date has focused on the implications of harmonisation, better regulation and standardisation of the relationship between payment providers and payment users. However, there has been relatively little discussion about how SEPA influences other industry topics, such as payment fraud and risk. A survey carried out last year by Experian Payments into payment fraud within UK corporates found that 98% of corporates questioned do not plan to enhance payment fraud counter-measures following the introduction of SEPA. It is widely acknowledged within the financial services community, however, that SEPA will bring associated security risks if the right systems and procedures are not put in place. So, with the majority of those corporates surveyed (86%) reporting payment fraud directly to their banks, a lack of security considerations could have a significant impact on wholesale banks.

It is not just the banks and corporates that are looking at the new payments framework as an additional invitation for fraudsters to take advantage of easier cross-border payments. The European Commission recently revealed its intention to create a Payment Systems Market Expert Group (PSMEG), with the aim of gathering high-level input on specific payment issues from stakeholders in the payment industry. Several areas are of particular interest to the group, with payment fraud prevention and the development of payments policies in the context of SEPA being the main focus.

The PSMEG is to provide assistance to the European Commission in the elaboration of legislative acts and policy initiatives regarding payment systems. In the meantime, though, the greater transparency being championed by SEPA for conducting transactions between countries and across borders is creating new and difficult challenges for financial institutions and their corporate customers, which could ultimately have an impact on their reputation.

At a time when US and European economies have been thrown into recession due to the credit crisis, banks must prevent further bad publicity and actively combat the growing lack of trust among consumers. In order to remain competitive and to protect their brands, banks need to demonstrate that they can cope with any new risks post-SEPA, in particular as fraud activities in recent years have moved to non-EMV areas, such as cardholder-not-present (CNP) transactions and Direct Debit (DD) payments.

Direct Debit Fraud

There is still widespread misunderstanding about the nature of DD fraud, even on a domestic level: namely, that a DD fraudster will pose as a legitimate DD originator. The reality is that DD fraudsters are much more likely to pose as legitimate customers, either by stealing someone else’s details or by using a fictitious account that passes modulus checks but doesn’t belong to anyone. The fraudster will exploit the weaknesses of the scheme to obtain money, goods or services by pretending to be a legitimate consumer, not a legitimate business.

The telecoms industry provides a prime example of the challenges around payment fraud. From petty criminals to organised gangs, the telecoms industry has suffered at the hands of fraudsters for many years. Obtaining a mobile phone and contract by fooling identity checks is common practice for fraudsters – both as a money-making initiative and as a means to communicate for free.

The Communications Fraud Control Association (CFCA), the global telecoms industry’s fraud body, reports that mobile phone companies suffer more than £25m in lost revenues annually through fraud. In addition, IDC indicates that as much as 50% of bad debt among European telecoms companies is a direct result of fraudulent activities. This figure looks set to soar once cross-border DDs become a reality.

Criminals conduct mobile phone subscription fraud by setting up unauthorised DDs on third-party bank accounts or using stolen and/or made-up account and sort code details. The typical checks employed by a mobile operator are not made against an up-to-date database, which allows fraudsters using false details to slip through the net and ultimately gives them the means to start making mobile payments.

Fraud involving DDs is currently possible because the systems in place to check the accuracy of customer-supplied personal and bank information are limited to checking that the bank account data appears to be valid rather than actually confirming that this is the case. With SEPA DD (SDD) on the horizon, both banks and their corporate customers will need to ensure the right measures are put in place in time.

Simply checking whether bank account data is correct and that the name and address supplied matches a form of ID is not sufficient. Knowing exactly who the customer is at the point of data entry by using an authentication solution can reduce the opportunity to fraudulently obtain a handset in the first place.

Enhancing Data Security

One way to enhance data security is by implementing real-time data validation solutions. These will not only satisfy companies’ desire to cost-effectively improve security but will also help manage customer expectations around the secure handling of their payments data without inhibiting the speed of purchase or payment. Such solutions need to be capable of linking and verifying three elements: the customer, their bank account details and their address. There are many solutions currently available that can validate bank account details. However, it is only recently that it has become possible to verify consumer-provided bank account data against a reliable reference for the supplied name and address in real-time and on an international scale. By linking these three key pieces of information at the point of capture, operators can now conduct more efficient, effective data verification and so reduce their fraud losses.
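An added illustration (not from the original article or any vendor's product) of the gap described above: a checksum only shows that account data is well formed, while linking customer, account and address needs a reference source. The IBAN mod-97 check stands in here for the modulus checks the article mentions, and `REFERENCE`, `verify_mandate` and the sample names and addresses are constructed for the example.

```python
import re

def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: shows the string is well formed, nothing more."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]                      # move country code + check digits to the end
    digits = "".join(str(int(c, 36)) for c in rearranged)  # 0-9 unchanged, A=10 ... Z=35
    return int(digits) % 97 == 1

def norm(text: str) -> str:
    """Compare names and addresses ignoring case, spacing and punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

# Constructed reference data standing in for an account-holder verification source.
REFERENCE = {
    "GB82WEST12345698765432": {
        "name": "Jane Example",
        "address": "1 Sample Street, London",
    },
}

def verify_mandate(name, iban, address, reference=REFERENCE):
    """Return (decision, reasons) for a Direct Debit sign-up at the point of capture."""
    key = re.sub(r"\s+", "", iban).upper()
    if not iban_checksum_ok(key):
        return "reject", ["iban_checksum_failed"]
    record = reference.get(key)
    if record is None:
        # Well formed, but nothing ties the account to this applicant.
        return "refer", ["account_not_found_in_reference"]
    reasons = []
    if norm(record["name"]) != norm(name):
        reasons.append("name_mismatch")
    if norm(record["address"]) != norm(address):
        reasons.append("address_mismatch")
    return ("accept", []) if not reasons else ("refer", reasons)

if __name__ == "__main__":
    print(verify_mandate("Jane Example", "GB82 WEST 1234 5698 7654 32", "1 Sample Street, London"))
    print(verify_mandate("John Other", "GB82 WEST 1234 5698 7654 32", "1 Sample Street, London"))
    print(verify_mandate("Anyone", "DE89 3704 0044 0532 0130 00", "Any address"))
```

The third call uses a published documentation IBAN that passes the checksum yet is referred, because the checksum alone says nothing about who holds the account.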

Not only will these data validation solutions apply to SDD payments but also to the UK’s Faster Payments Service (FPS). Despite the fact that the FPS has had a successful start among the 13 founding clearing banks since its launch in May 2008, the very speed of the Faster Payments process is still posing serious security and fraud concerns for banks and their corporate customers. From mid-2009, corporates will have the option to directly initiate Faster Payments via Direct Corporate Access (DCA). In order to handle the changed timescales, corporates will need to make significant changes to their current payment systems and processes; this will include ensuring that fraud is properly handled as Faster Payments cannot be simply revoked once made.

Through the relevant data validation tools, corporates should be able to confirm that beneficiary accounts support receipt of Faster Payments and eliminate transaction errors prior to submission of a payment order. This will be particularly beneficial for industry sectors with a high number of suppliers such as large manufacturing companies, insurance and consumer credit companies as well as the public sector. In addition, SMEs will be able to manage their cash flow much better as they have the option to hold funds in their accounts for two to three days longer.

Conclusion

Fraud considerations, especially in today’s competitive climate, need to be top of the agenda for financial institutions and corporates in the run-up to SDD implementation and the full roll-out of Faster Payments in the UK. As such, corporates have to identify potential weak spots where fraud might occur during the process of acquiring or changing customer payment information. Preventing fraud is like repairing a burst pipe – it is only when all the holes have been plugged that there will be no leakage. Connecting an individual’s identity to their bank account and address is one solution. As the next stage of the SEPA framework approaches, it is only by linking these three pieces of information that corporates can really be sure of their customer information, and more importantly the source or destination of their customer’s funds.
