Back to News
Smaller FIs are vital to the UK and protecting them from APP Fraud losses should be a priority
Thought Leadership· 7min July 31, 2024
Let’s start with something I hope should be self-evident – the UK’s thriving financial services landscape is a good thing and the variety in our financial institutions as well as the services they offer to consumers and businesses is something to be celebrated.
That said the new PSR regulations have a potential unintended side effect that could put the survival of some of these institutions at risk, in the form of liability for APP Fraud losses. The new regulations have been built to protect consumers and achieve that through guaranteeing refunds in the majority of cases – with the consumer being refunded by their bank and the cost of the refund being shared equally between the victim’s bank and the bank of the account that received the fraudulent payment. This sharing of liability means institutions that previously were not involved in refunding the victims of APP Fraud now bear 50% of the cost – and considering reported APP Fraud losses in the UK in 2023 were £478m (which is recognised to be under-reported) this is a high bill to pay
These new regulations have been built with two principles in mind:
01
Consumers should be protected from loss in nearly every instance.
02
The responsibility lies with the banks involved in the transactions and those institutions should take every step possible to prevent fraud.
Unfortunately for some institutions there are a few reasons why they are both at greater risk of being targeted by these criminal organisations and have a greater challenge at being able to identify those bad actors and prevent them from being successful.
01
Focus on account acquisition: Smaller financial institutions are built on acquiring customers with generally a focus on optimised customer experience. Criminal organisations look for ways to create accounts they can manipulate and target institutions in this acquisition mode. Evidence has shown that even rigorous customer authentication is still likely to be able to be overcome where the mule is either willing or being forced to as a victim of human trafficking themselves. A new institution with a focus on new account creation is likely to have a higher percentage of bad actors.
02
Inbound screening maturity: Typically identifying fraud has been built using controls on the outbound leg whereas smaller financial institutions need adequate controls on the inbound leg – building mature and effective controls on the inbound leg is a challenge that few institutions, even tier 1s, have mastered yet.
03
Lack of reliable insight: Smaller Fis also have, by definition, smaller customer bases. Larger financial institutions use models trained using customer and payment data to identify the likelihood of a payment being fraud to manage their risk. If you have a small customer base and low numbers of fraud labels, then you are left to use attribute thresholds and static rules which generate high numbers of false positives that result in high operating costs and customer friction.
Ultimately these points make a perfect storm where smaller Fis are at significant risk of being impacted by the new regulations and have less ability to protect themselves. The other point to make is that with tighter operating margins a refund of the maximum liability of £415,000 per claim would be highly damaging to a smaller financial institution, having to fund 50% of this liability limit.
Financial institutions of all sizes both want and need to play their role in preventing fraud and ensuring their services are only used for legitimate purposes, but given the challenges outlined above, the question should be how can a small financial institution be effective at playing a role in preventing fraud – and how does that align with managing the new liability that they will be exposed to.
What does a good solution look like?
Smaller financial institutions need access to a service that uses collaborative intelligence, rather than just their data, to identify risk based on multiple institutions data in a single model. This enables an FI to utilise a risk score that recognises when their accounts are displaying fraudulent behavioural characteristics that have been built on known fraudulent behaviours from across a wider network. They also need a model which has been built to score both outbound and inbound payment risk. Collectively, this provides protection for the FI before the loss becomes a liability.
In the last 12 months Form3 have partnered with Feedzai in developing a collaborative intelligence model that has been built on UK faster payment data and, crucially, inbound and outbound fraud labels. This unique model has proven to be highly effective at identifying inbound fraud. In live production with customers since May, we are identifying 70%+ of all confirmed fraud value on inbound payments at standard false positive rates that are operationally viable.
This is a game changer for smaller Financial Institutions as they can adopt all the benefits of a large model trained on a wider data set than they would normally have access to. They can also onboard quickly with accessibility through Form3’s Fraud API with no need to retrain our model in onboarding, effectively meaning the FI can realise the full vaue of the service from day one. The model also only uses the fields in the faster payment message removing the complexity of data transformations. Based on these elements financial institutions of any size could still adopt the model before the new regulations become active on 7th October.
Written by
