(Last Updated On: January 12, 2024)

Takeaways from UK Regulatory Actions to Combat APP Scams

Regulatory Actions that Reduce Scam Victim Losses

Author:
•  Ken Palla, Retired Director, MUFG Union Bank – Courtesy of BioCatch

Article Abstract

“Global Insights: Learning from UK Regulatory Measures to Combat APP Scams”

Non-UK financial institutions can glean valuable insights from the UK’s regulatory approach to combatting authorized push payment (APP) scams. Beyond the focus on reimbursement, key lessons include the importance of developing standardized scam reporting metrics, implementing controls to prevent scams, and active participation in industry associations for intelligence sharing.

The UK’s emphasis on controls like Confirmation of Payee and transaction-specific interventions serves as a model. Proven measures like anomaly detection, behavioral biometrics, and effective warnings demonstrate practical ways to protect customers globally. Financial institutions are urged to take a proactive role in eradicating consumer financial scams.

What Non-UK Financial Institutions Should Take Away from UK Regulatory Actions to Combat APP Scams

Part 2

In my previous blog – Part 1, I shared the key observations and industry response to the final UK PSR scam reimbursement requirements expected to go into effect in October 2024. In part two of this series, I will discuss why banks outside the UK should be paying attention to these important changes. 

There is much to learn from how financial institutions in the UK are dealing with consumer financial scams. Although most of the focus has been on the voluntary and soon to be mandatory APP scam reimbursement, that may not be the most important point.

So far, there is some movement around the world to follow what the PSR is mandating in the UK. In the US, Early Warning Services, the company which operates the popular Zelle money transfer app and is owned by seven major banks, agreed in 2023 to establish reimbursement for limited impersonation scams under certain circumstances, with the reimbursement to be made by the receiving bank. In May 2023, the Australian government talked about requiring reimbursement for scams. But their Scams Code Framework consultancy, released late last year, is more focused on banks, telcos and internet platforms adding controls to help prevent financial scams. In Europe, the proposed 3rd Payment Services Directive (PSD3) discusses reimbursement for bank impersonation scams involving faster payments.

Three Lessons Learned from the UK

So, what can non-UK financial institutions take away from what is happening in the UK? Here are three recommendations that banks around the world can do today to get ahead of the scammers and the regulators.

Develop standard and consistent reporting

The UK, in conjunction with the banking community, regulators, and payment associations, is developing strong reporting on consumer scams. This is a basic step every financial institution needs to have to understand the full magnitude of how customers are being affected by financial scams. Some standard reporting metrics might include:

  • What type of scams are the customers involved in (e.g. impersonation scams, romance scams, investment scams, etc.)?
  • How is the scam working (e.g. via payment rails, cash withdrawals, money movement to crypto exchanges)?
  • How much money did they lose?
  • How long did the scam take place?
  • How did current bank controls help or prevent the scam from occurring?

In tracking and reporting scams, a standard scam taxonomy should be used, where possible. In the US, the Federal Reserve is adding scam taxonomy to its Fraud Classifier model. In 2023, the Euro Bankers Association (EBA) created the EBA Fraud Taxonomy to improve fraud reporting and facilitate information sharing across countries.

Add controls to identify and reduce scam losses

Even better than scam reimbursement is scam prevention. The UK regulators have forced several new controls be added including Confirmation of Payee, scam and transaction specific interventions (e.g. specific online warning at the time of a transaction or specific action by branch staff at the time of a large cash withdrawal), and money mule account controls. If you are outside the UK, there is no need to wait for your regulator to mandate scam controls. You should do it because you realize the magnitude of financial scams (e.g. over $8 billion per year in the US alone) and the serious impact to your customers.

I think as part of a sound financial ecosystem, consumer financial scam controls are a minimum requirement for financial institutions in 2024. These controls should cover three areas: 1) the actual authorized payment transaction or cash withdrawal; and money mule behavior around 2) account opening (online and at the branch) and 3) around inbound/outbound transactions for checking accounts/current accounts. Detecting and removing money mule accounts are critical as they serve as the backbone to facilitating consumer financial scams.

Get involved

Get involved with industry and trade associations and FS-ISACs, a global intelligence sharing community solely focused on financial services, with over 5,000 members in more than 70 countries. These associations provide opportunities to network with peer institutions to share scam information and learn from others.

Proven Controls to Stop Scams

The good news is there are a number of proven controls that exist today. Many banks are using anomaly detection and behavioral biometrics to alert on possible scam transactions (both online and the call center or at the branch) as they take place. The UK has good examples of actionable warnings that are presented to customers in real-time. For instance, for purchases made on Facebook Marketplace, Santander UK now asks customers if they have seen the item in person before authorizing a payment.

Outside the UK, some banks are already instituting similar measures. National Australia Bank has seen their payments prompt initiative, driven in part with the use of behavioral biometrics technology, get customers to stop and think before sending a payment. The bank was receiving over 2,500 calls a day from customers reporting scams and fraud and now see nearly $300,000 AUD in payments abandoned daily after customers receive the warning messages.

For online account opening, there are good solutions for bot detection to prevent automated bots from opening new accounts, behavioral biometrics to detect suspicious patterns of data entry and solutions that can analyze the customer PII data to detect stolen PII, synthetic IDs and other forms of fraud. A secondary benefit of strong account opening controls is the reduction of operational costs to close these bogus accounts.

For detecting actual money mule accounts, this requires tracking both the inbound and outbound transaction activity and looking for anomalies (e.g. a new account and $50,000 comes into the account and is immediately transferred out, or an existing account with constant low dollar amount activity and suddenly there are frequent large payments). Also, looking for user behavior anomalies, such as changes in the user’s mouse activity, typing patterns, or navigation preferences may indicate a change in account control. One large U.S. bank detected over 50,000 mule accounts in the first year after deploying behavioral biometrics.

Summary

In many ways, the UK has become a laboratory for the rest of the world, ever since they introduced faster payments over ten years ago. Even with more regulation, eliminating consumer financial scams is proving difficult. In many cases, the scams are being driven by international organized crime syndicates. Governments and International groups, including Europol, are starting to identify and take down some of these organizations. But as the UN has reported, there may be hundreds of thousands of scammers, often coerced individuals themselves, participating in these elaborate scams. So, financial institutions need to take a leading role in fighting the problem, whether there is reimbursement involved or not.

One of the biggest challenges for financial institutions is understanding how scammers get their customers to initiate these authorized payment transactions. There is real psychology used by these scammers to convince consumers there is a real romance, a real investment opportunity, a real threat to their bank account or a relative in a serious situation. Understanding how all this works needs to be incorporated into your solutions. And when you wonder why you are doing this, keep in mind the consumers, your customers, who have lost their life savings, college money for the kids, are so emotionally fraught after a large scam loss, they often have long-term mental health and trust issues. In the most extreme cases, financial scams have even led to suicide.

Every financial institution plays an important role in eliminating consumer financial scams.

Two to three years from now, what will a victim say their financial institution did to help them?

SCARS Resources:

PLEASE NOTE: Psychology Clarification

The following specific modalities within the practice of psychology are restricted to psychologists appropriately trained in the use of such modalities:

  • Diagnosis: The diagnosis of mental, emotional, or brain disorders and related behaviors.
  • Psychoanalysis: Psychoanalysis is a type of therapy that focuses on helping individuals to understand and resolve unconscious conflicts.
  • Hypnosis: Hypnosis is a state of trance in which individuals are more susceptible to suggestion. It can be used to treat a variety of conditions, including anxiety, depression, and pain.
  • Biofeedback: Biofeedback is a type of therapy that teaches individuals to control their bodily functions, such as heart rate and blood pressure. It can be used to treat a variety of conditions, including stress, anxiety, and pain.
  • Behavioral analysis: Behavioral analysis is a type of therapy that focuses on changing individuals’ behaviors. It is often used to treat conditions such as autism and ADHD.
    Neuropsychology: Neuropsychology is a type of psychology that focuses on the relationship between the brain and behavior. It is often used to assess and treat cognitive impairments caused by brain injuries or diseases.

SCARS and the members of the SCARS Team do not engage in any of the above modalities in relationship to scam victims. SCARS is not a mental healthcare provider and recognizes the importance of professionalism and separation between its work and that of the licensed practice of psychology.

SCARS is an educational provider of generalized self-help information that individuals can use for their own benefit to achieve their own goals related to emotional trauma. SCARS recommends that all scam victims see professional counselors or therapists to help them determine the suitability of any specific information or practices that may help them.

SCARS cannot diagnose or treat any individuals, nor can it state the effectiveness of any educational information that it may provide, regardless of its experience in interacting with traumatized scam victims over time. All information that SCARS provides is purely for general educational purposes to help scam victims become aware of and better understand the topics and to be able to dialog with their counselors or therapists.

It is important that all readers understand these distinctions and that they apply the information that SCARS may publish at their own risk, and should do so only after consulting a licensed psychologist or mental healthcare provider.

Opinions

The opinions of the author are not necessarily those of the Society of Citizens Against Rleationship Scams Inc. The author is solely responsible for the content of their work. SCARS is protected under the Communications Decency Act (CDA) section 230 from liability.

Disclaimer:

SCARS IS A DIGITAL PUBLISHER AND DOES NOT OFFER HEALTH OR MEDICAL ADVICE, LEGAL ADVICE, FINANCIAL ADVICE, OR SERVICES THAT SCARS IS NOT LICENSED OR REGISTERED TO PERFORM.

IF YOU’RE FACING A MEDICAL EMERGENCY, CALL YOUR LOCAL EMERGENCY SERVICES IMMEDIATELY, OR VISIT THE NEAREST EMERGENCY ROOM OR URGENT CARE CENTER. YOU SHOULD CONSULT YOUR HEALTHCARE PROVIDER BEFORE FOLLOWING ANY MEDICALLY RELATED INFORMATION PRESENTED ON OUR PAGES.

ALWAYS CONSULT A LICENSED ATTORNEY FOR ANY ADVICE REGARDING LEGAL MATTERS.

A LICENSED FINANCIAL OR TAX PROFESSIONAL SHOULD BE CONSULTED BEFORE ACTING ON ANY INFORMATION RELATING TO YOUR PERSONAL FINANCES OR TAX RELATED ISSUES AND INFORMATION.

SCARS IS NOT A PRIVATE INVESTIGATOR – WE DO NOT PROVIDE INVESTIGATIVE SERVICES FOR INDIVIDUALS OR BUSINESSES. ANY INVESTIGATIONS THAT SCARS MAY PERFORM IS NOT A SERVICE PROVIDED TO THIRD-PARTIES. INFORMATION REPORTED TO SCARS MAY BE FORWARDED TO LAW ENFORCEMENT AS SCARS SEE FIT AND APPROPRIATE.

This content and other material contained on the website, apps, newsletter, and products (“Content”), is general in nature and for informational purposes only and does not constitute medical, legal, or financial advice; the Content is not intended to be a substitute for licensed or regulated professional advice. Always consult your doctor or other qualified healthcare provider, lawyer, financial, or tax professional with any questions you may have regarding the educational information contained herein. SCARS makes no guarantees about the efficacy of information described on or in SCARS’ Content. The information contained is subject to change and is not intended to cover all possible situations or effects. SCARS does not recommend or endorse any specific professional or care provider, product, service, or other information that may be mentioned in SCARS’ websites, apps, and Content unless explicitly identified as such.

The disclaimers herein are provided on this page for ease of reference. These disclaimers supplement and are a part of SCARS’ website’s Terms of Use

Legal Notices: 

All original content is Copyright © 1991 – 2023 Society of Citizens Against Relationship Scams Inc. (Registered D.B.A SCARS) All Rights Reserved Worldwide & Webwide. Third-party copyrights acknowledge.

U.S. State of Florida Registration Nonprofit (Not for Profit) #N20000011978 [SCARS DBA Registered #G20000137918] – Learn more at www.AgainstScams.org

SCARS, SCARS|INTERNATIONAL, SCARS, SCARS|SUPPORT, SCARS, RSN, Romance Scams Now, SCARS|INTERNATION, SCARS|WORLDWIDE, SCARS|GLOBAL, SCARS, Society of Citizens Against Relationship Scams, Society of Citizens Against Romance Scams, SCARS|ANYSCAM, Project Anyscam, Anyscam, SCARS|GOFCH, GOFCH, SCARS|CHINA, SCARS|CDN, SCARS|UK, SCARS|LATINOAMERICA, SCARS|MEMBER, SCARS|VOLUNTEER, SCARS Cybercriminal Data Network, Cobalt Alert, Scam Victims Support Group, SCARS ANGELS, SCARS RANGERS, SCARS MARSHALLS, SCARS PARTNERS, are all trademarks of Society of Citizens Against Relationship Scams Inc., All Rights Reserved Worldwide

Contact the legal department for the Society of Citizens Against Relationship Scams Incorporated by email at legal@AgainstScams.org