How Financial Institutions Can Detect and Prevent APP Fraud 

Fraud in all its forms has grown at a staggering rate. As criminals grow smarter and more sophisticated, financial institutions must find innovative ways of outpacing their assailants – and protecting the victims of these opportunistic attacks.

According to the Payments System Regulator (PSR), Authorized Push Payments (APP) fraud is a growing issue in the UK, exceeding – for the first time – credit card fraud. £355M was lost to APP scams in the first half of 2021, up by 71% compared to the first half of 2020. But this is fast becoming a £1bn problem for the industry, despite the fact that many victims never report being scammed.

The proliferation of these attacks has reinforced that the current ways of detecting fraud are falling short, and financial institutions need to reconsider how scams such as APP fraud are detected.

But first – what exactly is APP fraud, and what does a typical scam look like?

What is APP fraud?

APP scams happen when a person or organization is tricked into transferring money to a fraudster who is posing as a genuine payee – and can be highly distressing for those who fall victim to them.

While the pressure is on banks to protect unsuspecting victims, stopping these attacks means getting to the root of the problem which, in the case of APP fraud, is online platforms and social media sites where 70% of scams originate. Fraudsters use modern means of technology and are becoming increasingly sophisticated, targeting wherever is ‘on-trend’. For instance, we are already seeing the use of QR codes as a form of targeting victims (quishing), and the metaverse will likely become a digital playground for fraudsters – if it isn’t already.

The challenge APP scams pose for financial institutions

In light of the staggering rise in APP fraud, banks around the world are under increasing pressure to protect their customers.

In order to help tackle the devastating implications of these scams, the PSR have set out three key measures.

1. The reimbursing of victims

In April 2018, the PSR set up a steering committee to create an industry code which provides reimbursements for victims of APP fraud. The Contingent Model (CRM) Code came into effect in May 2019, but is as yet non-statutory and voluntary.

However, the CRM code is likely to become mandatory for all banks in the future, which will lead to increased costs. As Innovative Finance states in response the PSR APP Fraud consultation:

[Reimbursements costs] are estimated to be the equivalent of wiping – at minimum – a tenth of PSPs’ (Payment Service Provider) revenue, according to data points drawn from our members and the wider FinTech ecosystem.

While the CRM code marks an important step in tackling APP fraud, it also presents a further challenge for banks. Proposals may inadvertently increase the total amount of fraud and attractiveness of the UK as a market of choice for scammers, creating an uptick in APP fraud levels.

But until the CRM Code comes into effect, the playing field for banks is far from level. Fraudsters will more likely target digital, or challenger, banks that have opted to apply less stringent fraud detection measures, such as COPs (Confirmation of Payee), in favor of improving the overall consumer experience.

2. The publication of fraud data by banks

Reputational and consumer experience are both key for retaining or winning business. The PSR’s claim that they will make fraud data publicly available is a growing concern for banks as not only will customers and competitors be able to see how susceptible they are to fraud, but fraudsters will also know which banks have the weaker controls for them to exploit.

3. Improved intelligence sharing

While the industry establishes the best way to improve intelligence sharing, one solution is to leverage the power of context to create a mechanism for notifying and investigating suspicious activity sooner.

The PSR suggested that a better alternative to tackling scams such as APP fraud might be to “develop industry-agreed principles for the two-way sharing of specific elements of data, at strategic points within the payment journey. This could use APIs outside the transaction and could therefore include other data – for example, highlighting suspected mule accounts to receiving PSPs.”

Industry groups such as the Joint Working Group (which includes UK Finance, Pay.UK and a number of PSPs) are partnering to assess which specific data can be shared and at which strategic points within the payment journey. If the area of concern is around the making of a payment, then tools like

Decision Intelligence (DI), which identifies suspicious payments by leveraging context, can be part of the solution.

By using internal and external data to build networks, beneficiary banks can be notified of suspicious activity, alerting them that certain transactions require further attention. These beneficiary accounts can then freeze funds, stopping them from being sent elsewhere, cutting off the fraudster – and protecting further victims of fraud.

Overcoming APP fraud with advanced technology

The most successful scam detection and prevention results are being achieved by the banks who:

• Apply Entity Resolution to consolidate datapoints around people of interest to generate a single customer view.

• Leverage Advanced Analytics technology to identify fraud tactics and spot subtle patterns quicker than a human investigator.

• Analyze more data. Using AI, banks can bring together internal and external data types on one platform for analysis.

• Consider accounts that are more susceptible of falling victim to scams. Although indicators viewed in isolation may identify scams, there is a risk of false positives, and it’s often too late to prevent the fraud occurring.

APP fraud is showing no signs of abating. In fact, organized crime syndicates are using extensive and increasingly sophisticated APP fraud tactics. Now, the onus is on financial institutions to protect customers – and combining data with advanced technology is proving to be the most effective defense.

Adapting to a World of Digital Fraud