Skip to main content

Fraud Prevention 2.0: How Neo Banks Are Setting New Standards

 


Preventing fraud is a major concern for every financial institution. Banks, in particular, must ensure that only the rightful account owner accesses their account and that no incorrect payments are made. This involves tackling issues such as identity theft, accidentally misdirected payments, and Authorised Push Payment (APP) fraud. While a few years ago, this was limited to implementing more complex authentication methods, today banks use a multitude of techniques to protect their customers. This is especially important as banks try to avoid that increased security impacts user experience and leads to more customer questions and complaints to the bank’s customer support. More and more, fraud protection is being considered a competitive differentiator, rather than a necessary cost.

Let us explore in detail the different techniques deployed by modern banks.

Ensuring the Right Person Accesses the Account

This is the first step in avoiding fraud. Unfortunately, it is easier said than done, especially as customers are typically not very security aware. They create security risks by using the same password everywhere, not sufficiently protecting their email accounts used for password resets, not securing their phones, clicking on malicious links, sharing secret credentials, and oversharing personal details on social media, which enables advanced social engineering. At the same time, customers often complain about restrictions on usability due to security measures and may leave the bank because of them.

Therefore, banks must be very inventive with authentication, trying to minimize the impact on usability while still ensuring sufficient security. Additionally, they need to educate their customers about certain security risks.

  • Multi-Factor Authentication: One of the primary methods of securing user accounts is through multi-factor authentication (MFA). This approach requires users to provide multiple forms of verification before gaining access to their accounts. MFA can include:

    • PIN codes and passwords

    • One-time codes sent via email, SMS or authenticator apps

    • Biometric authentication, such as fingerprint and facial recognition

    • …​

  • Risk-Based Authentication: Risk-based authentication (RBA) takes security a step further by monitoring user behaviour to detect potential anomalies. Based on this, authentication can be reduced (e.g. for some actions only a PIN code could suffice), while for others, additional authentication methods can be enforced. This method leverages artificial intelligence (AI) to analyse patterns that are not easily captured by traditional rule sets.

    RBA analyses several factors to effectively identify suspicious behaviour and prevent unauthorized access. These factors can include:

    • Geo-location

    • Type and sequence of previous actions executed

    • Next action requested (e.g. a consultation does not need the same level of security as initiating a high-value payment)

    • Mouse movements, keystroke patterns and even how the customer holds his mobile device

    • Browser model and version

    • IP address and operating system

    • Hardware device

    • …​

For more information, see my previous blog: "Multi-Factor Authentication and Identity Fraud Detection in the Financial Services Industry" (https://bankloch.blogspot.com/2020/02/multi-factor-authentication-and.html).

Preventing Incorrect Payments

Preventing unauthorized access to bank accounts is not sufficient to protect against fraud. Numerous fraud cases also involve victims being manipulated into making payments to fraudsters, typically through social engineering attacks involving impersonation.

Examples are

  • CEO fraud, where criminals pose as the CEO (or another high ranking executive) of a company and urgently ask an employee to transfer money.

  • Invoice fraud, where real invoices are replaced with fraudulent ones containing different bank account numbers or false QR codes, resulting in payments to another account.

This type of fraud remains common, as many banks do not protect their customers well against these attacks. Increasingly, regulators and governments (e.g. the EU with the Instant Payments Directive and PSD3 mandate) are pushing for better solutions.

Typical measures include:

  • Extra Controls and Warnings: Banks can implement additional controls and warnings when users make payments to new recipients or transfer large amounts.

  • Verification of Payee (VoP): This service verifies the recipient of a payment to ensure the funds are going to the correct person, preventing both APP fraud and accidentally misdirected payments. Companies like SurePay, OB Connect, Worldline, Tell Money, iPid, and Banfico offer this service.

While the above practices are becoming common in the financial services industry and are often mandated by regulators, innovative banks are taking extra steps to protect their customers. Recently, several new features have been announced by neobanks.

Some examples:

  • Check If You Are Being Called in App: Earlier this year, both ING in the Netherlands and Monzo in the UK introduced a new feature allowing users to see immediately if the bank is calling them. This avoids phone fraud, where fraudsters impersonate the bank to obtain secret credential information.

  • Known Locations or "Leave Your Money at Home": Monzo introduced this feature, allowing users to specify trusted locations, such as their home or workplace, where transactions can be safely conducted. Transactions attempted outside these pre-approved locations are automatically blocked, providing a geographical safety net against unauthorized transactions.

  • Trusted Contacts: Trusted Contacts introduces a social validation step into the transaction process. Customers can invite a trusted friend or family member to verify transactions that exceed a certain limit. This additional layer of scrutiny helps prevent fraudulent transactions by involving someone the customer trusts. This feature was also recently introduced by Monzo.

  • Secret QR Codes: Also introduced by Monzo, this feature allows customers to generate unique QR codes, which can be scanned in the app to authorize significant transfers. This code can be stored on a separate device or printed, ensuring that even if a phone is stolen, unauthorized transactions cannot proceed without the QR code. This dual-device requirement adds a robust layer of security.

  • Selfie Verification: Revolut has introduced Wealth Protection, which requires a selfie verification for withdrawals from investments. This verifies the identity of a customer against the selfie ID checks completed during the initial sign-up, significantly hampering fraudsters' attempts to transfer money out of savings accounts, even if phone security has been compromised.

These new technologies and innovative features are interesting to test out. However, the user adoption of these features remains to be seen, as they are currently opt-in. The ease of enabling these features and ensuring they are used correctly by customers will be critical. For example, secret QR codes are only effective if stored securely on another device.

In any case, in the fight against fraud, financial institutions must continuously innovate and test new security mechanisms to stay ahead of fraudsters and ensure the safety and trust of their customers.


Comments

Popular posts from this blog

Transforming the insurance sector to an Open API Ecosystem

1. Introduction "Open" has recently become a new buzzword in the financial services industry, i.e.   open data, open APIs, Open Banking, Open Insurance …​, but what does this new buzzword really mean? "Open" refers to the capability of companies to expose their services to the outside world, so that   external partners or even competitors   can use these services to bring added value to their customers. This trend is made possible by the technological evolution of   open APIs (Application Programming Interfaces), which are the   digital ports making this communication possible. Together companies, interconnected through open APIs, form a true   API ecosystem , offering best-of-breed customer experience, by combining the digital services offered by multiple companies. In the   technology sector   this evolution has been ongoing for multiple years (think about the travelling sector, allowing you to book any hotel online). An excelle...

Are product silos in a bank inevitable?

Silo thinking   is often frowned upon in the industry. It is often a synonym for bureaucratic processes and politics and in almost every article describing the threats of new innovative Fintech players on the banking industry, the strong bank product silos are put forward as one of the main blockages why incumbent banks are not able to (quickly) react to the changing customer expectations. Customers want solutions to their problems   and do not want to be bothered about the internal organisation of their bank. Most banks are however organized by product domain (daily banking, investments and lending) and by customer segmentation (retail banking, private banking, SMEs and corporates). This division is reflected both at business and IT side and almost automatically leads to the creation of silos. It is however difficult to reorganize a bank without creating new silos or introducing other types of issues and inefficiencies. An organization is never ideal and needs to take a numbe...

RPA - The miracle solution for incumbent banks to bridge the automation gap with neo-banks?

Hypes and marketing buzz words are strongly present in the IT landscape. Often these are existing concepts, which have evolved technologically and are then renamed to a new term, as if it were a brand new technology or concept. If you want to understand and assess these new trends, it is important to   reduce the concepts to their essence and compare them with existing technologies , e.g. Integration (middleware) software   ensures that 2 separate applications or components can be integrated in an easy way. Of course, there is a huge evolution in the protocols, volumes of exchanged data, scalability, performance…​, but in essence the problem remains the same. Nonetheless, there have been multiple terms for integration software such as ETL, ESB, EAI, SOA, Service Mesh…​ Data storage software   ensures that data is stored in such a way that data is not lost and that there is some kind guaranteed consistency, maximum availability and scalability, easy retrieval...

IoT - Revolution or Evolution in the Financial Services Industry

1. The IoT hype We have all heard about the   "Internet of Things" (IoT)   as this revolutionary new technology, which will radically change our lives. But is it really such a revolution and will it really have an impact on the Financial Services Industry? To refresh our memory, the Internet of Things (IoT) refers to any   object , which is able to   collect data and communicate and share this information (like condition, geolocation…​)   over the internet . This communication will often occur between 2 objects (i.e. not involving any human), which is often referred to as Machine-to-Machine (M2M) communication. Well known examples are home thermostats, home security systems, fitness and health monitors, wearables…​ This all seems futuristic, but   smartphones, tablets and smartwatches   can also be considered as IoT devices. More importantly, beside these futuristic visions of IoT, the smartphone will most likely continue to be the cent...

PSD3: The Next Phase in Europe’s Payment Services Regulation

With the successful rollout of PSD2, the European Union (EU) continues to advance innovation in the payments domain through the anticipated introduction of the   Payment Services Directive 3 (PSD3) . On June 28, 2023, the European Commission published a draft proposal for PSD3 and the   Payment Services Regulation (PSR) . The finalized versions of this directive and associated regulation are expected to be available by late 2024, although some predictions suggest a more likely timeline of Q2 or Q3 2025. Given that member states are typically granted an 18-month transition period, PSD3 is expected to come into effect sometime in 2026. Notably, the Commission has introduced a regulation (PSR) alongside the PSD3 directive, ensuring more harmonization across member states as regulations are immediately effective and do not require national implementation, unlike directives. PSD3 shares the same objectives as PSD2, i.e.   increasing competition in the payments landscape and en...

Trade-offs Are Inevitable in Software Delivery - Remember the CAP Theorem

In the world of financial services, the integrity of data systems is fundamentally reliant on   non-functional requirements (NFRs)   such as reliability and security. Despite their importance, NFRs often receive secondary consideration during project scoping, typically being reduced to a generic checklist aimed more at compliance than at genuine functionality. Regrettably, these initial NFRs are seldom met after delivery, which does not usually prevent deployment to production due to the vague and unrealistic nature of the original specifications. This common scenario results in significant end-user frustration as the system does not perform as expected, often being less stable or slower than anticipated. This situation underscores the need for   better education on how to articulate and define NFRs , i.e. demanding only what is truly necessary and feasible within the given budget. Early and transparent discussions can lead to system architecture being tailored more close...

Low- and No-code platforms - Will IT developers soon be out of a job?

“ The future of coding is no coding at all ” - Chris Wanstrath (CEO at GitHub). Mid May I posted a blog on RPA (Robotic Process Automation -   https://bankloch.blogspot.com/2020/05/rpa-miracle-solution-for-incumbent.html ) on how this technology, promises the world to companies. A very similar story is found with low- and no-code platforms, which also promise that business people, with limited to no knowledge of IT, can create complex business applications. These   platforms originate , just as RPA tools,   from the growing demand for IT developments , while IT cannot keep up with the available capacity. As a result, an enormous gap between IT teams and business demands is created, which is often filled by shadow-IT departments, which extend the IT workforce and create business tools in Excel, Access, WordPress…​ Unfortunately these tools built in shadow-IT departments arrive very soon at their limits, as they don’t support the required non-functional requirements (like h...

An overview of 1-year blogging

Last week I published my   60th post   on my blog called   Bankloch   (a reference to "Banking" and my family name). The past year, I have published a blog on a weekly basis, providing my humble personal vision on the topics of Fintech, IT software delivery and mobility. This blogging has mainly been a   personal enrichment , as it forced me to dive deep into a number of different topics, not only in researching for content, but also in trying to identify trends, innovations and patterns into these topics. Furthermore it allowed me to have several very interesting conversations and discussions with passionate colleagues in the financial industry and to get more insights into the wonderful world of blogging and more general of digital marketing, exploring subjects and tools like: Search Engine Optimization (SEO) LinkedIn post optimization Google Search Console Google AdWorks Google Blogger Thinker360 Finextra …​ Clearly it is   not easy to get the necessary ...

The UPI Phenomenon: From Zero to 10 Billion

If there is one Indian innovation that has grabbed   global headlines , it is undoubtedly the instant payment system   UPI (Unified Payments Interface) . In August 2023, monthly UPI transactions exceeded an astounding 10 billion, marking a remarkable milestone for India’s payments ecosystem. No wonder that UPI has not only revolutionized transactions in India but has also gained international recognition for its remarkable growth. Launched in 2016 by the   National Payments Corporation of India (NPCI)   in collaboration with 21 member banks, UPI quickly became popular among consumers and businesses. In just a few years, it achieved   remarkable milestones : By August 2023, UPI recorded an unprecedented   10.58 billion transactions , with an impressive 50% year-on-year growth. This volume represented approximately   190 billion euros . In July 2023, the UPI network connected   473 different banks . UPI is projected to achieve a staggering   1 ...

AI in Financial Services - A buzzword that is here to stay!

In a few of my most recent blogs I tried to   demystify some of the buzzwords   (like blockchain, Low- and No-Code platforms, RPA…​), which are commonly used in the financial services industry. These buzzwords often entail interesting innovations, but contrary to their promise, they are not silver bullets solving any problem. Another such buzzword is   AI   (or also referred to as Machine Learning, Deep Learning, Enforced Learning…​ - the difference between those terms put aside). Again this term is also seriously hyped, creating unrealistic expectations, but contrary to many other buzzwords, this is something I truly believe will have a much larger impact on the financial services industry than many other buzzwords. This opinion is backed by a study of McKinsey and PWC indicating that 72% of company leaders consider that AI will be the most competitive advantage of the future and that this technology will be the most disruptive force in the decades to come. Deep Lea...