Payment fraud remains a hot topic in the financial services industry (cf. my blog "Payment Fraud Exposed: Top Techniques and How Financial Institutions Respond" - https://bankloch.blogspot.com/2025/01/payment-fraud-exposed-top-techniques.html for more info). Despite significant investments in fraud detection and prevention, fraud continues to rise. Fraudsters are becoming increasingly sophisticated, leveraging tools like generative AI and operating in a more professionalized manner. Simultaneously, regulators are holding financial institutions increasingly accountable for customer losses resulting from fraud.
Currently, fraud is primarily tackled through two key methods:
Customer education – Banks, federations and governments run awareness campaigns to inform customers about risks and best practices (e.g. a bank will never ask for your PIN or password, and you should never access your bank via a link in an email, but always through the official URL).
Fraud detection systems – Advanced platforms using complex rules and AI to identify and block anomalous payments based on detected patterns.
While both are essential pillars in combating financial crime, it’s time to bring these two worlds closer—by increasing real-time interaction with customers during the payment process.
It’s important to distinguish between two types of fraud:
Account Takeover (ATO) fraud – where the fraudster gains control of the customer’s account and operates as the legitimate user.
Authorized Push Payment (APP) fraud – where the actual user is manipulated into sending money to a scammer.
In ATO fraud, user interaction during the payment process isn’t helpful since the fraudster is already in control. However, dynamic risk-based authentication can play a crucial role. As soon as abnormal behavior is detected (during login, navigation, or transaction initiation), additional authentication can be triggered. For more information, see my blog "Multi-Factor Authentication and Identity Fraud Detection in the Financial Services Industry" - https://bankloch.blogspot.com/2020/02/multi-factor-authentication-and.html.
This involves evaluating various factors such as IP address, geolocation, operating system and version, browser fingerprinting, device behavior, and navigation patterns. Deviations shouldn’t result in automatic blocking, as there may be legitimate reasons, but should prompt extra verification: PIN, biometric ID, personal questions, side-channel confirmation (e.g., email or call). Users can also configure self-protection settings like transaction limits or geographic/time-based restrictions.
For APP fraud, the challenge is different, as the customer is the one initiating the payment. In these cases, additional authentication doesn’t help, as it is the right customer initiating the payment. Today, detection typically occurs only after the payment is submitted. This reactive approach is inefficient and often disruptive, especially in the case of false positives.
What if we could move the fraud check forward—right to the moment the user initiates and signs the payment? This strategic shift could deliver several benefits:
Earlier fraud detection: improving operational efficiency and customer satisfaction.
Real-time feedback loops: confirmed fraud cases (and confirmed false positives) can train the detection engine more effectively, which also helps the institution better protect its other customers from similar scams.
Improved customer education: well-timed warnings work better than general awareness campaigns.
Enhanced trust: users feel better protected and more engaged.
To enable this “pre-scoring” mechanism at payment initiation, several adjustments are needed:
Fraud engines must integrate directly with front-end channels like mobile and online banking.
Thresholds for fraud checks at this stage should differ from those applied post-submission—more conservative but less invasive.
The engine should provide a fraud score and a recommendation: from extra authentication and dynamic warnings to awareness questionnaires or even triggering a 4-eyes principle (e.g. requiring co-signature).
In critical scenarios, the system could prompt immediate outreach—such as an automated call to the customer routed to support staff.
Front-end systems must be adapted to act on the fraud engine’s responses—displaying alerts, questions, authentication steps, or enforcing dual approvals.
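The sketch below is an added example, not code from any fraud engine or vendor named on this page: it shows how an engine could return a score plus a recommendation that differs between payment initiation and post-submission, while treating context deviations (the ATO case) as a reason for step-up authentication rather than blocking. All signal names, weights and thresholds are constructed, and reading "more conservative but less invasive" as lower trigger thresholds with milder actions is an assumption.

```python
from dataclasses import dataclass, field

# Constructed weights; a production engine would derive these from rules/models.
ATO_WEIGHTS = {"new_device": 30, "geo_mismatch": 25, "odd_navigation": 20}
APP_WEIGHTS = {"new_payee": 25, "amount_above_usual": 25,
               "payee_name_mismatch": 35}

# Per-stage ladders of (minimum APP score, recommendation), highest first.
# Initiation triggers earlier but with milder actions (assumed interpretation).
LADDERS = {
    "initiation": [(80, "outreach_call"), (60, "co_signature"),
                   (40, "awareness_questionnaire"), (20, "dynamic_warning")],
    "post_submission": [(85, "block"), (60, "hold_for_review")],
}
STEP_UP_AT = 25  # ATO score from which extra authentication is requested


@dataclass
class Decision:
    score: int
    recommendations: list = field(default_factory=list)


def pre_score(signals, stage):
    """Score the observed signals and recommend front-end actions for a stage."""
    unknown = set(signals) - set(ATO_WEIGHTS) - set(APP_WEIGHTS)
    if unknown or stage not in LADDERS:
        raise ValueError(f"unsupported input: {sorted(unknown) or stage}")
    ato = sum(ATO_WEIGHTS[s] for s in signals if s in ATO_WEIGHTS)
    app = sum(APP_WEIGHTS[s] for s in signals if s in APP_WEIGHTS)
    decision = Decision(score=min(100, ato + app))
    # Context deviations suggest account takeover: verify the user, do not block.
    if ato >= STEP_UP_AT:
        decision.recommendations.append("step_up_authentication")
    # Payment-level signals suggest manipulation: authentication would not help,
    # so pick the strongest customer interaction the score justifies.
    for minimum, action in LADDERS[stage]:
        if app >= minimum:
            decision.recommendations.append(action)
            break
    return decision


if __name__ == "__main__":
    for sig in ({"new_payee"}, {"new_payee", "payee_name_mismatch"}, {"new_device"}):
        print(sorted(sig), pre_score(sig, "initiation"),
              pre_score(sig, "post_submission"))
```

The same signals produce a warning at initiation and no action post-submission when the score is low, which is the point of using separate thresholds per stage.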
Additionally, we could explore a few other ways to collaborate with customers in avoiding fraud:
Verification of Payee (VoP): This service verifies the recipient of a payment to ensure the funds are going to the correct person, preventing both APP fraud and accidentally misdirected payments. Companies like SurePay, OB Connect, Worldline, Tell Money, iPiD and Banfico offer this service.
Undo accidental payment: Offer a 10 to 60-second window after payment confirmation during which users can cancel the transaction. Mistakes—like adding an extra zero or sending money to the wrong recipient—are common. This feature provides a brief but valuable opportunity to correct them. Monzo has recently implemented this capability.
Check the Call: Enable customers to verify whether they’re genuinely receiving a call from their bank. This helps prevent scams where fraudsters impersonate bank representatives. ING and Monzo have both introduced this feature.
Assess counterparty risk: When dealing with an unfamiliar counterparty, it’s essential to assess their trustworthiness, solvency, and liquidity. Capilever’s Counterparty Risk Assessment (CPRA) offers individuals a way to evaluate this risk before proceeding with a transaction.
For more innovative techniques from neobanks tackling fraud, see my blog "Fraud Prevention 2.0: How Neo Banks Are Setting New Standards" (https://bankloch.blogspot.com/2024/07/fraud-prevention-20-how-neo-banks-are.html).
These approaches aren’t just about stopping fraud; they’re about stopping it smarter and sooner. By moving checks to the moment of payment initiation, institutions can respond faster and work in closer partnership with their customers to outsmart fraudsters.