Combating instant payments fraud in the EU

The financial industry is moving rapidly towards instant payments - in the EU, 7.6 billion instant payments were made in 2023, and this is projected to nearly triple to 21.2 billion by 2028. But the speed of change has introduced new fraud risks that banks and payment service providers (PSPs) across the EU need to address quickly.

Fraud teams are already seeing worrying trends. Authorised Push Payment (APP) fraud is growing quickly across Europe, worth up to €2.4 billion and growing by up to 25% each year. Customer service teams are also handling more fraud-related complaints.

Ultimately, people and businesses want the same protection they trust from traditional banking, even when money moves in seconds rather than days. But achieving this balance between speed and security will be difficult.

In this article, we’ll uncover the key fraud threats facing instant payments and how banks and PSPs can protect their customers while continuing to provide an excellent customer experience.

Today’s fraudsters combine social engineering with sophisticated phishing attacks to exploit bank and PSP payment systems. They may send convincing fake emails and text messages that can trick people into revealing personal information. They create new counterfeit identities. They may use psychological manipulation techniques to bypass security and take over one-time passwords. Or they may even use AI to create targeted attacks based on social media data.

Their impact is huge. Over €1 billion of fraudulent credit transfers were sent by PSPs within the EU and EEA in just the first half of 2023. During the same period, card fraud across the EU and EEA totalled €633 million.

While losses from fraud continue to add up, the use of instant payments is growing even faster. By 2027, nearly 28% of global electronic payments are expected to be processed in real-time. And with over half of European e-commerce sales now made using a smartphone, fraudsters are finding new ways to attack.

The challenge for banks and PSPs is to strengthen their fraud prevention measures fast enough to keep pace.

The features that make instant payments great for customers also appeal to fraudsters... money moves in seconds, funds are available immediately and payment systems work 24/7. These seem like perfect conditions to commit fraud at any time.

Banks and PSPs face three main challenges:

• Less time to detect fraud: With payments processed in less than 10 seconds, fraud systems need to work incredibly fast to detect and stop fraudulent payments.
• No ability to recover funds: Money can be withdrawn immediately after payments complete, which makes recovering funds almost impossible.
• International complications: Instant payments made between countries involve adhering to multiple regulations (e.g. reconciling incompatible screening requirements), which can make fraud prevention harder.

Since most card fraud (71% of total fraud value) and a large share of credit transfer (43%) and direct debit (47%) fraud involved cross-border transactions in 2023, this makes it a particularly challenging issue to address.

Money muling involves people allowing their bank accounts (knowingly or unknowingly) to be used to move stolen money. ‘Muling’ has become a key part of modern financial crime, helping fraudsters quickly move and hide money.

Instant payments have made money muling easier than before:

• Stolen money can move through several accounts in minutes, before anyone notices something’s wrong
• Money can cross borders instantly, making recovery complicated due to different legal systems
• Current fraud monitoring systems are designed for slower payments and often miss suspicious instant payments
• Most bank customers don’t understand how money muling works, leaving them especially vulnerable

The threat is so great that the need for banks and PSPs to adapt to the increasing challenge of money muling has been highlighted by The European Banking Authority (EBA).

Preventing fraudsters from entering the payment system is a major challenge. To meet it, banks will need to incorporate multiple layers of security to identify fraudulent activity before money leaves customers’ accounts.

The following approaches should be considered:

• Better identity checking: Banks can use biometrics (e.g. fingerprint scanning and facial recognition) and analysis of how customers typically use their accounts to verify whether the person making a payment is genuine. The EU Payment Services Regulation (PSR) also requires PSPs to implement monitoring mechanisms that analyse historic payment transactions, including “environmental and behavioural characteristics” that are typical of a customer’s usage.
• Instant monitoring: Banks can use AI systems to spot unusual activity in just milliseconds. In fact, the European Commission’s Payment Services Directive 3 (PSD3) highlights the importance of transaction monitoring that makes full use of innovative technology like AI.
• Protecting vulnerable customers: Banks should set up special monitoring for groups at higher risk (e.g. students, elderly people and those facing money troubles).
• Education campaigns: Banks can help their customers understand money muling risks and how to stay safe online and offline.

New regulations like the proposed PSD3 and PSR are raising the bar for fraud prevention in the EU. These upcoming rules aim to better protect consumers and businesses from the growing threat of financial fraud.

Recent regulatory developments require banks in some markets, such as the UK, to reimburse fraud victims quickly when fraud occurs (unless there’s clear evidence of customer negligence). This approach will create a safer banking environment because it ensures customers aren’t left bearing the financial losses from scams. It also encourages banks to invest in better fraud prevention systems.

Three particularly important trends are emerging:

• Enhanced security requirements: The European Commission will be extending the compulsory IBAN/name checking service (Confirmation of Payee) to regular credit transfers, and also reinforcing Strong Customer Authentication (SCA), which is “already producing spectacular results” in reducing fraud.
• Shared liability: The EU is considering following the UK’s approach of split liability between the bank of the payer and the bank of the payee. If done, this would incentivise the receiving bank to combat fraud too, encouraging a more comprehensive approach to fraud detection across the entire transaction chain.
• Improved transparency: PSD3 aims to combat payment fraud by enabling PSPs to “share fraud-related information between themselves” and increasing consumer awareness of how their banks handle fraud and reimbursement. It’s hoped that this will foster accountability within the industry.
• Securing the first critical step of the online payment with Verification of Payee: VoP directly tackles this problem by adding a simple but effective verification step to the payment process.

Meeting these requirements will require significant investment in technology and processes, leveraging technologies such as machine learning and real-time transaction analysis.

Banks and PSPs will need to review their existing systems, update their fraud detection processes and train employees on the new requirements. They’ll also need to develop clear policies on what’s considered ‘normal customer payment behavior’ and establish guidance on the appropriate security checks needed for different transaction types and risk levels.

To address the evolving challenges of instant payments, G+D Netcetera has developed a comprehensive security framework that combines cutting-edge technology with practical implementation.

Our solution includes:

• Strong authentication: We implement advanced security protocols, including FIDO standards and secure tokens, to create robust defences against authentication compromises. This approach shifts the security burden from users to technology, significantly reducing the risk of unauthorized access even when customers are targeted by convincing scams.
• Behavior analysis: Our SDK analyses how users interact with their devices during registration and when making payments, creating unique profiles that are difficult for fraudsters to copy. By employing the latest techniques, we can strengthen security without compromising user experience.
• Smart transaction monitoring: Our systems analyse payment patterns in real-time, identify anomalies that may indicate fraudulent activity. They also adapt to new fraud patterns as they emerge, and provide predictive fraud prevention. This comprehensive approach enables us to spot suspicious transactions in milliseconds, keeping pace with the speed of instant payments.

Through better technology, industry cooperation and customer education, we can deliver both the speed and security that modern banking needs.

Want to learn how G+D Netcetera can help your bank implement secure real-time payments? Get in touch with our experts.