Facing the Reality of Real-Time Payments: Are Anti-Fraud Protections Up to Speed?

Behind the screens of online commerce, money may not be moving as fast as it appears. It has taken years to implement payment-system upgrades to enable actual real-time transaction processing.

More than 60 countries have made the leap to at least some extent. The U.S., the world’s biggest economy, has been playing catch-up mainly through a private-sector initiative, The Clearing House’s (TCH’s) RTP platform. The Federal Reserve’s FedNow Service, with an initial phase-in set for July, promises to take real-time payments further into the business and consumer mainstream – and with them, a new and crucial test for fraud detection and prevention technologies.

FedNow “will enable financial institutions of every size, and in every community across America, to provide safe and efficient instant payment services,” Fed Governor Michelle Bowman said in an August 2022 speech. Bowman and other officials have repeatedly asserted that the FedNow project is separate from consideration of a potential central bank digital currency, although she added, “My expectation is that FedNow addresses the issues that some have raised about the need for a CBDC.”

While more than 100 countries are exploring CBDCs, according to the Atlantic Council, opposition is mounting in the U.S., mainly among Republican politicians voicing concerns about government overreach and surveillance. One proposed bill would bar the Fed from even launching a pilot.

According to a Cornerstone Advisors study, coming into 2023, 13% of U.S. banks and credit unions had deployed real-time payments, and another 30% planned to go live with them this year. Of those 30%, 36% planned to use FedNow; 28% both FedNow and TCH’s RTP; and 13% the TCH offering alone. The latter has been in operation since 2017 and has more than 120 participating institutions.

Source: The Clearing House

In remarks June 13 at the Transform Payments USA conference in Austin, Texas, Graham Steele, assistant Treasury secretary for financial institutions, said the presence of two operators will attract more banks to real-time payments along with the benefits of competition, innovation and, when necessary, system redundancy to ensure resilience. He said that the U.K.’s Faster Payments Service, which was introduced in 2008 and processed 3.9 billion payments last year, has been transformative in terms of “speed, efficiency and inclusivity.”

Steele added that faster payments require “responsive risk management, error identification and fraud response,” and the fraud scenarios are “more complex and intricate than in traditional deferred-settlement payment systems.”

Real-Time Risks

As stated by the Fed’s Faster Payments Task Force, which issued a “call to action” back in 2017 for “ubiquitous faster payments” by 2020, “There is not only a greater demand for speed, but also for secure handling of payment data.” A key risk management concern is that “with some current payment methods, there is a lag between the point when a payment is authorized and when the funds are debited and credited, with finality, to the payer and payee’s accounts. This leads to uncertainty in managing account balances and creates a risk that the payment could be reversed or canceled.”

Enter artificial intelligence (AI) and machine learning (ML).

Grant Vickers, head of financial crimes strategy for AI vendor WorkFusion, pointed out that sanctions screening and other alerts must be automated to keep payments flowing in or near real time and “deliver a seamless customer experience.” The risks and compliance burdens escalate when transactions go across borders.

With the expectation that real-time payments will be growing exponentially, “it has never been more important for organizations to leverage all the tools at their disposal, including AI, to ensure fast, seamless screening and continuous monitoring to identify potential financial crime activity for both domestic and cross-border payments to ensure customer experience and prevent regulatory violations,” Vickers wrote in a Payments Journal article.

Playing to AI’s Strengths

Recently announced cases in point include AI-powered transaction monitoring from Fenergo, following its 2022 acquisition of Sentinels, to instantaneously detect suspicious activity and reduce false positives; and NICE Actimize’s Money Mule Defense Solution, which “utilizes deep learning models and purpose-built expert features” to detect irregular money movements, whether intentional or unwitting, in real time.

Sudhir Jha of Brighterion

“It is not only feasible, but essential, to use AI/ML to combat financial crime and fraud,” says Sudhir Jha, senior vice president of Mastercard and head of Brighterion, a long-established AI innovator that the global card and payments organization acquired in 2017.

Noting that financial fraud management was one of the earliest applications of AI/ML tools, Jha adds, “Ability to establish patterns and profiles, predict behavior and detect anomalies are the strengths of AI/ML technology – and they provide a good foundation to build a comprehensive solution for fighting fraud and reducing risks.

“Accurate and sophisticated AI/ML models can do this without impacting too many good customers and transactions - which is a critical priority for most organizations.”

Reaction Time Shrinks

Matthew White, co-chair of the Financial Services Cybersecurity and Data Privacy Team at law firm Baker Donelson, focuses on the high stakes of speed “compound[ing] many of the challenges in combating fraud. These payments are processed immediately and are irrevocable,” he explains, not allowing time for conventional, albeit well-seasoned, fraud detection and prevention measures, “or the ability of a consumer to recall the transaction.”

Matthew White of Baker Donelson

What’s more, White says, “when a fraudster receives funds in a real-time transaction, they can withdraw the funds (and generally move them somewhere else) immediately, which makes tracking and recovering fraudulent payments much more difficult.

“This means that fraudsters can exploit vulnerabilities in real-time payment systems or manipulate individuals on either side of a transaction (usually either convincing someone to submit to the fraudster a real-time payment, or modifying the payment information to divert funds into the fraudster’s account), and steal money before anyone realizes what has happened.”

Essential Accuracy

There is a tradeoff between eliminating friction in a transaction and allowing for stepped-up authentication or other measures to ensure safety.

“Some real-time payments networks have limited claw-back in the event of fraud occurring through scams or account takeover,” says David Stewart, director of financial services in SAS’s Fraud and Security Intelligence Global Practice. The need to both authenticate the sender and validate the receiver to minimize fraud risk makes “real-time decisioning essential for all parties in a transaction. That puts a premium on the accuracy of the data and decisioning tools.”

“If the algorithms are not accurate, incorrect results can cause privacy harms” to individuals, as well as regulatory non-compliance, undiscovered fraud and other problems, says Rebecca Herold, CEO of Privacy and Security Brainiacs in Des Moines, Iowa. “If the data input to them is used by other organizations, the risks of noncompliance with multiple legal requirements, as well as exposures and breaches of personal data, are also significant.”

Biometrics Boost

Biometrics software is increasingly used to spot synthetic identities, phony credit applicants and bogus payment transactions in real time, according to Domingo Guerra, executive vice president of Incode Technologies in San Francisco.

“AI-powered biometrics enable consumers to link difficult-to-spoof identity characteristics” such as facial templates or fingerprints to a payment card and facilitate contactless payments, Guerra says. “It is much harder for a thief to replicate a person’s physical characteristics than it is to misappropriate other forms of authentication credentials.”

Because it is more secure than passwords or token-based authentication, biometric verification can meet a high standard for identification while upgrading banks’ historically manual, delay- and error-prone compliance operations, where they are exposed to regulatory penalties. (See Financial Crime and Compliance: Regulatory Responsibility Is Not Just on Banks.)

The Onboarding Stage

Hal Lonas, chief technology officer of digital identity company Trulioo, highlights three areas for application of AI and ML tools: upfront verification, re-verification, and the monitoring of device signals and velocity of transactions.

Hal Lonas of Trulioo

Chief information security officers (CISOs) “need to consider how much friction they want to apply through various points in the system,” Lonas says. “It’s not one-size-fits-all, and we must be flexible and thoughtful in the approach.

“Ultimately, the more verification you do upfront in the onboarding process, the more likely institutions are to catch fraudsters before they get in.” And firms must be on alert for synthetic or fake identities and when changes are entered in customer information, which can be an opening for compromise.

AI in Perspective

Despite AI’s undeniable advances and advantages, Martin Markiewicz, co-founder and CEO of anti-financial crime technology company Silent Eight, warns against blind faith and complacency: “To effectively combat fraud, it’s important to have a comprehensive and multifaceted approach that includes a combination of technology, processes and training.

Martin Markiewicz of Silent Eight

“This is where the AI conversation often falls down,” Markiewicz maintains, “with the view that unless it can do everything, it’s just not worth it. The best AI tools and implementations work perfectly and remove a huge burden from investigators, which creates bandwidth for the cases that AI cannot resolve.”

Meanwhile, “Regulatory expectations are catching up to the real-time pace of the digital economy,” notes Cynthia Printer, director, financial crime compliance and payments, LexisNexis Risk Solutions. “Regulators are signaling that they expect companies to equally apply the technology expertise they use to accelerate business growth to how they manage fraud and compliance risk. Regulators expect businesses that can facilitate instant payment transactions to be capable of leveraging technology to manage risk in real time as well.”

"No AI system can replace human intel,” says Braden Perry of law firm Kennyhertz Perry. “But it can assist in monitoring for risk. Accessing large amounts of data into a usable form for human review can make a daunting task more efficient. But while managing risk is imperative, over-managing risk can also hinder business practices. So it’s imperative that BSA/AML [Bank Secrecy Act/anti-money laundering] staff are capable of striking the balance of managing risk and procedures while ensuring the business is functioning correctly and securely.”