Roundtable Q&A: Challenges of Fraud Prevention in the Digital Banking Era
The rise of fintech applications has made digital payments more convenient for customers, but it has also created new complexities in addressing fraud. Our roundtable discussed the challenges of fraud prevention in the era of digital banking. The conversation highlights the factors banks should consider in the ongoing struggle to balance innovation with security. To mitigate fraud, panelists emphasized the importance of:
- Educating customers on risk factors
- Understanding risk tolerance through data and analytics
- Building strong customer relationships
Moderator:
Chris Couch, Phelps, Partner
Panelists:
Mel Channell, Trustmark Bank, Senior VP and Director of Corporate Security
Jeff Powell, First Horizon Bank, Senior VP and Corporate Counsel
Note: The comments in this article and accompanying video were made on May 18, 2023. This transcript has been condensed for brevity and clarity.
Chris Couch: A recent paper by the Minneapolis Federal Reserve explored issues with payments currently in fraud. They said the rules fundamentally place loss in the hands of the parties who are in the best position to avoid that loss. Do you agree?
Mel Channell: Fraud mitigation is a challenge. There’s no doubt about it. Check fraud has been around forever, but the paper is now meeting the digital world. We’ve created this digital environment for customers, and now legacy fraud is hitting it. So you have to make decisions to prepare. I do believe responsibilities for fraud prevention are fair. Are they worth challenging and discussing? Yes, they are. They will probably change as we move forward.
Chris Couch: Given that we have a legacy system in checks meeting the digital world, do you see areas of contradiction and gaps where the legal overlay doesn’t necessarily lead to fairness?
Jeff Powell: We are a historically check-driven system. Lots of things are based on the Universal Commercial Code (UCC). I agree with what the Fed was referencing about finding the weakest link. However, as new payments technologies have come into play, you have a varying degree of payment rails: card networks, ACH, and many hybrid approaches where a check can start as a check and convert to an electronic check. With all these options, there’s a question of who is in the best position to stop the fraud — is it the receiver, the merchant or the customer? In the past, when a check was deemed not payable, it was a battle between the two banks for who was responsible. Now it’s a little bit harder.
Chris Couch: Do you have an opportunity to deal with that from a documentation perspective? For example, through account holders’ agreements?
Jeff Powell: Absolutely. There are ways to examine statements and set forth different requirements for products to enter positive pay and various security procedures for online banking. There are ways to contract to take control. The regulators have a differing opinion on how much you can contract away. But you can set up the rules for customers.
Chris Couch: In an environment where it is so easy for consumers to transact through apps, not through a bank, does that create an operational challenge for banks, particularly for fraud?
Mel Channell: It does create a challenge. It takes extra headcount to manage that process. Consumers already believe that because you’re the bank, you should pay it back regardless. We have to do a better job educating consumers. We have to figure out how to manage the mitigation of fraud. It gets back to knowing your customers. Years ago, small banks, they knew their customers. They knew their spending habits. They knew their checks. As you get more digital, that doesn’t happen. The larger you get, you can’t examine every transaction. Now, you have to have a system that learns their behavior. You also have to look at every payment channel.
Jeff Powell: Managing fraud is a difficult process due to various payment channels and different timelines involved. It requires a lot of effort to identify issues, and it's a challenge to keep customers happy while meeting regulatory requirements.
Mel Channell: The question of what constitutes reasonable security and what practices are ordinary and reasonable is important. Will we need to add an extra layer of security for customers in the future? For example, having a hard token as opposed to a soft token?
Chris Couch: The Federal Financial Institutions Examination Council (FFIEC) issued guidance a couple of years ago encouraging multi-factor authentication. How are you facing this challenge?
Jeff Powell: You have all this pressure to combat fraud and there are things you can do to shore that up. At the same time, there is pressure from the customer-facing side to make things more seamless. The whole fintech industry is geared toward making payments faster, quicker and less challenging. Less fumbling around in your pockets for your four-digit code that changes every 15 seconds. A lot of the time, those are competing interests. There's a tension between providing secure transactions and making things quick and seamless for customers. There’s always going to be fraud. There needs to be a baseline effort, but recognizing spikes in fraud and vulnerabilities is crucial.
Chris Couch: One thing that’s interesting to me is check fraud. We’re seeing a huge amount of check fraud across our customers. Checks have been around forever. What’s going on?
Mel Channell: The world is cyclical. Years ago, we saw a spike in card fraud, so everyone was focused on card fraud. Our card rails have done a great job because we learned behavior. You learn where fraud occurs. The squeaky wheel gets the grease, and when the attention was on cards, fraud shifted to checks. With check fraud, a huge problem is theft in the mail. The U.S. Postal Service is making changes. They're going to change the mailboxes and do other fixes, but it’s not going to stop overnight. Things will improve when we start getting more analytics in place at the time checks are deposited. This is where real-time comes in.
Chris Couch: You’re talking about some hefty technology.
Mel Channell: It is hefty technology. You need strongly experienced third parties and to build great relationships with them. Technology is not going to replace people. You need the indicators, but also need people to look at the results and say, “this is a problem.” We’re expected to protect the consumer, and technology is the only way you get there.
Chris Couch: Shifting back to the idea of who is responsible for losses, if checks are taken out of mailboxes and fraudulently deposited through online software, who bears the loss?
Jeff Powell: It depends on a number of factors. Was it the original check? Was there a forged signature? How was it presented? Was it altered in some way? Any of these may change how the process is handled. It creates a lot of complexity and takes a lot of hours to sort out.
Chris Couch: Under the UCC, banks have the ability to reduce or extend the time customers have to review bank statements to report fraud. With online bank statements posted in real-time, is there an opportunity for banks to limit their liability by reducing the deadline for reporting fraud to zero days?
Mel Channell: I’m in favor of it. Anybody that does online banking is logging in every day. That said, I don’t foresee it happening unless the industry, as a whole, wants to do that. Not all of our customers do online banking.
Jeff Powell: I question if it’s possible to change the notice window without guidance from regulatory agencies. There’s a question of what the official record of the transaction is and when the notice begins. Is it when the transaction is posted online or when the monthly notice is sent? There’s always going to be a batch delay, even for real-time systems.
Chris Couch: As we move more toward real-time digital banking, courts are revisiting issues that appeared settled. Some rulings suggest customer agreements are not the end of the discussion. Can banks still trust the notion of a reasonable security procedure?
Jeff Powell: Yes, but should every bank take a fresh set of eyes to those procedures? Absolutely. It needs to be a frequent review. The industry has gotten lazy in relying on basic security questions and passwords. The challenge is to figure out when to create security enhancements. In a perfect world, we would risk-rate everyone and have different positions based on dollar amounts. We do have systems in place to tailor risk based on certain limits, but there's more to it. There have been some cases in the past where expert witnesses from other banks were brought in to compare facts, but it's not a common practice. However, it wouldn't surprise me if it became more prevalent. The challenge is that when we compare, larger banks with substantial technology budgets may be the ones setting security procedures. This could create an advantage for them while others struggle to keep up.
Chris Couch: Smaller banks with around $250 million in assets can't possibly keep up.
Jeff Powell: Interestingly, the new payment technologies and fintech introductions are influenced by the European model, where card-based transactions are prevalent. In the U.S., we have been primarily check-based until recently, when debit cards and ACH transactions gained popularity. The new payment rails, like faster payments, introduce more fraud, but they also provide real-time data for tracking purposes. That gives you a better picture of where the money is going.
Chris Couch: So, banks have the data. How can banks use that data as a shield to prevent fraud rather than as a broom to clean it up?
Mel Channell: Learning from the fraud trends in Europe is important since they often reach the U.S. after a few years. Financial institutions, especially larger ones, are ahead in terms of data analysis and knowing how to detect and prevent fraud. They have buildings full of data scientists. However, understanding customer behavior takes time and depends on factors like account activity, logins and check-writing patterns. Identifying red flags in the digital world, such as login locations, becomes crucial. But it's a challenge when customers provide unsatisfactory answers during fraud investigations. Are you going to lock them out or just put their account on watch? We need to find a balance between protecting the customer and preventing fraudulent activities. It takes data and it takes learning customer behavior.
Jeff Powell: It’s also about the kind of fraud you want to prevent. Many types of fraud involve customers willingly sending money. Data can be used to notify customers that a transaction was made, but it can also be used to warn customers about bad actors. Data can be used in many ways.
Chris Couch: Does customer education play a role?
Jeff Powell: Many payment apps have a high share of fraud related to customers misunderstanding that the payment is in real-time. Once you hit send, the money is gone. Banks are in a relationship-oriented business. Smaller community banks have an advantage in quickly identifying suspicious activities due to their knowledge of customers and locations. For real-time payment systems, verifying accounts and managing risk become critical factors.
Chris Couch: We’re in a world where you can open accounts from anywhere in the country. Is knowing your customer realistic for many banks?
Mel Channell: It is a challenge. You don’t get to know your customers personally. The challenge is properly authenticating customers. Anything a customer can do, a bad actor can do, too. You have to be thoughtful when you design the systems.
Jeff Powell: I think it’s a balance. You have to understand who your customers are and understand the risk profile and development of your products. If you’re headquartered in Tennessee and suddenly have 1,000 accounts in one area of California, how did they come? How did they stumble onto your website? You’re not marketing to them. So, it really is a development of a product and securing it. It's about understanding what activity you're getting and what risk that poses, and then being able to respond to it.
Chris Couch: We’re seeing more banks who have these technical products designed for commercial customers who are putting consumers in them. For example, high net worth individuals. That’s challenging because generally consumer law will win, but it’s still a customer-driven need. How do you address that?
Jeff Powell: It is something that faces us every single day. Your commercial systems are a lot more sophisticated than your normal retail systems, and they're just not designed for consumers. From sharing of information to linking of accounts, it is challenging. There are layers of complexity. Customer education is key, and banks need to decide on this. It's a challenge to match different products and layers across customer types. I wish there was clear regulatory guidance to avoid risks like initiating funds transfers out of a consumer account. As it stands, some customers won't understand the risks until something bad happens.
Mel Channell: Customer education is key. If we combine personal and business accounts into one platform, customers really need to understand the exposure. It's a hard discussion. Customers may not understand the risks involved in giving administrative level credentials to bookkeepers or accountants. The various payment systems can be confusing, and mistakes can happen. You better have analytics in place to identify the fraud.
Chris Couch: Considering all we’ve discussed about the potential for errors in digital payments, are we in a universe where banks are absorbing losses even if they are not in the best position to avoid them?
Mel Channell: We are finding ourselves in that position. Reputation is always at stake, and there are battles between the banks over interpretation and where to place responsibility. Banks will face challenges, but they need to adapt to the changing demands of customers. People want services quicker. The tolerance for waiting has dropped.
Jeff Powell: In a way, banks are being asked to insure against mishandling by service providers. There is a lot of trust by customers that when something is entered into the system, it will go to the right place. There are so many on-ramps and off-ramps to the various payment systems that when someone makes a mistake (either the customer or a provider) it comes back to the bank. Ultimately, it’s a risk that banks accept as part of the business. It falls on the bank to figure it out. We find ourselves increasingly being positioned to act like a small insurance company, covering third-party service providers.
Chris Couch: What I’m hearing through all of this is there is nothing new under the sun. Fraud has always been around. What is different now is that technology is blending the payment rails, and fraudsters are taking advantage of this confusion. It sounds like the primary mitigation tool may not be technological, but may be relationships. Knowing your customers.
Jeff Powell: While there is always hope for a white knight technology that will make fraud go away, I just don’t think it’s there. Technology alone is not the solution.
Mel Channell: Smaller institutions know their customers better and can manually address issues. Larger institutions rely more on technology and software provided by third parties. In the end, though, knowing your customers and building relationships are the keys to mitigating fraud.