Online banking has been quickly evolving into an immediate payment world, and consumers have come to expect the ability to instantly send and receive funds. Banks know these services are no longer a “nice to have” option, and if they can’t meet the demand, customers will move elsewhere. This convenience for customers has also made committing fraud more convenient for criminals, as witnessed by the increased volume and effectiveness of scams targeting banks and their customers.
Whether the fraud involves an unauthorized or an authorized payment, the issue of customer reimbursement is top of mind for banks around the globe. In this paper, we will explore how eight countries handle reimbursement for fraudulent unauthorized and authorized payments. As banks in most countries generally cover reimbursement for unauthorized payments, this paper will put a greater emphasis on what happens to reimbursement for authorized payment fraud.
Summary of Key Findings

A summary of the key findings on customer reimbursement for financial scams is below:

1. Most countries do not reimburse for authorized payment fraud. Only two countries (UK and the Netherlands) have some voluntary process to consider reimbursing for authorized payment fraud. Some US banks will also voluntarily consider reimbursement for authorized payment fraud.
2. Most countries will reimburse for unauthorized payment fraud, but several countries (Singapore and Canada) require the customer to have been very diligent in protecting their online accounts before there will be reimbursement.
3. Several countries (UK and Singapore) are exploring including both the ‘sending’ bank and the ‘receiving’ bank in the reimbursement solution. The logic is that the receiving bank has commercially reasonable security responsibilities to detect anomalous and fraudulent inbound transactions, and so it should share in the reimbursement.
4. Once the UK and Dutch banks started to reimburse for authorized payment transaction scams, they came up with some innovative solutions to help prevent customers from falling for these scams. These solutions include Confirmation of Payee, behavioral biometrics and small payment delays if the risk score is high. Since the customer is oftentimes on the phone with the criminal while doing the online transaction, their behavior is subtly different, but detectable. The payment delays can be enough to get the customer off the call with the criminal, and hopefully the customer realizes what happened and calls their bank to stop the payment.
5. The UK Contingent Reimbursement Model (The “Code”) has a very broad definition of authorized payment scams for which they will reimburse. It includes more than just consumers and includes romance scams as well.
6. The UK banks want the large tech firms (e.g., Google, Facebook) and telcos to become part of the scam reimbursement process, since many of the scams start on social media or in bogus ads. Data from multinational financial leader Barclays showed that over 75% of scams take place on social media, auction sites or dating apps. Telcos play a role by way of spoofed phone numbers and spoofed text messages, which clearly help ‘legitimize’ the social engineering aspect (e.g., bank impersonation) of these scams. The newly introduced Online Safety Bill in the UK Parliament proposes to require a new ‘duty of care’ for these large tech firms.
7. There is talk in many countries about adding new regulation to provide reimbursement for authorized payment scams, but only the UK and Singapore are taking action.
8. Regulators in two countries (UK and Singapore) have actually prescribed controls for banks to deploy to help prevent these financial scams and the associated losses.