
When it comes to online fraud, who bears fraud liability? That's the pressing question for governments, banks, and, most recently, big tech. Answering that question is urgent because scams and financial fraud, particularly authorized push payment (APP) fraud, are in a global crisis. The numbers speak for themselves:

  • UK: £583 million APP fraud losses in 2021, a 71% increase from last year 
  • US: $5.8 billion fraud losses in 2021, a 70% increase from 2020
  • Australia: more than $2 billion in fraud losses in 2021 
  • Brazil: more than £1.3 billion in reported fraud in 2021
  • India: 604 billion rupees ($76 billion) lost to fraud in 2021

We know the shift to digital social spaces, eCommerce, and new payment types is driving this explosion in fraud. But what we haven’t figured out is who is responsible for fraud losses. 

Factors Slowing Down an Authorized Payment Scam Solution

Determining liability is challenging in a digital-first world because so many fraud schemes exist. There are romance scams, impersonation, employment, and so on. The list is endless. Each of these types of scams has a different starting point. Some might initiate via email or text. Others start on a social platform. Still others on an eCommerce site or even in an app store.

We also have to look at payment types. P2P payment schemes and platforms, such as Zelle or Venmo, pose a real threat because customers initiate instant payments to unvetted, unknown payees. Once the customer hits send, that money is gone. 

If a scam originates and develops on a dating app (big tech) and is paid out through Zelle (banks), who should be responsible? Big tech says the banks, and the banks say both. 

Fraud Liability: A Scenario Born of Technology

While regulators, banks, and big tech argue over who is responsible, the courts are starting to weigh in. Sweden’s Supreme Court recently ruled that a phishing victim was not liable for fraud losses despite being found to have acted with significant negligence. But is it fair to place the liability solely on the bank?

Email service providers deliver phishing emails enabled by internet service providers. Why aren’t those technology companies liable for failing to protect their users or for allowing fraud to flourish on their products? Let’s dig into this a bit more. 

Let’s say a woman, we’ll call her Ines, is active on Facebook. She posts pictures of her children and talks about their milestones. She shares her vacations online. Her new kitchen renovation? Yes, she posted about that too. 

Roger, a fraudster, is also active on Facebook. He’s been following Ines’s posts. You might even say he’s been studying them. Soon, Roger has enough information about Ines that he reaches out to her pretending to be her bank. He knows so many things about her that she doesn’t even question his legitimacy. He tells her she needs to transfer money from one account to another because a fraudster has accessed her account. 

She believes him so wholeheartedly that even when she receives texts and alerts from her bank, she ignores them. She transfers the money as instructed. Except, of course, there isn’t an issue with her account. She’s just authorized a payment to a fraudster. Roger wastes no time; within minutes, he withdraws Ines’s money.

So who bears the financial responsibility for fraud?

In this scenario, is Facebook responsible for allowing scams on its site? What about the app store where Ines downloaded the Facebook app? Or perhaps it’s the internet service provider who enabled all of these players? And what about Ines herself?  Does she bear any responsibility for failing to protect herself from scams?

The digital landscape is varied, and each step has the potential to enable fraud. Why, then, should banks be solely responsible for online fraud? The truth is that making banks solely liable for online fraud is a last-century, linear solution to a digital, future-forward problem.

The pressure to make banks liable for online fraud is mounting, and banks are fighting back

There is no simple answer for who is responsible for online fraud today. In the UK, banks use the contingent reimbursement model, which is a voluntary code to reimburse online fraud victims. But they don’t always reimburse victims of APP fraud, typically reviewing them on a case-by-case basis. The US doesn’t have a rule yet, but that will likely change. The Consumer Financial Protection Bureau (CFPB) is soon expected to make an announcement that will prod banks into reimbursing P2P money transfer scam victims. This would essentially categorize P2P fraud as authorized payment fraud. It’s unclear if that announcement will come with regulations. 

While the CFPB’s intentions are pure, these changes will likely cause new fraud. Remember, fraudsters thrive via innovation. If and when the CFPB treats P2P fraud as fraud instead of an authorized payment, expect to see a surge in first-party fraud, also known as friendly fraud. 

Furthermore, putting all the onus on banks is short-sighted. Regulators must look to the near future when smart homes are commonplace, and the Metaverse is a real thing. How can any entity expect banks to bear the brunt of the exponential growth of digital vulnerabilities?

Implementing Polluter Pays Framework for Fraud Liability

Large UK banks recently proposed a polluter pays solution for online fraud. Polluter pays is a principle borrowed from environmental law, which makes the parties who produce pollution financially responsible for the damage that pollution causes. In the case of an online fraud polluter pays framework, tech companies such as Apple, Meta, and Alphabet would contribute to a reimbursement fund for fraud victims. 

The obvious pro of a polluter pays solution is that it incentivizes big tech to address fraud. The cons of polluter pays surround its enforcement and logistics. The planet is on fire; polluter pays isn’t working. Would banks fare any better with their model?

In the best-case scenario, one where big tech sees fraud as part of their ESG responsibilities, a polluter pays model will take years to develop. Questions surrounding governance and geographies abound, and we haven’t even touched on how data would be safely shared across industries or how fraud would be identified.

How Banks Can Bring Big Tech to the Fraud Liability Table

If banks are serious about implementing a polluter pays framework, they must lay the groundwork for it. An impactful way to do this is to report fraud losses by source, not by the scam type. If banks worked together to label fraud sources, that evidence would impact governments and consumers. 

Imagine the impact on policy if banks can clearly demonstrate the source of fraud. 

“Phishing scams” has little emotional resonance with consumers. But a headline stating “Fraud originates on Facebook,” for example, certainly would. 

4 Solutions Banks Can Implement Today to Stop Authorized Payment Fraud

Asking for a policy is a start. Reporting fraud by source is an incredible start. But what can banks do right now to fight authorized online fraud?

These are solutions that exist today that can help stop authorized online fraud. 

  1. Confirmation of payee. Every bank should do as much as they can to confirm the legitimacy of the payee before allowing customers to transfer payments to new payees. This includes checking that the name of the payee is the same name on the receiving bank’s information. 
  2. Transaction fraud. Banks should have fraud detection and prevention solutions that monitor each transaction for anomalies. 
  3. Customer alerts. Alert customers in real-time, providing education and scam prevention tips before approving a transaction. This allows customers some time to consider and understand that the transaction they’re attempting to initiate might be a scam.  
  4. P2P payment delay. Instant payments mean instant fraud. Most P2P payments don’t require an instant transaction. Implement a delay of several hours with all P2P payments, and impose dollar amount limits for transfers to new payees; align the limits to the bank’s risk appetite and strategy. 
  5. Behavioral biometrics. Behavioral biometrics isn’t just for unauthorized transactions. If a customer is reacting to information they’re receiving from a fraudster, they will likely behave differently, such as entering information slower than they usually do. Implementing behavioral biometrics goes a long way in preventing fraud. 
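
As an added illustration (not code from the article or from any bank), here is how confirmation of payee, a new-payee limit, the customer alert and the P2P hold could combine into one release decision. The function and field names, the 4-hour hold, the 500.00 limit and the 0.85 similarity threshold are all assumptions chosen for the example.

```python
import difflib
import re
import unicodedata
from dataclasses import dataclass

# Illustrative values (assumptions); the article leaves these to each bank's risk appetite.
HOLD_HOURS = 4            # "a delay of several hours" on every P2P payment
NEW_PAYEE_LIMIT = 500.00  # ceiling for a transfer to a payee not paid before
CLOSE_MATCH = 0.85        # name similarity treated as a near match

@dataclass
class Payment:
    name_entered: str     # payee name the customer typed
    name_on_account: str  # name returned by the receiving bank
    amount: float
    known_payee: bool     # customer has paid this account before

def normalize(name):
    """Fold case, accents, punctuation, titles and word order before comparing."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    words = re.sub(r"[^a-z0-9 ]", " ", text).split()
    return " ".join(sorted(w for w in words if w not in {"mr", "mrs", "ms", "dr"}))

def check_payee(entered, on_account):
    """Confirmation of payee: returns 'match', 'close_match' or 'no_match'."""
    a, b = normalize(entered), normalize(on_account)
    if a == b:
        return "match"
    ratio = difflib.SequenceMatcher(None, a, b).ratio()
    return "close_match" if ratio >= CLOSE_MATCH else "no_match"

def decide(p):
    """Return (action, hold_hours, reasons) for one P2P payment."""
    reasons = []
    cop = check_payee(p.name_entered, p.name_on_account)
    if cop == "no_match":
        return ("block", 0, ["payee name does not match receiving account"])
    if cop == "close_match":
        reasons.append("payee name is only a close match; ask customer to confirm")
    if not p.known_payee:
        if p.amount > NEW_PAYEE_LIMIT:
            return ("block", 0, reasons + ["amount exceeds new-payee limit"])
        reasons.append("new payee; show scam warning before release")
    return ("hold_and_alert" if reasons else "hold", HOLD_HOURS, reasons)

if __name__ == "__main__":
    # Constructed sample: first payment to a payee whose name nearly matches.
    print(decide(Payment("Ines Marlow", "Ines Marlowe", 200.0, False)))
```

Transaction anomaly scoring and behavioral biometrics would feed additional reasons into the same decision; they are left out here because they depend on per-customer history.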

If authorized fraud is bad now, wait until we’re all in the Metaverse.

There’s debate about what the Metaverse is, but not that it is; the Metaverse is coming. And before that, we’ll have mass adoption of smart homes — refrigerators that tell you when to order milk, thermostats that regulate your home’s temperature, and a slew of other conveniences. If fraudsters salivated at the pandemic-driven shift to digital, the prospect of the Metaverse has them frothing at the mouth.

Banks should build their polluter pays framework today. They should report fraud by source today. And regulators should look to a long-term, sustainable future for fraud prevention and detection today. They can’t, in good conscience, put the onus for fraud liability solely on banks. Technology companies are part of the fraud ecosystem. Leaving them out of the solution does little to motivate their leaders to use their powerful technologies to help fight fraud and protect consumers. It’s also tremendously short-sighted; if we don’t get ahead of this problem today, we have little hope of blunting fraud in the next phase of the Age of Experience — the Metaverse.