ACH Crime Prevention: PayGuard and FPAD
Fortifying the Financial Arsenal Against Fraud
Welcome to The Engineer Banker, a weekly newsletter dedicated to organizing and delivering insightful technical content on the payments domain, making it easy for you to follow and learn at your own pace.
Welcome to another insightful episode of The Engineer Banker! In today's discussion, we delve into the dynamic world of ACH systems, exploring their evolving capabilities in the ongoing battle against fraud within connected institutions. This article will be followed by another in which we explore how banks can effectively employ and integrate these crime prevention capabilities.
Automatic Clearing Houses (ACH) and Clearing and Settlement Mechanisms (CSM) around the world have undergone a substantial transformation, adapting to the evolving landscape of electronic payments. This evolution extends well beyond the traditional clearing process, incorporating new capabilities and infrastructure enhancements.
One of the most significant developments in the ACH realm is the introduction of "Request to Pay" (RTP). This feature empowers payees to send payment requests to payers, adding flexibility and interactivity to the payment process. RTP enables payers to exercise greater control over the timing and nature of their payments.
Furthermore, some ACH systems have embraced the concept of aliases and proxies for account numbers and International Bank Account Numbers (IBANs). This innovation enhances convenience by allowing users to employ user-friendly identifiers instead of sharing account details.
Real-time payments have also emerged as a core feature, enabling immediate fund transfers between accounts. This functionality proves invaluable for urgent or time-sensitive transactions.
Lately, security has been a paramount concern in this evolution. ACH networks have implemented advanced security modules, leveraging technologies like machine learning and artificial intelligence. These modules operate in real time, swiftly identifying and preventing suspicious transactions to safeguard against financial crimes like fraud and money laundering.
Until the advent of instant payments, the primary focus was on fraud in card payments, as it is the most widely used payment method in both physical and online commerce. In the case of card fraud, unlike account-to-account payments, the bank or card issuer has complete autonomy to investigate and monitor their customer's payment transactions. For each transaction a customer makes, the issuing bank pre-approves the transaction based on the cardholder's balances, credit, or risks, as well as the characteristics of the merchant. Therefore, in the event of fraud, the bank has the most relevant data and information about the card's transactions, enabling them to analyze and investigate the entire transaction process.
This is not the case with account-to-account payment transactions, where the issuing bank of the transfer only has data about its own customer, and funds are transferred to an unknown beneficiary account, unknown to both the issuing bank and the customer. This complicates autonomous fraud analysis and investigation by the issuing bank. Furthermore, in case of fraud, funds can be transferred to various different accounts and subsequently move to new accounts within the banking system, making the information available to the issuing bank very limited and hindering proper monitoring of the transactions.
Analyzing a money laundering cycle that involves multiple banks can be a daunting task. Each bank typically possesses only a partial view of the overall transaction flow, making it challenging to identify suspicious activities in isolation. However, the central ACH infrastructure holds a unique vantage point in this regard. With access to a comprehensive overview of transaction data across connected institutions, the ACH is ideally positioned to detect and analyze intricate money laundering schemes, particularly those involving mule accounts.
In the illustration below, we present a visual representation of a bank's transaction graph visibility. The nodes represent the accounts and the edges represent the transactions. The bank can only see its internal accounts and external accounts that make transactions with its internal accounts. Every red account and red transaction are invisible to the bank.
For all these reasons, sectorial collaboration among banks is crucial to prevent fraud in account-to-account payments, protect customers, and ensure the security of their transactions. Banks need to share information and data to combat fraud, and this sharing cannot be partial or bilateral; it must be approached collaboratively, securely, and at a neutral point by all banks involved.
The recent announcement of Iberpay's Payguard functionality is a testament to the ongoing evolution of payment systems. Just as ACH networks have been adapting and enhancing their capabilities, Iberpay's Payguard represents a significant stride in fortifying payment security within the financial sector. Payguard, developed by the Spanish payment system operator Iberpay, exemplifies the industry's commitment to bolstering cybersecurity and fraud prevention efforts.
Payguard employs advanced fraud detection and prevention measures, safeguarding both financial institutions and consumers against a spectrum of cyber threats and serves as a sentinel against fraudulent transactions, offering real-time monitoring and risk assessment capabilities. For an introduction to Mule accounts you can read our introduction in the following article:
Another project with shared goals is EBAโs FPAD. The European Banking Authority's (EBA) Fraud Prevention and Awareness Division (FPAD) is a pivotal initiative designed to fortify cybersecurity and combat fraud within the European financial landscape. It operates as a multifaceted entity focused on various facets of fraud prevention, detection, and response.
The European banking landscape is in the midst of a substantial transformation, largely influenced by the recently published preliminary perspectives on the scope and requirements under PSD3. This development is shaping the direction of the market, emphasizing the need to enhance and refine the payment ecosystem. While PSD3 garners significant attention, the introduction of the Fraud Pattern and Anomaly Detection (FPAD) functionality, spearheaded by EBA CLEARING, stands out as a critical component in the ongoing efforts of Financial Institutions to manage and mitigate payment fraud risks.
FPAD, short for Fraud Pattern and Anomaly Detection, represents a pan-European initiative aimed at delivering tools for fraud prevention and detection. It comprises two key components: the implementation of an IBAN verification check, akin to the Confirmation of Payee (CoP) scheme in the UK, and the creation of a fraud detection model. These components work together to assess the probability of fraud risk within a payment based on performance and attributes within the payment message.
FPAD's overarching objective is to empower users of STEP2 and RT1 systems, allowing them to supplement their individual risk assessments with insights into patterns and anomalies at a central infrastructure level.
EBA CLEARING, at the forefront of this initiative, has recently issued specifications for the FPAD functionality. They have also launched a developer portal equipped with a sandbox, providing valuable support for users in developing and testing FPAD's application programming interfaces (APIs). This journey commenced in early 2023, following the release of a blueprint and subsequent user consultations. STEP2 and RT1, both pan-European retail payment systems processing SEPA Credit Transfers, Direct Debits (STEP2), and SEPA Instant Credit Transfers (RT1), are operated by EBA CLEARING. FPAD collects and analyzes vast amounts of STEP2 and RT1 data related to fraudulent activities, including patterns, trends, and modi operandi.
As preparations for the FPAD functionality's go-live intensify, nine banks from six countries actively contribute to the data model training during the analytical pilot phase. This phase aims to develop models for identifying fraud patterns and qualifying anomalies in collaboration with users' feedback.
The introduction of FPAD marks a significant milestone for European banks. It addresses the growing need for heightened security and more robust tools to combat fraud, particularly in the context of the rapid growth of instant payments. FPAD represents a unified approach where banks across Europe unite to bolster fraud-fighting capabilities within the SEPA perimeter.
FPAD, powered by APIs, represents a remarkable advancement for European banks. Beyond fraud detection, it fosters an integrated, efficient, and secure banking ecosystem, vital as instant payments become the norm. However, successful implementation relies on how banks connect to this system. Transitioning to an API-driven approach is crucial for seamless integration with advanced systems like FPAD, especially for institutions with legacy payment architectures.
The introduction of FPAD exemplifies the collaborative spirit of European banks, setting a benchmark for the global banking community in combating fraud and ensuring customer safety and security.
Similar initiatives to Payguard and FPAD have been emerging in various parts of the world, especially within Automated Clearing Houses (ACHs) and financial institutions. Here are a few examples from different regions:
NACHA's Phixius: NACHA, the organization responsible for managing the ACH network in the United States, has introduced Phixius. It's a platform designed to facilitate secure data sharing between financial institutions and other entities to streamline the verification of account information, reducing fraud and errors in ACH payments.
SWIFT's Payment Control Service: SWIFT, a global provider of secure financial messaging services, offers a Payment Control Service that enables financial institutions to screen and control their payment messages in real-time. It helps identify and prevent fraudulent or non-compliant transactions.
RBI's Bharat Bill Payment System (BBPS): In India, the Reserve Bank of India (RBI) introduced BBPS to facilitate the bill payment ecosystem. BBPS includes fraud prevention measures and standardized protocols to secure bill payments made through various channels.
Payments Canada's Real-Time Rail (RTR): Payments Canada is developing a Real-Time Rail system in Canada, which is expected to include advanced fraud detection and prevention features to safeguard real-time payments.
In the ongoing fight against financial crime, initiatives like FPAD (Fraud Pattern and Anomaly Detection) and Payguard are instrumental. They disrupt and deter money laundering schemes, especially those involving mule account chains. As the financial landscape evolves, these initiatives, driven by technology and collaboration, promise a more secure future for the global banking community, ensuring the integrity of financial systems worldwide. Stay tuned for the next episode where we will see how banks can use these new ACH fraud functionalities.