Resources / The Evolution Blog

FedNow is Coming to America

Ken Palla

6 June 2023

Finally, a full-blown consumer faster payment system, built by the Federal Reserve over the past few years, will be available to consumers (and businesses) this summer. A great headline and story. But there are two other headlines, from the recently published UK 2023 Fraud Strategy, that we need to know:

  • 97% of Authorized Push Payment (APP) frauds currently occur in the UK’s Faster Payments System.
  • Authorized transaction scams are now 54% of the total fraud/scams in the UK.

Unfortunately, we know that what happens in the UK does not stay in the UK. So, with faster payments, the types of fraud and scams seen in the UK will come to faster payments in the US, and to be truthful, a lot of it is already here. So, what does all this mean for faster payments in the US?

Almost all of the APP scams in the news occur on faster payment rails, so we should expect a high volume of consumer financial scams on FedNow. And, for the first time, scam losses (deceptive but authorized transactions) exceed fraud losses (unauthorized transactions) in the UK. We also need to remember that, unlike Zelle, with FedNow each financial institution is responsible for building the web/mobile pages and most of the security around the faster payment transactions.

FedNow will also provide some security to help prevent fraud and scams. Some fraud management controls will be available at launch, and according to the FedNow website, “The Fed plans to roll out additional anti-fraud measures in 2024 and beyond. One feature under consideration, for example, would enable FIs to activate a control setting that rejects payments that exhibit unusual frequency patterns or cumulative value over a period of time. Other updates under consideration would leverage the FedNow Service network to monitor for aggregated concentrations of inbound and outbound activity (a sign of potential mule activity) and use machine learning to score transactions.”
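To make the two quoted controls concrete, here is an added example (my own illustration, not code from FedNow, the Fed or any FI) of a per-sender velocity / cumulative-value control with a rolling window, and a network-level inbound/outbound concentration check that flags an account receiving from many unrelated payers and forwarding most of the value straight out. The thresholds, account names and transactions are constructed assumptions; a real FI would tune the limits per customer segment.

```python
"""Added example for this post (not FedNow's or any FI's code): a rolling-window
velocity / cumulative-value control and an inbound/outbound concentration check
of the kind the FedNow text describes. All thresholds, account names and
transactions below are constructed assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)          # assumed rolling window
MAX_TXNS_PER_WINDOW = 3               # assumed count limit per sender
MAX_VALUE_PER_WINDOW = 5_000.00       # assumed cumulative-value limit per sender
MIN_DISTINCT_SENDERS = 3              # assumed mule signal: many payers in one window
PASS_THROUGH_RATIO = 0.8              # assumed mule signal: most inbound value leaves again


class VelocityControl:
    """Per-sender control: reject a payment that would breach the count or
    cumulative-value limit within the rolling window. Only executed
    (accepted) payments are kept in history."""

    def __init__(self, max_txns=MAX_TXNS_PER_WINDOW, max_value=MAX_VALUE_PER_WINDOW, window=WINDOW):
        self.max_txns, self.max_value, self.window = max_txns, max_value, window
        self._history = defaultdict(deque)   # sender -> deque of (timestamp, amount)

    def evaluate(self, sender, ts, amount):
        hist = self._history[sender]
        while hist and ts - hist[0][0] > self.window:   # drop payments outside the window
            hist.popleft()
        count = len(hist) + 1
        total = sum(a for _, a in hist) + amount
        if count > self.max_txns:
            return "REJECT", f"{count} payments in window exceeds {self.max_txns}"
        if total > self.max_value:
            return "REJECT", f"cumulative value {total:.2f} exceeds {self.max_value:.2f}"
        hist.append((ts, amount))
        return "ACCEPT", ""


def mule_concentration(transactions, window=WINDOW, min_senders=MIN_DISTINCT_SENDERS, ratio=PASS_THROUGH_RATIO):
    """Network-level check: flag accounts that, within one window, receive from
    many distinct senders and forward most of that value back out."""
    inbound, outbound = defaultdict(list), defaultdict(list)
    for t in transactions:
        inbound[t["to"]].append((t["ts"], t["from"], t["amount"]))
        outbound[t["from"]].append((t["ts"], t["amount"]))
    flagged = {}
    for acct, ins in inbound.items():
        ins.sort(key=lambda x: x[0])
        for ts, _, _ in ins:                     # anchor a window at each inbound payment
            win = [x for x in ins if ts <= x[0] <= ts + window]
            senders = {s for _, s, _ in win}
            in_total = sum(a for _, _, a in win)
            out_total = sum(a for ots, a in outbound[acct] if ts <= ots <= ts + window)
            if len(senders) >= min_senders and in_total and out_total / in_total >= ratio:
                flagged[acct] = {"distinct_senders": len(senders), "inbound": in_total, "outbound": out_total}
                break
    return flagged


T0 = datetime(2023, 7, 1, 9, 0)

# Constructed sample: three unrelated payers fund acct-M, which empties out to acct-X hours later.
SAMPLE_TXNS = [
    {"ts": T0,                      "from": "acct-A", "to": "acct-M", "amount": 1900.00},
    {"ts": T0 + timedelta(hours=1), "from": "acct-B", "to": "acct-M", "amount": 2400.00},
    {"ts": T0 + timedelta(hours=2), "from": "acct-C", "to": "acct-M", "amount": 1750.00},
    {"ts": T0 + timedelta(hours=3), "from": "acct-M", "to": "acct-X", "amount": 5800.00},
    {"ts": T0 + timedelta(hours=5), "from": "acct-A", "to": "acct-D", "amount": 40.00},
    {"ts": T0 + timedelta(days=2),  "from": "acct-A", "to": "acct-E", "amount": 120.00},
]

# Constructed sample: one sender bursting payments, then one more after the window has rolled.
SAMPLE_ATTEMPTS = [
    (T0, 1500.00),
    (T0 + timedelta(minutes=10), 1500.00),
    (T0 + timedelta(minutes=20), 2500.00),   # would push cumulative value to 5500
    (T0 + timedelta(minutes=30), 100.00),
    (T0 + timedelta(minutes=40), 50.00),     # would be the 4th payment in the window
    (T0 + timedelta(hours=25), 200.00),      # window has rolled past the earlier payments
]


def run_velocity_demo(attempts=SAMPLE_ATTEMPTS):
    """Feed the constructed attempts through one VelocityControl for sender acct-S."""
    ctl = VelocityControl()
    return [ctl.evaluate("acct-S", ts, amt) for ts, amt in attempts]


if __name__ == "__main__":
    for (ts, amt), (decision, reason) in zip(SAMPLE_ATTEMPTS, run_velocity_demo()):
        print(f"{ts:%H:%M} {amt:8.2f} {decision} {reason}")
    print(mule_concentration(SAMPLE_TXNS))
```

Note the design choice in `VelocityControl`: rejected attempts are not added to history, so a customer blocked once is not penalized further for the block itself, while the window still rolls forward on wall-clock time. The mule check deliberately looks at the receiving account's whole pattern rather than any single payment, which is why it belongs on the network side rather than in a sending FI's per-transaction rule.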

For APP scams, keep the following in mind:

  1. It is the customer who is actually doing the transaction.
  2. Customer behavioral analytics is key to detecting a customer acting under stress or duress.
  3. Look at the age of the customer when assessing the transaction. Senior citizens are especially vulnerable to these scams (e.g., the grandparent scam).
  4. Obviously, strong transaction anomaly detection is paramount. Use online transaction nudges (e.g., a popup asking ‘Is someone on the phone directing you to do this transaction?’) on suspicious transactions, and perhaps on the customer’s first FedNow transaction.
  5. Use your telco provider to check whether the customer is on an inbound mobile call while doing the transaction. A long call is also a good data point.
  6. Consider doing a confirmation of payee check (does the payee name match the name on the receiving bank account?). Consider other beneficiary intelligence, such as the age of the receiving account and the number of high-value payments into it.
  7. In 2023, deepfake audio and video are getting really good. When the grandparent gets the call from the grandson about a DUI car wreck or a kidnapping and needing money, the voice will sound real, because the fraudster copied the grandson’s voice from TikTok and AI-cloned it. So expect the victim to really believe the scam, and to be scared, if the fraud analyst calls to verify the transaction.
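Point 6 above is the one most easily turned into working logic, so here is an added example (my own illustration, not any bank's or payment scheme's code) of a confirmation of payee name check combined with the beneficiary signals mentioned: account age and recent high-value inbound payments. The name normalisation rules, the similarity threshold, the dollar thresholds and the beneficiary profiles are constructed assumptions; a real deployment would take the name on record from the receiving bank or a shared-intelligence service rather than a local dictionary.

```python
"""Added example for this post (not any bank's or scheme's code): a confirmation
of payee name check plus simple beneficiary-intelligence signals (account age,
recent high-value inbound payments). Normalisation rules, thresholds and the
sample beneficiary profiles are constructed assumptions for illustration."""
import re
import unicodedata
from datetime import date, timedelta
from difflib import SequenceMatcher

# Assumed: titles and legal-form suffixes that should not affect a name match.
IGNORED_TOKENS = {"mr", "mrs", "ms", "dr", "ltd", "limited", "llc", "inc", "plc", "co", "the"}
CLOSE_MATCH_RATIO = 0.85      # assumed similarity threshold for "close match"
HIGH_VALUE = 2_000.00         # assumed high-value payment threshold
NEW_ACCOUNT_DAYS = 30         # assumed "young account" age


def normalize_name(name):
    """Fold accents, case, punctuation and ignorable tokens so that
    'Acme Ltd.' and 'ACME LIMITED' compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9]+", " ", folded.lower()).split()
    return " ".join(t for t in tokens if t not in IGNORED_TOKENS)


def confirm_payee(entered_name, name_on_account):
    """Return MATCH, CLOSE_MATCH or NO_MATCH for the name the customer typed
    against the name held for the receiving account."""
    a, b = normalize_name(entered_name), normalize_name(name_on_account)
    if a == b:
        return "MATCH"
    if set(a.split()) == set(b.split()):          # same words, different order
        return "CLOSE_MATCH"
    if SequenceMatcher(None, a, b).ratio() >= CLOSE_MATCH_RATIO:   # typo-level difference
        return "CLOSE_MATCH"
    return "NO_MATCH"


def beneficiary_signals(profile, amount, as_of):
    """Risk reasons derived from what is known about the receiving account."""
    reasons = []
    age_days = (as_of - profile["opened"]).days
    if age_days < NEW_ACCOUNT_DAYS:
        reasons.append(f"beneficiary account opened {age_days} days ago")
    recent_high = [p for p in profile["inbound"]
                   if p["amount"] >= HIGH_VALUE and (as_of - p["date"]).days <= 7]
    if len(recent_high) >= 2:
        reasons.append(f"{len(recent_high)} high-value inbound payments in the last 7 days")
    if amount >= HIGH_VALUE and not profile["inbound"]:
        reasons.append("first ever inbound payment to this account is high value")
    return reasons


def assess_payment(entered_name, profile, amount, as_of):
    """Combine the name check and beneficiary signals into a routing decision:
    HOLD for review, WARN the customer with a nudge, or PROCEED."""
    name_check = confirm_payee(entered_name, profile["name"])
    reasons = beneficiary_signals(profile, amount, as_of)
    if name_check == "NO_MATCH":
        decision = "HOLD"
    elif name_check == "CLOSE_MATCH" or reasons:
        decision = "WARN"
    else:
        decision = "PROCEED"
    return {"name_check": name_check, "reasons": reasons, "decision": decision}


TODAY = date(2023, 7, 1)

# Constructed beneficiary profiles, as a receiving bank or shared-intelligence feed might expose them.
PROFILES = {
    "old-plumber": {"name": "Bobs Plumbing LLC", "opened": date(2015, 3, 2),
                    "inbound": [{"date": TODAY - timedelta(days=20), "amount": 350.00}]},
    "fresh-acct":  {"name": "John Smith", "opened": TODAY - timedelta(days=4),
                    "inbound": [{"date": TODAY - timedelta(days=2), "amount": 2_500.00},
                                {"date": TODAY - timedelta(days=1), "amount": 3_100.00}]},
}


if __name__ == "__main__":
    print(confirm_payee("Acme Ltd.", "ACME LIMITED"))
    print(confirm_payee("Jon Smith", "John Smith"))
    print(assess_payment("Bobs Plumbing LLC", PROFILES["old-plumber"], 350.00, TODAY))
    print(assess_payment("Alice Jones", PROFILES["old-plumber"], 500.00, TODAY))
    print(assess_payment("John Smith", PROFILES["fresh-acct"], 2_000.00, TODAY))
```

The point of the three-way name result is that a close match (a typo or a swapped first and last name) should produce a nudge to the customer, not a silent pass and not a hard block; an outright mismatch is the strongest single APP scam signal and earns a hold. A perfect name match on a four-day-old account that has just taken in two large payments still gets a warning, because the beneficiary intelligence is evaluated independently of the name.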

For unauthorized transaction fraud, keep the following in mind:

  1. There are still millions of breached credentials available for account takeover (ATO) attacks, and your FI must have credential stuffing controls in place.
  2. SMS OTP is still the primary (and weak) consumer authenticator for banks. There are countless ways to steal OTP codes and also ways to bypass the OTP challenge; attacking SMS OTP has proven successful in high-dollar crypto account takeovers. Basically, assume the initial logon authentication is breached. Best practice is to use strong multi-factor authentication (MFA) that is more secure than SMS OTP, but realistically this takes time to deploy.
  3. Provide continuous authentication during the online session, looking for man-in-the-middle and remote access attacks.
  4. For mobile, include 1) detailed location tracking to catch the obvious fraud (e.g., the phone is located in Jamaica) and 2) verification that the phone running the bank app is owned by the customer.
  5. Watch for high-dollar counterfeit checks (a big deal in 2023) being remotely deposited and then exfiltrated via the FedNow rails.
  6. Check for malware on the mobile phone.
  7. Expect more mobile phones to be stolen from customers so that the fraudster can do FedNow transactions from them.

Financial institutions will also need to up their game in detecting and removing money mule accounts. The massive number of money mule accounts is reason number one that fraudsters are so effective with fraud and scam activity. The UK banks and some larger US banks have good money mule detection programs in place. Some key considerations:

  1. Sharing data about known money mule accounts should become more common among all FIs. There are solutions that help with this data sharing, and proper processes for protecting PII make it viable.
  2. Tighten up online account opening to prevent stolen PII and synthetic IDs from being used to open accounts.
  3. Use data analytics to look for existing bogus checking accounts, almost a revalidation of the accounts that looks at email addresses, phone numbers and other data. Once a fraudster gets past the account opening process, they will change some information (or the initial account opening process may have been weak).

Something to copy from the UK 2023 Fraud Strategy is to slow down faster payments when the FI has concerns about whether the transaction is legitimate. And especially watch the first faster payment transaction.

Two additional consumer protection controls to consider:

  1. Give customers the option for ‘how fast’ Faster Payments should be. Maybe, if I am a senior citizen, four hours is fast enough.
  2. Start with FedNow turned off. Require an additional authentication step to turn it on, and notify the customer via email or text when it is turned on. Also consider a delay before it becomes active (e.g., one hour or one day).

These consumer protection controls will help prevent authorized payment scams where the fraudster is using pressure and intimidation to get the customer to execute a quick transaction. Give the customer time to rethink what is going on during a scam. The best control is when a scam transaction is never executed.
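The two controls above, together with the "slow it down when the FI has concerns" idea from the UK strategy, fit naturally into one small per-customer state machine. The following is an added example (my own illustration, not any FI's or FedNow's code): the rail starts off, enabling it requires a passed step-up authentication and only takes effect after an activation delay, every change generates a customer notification, and each payment is released according to the customer's chosen speed, extended when the FI wants a closer look. The delay lengths and the speed menu are assumed values.

```python
"""Added example for this post (not any FI's or FedNow's code): the consumer
protection controls as a per-customer state machine. FedNow starts disabled,
enabling requires step-up authentication and takes effect after a delay, the
customer is notified, and payments are released per the customer's chosen
speed. Delays, speed options and the review hold are assumed values."""
from datetime import datetime, timedelta
from typing import Optional

ACTIVATION_DELAY = timedelta(hours=1)          # assumed: enablement takes effect after this
REVIEW_HOLD = timedelta(hours=4)               # assumed: minimum hold when the FI has concerns
SPEED_OPTIONS = {                              # assumed menu offered to the customer
    "instant": timedelta(0),
    "one_hour": timedelta(hours=1),
    "four_hours": timedelta(hours=4),
    "next_day": timedelta(days=1),
}


class FedNowProfile:
    """Per-customer FedNow settings. New customers start with the rail off."""

    def __init__(self, speed="four_hours"):
        self.active_from: Optional[datetime] = None   # None means FedNow is turned off
        self.speed = speed
        self.notifications = []                       # (time, message) sent to the customer

    def enable(self, now, step_up_passed):
        """Turn the rail on. Requires a second authentication step and only
        becomes active after ACTIVATION_DELAY; the customer is told either way,
        so a fraudster enabling it from a stolen phone also alerts the owner."""
        if not step_up_passed:
            self.notifications.append((now, "FedNow enable attempt denied: step-up authentication failed"))
            return "DENIED"
        self.active_from = now + ACTIVATION_DELAY
        self.notifications.append((now, f"FedNow will be active from {self.active_from:%Y-%m-%d %H:%M}"))
        return "PENDING"

    def disable(self, now):
        self.active_from = None
        self.notifications.append((now, "FedNow turned off"))

    def is_active(self, now):
        return self.active_from is not None and now >= self.active_from

    def set_speed(self, speed):
        if speed not in SPEED_OPTIONS:
            raise ValueError(f"unknown speed option {speed!r}")
        self.speed = speed

    def schedule_payment(self, now, amount, fi_has_concerns=False):
        """Return (status, release_time). Rejected while the rail is off or
        not yet active; otherwise released after the customer's chosen delay,
        extended to at least REVIEW_HOLD when the FI wants it slowed down."""
        if not self.is_active(now):
            return "REJECTED_RAIL_OFF", None
        delay = SPEED_OPTIONS[self.speed]
        if fi_has_concerns:
            delay = max(delay, REVIEW_HOLD)
        return "SCHEDULED", now + delay


T0 = datetime(2023, 7, 1, 9, 0)   # constructed timeline


def run_scenario():
    """Constructed walk-through: a customer turns the rail on and then pays."""
    p = FedNowProfile()
    steps = []
    steps.append(p.schedule_payment(T0, 500.00)[0])                             # rail still off
    steps.append(p.enable(T0, step_up_passed=False))                           # no step-up: denied
    steps.append(p.enable(T0 + timedelta(minutes=5), step_up_passed=True))     # active from 10:05
    steps.append(p.schedule_payment(T0 + timedelta(minutes=30), 500.00)[0])    # inside activation delay
    steps.append(p.schedule_payment(T0 + timedelta(hours=2), 500.00))          # active, four-hour speed
    p.set_speed("instant")
    steps.append(p.schedule_payment(T0 + timedelta(hours=3), 500.00, fi_has_concerns=True))
    return steps


if __name__ == "__main__":
    for step in run_scenario():
        print(step)
```

Two details matter here. The activation delay means that even a fraudster who has taken over the account and passed step-up cannot move money in the same session, and the notification gives the real customer that window to react. The review hold is applied as a floor on top of the customer's own speed choice, so a customer who chose "instant" still gets the cooling-off period when the FI's anomaly detection is uneasy about the payment.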

In closing, yes, there is big excitement that US financial institutions will be able to offer real faster payments starting this summer. And, yes, there are many unfulfilled use cases that FedNow solves. But before you smell the roses, take a virtual visit to the UK to see how quickly this wonderful story can turn to dust if you are not prepared for the increased fraud and scams coming your way. There are sound fraud controls to help, particularly those that can understand user behavior across an entire session to detect signs of coercion or unusual payment transactions.

One saving grace associated with the risk of FedNow deployment in 2023 comes from Peter Tapling, U.S. Payments expert and member of the U.S. Faster Payments Council Board Advisory Group: “FedNow will not grow like Zelle. The rate of adoption of FedNow is dependent upon the speed at which FIs make products available to their customers to use FedNow.”

About Ken Palla

Ken Palla was a Director at MUFG Union Bank, where he managed online security threat analysis and researched/implemented online security solutions from 2005-2019. He was responsible for assessing current controls, identifying security gaps, finding/selecting solutions, and implementing chosen solutions with a virtual team in multiple locations. Ken also worked with Enterprise Fraud on fraud forensics to help understand the root cause of online security issues.

Ken is currently consulting for online security with banks and vendors and on The Knoble Scam Committee and is a member of the RSA Conference Program Committee. He has recently written white papers on online scams, FFIEC guidance and online authentication.
