Reading between the lines of the FCA's letter to payments firms

Katherine Gormley, Head of AML Products

British regulators' warning about fraud and AML is more specific—and consequential—than it appears at first glance.

On March 16 of this year, the UK's Financial Conduct Authority (FCA) sent a letter to CEOs of nearly 300 payments institutions and electronic money license-holders operating in Britain. It was unambiguous: the FCA believes companies are not fighting fraud and money laundering effectively, with "swift and aggressive action" to follow if reforms are not undertaken. Stern letters from regulators are nothing new, and it's no secret that they seldom have much staying power. But this letter is different due to the context surrounding its sending. The payments space is currently losing a battle against an emerging type of financial crime, and legislation requiring reforms and threatening repercussions is expected soon. To live up to their forward-thinking image, neobanks, challenger banks, and payments institutions everywhere need to take the FCA's warning about fraud and AML seriously—and start acting.

Why the FCA matters

It could be easy for many in the large and multinational finance industry to quickly dismiss this event: after all, this letter was issued to a relative handful of companies by an agency with jurisdiction in a single country. But despite being a UK organization, it's good to keep in mind that the FCA is roughly analogous to the better-known Securities and Exchange Commission (SEC) and Federal Deposit Insurance Corporation (FDIC) in the United States—no lightweights.

In this situation, recommendations out of the FCA are particularly significant because the UK is a focal point of fintech innovation. Over 2,500 fintech firms operate in the UK, ranking it third, behind only the US and China, and one third of similar firms worldwide are focusing expansion efforts on the UK market. In other words, international payments firms or payments firms wishing to do business internationally will almost certainly be affected in some way by developments in Britain, so this month's letter to CEOs should be treated as an early and strong indication of which way the wind is blowing industry-wide.

Not just fraud, not just AML

In particular, the British authorities noted widespread, severe shortcomings in two key processes: AML and fraud protections. AML procedures commonly showed "failure to carry out and/or to evidence adequate KYC/due diligence". Concerning fraud, examined businesses suffered from "a high proportion of customer accounts being used to receive proceeds of fraud" and "backlogs that have led to fraud reports from consumers not being actioned within a reasonable timeframe by relevant staff". Despite presenting fraud and AML as individual but related concerns, the FCA is actually implying that the two are inseparable. So much so, in fact, that modern payments providers and e-money institutions need to guard against the combined, simultaneous threat of fraud and money laundering working together to strengthen and perpetuate one another.

By now, bad actors have turned exploiting the vulnerabilities of standard KYC processes and rules-based monitoring systems in digital-first payments into a science; perhaps its most notable form is authorized push payment (APP) fraud. Straddling these two areas, APP fraud relies on multiple points of failure building on one another throughout the scheme. For example, the accounts victims send their funds to are often created using fraudulent synthetic identities: a mix of stolen and forged identity documents that fool onboarding processes over and over. Other accounts may be genuine but hacked or in on the scam: their infrequent forays into money laundering stand out suspiciously from their normal practices, yet carefully sidestep transaction monitoring triggers. In as little as a few minutes, funds can be laundered through any variety of money mule accounts: though such movements themselves should be worthy of suspicion, these too often evade traditional rules-based systems. The final weakness shows up after hours or days: by the time an overloaded AML investigator has sorted through a backlog of cases, the fraudster is long gone.

This tactic has proven incredibly damaging. In the first half of 2022 alone, APP fraud represented 41% of all fraud losses in the UK, a 30% increase over the same period in 2020. The tens of thousands of affected customers were defrauded of £249.1 million, only around half of which was ever recovered. A twist of the knife: while victims are reimbursed if funds are taken from them, banks have typically considered victims who personally authorize payments ineligible for reimbursement.

Consequences are coming

With instant payments options only growing in number and the scale of digital fraud mounting, APP fraud is now an issue at national and international levels. In the UK, the Financial Services and Markets Bill introduced earlier this year before Parliament intends to guarantee reimbursement by companies to affected customers coupled with publication of how—and how well—companies protect against APP fraud. Should this legislation pass, companies could face an implementation period of only a few months starting later this year. And companies won't just be on the hook for reimbursements: accompanying fines and reputational damage will be near certainties.

Unsurprisingly, a ripple effect is already starting even without a UK law definitively in place. High fraud rates are already resulting in reputational and usability fallout, with financial services of all types insulating themselves from regulatory entanglements by blocking attempts to transfer funds from electronic money institutions with sustained fraud problems. In the US, payment scams and lack of reimbursements are $440 million issues being discussed in the Senate. And our Prague branch, for example, is already hearing from the Czech finance sector that it's not if but when European regulators will make reimbursing APP victims obligatory.

So for those who are listening closely, the added context of uncontrolled fraud and looming legislation in fact makes the FCA's message highly specific: payments providers everywhere must act now against APP fraud by breaking down the siloes between fraud and AML controls (or FRAML)—failing to do so won't be pretty. Luckily, the FCA's warning also outlines an ideal solution.

Why the FCA is essentially asking for AI

First things first: regulators expect responses to be fast. The processes and programs that oversee customers from onboarding to transaction monitoring may be underperforming in countering these kinds of financial crime, but they're also specialized, intricate, and expensive—especially when factoring in the time to retrain applicable staff and get them up to speed. Ripping out everything root and branch simply isn't an option. Nor, of course, is a slapdash solution that would still leave companies vulnerable to regulatory action and reputational impacts. The key will be to augment existing systems to the greatest possible extent.

Such augmentations have a broad remit: since the fundamental issue with APP stems from the dual threat of fraud and money laundering, protections will need to be upgraded end-to-end, from onboarding to investigations and everything in between, with a FRAML mindset. Put another way, only limiting exposure to money mule accounts by making KYC onboarding more comprehensive in conjunction with adaptable behavioral detections to catch those already in the customer base will effectively disable the hinge points that allow APP fraud to succeed.

Resistant AI was established as APP fraud began to create further damage in the field, so it's no coincidence that this threat has influenced our products. You might even say that our Document Forensics and Transaction Forensics, though capable of working independently, were always intended to work in tandem against these combined threats. Together, the layer of AI they provide enables real-time, perpetual KYC at all the vulnerable points that APP fraud targets, without disrupting customers' existing systems.

Our Document Forensics, for example, examines uploads on both individual and collective bases to identify forgeries and reused genuines. For just one of our payments customers, 82% of onboardings are automatically handled by these KYC checks alone, stopping over 100 attempts at creating money mule accounts per day with an accuracy and scale human reviewers can't match.

Transaction Forensics, meanwhile, uses adaptable anomaly detection rather than inflexible rules to identify unusual activity patterns as funds move. Unusual and often undefined activities can be brought to the attention of investigators in real time with high precision, pinpointing the wrongdoing that everyone knows is going on but has so far failed to identify with traditional systems. Behavioral analysis can be added into the mix by factoring in other traces customers leave—and with every additional data point our AI becomes more capable of picking out red flags from normal activities. Three times the number of transactions suggestive of money laundering can be identified compared to rules-based outputs, all in real time, making nabbing even well-disguised money mules more possible than ever.

In the end, a relatively simple overlay of AI can prevent synthetic money mules from being created and prevent money from being moved in suspicious patterns…short-circuiting APP fraud altogether. And it all can be plugged into existing systems in weeks rather than months or years. 

Act now with AI

The takeaway is that the FCA's letter isn't an alarm that can just be snoozed—it's an unavoidable klaxon signaling what's to come for everyone in the business of moving money. Reading between the lines, it's obvious that APP fraud is the driving concern for the FCA, fintechs, and traditional banks alike, making legislation to address it consequential no matter your size or location. To halt and prevent damaging APP scams, the challenges of fraud and AML must be addressed simultaneously and rapidly. Resistant AI has the way to do just that.
