
APP scam reimbursement: Reduce your risk with behavioral biometrics

Author: Serpil Hall


The recent announcement from UK-based PSR (Payment Systems Regulator) is causing quite a stir in the banking industry. The new legislation will require PSPs (Payment Service Providers) to reimburse customers for losses incurred due to Authorized Push Payment (APP) scams beginning in 2024. This new legislation is a result of the growing number of APP fraud cases in the UK, surpassing 95,000 cases in the first half of 2022. The focus now is how banks and PSPs can reduce their APP scam reimbursement risk - and behavioral biometrics is the key.

APP fraud, also known as bank transfer scams or bank transfer fraud, is a type of fraud where individuals are deceived into authorizing a payment to a fraudster. It involves manipulating and exploiting victims to willingly transfer money from their own bank accounts to accounts controlled by the fraudsters, or mule accounts. APP fraud is now the most common type of fraud in the UK, with H1 2022 gross losses of £249.1 million. The reimbursement plan requires PSPs to reimburse all APP fraud victims 100% - split 50/50 between the issuing bank and the receiving bank if they’re found guilty.

This applies to banks, building societies, and any institution with an Open Banking license – which incorporates about 400 PSPs in total. While the largest banks and PSPs have an additional requirement to provide bi-annual data demonstrating their overall performance in terms of preventing or reducing APP fraud, all PSPs will have to obey the legislation and reimburse victims of APP fraud. The potential financial impact is dramatic, placing a significant burden on banks and PSPs to implement effective fraud prevention strategies that protect their customers and minimize APP fraud liability. And with that liability split equally between the issuer and the receiver, there’s no room for apathy or negligence.

What does the PSR reimbursement policy mean for banks and PSPs?

  • Higher reporting requirements
  • Confirmation of Payee/Name Match requirement
  • Upcoming data and risk indicator sharing
  • Increased burden on protecting customers
  • PSPs will need to have strong fraud prevention measures in place
  • Real-time fraud prevention is critical
  • The ability to identify and trace mule accounts will dramatically reduce risk

Keep in mind that traditional fraud detection technology doesn’t collect data about the user. It’s great for transactions and for identifying transaction-related fraud, but what about when the fraud comes from a legitimate bank user or customer? How much do you know about their behavior, so you’re prepared for anything? By using behavioral biometrics to truly know your customer (KYC), you can reduce unnecessary friction in both the user experience and your fraud prevention measures. The more you know your customer, and the more you collect about their day-to-day activities and navigation behaviors, the more you can stand out from your competitors by achieving a holistic view that enables active fraud and scam prevention. The key to this is putting systems in place to reduce the threat and limit the costly reimbursement of scam victims that results from ineffective fraud prevention strategies.

Reduce APP fraud to reduce reimbursement liability

The best way to reduce APP reimbursement liability and meet the requirements of the PSR’s new legislation is to detect and prevent APP fraud in real time. Large banks typically have transactional monitoring to run checks on payers and recipients in real time, but it’s just that: transactional. It’s a very black-and-white system that can’t connect any context, previous interactions, or strategic insight. They also use the Confirmation of Payee (CoP) protocol, which will be mandated for the PSPs under the new legislation. While this helps eliminate some fraud, it’s only a fraction of the solution.

Leveraging Account Information Sharing, which is part of the UK Finance Initiative, can also help minimize fraud risk by bringing in other relevant data to help flag suspicious transactions – such as the date a recipient bank account was opened, the age of the account, the account type, and the account balance. This helps PSPs identify and prevent fraud based on known risk factors.

The best fraud solution for combatting APP scams is to build a 360° view of individuals and their behavior across all connected accounts, supporting higher-level fraud detection and prevention that analyzes more than just a single transaction. The more information the better.

The critical question is: how will you know the difference between a legitimate victim and a fraudster? While the above tools help, the best way for banks and PSPs to meet the burden of protecting customers and preventing fraud is by layering in behavioral biometrics. Behavioral biometrics refers to the analysis of a user's behavior when using a device or application, such as the way they type, swipe, and hold their phone. This technology can detect anomalies in user behavior that may indicate fraudulent activity, such as a different typing pattern or a different device orientation from usual.

Behavioral biometrics amplify fraud prevention for all fraud types – including APP fraud. There are often indicators of fraud before the transaction – such as using a device to access a UK account from abroad or changing the password on a third-party (mule) account before conducting transactions. Layering behavioral biometrics enables banks and PSPs to identify and prevent APP fraud by analyzing the user's behavior before, during, and after the payment process to compare “me vs. me”. For example, if the user's behavior during the payment process is different from their usual behavior, this anomaly could indicate the user is being coerced or manipulated into making the payment.
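The “me vs. me” comparison described above, combined with the pre-transaction and recipient-account indicators the article lists, as an added example (not from the original article or any vendor product). The feature names, weights, thresholds and sample data are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def zscore(history, value):
    """Standard deviations between `value` and this user's own history."""
    sd = stdev(history)
    return 0.0 if sd == 0 else abs(value - mean(history)) / sd

def assess_payment(profile, session, payment):
    """Score one payment against the payer's own baseline ("me vs. me")."""
    hits = []  # (weight, reason); weights and thresholds are assumed values
    # Behavioral: typing cadence (mean inter-key interval, ms) vs. past sessions.
    z = zscore(profile["key_interval_ms"], mean(session["key_intervals_ms"]))
    if z > 3:
        hits.append((2, f"typing cadence z={z:.1f}"))
    # Behavioral: device held differently from the user's usual orientation.
    if session["orientation"] != profile["usual_orientation"]:
        hits.append((1, "unusual device orientation"))
    # Pre-transaction indicator: account accessed from outside the home country.
    if session["country"] != profile["home_country"]:
        hits.append((2, "access from abroad"))
    # Shared account information: recipient account opened very recently.
    if payment["recipient_account_age_days"] < 30:
        hits.append((2, "recipient account under 30 days old"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def decide(score):
    """Map the score to an action before the payment is released."""
    if score >= 4:
        return "hold_for_review"
    return "step_up" if score >= 2 else "allow"

# Constructed sample data for one customer (not real measurements).
PROFILE = {"key_interval_ms": [182, 175, 190, 186, 179, 184],
           "usual_orientation": "portrait", "home_country": "GB"}
NORMAL = {"key_intervals_ms": [180, 185, 178, 188],
          "orientation": "portrait", "country": "GB"}
# Hesitant, slow typing, as when a payer is being talked through a transfer.
COACHED = {"key_intervals_ms": [310, 295, 340, 420],
           "orientation": "portrait", "country": "GB"}
KNOWN_PAYEE = {"recipient_account_age_days": 900}
NEW_PAYEE = {"recipient_account_age_days": 5}

if __name__ == "__main__":
    for s, p in [(NORMAL, KNOWN_PAYEE), (NORMAL, NEW_PAYEE), (COACHED, NEW_PAYEE)]:
        score, reasons = assess_payment(PROFILE, s, p)
        print(decide(score), score, reasons)
```
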

It all comes down to how well you know your customer – by layering behavioral biometrics into your fraud prevention strategy, along with mule account tracing and anomaly detection, banks and PSPs can dramatically reduce their liabilities under the new PSR requirements – not to mention improving the customer experience.

*NOTE: This article originally appeared on LinkedIn
