How does Open Banking embrace being ‘open’, without leaving the door open to the criminals? Sarah Rutherford, senior marketing director at FICO looks at how financial services providers need to adapt their fraud platforms to mitigate the new risks associated with Open Banking.
As adoption of Open Banking in the UK picks up speed – users in the UK have grown from one million in 2020 to three million this year – the opportunities for criminals are also increasing. And this presents a real conundrum for the financial services sector.
Open banking was unveiled to improve financial inclusion, increasing competition in financial services and enabling third-party providers to offer valuable new services to consumers and business customers alike.
Access to the opportunities Open Banking can offer hinges exclusively on customers consenting to share personal information with a wider number of companies.
This fundamentally alters the relationship between account providers and their customers as well as provides the opportunity for new service providers to enter the market.
It also provides criminals with new opportunities that are the real challenge for the financial services sector – and the economy as a whole. Below are some of the techniques deployed by fraudsters it’s worth being aware of:
Masquerading as a service provider
Criminals may set up a website pretending to be a service provider, either a fictitious one or a cloned impersonation of a genuine site.
Tasty incentives such as cash-back, rewards or discounts could be used to tempt customers to the services they pretend to offer; once money has been deposited it’s hard to recover.
Using a legitimate service provider to facilitate money laundering
Money mule networks gain faster traction in countries offering instant payments, as these help move and transfer funds far faster than law enforcement can track.
Tactics to evade detection often include sending money through previously used payees. In many cases these account holders are directed by a so-called ‘mule herder’.
Setting up a service provider for money laundering
Most service providers are required to complete due diligence in the shape of anti-money laundering (AML) checks. But criminals can set up a seemingly valid service provider that carries out fake regulatory and/or authorisation checks.
In this way, money laundering checks can be avoided for those accounts that are in control of a criminal organisation.
Creating a bogus service provider to ‘harvest’ data
Most frauds rely on the capture of customer information. By creating a bogus service provider, criminals can extract personal and financial information for use in other criminal operations.
Attacking service providers instead of account providers
Customers’ financial data could be held outside the account provider and be in the hands of a service provider.
In many instances, service providers will have fewer resources to protect and maintain the security of their systems, making them a more attractive target than the actual account providers.
All of these examples require a fair amount of time and effort to set up, however they also highlight the steps fraudsters are prepared to take.
Account providers must still take primary responsibility for fraud prevention and anti-money laundering, but they’re also obliged to be ever-more vigilant to suspicious activity taking place on their customer accounts.
Open Banking complicates matters as it blurs the relationship between the account provider and their customers, as new service providers now own more of the customer-facing interactions.
Information made available to account providers to help make informed fraud prevention and AML decisions are often altered, with Open Banking transactions often containing information that may not have been previously seen within the payments’ ecosystem.
Account providers cannot respond by increasing security for those customers who use third-party providers.
Clearly, it would also be anti-competitive to impose extra impediments on customers serviced in this way, as the additional checks aren’t applied to consumers continuing to access their accounts directly.
It means techniques like behavioural profiling become far more important in fighting fraud that results from account providers who share financial data with third parties.
As Open Banking initiatives gain momentum, account providers must ensure their fraud platforms are fully fit for purpose.
These platforms must give providers the flexibility to build and deploy AI and machine learning analytics that rapidly adapt to changes in behaviour by legitimate customers, while spotting and blocking criminals.