Aussie Fraud Reporting Exchange; the Good, the Bad, and the Ugly (Truths).

Yesterday, the Australian Banking Association (ABA) announced a ‘Fraud Reporting Exchange.’ Today I unpack what that could mean, including the good, the bad, and the ugly (truths).

The Fraud Reporting Exchange (FRX) will be run through the Australian Financial Crimes Exchange (AFCX) - and hopefully that’s all the acronyms out of the way!?

To understand why this is (potentially) a big deal, you have to understand what the current process is for banks to fight fraud and scams and - importantly - share data with one another, and track and recover funds.

The Current State...

Many are billing the new FRX as essentially a way to communicate, and while it is, the implication from many that this is a first belies the fact that banks have been communicating for a long, long time.

Right now, banks become aware of fraud and scams in four ways. In order of most common to least, they are:

1. Through one of their own customers - a victim - reporting it;
2. Through their own detection and monitoring processes;
3. Through a victim at another bank reporting it, and that bank reaching out;
4. Through a law enforcement request.

In practice, 1/2/3 are all happening all the time and the rate at which they happen changes. Some banks are great at this already and would consistently find a lot of fraud pre-emptively, while others aren’t as good and rely more on customer reports (their own, and others banking elsewhere). 4 barely ever happens, or rather, it’s barely ever the FIRST indicator a bank has… and this is okay. Banks call victims, and victims call banks, and banks co-ordinate between themselves - there’s no need to involve police initially.

So,?when and how?do banks communicate presently?

There’s no uniform process, which is a part of the problem, but essentially it’s via backchannels - phone numbers and emails. There are teams at each bank that have a tightly guarded list of contacts elsewhere, and once they’ve confirmed fraud they use that to begin the lengthy and arduous process of retrieving funds that have left their institution.

This is imperfect for obvious reasons:

• Phone calls can be missed;
• Supporting this model with qualified staff 24/7 is burdensome (so many banks don’t);
• It’s mired in privacy and other legal concerns, so mostly banks will not really “talk” on these calls - there’s a few yes/no questions only that can be asked, and a freeze of any funds is a serious ask that isn’t undertaken lightly.

There’s some less obvious issues too…

• While bank A is talking to bank B, banks C through Z are none the wiser. They may have customers falling for the same fraud, or the same fraudster may be operating a separate account at their bank - and they are none the wiser.
• Fraud teams use the tools they’ve been dealt, which more often than not are a blunt instrument. Freezing one specific transaction is often not possible - and they have to apply account level freezes. This drives complaints, customer contacts, and involves a lengthy “he said, she said” discussion where the recipient of funds is asked to prove their provenance.
• If an account isn’t blocked expeditiously, then other banks whose customers may transfer to it are also at risk, and the funds can be ‘walked’ around or even offshore to make recovery that much harder.
• And yet, obviously, blocking an account isn’t an action taken lightly. Often banks have a policy of not doing it unless they’re either extremely suspicious, or they have a (formal or informal) confirmation that funds in an account will be the subject of a dispute.

If this all sounds hopelessly rigid, it can be, but honestly… the banks and their fraud teams do a pretty good job.

If you’re here to throw stones at their processes you’ll have to go through me, because the fact is, if they froze everything that “could” be fraud, Australian commerce would be stymied ridiculously.

Would you be happy for your business account to get frozen for a week because of one angry or confused customer? Even if you answer ‘sure,’ you can be equally ‘sure’ that such an imposition will lead to legal threats, AFCA Complaints, and closed accounts from difficult and costly-to-obtain customers, so it’s fair enough that banks don’t freeze all things all the time on a whim.

Putting all this aside for a moment, the other awkward part of this is… what if funds are gone? Scoffing at fraud and underestimating fraudsters has become a favourite pastime of many non-experts who demonise the banks and say they “aren’t doing enough...” but fraud culprits know their targets and often the systems they work through extremely well. Once stolen, the funds are not left well enough alone like buried pirate treasure - they're moved around, quickly, like a shell game at a carnival. Incidentally, this is why fraud and money laundering are related - this movement of funds = money laundering!

So the entreaty to "do more," for those of us familiar with banks’ internal processes, begins to sound much like the lyrics from Creedence Clearwater Revival’s “Fortunate Son...”

And when you ask 'em, "How much should we give?” Hoo, they only answer, "More, more, more, more!"

So - how could the FRX help?

As with so many initiatives, it really depends on implementation.

If this really is just a comms platform, which is competing with the already-near-real-time communication banks have via phone, then it’s fair to say this won’t disrupt very much. Early trials suggest it makes time to investigate faster and retrieve funds with less argy-bargy for fraud teams. This isn’t nothing - time is of the essence when you’re looking to freeze funds, and the easier their lives are the more fraud they might catch - but if that’s all it is, it’s not?that?exciting.

On the other hand, the opportunity is there for this to be extremely disruptive.

What if it’s essentially a database of securely stored account details and transactions, where ‘red flags’ are crowd-sourced, that banks can build into their detection systems?

Let’s play this out.

Right now, if customer A calls Bank A and reports a scam, where they sent funds to Customer B at Bank B,??this is what happens:

Bank A tries to call Bank B, and eventually succeeds. It’s then up to??Bank B to apply a block to that account - which they may or may not do. In the meantime, Banks C, D, E and so on have no clue that the account at Bank B is suspect - nor that the Customer B may be a fraudster (either hiding behind a stolen identity or acting through a so-called ‘mule’).

What if customer A’s complaint - even unresolved - was able to be shared with other financial institutions? They may be able to screen for relevant payments and place a 48 hour hold on processing them, flagging to their customers the potential fraud and giving a much-needed buffer for investigation.

If the banks all subsequently clear their concerns, there’s no real harm, but if they prevent the transactions AND Bank B’s customer is a fraudster, they’re no longer reliant on them applying a block to have prevented the loss. It isn’t overstating it to say that in fraud, minutes and hours count; it’s often the case that funds scammed on Thursday are gone by Friday.

This opens up a few exciting possibilities, which we’ll now talk about…

The GOOD

Alongside the immediate uplift you might expect from crowd sourcing your intelligence - allowing sending banks to take that much-championed “protector” role much more effectively - there’s a few other great things which flow from this.

For one, you can build rules which automatically take into account this fraud intelligence and remove the cost burden of employing bank workers 24/7 - or plug the gap in coverage for banks which don’t currently have this.

For another, the shared dataset presents significant opportunities for machine learning adoption. The problem with machine learning is that it’s a bit like a child raised by wolves - it only knows the things it’s seen. So, much as you wouldn’t expect a wolf-child to make their bed or do their homework straight away, a machine learning model trained only on one bank’s data will not be effective at predicting fraud that occurs in a wider ecosystem. The opportunity here for public/private collaboration is significant, especially if as some predict we’re moving toward a future where transactions are shared en masse via API (as already happens, albeit via manual or batch upload, with all international transactions and cash transactions at financial institutions which have a value of over $10k).

And lastly, another great thing about this data sharing is that, together with an industry code in development right now which should stipulate how much exactly banks have to do in terms of proactive detection, this will finally put to bed the idea that “banks aren’t doing enough.”

That said, if you believe in fairy tale endings you’ll be sorely disappointed- this is no silver bullet. Fraud and scams will still happen, and they’ll even still happen at scale and with some tragically large losses to individual victims. Which brings us to…

The BAD

We’ve already touched on this, but even totally real time communication once a fraud or scam is detected is not going to solve everything - because of the inbuilt delay, and the fact that nothing and no-one is perfect (except my lovely wife, Mrs Raven).

Fraud and scams are like an illness of the financial system, so it’s fitting to look to the medical industry for illumination of these points.

If you design a system that functions perfectly - seamless, real-time communication between medical specialists - will all preventable deaths be prevented?

Of course not. Even the most immediate referral from doctor to specialist to hospital won’t always help, especially if patients don’t present until they’re in the advanced stages of an illness… and even if they come in early, recognising signs through education campaigns, everything cannot function perfectly. Surgeries go wrong, illnesses are misdiagnosed, accidentally sub-optimal treatments result in unfortunately sub-optimal results.

It’s bizarre that we recognise and allow for this, conceptually, in medicine where the stakes are literally life or death, and yet cannot do the same when it comes to financial crimes…

There’s other issues too, which are less to do with timeframes and more to do with parties - specifically, those left out. FinTechs.

This initiative, while fantastic, doesn’t currently seem slated to extend beyond “banks” which is a problem for 2 reasons.

Firstly, FinTechs generally sit on a treasure trove of data, and some of them have world leading detection strategies that would make for excellent signals here. Failing to include them would be a missed opportunity of tragic proportions.

But secondly… fraudsters are like sand. They get in all the cracks. If you make bank to bank fraud harder, without strengthening the system overall, you don’t “solve” the issue - you push it to another sector. Fraudsters won’t throw their hands up and quit, they’ll start using FinTechs for receiving and dispersing their ill-gotten gains.

This opens up several alarming possibilities, each almost as bad as the last.

1. FinTechs and crypto exchanges - both of which are often faster, cheaper, easier than banks already - become a preferred fraud and money laundering avenue, en masse. Congrats, you just upgraded the bad guys from guns to lasers.
2. As a result of this, or even in fear of it, banks ‘red flag’ FinTech accounts. Freedom to transact is limited, competition impeded, innovation is punished.
3. Many FinTechs have one single collection account for their entire pool of customers. I’m not defending this practice, which is extremely imperfect, but it’s legal so long as the customer and entity funds are segregated. And freezing, black listing, or slowing down transfers to this account, impacting ALL customers, due to one customer being the subject of a fraud investigation… well that’s not great.
4. Putting aside FinTechs, this is extremely similar to many merchants and businesses - again a point I referenced earlier. If you receive many legit transfers into your account from different parties, this is a potential sore spot.

All these outcomes are potential negatives and pitfalls of the FRX, but they don’t even touch upon what it won’t deal with at all. Which brings us, finally, to…

The UGLY Truth

There’s far more reasons to proceed than there are to allay, especially when banks are under fire for supposedly “not doing enough” (insert eye roll here), but it’s worth noting issues that this won’t and can’t fix.

For instance, many frauds operate by co-opting the victim (or even many victims, such as a mule to help you launder funds). When this happens and it causes a delay in reporting, which is virtually every time, the best laid plans fall down. In fact, banks currently DO detect a LOT of fraud that victims assure them isn’t fraud… until much later when it turns out it was. At that stage, the horse has bolted and the victim unlocked the gate. It’s only the truly unreasonable that advocate for BANKS to be held accountable for the subsequent equine decline - and the FRX won’t really help in these situations.

Similarly, this won’t really solve for the “high end” frauds… it will absolutely frustrate the “one scammer scamming many victims for $1000” scenario, but not so much the “one victim losing $300,000” scenario. This is because a “clean” account, or a new willing mule, is easy enough to come by, and fraudsters with a willing and cashed up victim will soon realise that an untarnished account works best. And so, while the aggregate amount of fraud may or may not change, what won’t probably go down is the average loss per victim. In fact, I’d bet the opposite, and that it’ll be cold comfort for those losing their life savings to say “ah, but the economy overall is better off!”

Note, for those who accuse me incorrectly of having no sympathy for victims - this is where those industry standards can come in. A bank missing an out-of-character and rapid transfer of a huge portion of a huge amount of a retiree's wealth, for instance... they may very well have a moral case to answer. Of course, that's if they haven't done that ever elusive 'enough...'

Aside from the scale and adaption of fraud and fraudsters, there’s also several items that are contingent not only on the FRX itself, but how participants use it’s data. One example: if the FRX operates based on account number (which it may), or if it goes further and yet some banks wrongly focus only on that data (which I’m willing to bet at least some will), that leaves the door quite open. What about one “bad guy” opening 100 accounts and receiving 100 separate fraud payments - 1 per account? None of those would be prevented if account details are the sole focus, and unfortunately for everyone really, fraudsters are nothing if not experimental.

Another issue with the banks and participants themselves is that, for better or worse, fraud isn’t always a clear cut “us vs them” calculation. There’s a touch of the prisoners dilemma at play here, which will have some impact, sometimes. For instance, will a bank that has both the sender and recipient self-report this? There’s an argument that they should - for the greater good and to put others on notice that the recipient is sus, and the victim perhaps vulnerable. But when they don’t stand to benefit directly from this, and indeed may have the idea that the more accounts they list the worse they appear to other stakeholders… will they? I’m willing to bet that some will, but all? Hmmm. Giant corporations don’t have the best record of telling on themselves, so we’ll see.

Lastly, and this isn’t necessarily bad but it sure is ugly - this will underscore the paramount importance of KYC. Each of the scams and frauds perpetrated through an Aussie bank account constitute a breach of sound KYC, if not technically then at least in spirit. How poorly this is done by many institutions in Australia is a shame, and the benefit of fixing it would be to stem the flow of far more illicit funds than just ‘fraud.’

So then you’re against it?!

Au contraire, mon frère! This piece isn’t remotely intended as an attack on the FRX, the ABA, Aussie banks or the AFCX - it’s a good idea. And it?could?be great.

But it’s never a bad idea to caution against taking media releases at face value, or to advise against half hearted implementation; where the tyre meets the road is where things either stay on track or go horribly wrong.

Realistically and ultimately, there really is no “solving” fraud and scams - there’s just getting to a point we can all live with. As a matter of practicality, that has to include some personal accountability - eschewing that and constantly attacking the banks is a fools game, especially when it’s done without a single clue about what they already do (hint: a lot).

And, somewhat ironically, selling FRX as a magical cure-all and preaching the end of scams in the land down under is about as correct as selling snake oil for baldness…

I don’t know about you, but I’m here to fight scams - not tell fairy tales. FRX is a start, but not the end.

By Luke Raven - views all my own.