Banks need to help address scams, not just cover their assets!

I was waiting to see what others thought about the ASIC review of Australian bank responses to customer scams, in April, hoping you’d be less disappointed than I am. But I must have missed any meaningful discussion.

The ASIC review into bank customer fraud in Australia and the “Big 4”’s response preparedness is well-intentioned. Customers certainly need help in reducing the number and impacts of scams and fraud. The trauma caused is often intense and the results of these scenarios are typically long-lived and life-changing.?

Scams, and primarily digital scams, need a coordinated response across banks, telcos, government agencies and others, and it’s great to see the establishment of the National Anti-Scam Centre under the ACCC. We wait to see if it will have any teeth to make anything meaningful happen. I hope they will be open to suggestions.

The ASIC review finding, that banks don’t have joined up responses to scams across their customers and channels, is not surprising. From years working inside these and other banks, I know that any enterprise alignment is challenging and a bank’s response to customer-enabled scams can tend to be reactive and defensive (if not denialist). But the good news is that it sounds like the ASIC review may have spurred banks into getting better organised.

Customer interest groups that are looking for customer support and financial insurance are well-intentioned but may however be unrealistic in achieving the level of cover that banks will provide. But I’m supportive of the conversation, which is critical.?

Unfortunately, the ASIC review and proposal comes at the problem from the normal response for regulatory investigations… reporting. This is completely the wrong angle in looking to address customer-interaction initiated scams and fraud.?

Fix the right problem, with a broadly useful solution!

Whilst better reporting may be part of the overall approach, by the time we report data and notice scams, the money’s gone and so are the scammers. The reporting process will rarely be fast enough to stop the scam,? and the “immediate” payment mechanisms that we invested so heavily in, here in Australia (using the New Payment Platform), makes it easier to move and use the funds multiple times domestically, if not internationally.? This process is typically called “layering” in money laundering terminology.

To illustrate how we could have better thinking about addressing scams, we need to think about the whole (typically digital but also physical) scam interaction and the resulting funds transfer. A funds transfer can be broken down into 5 simple phases, architecturally called a “value chain”, which I’ve tailored to this discussion.

1. Agree the need for the value exchange (the reason for the transaction)
2. Confirm the amount, payment mechanism to be used (cash, card, account) and the involved accounts and arrangements (invoice reference, source and target accounts etc.)
3. Initiate the payment instruction using the appropriate channel and bank service
4. Clear and settle the funds between the banks involved, using a payment mechanism
5. Sort out failures, disputes and recourse, based on reporting and other interactions with the banks involved

The ASIC proposal looks to attack the problem in stage 5, after everything has happened. Trying to unpick everything that’s happened and who’s responsible for what is never going to be easy.

The review seems to imply that being able to slow or halt the payment process, in Stage 4 (make a payment), would be a good thing. Surely, that creates a massive complexity into multiple payment mechanisms that are supposed to be as efficient as possible (with all the banks being monitored on their levels of “straight through processing”).

There are suggestions in the review that complicating the payment process and the use of a Confirmation of Payee (COP) service would help, impacting stage 3 (Initiate Payment). Whilst a stand-alone COP service would be broadly useful, past history, based on Australia’s penchant of copying solutions from the UK, implies that the COP solution will be embedded in a payment mechanism, NPP most likely.

The initial problems I see with such a COP service are:

• The COP service won’t be accessible or reach the target accounts on all payment mechanisms. Scammers will look to use those payment mechanisms that don’t support this service.
• Bank accounts can be quite differently named and doing some form of account name “fuzzy matching logic” is going to be very hit-and-miss, creating a poor customer experience.
• Any non-match will just create the opportunity for more interactions between the scammer and the customer - allowing the bank to wash their hands of any responsibility.
• Any user experience impact will be on the vast majority of customers using immediate (NPP-based) payments.
• The cost and effort to include the POC impact consistently into the myriad of bank channels and interfaces is significant.
• Trying to control inappropriate use and sharing of personal data would need to be included (we had the same problem with the use of PayIDs - see later).

This solution (which was implemented with considerable expense in the UK) sounds like a poor “band-aid” if you ask me. It will just introduce massive friction into the customer payment experience, without addressing the scam itself.??

So, looking at the value chain, it would be sensible to address scams in Stages 1 or 2 for all sorts of good reasons (commercial, financial, social and mental health). The broad benefit of addressing the early phases of a transfer value chain starts to address the identification of the parties involved in all sorts of transactions (businesses, delegates and people), those that are doing the paying and being paid (invoices, arrangement, payment reference), for normal and dodgy transactions, whilst also improving trust in the payment process and reducing operational overheads for banks.?

So what do we need?

Trusted digital interactions between people and with organisations

Stage 1 is where scams get started, and there are lots of potential ways that we get fooled into agreeing to exchange value (money, information, images or anything else). Of course, we should make sure that we are interacting with known people, organisations and their delegates or (more often) “things”. So it’s reasonable to say that we need to be sure of who is involved and why. Commentators (and the review) who propose that “digital identity” (whatever you think this is) is critical for addressing scams, are quite correct; and let’s not forget that the verification of people and organisations involved can help both digital and physical interactions. But this is only part of the story.

Recently, The Age business section had a terrific description of a $25m scam [apologies, it’s subscriber restricted] where email addresses were compromised and target account details were changed for a massive payment. The fraudster had established a “legitimate” business in Australia (with a Big 4 bank account), which sounded very similar to another organisation in the US, using identity data and email access stolen from a person in Australia. The difference wasn’t picked up by the US bank when asked to initiate a payment to the Australian organisation.?

What do we take away from this story…?

• Decide how much trust you need. This was a high value transaction. It’s not necessary to have the scale of trust when buying a coffee.
• SMSes and email access are too easily compromised and used maliciously.
• Know Your Customer processes of banks are still too easily compromised and not easily tested or externalised subsequently.
• The association of people with organisations is important to be able to trust.
• Account details shouldn’t be shared without cryptographic proof and verification of ownership.
• A Confirmation of Payee (COP) solution would not have helped - any Australian solution wouldn’t support international payments originating from elsewhere and COP solutions don’t verify relationships.
• The close relationship of the organisations involved needs to be registered and provable.
• Don’t imagine that all the digital checks are joined up, technically. We need to be able to check a relationship or presented credentials, without forcing a “horror network” on everyone.
• Don’t rely on knowing information about the person or organisation. It’s more than likely available online and shouldn’t be depended on?
• Most importantly, human factors need to be understood and any vulnerabilities addressed for critical transactions (online and in person).

Whilst digital identities and, more specifically trusted and verifiable data, could be helpful, most interactions are specific. Scammers will be looking to avoid being authenticated by a trusted third party and they’ll be looking to use low trust interaction mechanisms (email, SMS, social media etc.). You need to be able to trust who you’re dealing with and, most importantly, you should be using a secure communication solution that ensures that the counterparty is who they say they are with you, continuously and especially at critical points (revalidation shouldn’t be a problem).?

Ideally, the information and credentials shared with you, to prove who you’re dealing with is who they say they are, must be cryptographically (digitally) signed to prove the information being provided…:

• Was issued by a trusted source.
• Was given to them [this is essential as scammers have typically already achieved identity theft].
• Is about them, and not someone or something else.
• Hasn’t been changed or tampered with.
• Is still valid.

Luckily, cryptographically secure and authentic solutions exist that can verify a person is who they are and that they are a delegate of a known organisation.? The best ones of these do so, without you having to ask their bank, their social media provider or even their governments. Having and sharing Verifiable Credentials (VCs) is where these “decentralised” solutions are better placed than any others to provide specific outcomes and broad adoption.?

Solutions that use VCs use global standards to align and interoperate disparate initiatives, whilst providing authenticity, integrity and confidentiality with privacy. But there are different technology options and the resulting ecosystems do need governance and operational alignment.? But VC-based solutions are real and they’re deploying across the world, with the New South Wales state government leading the way.

Identifiable and verifiable transaction and account details

We need to be able to share our details within a value transfer transaction with security, authenticity and integrity, whilst also addressing data privacy. The sort of information that will need to be shared includes:

• Agreed financial arrangements, contracts etc.
• Identification details, including our personal information and those of any organisation.
• A relationship credential that proves that we can act on behalf of someone else or an organisation.
• Bank account (card or wallet) identification information that is owned (or accessible) by me or the organisation.
• Any other trustworthy information that makes regulatory compliance easier for those involved.

The primary challenge with sharing information is that it needs to be interpretable by the recipient. That’s where data standards, the identification of different issuers and equivalence of this information, across jurisdictions, comes in.

The problem we tend to create, when sharing transaction information, is by linking or even embedding these details into the payment process. Whilst a payment may need to be linked to the transaction, the data included in a payment is visible to a lot of systems and people involved in the payment process. But that’s a whole different topic (solvable using the same verifiable credential based technology) for another time.

We thought some years ago that identifying an account using an email address or phone number sounded like a good idea. The use of a PayID “alias” has been useful as a bank account identifier, but it’s been open to scams and privacy breaches itself. The use of personal information (even if not private) just causes identity thieves to target softer arrangements and we’ve ended up with sim-swap scams and email compromise as a result. We mustn’t allow this to continue and PayIDs need to implement verifiable arrangements (preferably using Decentralised Identifiers - DIDs - and VCs) that can be shared digitally, as soon as practical.

To Conclude…

For us…?

• Only share what you really need to.
• Don’t expect information about you to be private.
• Get independent verification of who you’re dealing with - ideally from a regulator or government entity.
• Use those platforms and solutions that give you interactions that are cryptographically secure (encrypted and signed messages) between you and the other party;
• Demand an appropriate level of authentication of the other party;?
• Use a solution that authenticates the shared data using independently governed solutions.
• Demand that those involved in addressing the challenge think about it holistically

And for banks…

• Get organised and think about the scam and fraud challenge across the customer identification, interaction and channel strategy; not in the payment process.
• Stop using links in emails and SMSes - even if it seems ubiquitous, using these insecure mechanisms “grooms” insecure customer data sharing practices and expectations.
• Work out how we can stop organisation identity and organisation delegate fraud. Solutions like the vLEI from GLEIF will help.
• Use the opportunity to upgrade trust between the bank and your customers, promoting the use of point-to-point cryptographic security, on device biometrics and your own apps.?
• Give your customers something they can use widely for payment and identity purposes. A customer’s bank (account) credential can be useful for all sorts of reasons, whilst allowing this to be shared securely and specifically for a transaction - this is actually a much better confirmation of payee solution.
• Please don’t complicate or slow down the payments process. It’s the wrong place to try to fix this. Remember, there are multiple payment mechanisms (and these will be increasing in the future). Any solution should be able to be applied, irrespective of the payment mechanism used.?
• Work out how much customer scams you’re able to “cover” depending on the level of security provided by your customer solutions.?

Thanks again to ASIC for the review, but there are different and better ways to start to address scams. Let's hope we can get this moving, together.

Sezoo

#verifiablecredentials

#decentralisedidentifiers