Nordic banks should brace for a spike in fraud attempts as they work to release a new real-time payment system, according to Andrew Barnett, Nordea Bank Abp's head of fraud management and former head of retail fraud prevention at Royal Bank of Scotland Group PLC.
Speaking at InsightFinance's Payments & Fraud conference on Feb. 5 in Copenhagen, Barnett urged the banks behind P27, a pan-Nordic, multicurrency payment infrastructure due to go live in 2021, to avoid rushing into the launch and to be prepared to turn the solution back off "if we don't get it right."
"With any new technology, fraudsters will try and attack it. And your authentication solution is not going to stop it," he said.
P27 will enable banks across the Nordic region to clear payments and settle accounts within seconds. The independent company behind the solution is owned by Danske Bank A/S, OP Financial Group, Skandinaviska Enskilda Banken AB, Svenska Handelsbanken AB (publ) and Swedbank AB (publ), as well as Nordea.
Barnett based his comments on his experience heading up retail fraud prevention at RBS when the U.K.'s largest banks launched the Faster Payments scheme in May 2008. It replaced the long-established BACS system, bringing down the transfer time between banks from three working days to a few seconds.
"We went live on May 27, 2008, we were massive in the media, it looked fantastic," Barnett said. "And then it went really, really wrong."
The new system was quickly exploited by fraudsters, with online banking fraud losses in the industry increasing by 164% in less than two years after the launch.
Fraud fund recovery rates, meanwhile, fell from 45% in 2007 to 10% in 2008, and further down to 4% in 2009, said Barnett. It caused "significant damages" to the industry and the reputation of the payment scheme.
Learn from mistakes
Barnett urged the banks behind P27 and other new payment systems to learn from U.K. mistakes by putting fraud at the forefront of the agenda and taking the time needed to get it right.
"We are getting some pushback from P27, because they just want to get it out, they want to get that positive press. But we will keep challenging them on that," he said.
The lack of investment in fraud detection technology was one mistake U.K. banks made ahead of the Faster Payments release, and they were poorly prepared for the scale of attacks that were to come, according to Barnett.
At the time, RBS decided to build its own in-house solution, he said, which produced a high level of false positives and failed to sufficiently detect fraudulent payments. Barnett advised Nordic banks to look for third-party technology providers, especially given that the market has more experience with real-time fraud detection now than in 2008.
Collaboration crucial
Another mistake seen in the U.K. was the lack of collaboration between the participating banks. While they worked together to launch the scheme, the cooperation ended with its implementation, Barnett said.
"As an industry, we've just got to work together. Being able to share mule accounts, IP addresses and things like that will allow us as a community to really stop this more quickly," he said.
Barnett also highlighted the importance of spotting trends before releasing a new solution. Ahead of the Faster Payments launch, for example, RBS noticed an increase in phishing attempts and malware, which turned out to be fraudsters gathering credentials that could be used for attacks at a later point. He said the bank also experienced a significant rise in the number of new accounts being opened, another sign that fraudsters were preparing to "cash out fast" as soon as Faster Payments went online.
Finally, once the new system is live, the industry should be ready to switch it off should it face major problems, Barnett said. He hinted that the U.K.'s Faster Payments scheme could have benefited from such a move, but that, politically, doing so came with too high a reputational risk.
"As an industry, if we really do see a huge attack that we're not able to cope with, then we should be brave and honest and go out there and say 'we got this wrong,'" he said.