Banks need to address scams, not just cover their assets!

I was waiting to see what others thought about the ASIC review of Australian bank responses to customer scams, in April, hoping you’d be less disappointed than I am. But I must have missed any meaningful discussion.

The ASIC review into bank customer fraud in Australia and the “Big 4”’s response preparedness is well-intentioned. Customers certainly need help in reducing the number and impacts of scams and fraud. The trauma caused is often intense and the results of these scenarios are typically long-lived and life-changing. 

Scams, and primarily digital scams, need a coordinated response across banks, telcos, government agencies and others, and it’s great to see the establishment of the National Anti-Scam Centre under the ACCC. We wait to see if it will have any teeth to make anything meaningful happen. I hope they will be open to suggestions.

The ASIC review finding, that banks don’t have joined up responses to scams across their customers and channels, is not surprising. From years working inside these and other banks, I know that any enterprise alignment is challenging and a bank’s response to customer-enabled scams can tend to be reactive and defensive (if not denialist). But the good news is that it sounds like the ASIC review may have spurred banks into getting better organised.

Customer interest groups that are looking for customer support and financial insurance are well-intentioned but may however be unrealistic in achieving the level of cover that banks will provide. But I’m supportive of the conversation, which is critical. 

Unfortunately, the ASIC review and proposal comes at the problem from the normal response for regulatory investigations… reporting. This is completely the wrong angle in looking to address customer-interaction initiated scams and fraud. 

Whilst better reporting may be part of the overall approach, by the time we report data and notice scams, the money’s gone and so are the scammers. The reporting process will rarely be fast enough to stop the scam,  and the “immediate” payment mechanisms that we invested so heavily in, here in Australia (using the New Payment Platform), makes it easier to move and use the funds multiple times domestically, if not internationally.  This process is typically called “layering” in money laundering terminology.

To illustrate how we could have better thinking about addressing scams, we need to think about the whole (typically digital but also physical) scam interaction and the resulting funds transfer. A funds transfer can be broken down into 5 simple phases, architecturally called a “value chain”, which I’ve tailored to this discussion.

The ASIC proposal looks to attack the problem in stage 5, after everything has happened. Trying to unpick everything that’s happened and who’s responsible for what is never going to be easy.

The review seems to imply that being able to slow or halt the payment process, in Stage 4 (make a payment), would be a good thing. Surely, that creates a massive complexity into multiple payment mechanisms that are supposed to be as efficient as possible (with all the banks being monitored on their levels of “straight through processing”).

There are suggestions in the review that complicating the payment process and the use of a Confirmation of Payee (COP) service would help, impacting stage 3 (Initiate Payment). Whilst a stand-alone COP service would be broadly useful, past history, based on Australia’s penchant of copying solutions from the UK, implies that the COP solution will be embedded in a payment mechanism, NPP most likely.

The initial problems I see with such a COP service are:

This solution (which was implemented with considerable expense in the UK) sounds like a poor “band-aid” if you ask me. It will just introduce massive friction into the customer payment experience, without addressing the scam itself.  

So, looking at the value chain, it would be sensible to address scams in Stages 1 or 2 for all sorts of good reasons (commercial, financial, social and mental health). The broad benefit of addressing the early phases of a transfer value chain starts to address the identification of the parties involved in all sorts of transactions (businesses, delegates and people), those that are doing the paying and being paid (invoices, arrangement, payment reference), for normal and dodgy transactions, whilst also improving trust in the payment process and reducing operational overheads for banks. 

So what do we need?

Stage 1 is where scams get started, and there are lots of potential ways that we get fooled into agreeing to exchange value (money, information, images or anything else). Of course, we should make sure that we are interacting with known people, organisations and their delegates or (more often) “things”. So it’s reasonable to say that we need to be sure of who is involved and why. Commentators (and the review) who propose that “digital identity” (whatever you think this is) is critical for addressing scams, are quite correct; and let’s not forget that the verification of people and organisations involved can help both digital and physical interactions. But this is only part of the story.

Recently, The Age business section had a terrific description of a $25m scam [apologies, it’s subscriber restricted] where email addresses were compromised and target account details were changed for a massive payment. The fraudster had established a “legitimate” business in Australia, which sounded very similar to another organisation in the US, using identity data and email access stolen from a person in Australia. The difference wasn’t picked up by the US bank when asked to initiate a payment to the Australian organisation. 

What do we take away from this story…?

Whilst digital identities and, more specifically trusted and verifiable data, could be helpful, most interactions are specific. Scammers will be looking to avoid being authenticated by a trusted third party and they’ll be looking to use low trust interaction mechanisms (email, SMS, social media etc.). You need to be able to trust who you’re dealing with and, most importantly, you should be using a secure communication solution that ensures that the counterparty is who they say they are with you, continuously and especially at critical points (revalidation shouldn’t be a problem). 

Ideally, the information and credentials shared with you, to prove who you’re dealing with is who they say they are, must be cryptographically (digitally) signed to prove the information being provided…:

Luckily, cryptographically secure and authentic solutions exist that can verify a person is who they are and that they are a delegate of a known organisation.  The best ones of these do so, without you having to ask their bank, their social media provider or even their governments. Having and sharing Verifiable Credentials (VCs) is where these “decentralised” solutions are better placed than any others to provide specific outcomes and broad adoption. 

Solutions that use VCs use global standards to align and interoperate disparate initiatives, whilst providing authenticity, integrity and confidentiality with privacy. But there are different technology options and the resulting ecosystems do need governance and operational alignment.  But VC-based solutions are real and they’re deploying across the world, with the New South Wales state government leading the way.

We need to be able to share our details within a value transfer transaction with security, authenticity and integrity, whilst also addressing data privacy. The sort of information that will need to be shared includes:

The primary challenge with sharing information is that it needs to be interpretable by the recipient. That’s where data standards, the identification of different issuers and equivalence of this information, across jurisdictions, comes in.

The problem we tend to create, when sharing transaction information, is by linking or even embedding these details into the payment process. Whilst a payment may need to be linked to the transaction, the data included in a payment is visible to a lot of systems and people involved in the payment process. But that’s a whole different topic (solvable using the same verifiable credential based technology) for another time.

We thought some years ago that identifying an account using an email address or phone number sounded like a good idea. The use of a PayID “alias” has been useful as a bank account identifier, but it’s been open to scams and privacy breaches itself. The use of personal information (even if not private) just causes identity thieves to target softer arrangements and we’ve ended up with sim-swap scams and email compromise as a result. We mustn’t allow this to continue and PayIDs need to implement verifiable arrangements (preferably using Decentralised Identifiers – DIDs – and VCs) that can be shared digitally, as soon as practical.

For us… 

And for banks…

Thanks again to ASIC for the review, but there are different and better ways to start to address scams.