Adoption of ISO 20022 benefits nearly everyone: central banks, banks, clearinghouses and even financial users. Everyone, that is, except fraudsters.
And that’s good news, because right now criminals may seem to be winning the cybercrime war. The FBI’s Internet Crime Complaint Center said cybercrime cost the U.S. a reported $6.9 billion in 2021. Of that, business email compromise (BEC)/email account compromise (EAC) complaints accounted for adjusted losses of nearly $2.4 billion.
With BEC/EAC, criminals trick accountholders into sending funds to a compromised or impersonated account. In an instant, the money is gone. And there’s often little recourse or chance of recovery.
What needs to change?
Data plays a critical role in preventing and detecting crime. More is better.
Cybercrime perpetrators can flourish by leveraging weaknesses in proprietary messaging standards for payments. For example, strict character limits make it difficult to clarify payment beneficiaries. For fraudsters, less information traveling with a transaction means there are more opportunities to deceive payers and payees.
And speed benefits fraudsters, too. Since payments are moving faster, fraud can move faster, making it more difficult to detect fraudulent activity.
ISO 20022 can help crack down on payment fraud and cybercrime by increasing information flow and coordination between parties. For example, the new messages raise the number of characters banks can use to send remittance information from approximately 100 to nearly 9,000 characters.
Proof it works
Financial institutions have a responsibility to check (sometimes double- and triple-check) that money is being exchanged legally between parties. To do so, beneficiary banks need more information to understand the intended recipient (and the intended purpose) of a payment. Contextual data fields within ISO 20022 support stronger verification.
In the UK, the Faster Payment System runs on ISO 8583, which allows up to 18 characters in a beneficiary’s name. That is certainly not enough data to verify the recipient of a large sum of money with confidence. In 2020, Confirmation of Payee (CoP) was introduced to confirm payee details. Fraud dropped significantly in institutions that used CoP.
According to published reports, Lloyds Banking Group saw a 31% reduction in scams among customers who used the service. After two years, Lloyds research showed that transactions sent without CoP were up to 100 times more likely to be reported as fraudulent.
More support comes from the Netherlands. The Dutch version of CoP, SurePay, launched in 2017. By conducting billions of name checks, the Dutch reduced fraudulent IBAN payments by 81%. They also saw a 67% drop in misdirected payments.
Name-checks (and other data verifications) don’t take lots of time to be effective. Increased due diligence may take as little as 0.1 second longer.
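An added example, not part of the original article and not any payment scheme's actual matching logic: it shows how two different payees become indistinguishable inside the 18-character name field mentioned above, and how a name check against the full account-holder name tells them apart. The company names, the three result labels and the 0.85 similarity threshold are constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

FPS_NAME_LIMIT = 18  # beneficiary-name length the article cites for ISO 8583

# Constructed sample data: the payee the payer intends, and the real holder
# of the account number the payer was given.
INTENDED = "Northgate Building Supplies Ltd"
ACTUAL_HOLDER = "Northgate Building Services Ltd"

def normalize(name):
    """Strip accents and punctuation, case-fold, collapse whitespace."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = "".join(c if c.isalnum() else " " for c in text.casefold())
    return " ".join(text.split())

def truncation_collisions(names, limit=FPS_NAME_LIMIT):
    """Return groups of distinct names that are identical once cut to `limit`."""
    groups = {}
    for name in names:
        full = normalize(name)
        groups.setdefault(full[:limit], set()).add(full)
    return {key: sorted(v) for key, v in groups.items() if len(v) > 1}

def check_payee(entered, holder, limit=None, close=0.85):
    """Compare the name the payer typed with the account holder's name.

    `limit` simulates a fixed-width name field; None compares full names.
    The labels and the `close` threshold are illustrative assumptions.
    """
    a, b = normalize(entered)[:limit], normalize(holder)[:limit]
    if a == b:
        return "match"
    if SequenceMatcher(None, a, b).ratio() >= close:
        return "close_match"
    return "no_match"

if __name__ == "__main__":
    print("18-char field:", check_payee(INTENDED, ACTUAL_HOLDER, FPS_NAME_LIMIT))
    print("full names   :", check_payee(INTENDED, ACTUAL_HOLDER))
    print("collisions   :", truncation_collisions([INTENDED, ACTUAL_HOLDER]))
```

With the short field the two names compare as identical, so the mismatch only becomes visible when the full names are checked.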
Tighter Connections Tighten Security
Having fewer characters doesn’t necessarily mean a payments messaging scheme is insecure. But it does lower confidence. There is less data to interrogate and more opportunities for fraudsters (or typing errors) to misdirect money.
Even non-ISO organizations like Nacha agree that greater and better information-sharing can counter fraud. Nacha’s updated risk management framework is largely built around coordination and sharing data.
More data per transaction results in greater visibility and fewer opportunities for fraud. Market infrastructures with more data per transaction (like ISO 20022) will become harder targets for fraud, while clearings with low volumes of data could become easier targets. (Criminals may be smart, but they prefer the easy jobs.)
What’s the point of being interoperable, faster – and easier for criminals to use? Moving to the global standard of ISO 20022 delivers many compelling benefits. Stronger fraud protection is near the top of the list.