Managing P2P Payment Risk in a Real-Time Environment

Jun  13 
Brenda Waggoner  Senior Writer, Fiserv  

New research shows perceived security is the strongest predictor of P2P use

People appreciate convenience and access to anytime, anywhere money movement – strong value propositions for person-to-person payments. Recently released research from Fiserv shows security is also important in attracting new P2P users.

Expectations & Experiences: Consumer Payments, the most recent quarterly consumer trends survey from Fiserv, found that perceived security of person-to-person (P2P) payments – how safe people think the process is – is the strongest predictor of whether they'll use the service.

P2P payments through a financial organization are viewed as secure by 52 percent of consumers with banking accounts. But for some, nagging security concerns remain. Sixteen percent of those who don't use P2P say security concerns keep them away.

Those perceptions can be hard to change.

"People hear when things go badly, especially when consumers are victimized by scams," said Derek Swords, vice president of electronic payments for Fiserv. "They don't hear when things go well – when money moves easily and securely time after time after time."

Fiserv found 52 percent of consumers with a banking account has used a P2P service to transfer money to another person in the past year. To reach P2P's nonusers, security is critical. Here are three best practices for managing risk in a real-time P2P environment.

Implementing real-time P2P capabilities means thinking differently about fraud prevention and risk management

1. Focus on Real-Time Risk Management

Many financial institutions are establishing a real-time connection through Zelle®. As a first foray into a real-time payment environment, Swords said, it's a capability financial organizations are developing, especially as expectations in that space continue to grow.

Still, the launch of any new financial service, product or capability attracts criminals looking for new ways to defraud people.

"P2P is attractive to fraudsters and real-time P2P is even more attractive," Swords said. "Anything they believe will make it faster to get away with money will get their attention."

"Implementing real-time P2P capabilities means thinking differently about fraud prevention and risk management," Kannan Srinivasan said. The vice president of risk strategy and analytics for Fiserv said financial institutions will need to view tools, infrastructure and processes through a new lens.

With real-time payments, the time from initiation to availability of money takes seconds rather than hours or days. When all of the processing and network steps are considered, the payment must be completed within a second at most, including validation, accounting and fraud detection.

When a consumer initiates a P2P payment, the payment provider takes into account factors such as the person's device, profile change, transaction history, behavior, mobile carrier and more. Based on the data and specific risk of a transaction, financial institutions can employ step-up authentication methods such as one-time password verification or secure two-way SMS. Transactions with elevated risk can be automatically held for additional security review.

"Real-time transactions," Srinivasan said, "require real-time fraud detection and mitigation infrastructure, including security measures that reassure consumers while protecting funds."

2. Lock the Front Door

If a criminal were at your door, would you open it? Of course not. In the same way, vigilance in locking down access to account information across all channels and processes is crucial. In a real-time world, that includes online banking and new-account origination.

Fraudsters look for ways to take over customers' and members' accounts, often with online banking credentials. Once that happens, they can use any number of money-movement products. But, Srinivasan said, criminals prefer the fastest way, which is generally a P2P product.

So, how do you work to safeguard accounts without disrupting the customer experience?

It begins with onboarding. Any vulnerabilities in the account-opening process will likely be tested. Make sure the people you are bringing in are who they say they are. Robust risk management technology, tools and processes can help.

Next, review and tighten your account login process. Srinivasan said financial institutions with lower-than-normal fraud incidents employ strong login detection processes, including two-factor authentication tuned to detect any deviations from what is normal or expected. Has the user changed a password recently? Is someone using a device not associated with the account?

Criminals often use call centers in their account takeover attempts. Good security practices include careful consideration of policies and protocols for such tasks as password resets, adding new people to existing accounts and authenticating users to remove transactions or even suspend accounts.

"If I call my bank to reset my password, and they ask my mother's maiden name or last four digits of my Social Security number, that's not enough," Srinivasan said. "Fraudsters already have that information."

Help consumers understand when it’s appropriate to use P2P payments and ask them to be vigilant

3. Educate Your Customers or Members

Financial institution-based services such as Zelle are introducing new users to P2P payments, particularly older age groups. That’s likely due, Swords said, to the visibility and access of P2P payment capabilities in online banking platforms and the inherent trust most people place in their bank or credit union.

Consumers just getting used to making and receiving P2P payments may not understand how the service is different than paying by debit card, for example. New behaviors and a rapidly evolving payments space heighten the need for education of staff and consumers, including appropriate uses of P2P.

Educating consumers to take precautions when using P2P – and frequently reinforcing that message – is an essential component in preventing fraud. Safety and security messaging can be easily woven into financial institutions' consumer marketing and communications for P2P. 

P2P is about sending money to friends and family – people you know and trust. Using it in that way will enhance its security and help discourage fraudsters, especially those looking to exploit P2P's real-time payment capabilities. Services such as Zelle have safeguards and prompts in place to help prevent people from making mistakes, but consumers are responsible for the payments they make. 

"Help consumers understand when it's appropriate to use P2P payments and ask them to be vigilant", Swords said. As with any consumer payment service, educating people is the front line of defense against P2P fraud. Urge them to regularly review their banking statements and credit reports for unusual activity. If a consumer isn't expecting a payment, it's best to use caution and a healthy dose of skepticism.

Alert consumers to the perils of social engineering, which relies on manipulating people into giving up personal information. Consumers should be careful about sharing too much information online, especially financial information and data that could be used in account takeovers.

"Especially as they adjust to sending money in a new way," Srinivasan said, "remind consumers to be aware, alert and protective of their accounts."

The Security Balancing Act

Guarding against fraud in a real-time payments environment can be tricky. A wrong step and you have a false positive. A faulty step that way, and money is sent erroneously. Swords said finding the right footing is just part of doing business in an evolving payments environment.

"The techniques and risk models used two years ago are different than what we use today," he said. "Staying ahead of fraudsters is challenging, and real-time capabilities set the bar higher."