The real-time-payments (RTP) revolution in the Middle East is gathering steam. ACI Worldwide’s recent Prime Time for Real Time report predicts the United Arab Emirates’ RTP volume will rise from 1.2% of overall transaction volume in 2021 to 6.4% by 2026, and from 3.2% of non-paper transactions to 10.4% inside the same period. This trend will be accelerated in part by the UAE Central Bank’s implementation of its Instant Payment Platform (IPP) next year.
The UAE’s GCC neighbors are already reaping the benefits of RTP. Saudi Arabia’s Central Bank’s debut of real-time transaction platform Sarie in April last year led to payment volumes of 175 million and estimated cost savings of US$23 million across businesses and consumers, as well as US$166 million in additional economic output. Bahrain, an established RTP market, saw 142 million real-time transactions in the same year, with cost savings of US$39 million and economic impact of US$246 million. And currently, the Central Bank of Oman is preparing the groundwork to support linkages between its Real-Time Gross Settlement (RTGS) system — the principal payment platform of the Sultanate of Oman — with the cross-border payment systems of the Gulf Cooperation Council (GCC), as well as the wider Arab region.
These are the right kinds of impact. But around the world, the flip side of the growing popularity of RTP is emerging — fraud. And among RTP practitioners, APP (authorised push payment) scams are coming to the fore as the greatest threat. APP fraud schemes follow the social-engineering techniques used in phishing cyberattacks to trick victims into sending real-time payments to con-artists. Unfortunately, in such scams, one of the greatest advantages of RTP becomes the greatest weapon of the fraudster. RTPs are, by their nature, settled payments, which means all clearing has occurred and they are not subject to dispute or reversal. So, by the time a targeted individual or institution discovers they are a victim, it is already too late.
Time for reflection
Analysis of RTP schemes show more mature markets to be the hardest hit by APP scams, and the trend indicates that these offenses may soon surpass card-related fraud as the greatest source of losses. In the Middle East, RTP is just gathering momentum, so the region’s businesses and consumers are less-tempting targets for criminals. However, as we have seen, the future for real-time transactions is looking bright here, so it is only prudent that we take steps to ensure the con-artist’s future is not equally bright.
Headlines from other parts of the world point to losses far in excess of the average card fraud. As RTP moves funds directly from bank account to bank account, scams can often result in the loss of life savings. And since real people initiate real payments from their own accounts, APP fraud is notoriously difficult to flag and stop. But the sooner efforts are initiated, the sooner banks and authorities can begin the journey of continuous improvement that is needed to thwart the criminals.
The cautionary tales of other countries give the GCC and wider Middle East a head start. Real-time payments infrastructure must include the capability to monitor both outbound and inbound payments because this is the only way to identify and shut down the mule accounts that serve as intermediary stations between the victim and the criminal. Shutting down the mule accounts severely hampers the scaling of scams since it takes considerable time to set up replacements.
Time to change
In addition to ensuring that activity can be monitored, industry regulators and RTP providers must consider the question of liability. Consumers will not use RTP systems for long if they think their life savings can evaporate without hope of redress. Where regulation is lagging, banks must at least be able to demonstrate their monitoring capabilities (which will also improve their ability to comply with regulations when they are eventually introduced). In any event, the issue remains — APP fraud is invariably committed using the RTP provider’s products and services. If only for the sake of economic progress, regulators are bound to hold the provider responsible for any losses.
So, having established the challenges and the risks, what is the solution? Providers must blend advanced technology with a new risk-oriented culture. Enterprise-level risk-management solutions can now be hosted in the cloud or provided as managed services. They are built for the risk landscape described above and allow banks to rapidly demonstrate prudence. Meanwhile, RTP providers’ risk-oriented cultures will necessarily give way to a community-led approach to dismantling fraud networks. The insights of many participants will be of vital importance to any technology solution that tries to find patterns in criminal behaviour. Federated machine-learning use cases are gaining acceptance as banks and regulators find ways of sharing information without violating customer privacy. Today, it is possible to access real-time information pools, leading to more accurate fraud signals, all without exposing underlying data. Machine learning algorithms rely on rich, expansive, representative data sets to train effectively, so the combination of internal and external sources is critical for complex outputs such as the identification of a mule account.
This network intelligence approach also allows individual branches of banking groups to be benchmarked for the frequency with which they are targeted and the particular kinds of fraud that occur using their RTP infrastructure. This information can be used to guide the development of new controls — such as additional authentication or even slowing down the customer experience — to allow payers more time to complete the process and assess the risks.
Time is money
Regional banks have something that their global peers never had — time. Time to consider the ramifications of fraud on the ongoing acceptance of nascent RTP services. Opportunities for economic growth may be squandered if APP scams are allowed to take root as they have done elsewhere. The adage of “a stitch in time saves nine” is eminently applicable here.
