Will Regulation Drive Action? Reimbursement and Liability in Online Scams, A Conversation with Ken Palla, Retired Director, MUFG Union Bank

S1 E29 · Scam Rangers
443 Plays · 11 months ago

In this episode we take a look at the activity around regulation with regards to online scams in the US, UK and Australia, following comprehensive analysis done by Ken over the last year. The overall outlook is pretty positive. We see a lot of good attention, especially in the UK, and we are optimistic about the future of protecting consumers. However, there is still a lot more to be done.

To learn more about Ken and his work, follow him on LinkedIn: https://www.linkedin.com/in/ken-palla-09b585/


This podcast is hosted by Ayelet Biger-Levin, who spent the last 15 years building technology to help financial institutions authenticate their customers and identify fraud. She believes that when it comes to scams, the story starts well before the transaction. She has created this podcast to talk about the human side of scams, and to learn from people who have decided to dedicate their lives to speaking up on behalf of scam victims and who take action to solve this problem. Be sure to follow her on LinkedIn and reach out to learn about her additional activities in this space. https://www.linkedin.com/in/ayelet-biger-levin/ ScamRanger: https://scamranger.ai/

Transcript

Preventing Money Mule Accounts in Banking

00:00:00
Speaker
They had a tool, and just with that, they found money mule accounts. And there's other ways on account opening that you can find things. You know, bot detection, credential stuffing. I mean, they're almost like certain things should just be mandated that should just be standard controls.
00:00:17
Speaker
That's where the FFIEC used to be so good at that. And then they just, I don't know what's happened, but the last guidance they came out with, I thought was very watered down. It didn't even address scams and that had been occurring and there was nothing said about

Gaps in the Banking Ecosystem

00:00:31
Speaker
it. Receiving bank, nothing.
00:00:32
Speaker
We have a responsibility to have a sound banking ecosystem. And I think we have some gaps in that today. And it has to do with consumers, has to do with consumers losing money. And I'm not saying here that we reimburse them. I'm not going into that one.

Introducing ScamRanger: A Tool Against Scams

00:00:48
Speaker
But we can definitely have more controls to help mitigate these.
00:00:53
Speaker
This episode is brought to you by ScamRanger. ScamRanger enables you to empower your customers to protect themselves against online scams. Go to scamranger.ai to learn more.
00:01:09
Speaker
Scam Rangers, a podcast about the human side of fraud and the people who are on a mission to protect us. I'm your host, Ayelet Biger-Levin, and I'm passionate about driving awareness and solving this problem.

Ken Palla on Financial Fraud Developments

00:01:27
Speaker
Today's Scam Ranger, Ken Palla, is a veteran in the financial fraud management space. He's already been a guest on the show at the beginning of the year. And I'm so excited to have him on today to close out the year with me. Hi, Ken. Welcome back to the podcast. Thank you very much. Always fun to be here. So as I mentioned, Ken was already a guest on the podcast, episode five, unpacking the regulatory landscape around online scams.
00:01:57
Speaker
And today I wanted to invite Ken to have that conversation again, because a lot has happened in the last year. So before we dive into details, Ken, I would like for those who haven't had a chance to listen to episode five, if you can just briefly give us a little bit about your background and your experience in the financial space and in particular online fraud and scams.

Online Security Management at MUFG Union Bank

00:02:20
Speaker
Sure. So I'll talk about my online security space. All that other stuff goes back decades. But since 2005 to 2019, I was at MUFG Union Bank. And there I managed online security for both retail and commercial users. And that had everything to do with identifying gaps in our security, finding solutions, selecting vendors, implementing the vendors, and continuing that cycle again every year, analyzing where we had gaps, and finding new products again.
00:02:50
Speaker
I retired in early 2019 and I've been consulting about maybe 20-30% of my time for some banks and a lot of vendors. And a lot of what I've been doing is writing. So it's been kind of fun for me because when I worked I never had a chance to write. So I've been writing a lot of white papers and blogs with a particular focus in the scam space. So looking at what the scams are.
00:03:13
Speaker
how the regulators are dealing with them, what type of results we're seeing as a result of this very serious pain point. So a lot of the writings, some of you who are listening to this may have picked up some of the blogs that I've put out through a number of different vendors. So it's been fun for me to kind of do this in-depth research and know much more about an area than I did when I was actually working full time.
00:03:38
Speaker
First, actually, before we get into the conversation about the evolving regulatory landscape, one of the questions that I wanted to ask you, and I know that full disclosure, I guess, we've both been involved to some extent in the scams group within The Knoble. I think you had more involvement than myself, so we can talk about that too. But we know that there are many numbers floating around with regards to the size of the problem.
00:04:05
Speaker
The FBI reported $10.2 billion worth of scam losses. The FTC reported $8.8 billion in fraud scam losses. In the UK, the numbers are different. I think the numbers that we see are 485 million pounds lost to APP fraud, so authorized payments alone.
00:04:29
Speaker
And the Global Anti-Scam Alliance actually took a different lens. Instead of relying only on reported scams, they actually did a proactive survey asking those under-reported scam victims as well and concluded that it's over a $1 trillion problem globally.
00:04:47
Speaker
And my question is,

Challenges in Scam Reporting Taxonomy

00:04:49
Speaker
one of the complaints I've been hearing from various outlets, be it social media, be it banks, is the lack of unified taxonomy. So when law enforcement talks to a financial institution and when a social media company talks to a telco, they're not talking necessarily about the same thing.
00:05:07
Speaker
because of the lack of common taxonomy. And I know there has been some attempt by FedNow and The Knoble that we mentioned and PayUK and other global and local organizations to define a unified taxonomy. Where are we with that?
00:05:23
Speaker
So first off, I want to make one comment on the numbers that you threw out. One of the big problems with what is the right amount, the dollar amount of fraud scams out there in the US around the world, is the fact that most people get embarrassed when these occur and they don't even report them.
00:05:39
Speaker
So when you see these numbers that are reported scams, like the 8.8 billion or the 10 billion in the US, that's people who reported in that this happened to them. But there's a whole bunch of people who don't report because they're just clearly embarrassed about what's happened to them. And many people lose a lot of money. You tend to think of
00:05:57
Speaker
two or three thousand dollars, but think about seven hundred thousand, two million dollars. So that's one thing. It's very difficult to say. So that one trillion dollar number, that to me strikes as being a little bit on the high side, and what's the assumption there, I don't know.
00:06:12
Speaker
You know, we have all these numbers floating around and because the specific reports were done to these organizations, but when we have the need to really understand the size and the growth, it's not only what the current number is, right? It's how, what is the trend and how is this growing? The fact that we also need to take action with the scams requires some common taxonomy around

UK's Scam Reporting vs. Other Countries

00:06:36
Speaker
the scams.
00:06:36
Speaker
So taxonomy, that's a difficult thing. The Federal Reserve came out with some taxonomy, the fraud classifier a couple of years ago, but it didn't include scams. So it was really more about the unauthorized payment transactions, and that's what their taxonomy was all about. Now, they've been clarifying that in the last 12 months. Mike Timoney and some others at the Fed have pulled together people back together and said, look, we need to really get taxonomy on scams.
00:07:03
Speaker
So they've been working on that. I don't think they've finished that off yet. You're right, at The Knoble I did put some taxonomy together that basically, you know, details it out. But country to country, it's going to be different. Probably the best example is in the UK because there's more reporting on scams.
00:07:23
Speaker
The whole thing about scams, these authorized push payments, and by that I mean bank impersonation scams, police impersonation scams, romance scams, investment scams, all of that falls under the authorized push payment scams in the UK. That's been a problem and it's been focused, a big spotlight for probably the last four or five years. As a result, there's more reporting on what these scams are. So I think that's one country you can go to
00:07:51
Speaker
and then they have a good reporting of the various categories. Elsewhere, it's still kind of a gray area. They talk about scams in general. When the FBI puts out its IC3 statistics, it'll talk about romance scams, investment scams, and maybe impersonation scams, but still kind of at a higher level. So it is a challenge
00:08:13
Speaker
to have common taxonomy and it's also a challenge to understand the amounts. I think what's clear, there's no doubt in my mind, the scams continue to grow.

Industrialization of Scams in Southeast Asia

00:08:24
Speaker
Now you ask, why do they continue to grow? Well basically what we've seen is the industrialization of the scam process and I do mean industrialization. So as an example, if you go into Asia, some countries like Cambodia, Thailand,
00:08:40
Speaker
You actually have large compounds, and even the UN reported that there might be hundreds of thousands of scammers in those countries. But you also have to understand many of these scammers are victims. It might have been a young woman in Indonesia who was going to Cambodia because she saw a job advertisement that was going to make her some decent money being in Asia. And so she gets there, they immediately take her passport, and they basically imprison her in this scam compound.
00:09:08
Speaker
And so these people doing the scamming are scammed themselves, tragically so. Yeah. And we definitely talked about this with actually a couple of episodes ago with Cezary Podkul, who's a ProPublica reporter. He published a few articles about this topic and talked about these trends and how this industrialization has flourished in Southeast Asia. And that's definitely something that
00:09:36
Speaker
will be interesting to see how these are tackled. Because one of the things that I know that the UK government and Australian government have both announced is these programs to actually defeat financial scams by taking action. And one of the pillars of that is pursue fraudsters. So with that industrialization of fraud, it's going to be really interesting to see how we drive
00:10:05
Speaker
global collaboration and I think that's why taxonomy that is global will also matter.
00:10:11
Speaker
Well, and to be fair, there have been some recent large-scale arrests in Asia, some certain Chinese crime organizations and so on. So we are starting to see governments take effect. But unfortunately, there's a fair amount of corruption in some of these countries. And so I think a lot of it still exists. But there have been some actions taken. That is part of the pillar of the UK government fraud strategy, is to actually embed people in different countries to help with that process.
00:10:40
Speaker
The UK is definitely putting a focus on going out after those people. And we've seen that in the US with the FBI. So I have to say there have been a number of well-reported arrests around the scam area in the last 12 months. But I think it's still a growing problem. We just still have people
00:11:01
Speaker
You know, these scams, they start at the basic level. I mean, I will still get text messages that will say, hello, or say, hey, I'm looking forward to golf this weekend, or I really enjoyed last weekend. And you get a lot of consumers who go,
00:11:16
Speaker
Gee, I want to be nice. I want to tell that person they've mis-sent their text message. Well, that's the hook. Once you do the response, the fraudster then puts the hook in and some percentage of the people get on a journey, whether it's weeks or months, winds up costing them tens

Zelle's New Policy on Impersonation Scams

00:11:34
Speaker
of thousands of dollars. And it happens again and again and again.
00:11:37
Speaker
You get the robocalls that come in, you know, the call, it's the Chinese Embassy is calling or the FBI is calling about a scam that your bank is involved in and they're here to help you. And I just heard one the other day of a person lost, an elderly person lost about a hundred and sixty thousand dollars on one of these FBI impersonation scams, even to the point of they went to their local bank branch over, I believe it was a six-week period,
00:12:07
Speaker
and did nine withdrawals.
00:12:10
Speaker
same bank, but different branches of cash totaling about 160,000. Now to me, I was going to say the irony, but I would think I'll change it. It's the weakness of that financial institution is they could not detect that this was an anomalous transaction, an elderly person, and $165,000 withdrawn over, I believe it was a six-week period, again, across multiple branches of the same bank. So that's the kind of problem that we're facing.
00:12:39
Speaker
It's a difficult one. It's a very difficult one to address. It's not simple to solve. So let's actually look at the responsibility and liability that financial institutions are facing in certain places of the world. Let's start with here in the US. Last year, there was a Senate hearing in September. We talked about it here as well, where a number of US senators
00:13:04
Speaker
kind of cracked down on financial institutions, demanding them to provide numbers around Zelle fraud and also take action. And as a result of that, the Zelle network took responsibility and there's an initiative that was kind of top secret, but actually published in articles in November this year, where in June they started to reimburse customers for scams. We'll talk about the details of that in just a second. And then November suddenly hit the news. I was told at the time that it's
00:13:34
Speaker
that it's kind of kept secret because of they didn't want cyber criminals to know about it or they didn't want first party fraud. But the problem was that consumers didn't really know about it and they couldn't come and ask for that reimbursement. And it's very unclear what is being reimbursed. So can you share a little bit about that, how it's evolved and what do you think is the breadth and depth of this policy compared to the overall scam landscape in the US?
00:14:02
Speaker
OK, so a little bit of education first for the audience. So when we talk about scams and fraud, we've got two types of financial transactions. We have an unauthorized payment transaction, which is fraud. And that transaction is done by the fraudster. So they maybe get your credentials, user ID, and password, and they do the transaction online against your account.
00:14:23
Speaker
That's an unauthorized payment transaction. Then you have scams, which is an authorized payment transaction, and it's the customer actually doing the transaction. So in the situation of a romance scam where you're falling in love with somebody and all of a sudden they need some money, you, the consumer, the customer of the bank, does the transaction. And that's an authorized payment transaction.
00:14:48
Speaker
Now, when we look at what happens, typically, if it's an unauthorized payment transaction, a transaction done by the fraudster

Fraud vs. Scam Transactions: What's the Difference?

00:14:56
Speaker
in the US, that will typically fall under Reg E. And with that, Reg E means reimbursement to the customer.
00:15:04
Speaker
and the Consumer Financial Protection Bureau about 12 to 18 months ago came out with some additional clarifications of when you should really be reimbursing under these unauthorized payment transactions. A lot of detail, I won't go into it, but suffice it to say, it helped to clarify for bankers that there was more reimbursement even under Reg E that they should be doing.
00:15:26
Speaker
When it comes to the authorized payment transactions, there is no regulation in the United States and most other countries about any kind of reimbursement other than today in the UK, which we'll talk about later. So that's kind of some of the education. Now we come back to talking about Zelle. So you're right, back in September of 2022, Senator Elizabeth Warren and a number of other senators
00:15:50
Speaker
had chief executives of banks in for like a general update on things. And I don't know if that was specifically about fraud, but fraud was a big topic in that conversation. And so
00:16:03
Speaker
As a result of that, about two months later, Zelle itself announced that it was going to come up with some form of a reimbursement policy. And now we know as more information has been provided in the past 12 months and most recently just in the past few weeks,
00:16:21
Speaker
It's a reimbursement for impersonation scams, which could be a bank impersonation scam. It could be a regulator impersonation scam, but it's only under certain circumstances, which again, too much detail to get into today. But just to suffice it to say,
00:16:38
Speaker
Zelle will reimburse on certain impersonation scams under certain circumstances. Now, Zelle is also trying to be careful about first party fraud, which we know exists. And clearly as an analogy in the e-commerce space, we see a lot of first party fraud where people are just down on their luck, whatever, and they realize they can
00:16:57
Speaker
you know, mouse the e-commerce company. So first party fraud is something we always worry about. Now when you look at Zelle, I don't have all the numbers here, but Zelle has been phenomenally successful with the amount of transactions they're doing on an annual basis. Considering they just started a few years ago, phenomenally successful, they say that 99.9% of all transactions are good and clean.
00:17:22
Speaker
And you can sit back and say, that's pretty good. But it also means that 0.01% are either fraud or scams. And when I do the calculations, I come up to maybe there's about 400 million per year in scams, or what I will say up to 400 million per year in scams. We don't know because Zelle doesn't report actual customer losses, actual bank losses. They don't break it out between fraud and scams, as I defined previously.
00:17:52
Speaker
But it's no doubt that with that bank hearing, you know, within months, lo and behold, there is this announcement. Now, the other thing we don't know is that how much are the banks actually reimbursing under their new criteria, and therefore how much of an impact it is for consumers. And I don't know that we'll know that.
00:18:13
Speaker
and how much impact it is for banks too. Kind of how painful is the pain for financial institutions. And also what's unique about this reimbursement mandate is that the receiving banks are the ones on the hook and liability for reimbursement. And one thing that I read recently and it would help me if you clarify is that they talk about their ability to claw the money back. But what happens if they can't claw the money back from the beneficiary because it's instant payments.
00:18:42
Speaker
If there's no issue, they will

StudCo's Lawsuit and Bank Liability Issues

00:18:44
Speaker
get it. The receiving bank is on the hook 100% for any of these impersonation scams as defined in these internally written procedures that Zelle and only Zelle has. But if it's determined that it is an impersonation scam under the rules, the receiving bank will pay the money. As far as I know, there's no issue of what if they don't.
00:19:09
Speaker
So we're talking about impersonation scams, authorized payment. Uh, what, what about beyond that? You know, we, we know we're talking about a $10.2 billion and up to 400 million. And I know that 10.2 includes other forms, not just authorized, but there's a huge gap still. And the question is what about other forms of payments of, you just gave us an example of someone who went to a bank and took money, you know, to cash out and use that money or,
00:19:38
Speaker
There are many, many types of scams that don't happen even electronically, not to mention ACH wire transfers, things like that. So what is the broader scheme here that goes to protect customers and consumers? Well, if you think about this, you have a couple of different payment rails. You have faster payments, you have ACH.
00:20:00
Speaker
You have wires, you have taking cash out of the bank. You could also be going to the ATM and withdrawing cash, but you're kind of limited there as to how much you can do. But all that really doesn't matter because in the United States, there's no regulation for reimbursement for any kind of scams, these authorized payments. So it doesn't matter how it's done for either the consumer
00:20:23
Speaker
or for a commercial entity. The one thing I will say is on the consumer side, there is some regulation about elder abuse. So if you're over a certain age, banks should be paying more attention and they have additional obligations to protecting that customer. So in that example I gave before of this elderly woman, 78, I have to watch out because I'm getting close to that, but I'm not elderly, just they are.
00:20:48
Speaker
but an elderly woman who's 78, the bank has additional responsibilities. So in that case of where there was 160,000 withdrawn over nine times over a six-week period, one has to look at that. I'm not the attorney, so I'm not gonna comment too much on it, but I would simply say that there's a difference in that case for someone who's 78 versus someone who might be 20 or 30. And so in those cases, there will be some amount of reimbursement because of improper
00:21:18
Speaker
management or procedure associated with an elderly individual. But it's under the elder abuse, not under Reg E. And one other case that I found really interesting that is also not mandated for reimbursement under any regulation is a case that was recently brought to court with a business email compromise. And that was reimbursed. So can you tell us a little bit about that?
00:21:43
Speaker
Okay, so this is basically, the case is called StudCo versus First Advantage Federal Credit Union. And this is a business email compromise. This is commercial. And so this is typically the case where the business will receive an email saying, hey, this is Bob from XYZ Company, and we're changing our account. So when you send us payments for the invoices, you need to send it to a new account. So what happened was the business email
00:22:10
Speaker
was compromised. Either from the corporation side or the vendor side, there was a compromise, and the bank, the business, didn't do proper controls, and they just accepted the email, and the next several times they sent the invoices to this bogus account, which happened to go in this case to a federal credit union, and they lost about six hundred thousand dollars.
00:22:32
Speaker
And so first they probably said, geez, I'm going to try and get this money back. So let me look at the sending bank, which is the bank for Studco. And they probably looked at that. And I don't know the facts, because it's not in the case. But probably that bank called Studco and said, hey, we're seeing some anomalous transactions here. Can you confirm? Are these legitimate? Should we let them go through? And Studco probably said, yeah, we've looked at that. That's all fine. So that initial bank, the sending bank, did their responsibility.
00:23:01
Speaker
They questioned it and they were told, probably by Studco, to send the money, which they did. So Studco attorneys, again hypothetically, probably looked at that and said, we have no claim there.
00:23:14
Speaker
But wait, and kind of for the first time, they said, let's look at the receiving bank. Maybe they made some mistakes in their security, and let's see if we can get the money from them. So they did sue the receiving bank, and they did do discovery. And lo and behold, they found there were a lot of errors on behalf of that receiving bank. And so they identified them in discovery. They had an expert come into court and say, yes, here are the 10 or 15 different things that the credit union did not do properly.
00:23:45
Speaker
Um, and so as it went into, as it went to the court case, the decision was that the receiving bank, the credit union was liable for the entire amount plus some additional penalties. So six, $700,000. Now at this point, it's being taken to the next court. And so it's, it's the fourth court of appeals now is reviewing the case.
00:24:09
Speaker
So right away, the credit union said, I'm going to appeal this. And in the appeal, you also have friends of the court briefs from the Clearing House, TCH, and also NACHA, which is the ACH Management Company, if you will, in the United States. So those two entities are coming and saying, wait a minute. The initial court made a number of mistakes in this. And according to TCH and NACHA, it was like a joint brief.
00:24:37
Speaker
They're basically saying the receiving bank has no responsibility to the customer of the sending bank because of ABCD in the UCC regulations. Again, won't get into all of that, but that's still a pending appeal. And so my guess is the next couple of months, because all the filings have been done, we'll see a decision on that.
00:25:02
Speaker
How do you think this case, regardless of the results really, but the fact that we're actually looking and saying, hey, you made these mistakes. Maybe you don't have to repay the customer, but you did make the mistakes. How does that impact the responsibility that both sending and receiving banks will have in light of the evolving scam landscape for business and consumer banking?
00:25:27
Speaker
So again, I'm not an attorney. I don't know what the outcome is actually gonna be, but I will say, let's just look at a couple of different ways. If it's upheld,
00:25:35
Speaker
that the credit union must make the payment to Studco. This will open the door to a number of other business email compromise cases and also consumer cases. So romance scams, investment scams, pig butchering, there's some big dollars there. They're not all 10, $20,000. Some of them are $700,000, $2 million. I think you will see a lot more lawsuits go in if this is upheld. We're already seeing some of this in Canada.
00:26:01
Speaker
where they've had some recent court cases and they've been looking at the obligations of the bank and where they see that the bank has not performed correctly, they're finding the bank at fault.
00:26:15
Speaker
in one case at fault for another BEC case up there, but also on a consumer case, a Chinese embassy impersonation case, where they basically said the sending bank didn't provide enough warning to the customer. And in this case, therefore, the lawsuit can go forward. So it wasn't adjudicated yet, but they said there's enough possibility there that this is a credible case.
00:26:42
Speaker
That's what I think will happen, but it's going to be a very interesting case. The TCH made a very strong argument about why this should be thrown out, and they went back point by point and talked about the UCC and all the things in the UCC that make payments going back and forth between banks exist as they do today in the high volume that they do.
00:27:06
Speaker
Again, I'm not a lawyer, but they did a very detailed job of like a 40-page response, you know, friends of the court kind of a thing. So we'll see. I think it's a very important case, and I think probably soon it will be adjudicated one way or the other.
00:27:22
Speaker
but it is a clarion call to receiving banks that you need to get your act together because the reality is most receiving banks have no controls around what I would call receiving bank scam activity. What we know in the vernacular as the money mule account. To be fair, the very largest banks in the US I think are doing a pretty credible job in that space, but once you go beyond that,
00:27:50
Speaker
It's pretty lax, I believe. Now, you may have seen just maybe a week ago now, Navy Federal Credit Union came out or there was a report that Navy Federal Credit Union found 50,000 money mule accounts from their existing customers. So customers of Navy Federal Credit Union basically received money to make their account be available as a money mule. That's a very big, stunning number.
00:28:20
Speaker
But I think the bottom line point is, and this is one of my points for this year, in 2023, this is the year of the receiving bank needs to wake up and look at their controls. Now, part of the problem is, if you talk to a bank, they go, I spend money for my controls under certain criteria. Number one, am I losing money?
00:28:42
Speaker
The receiving bank does not lose money in a money mule case. So the answer to that, am I losing money? Answer's no. Number two, is there regulation to have these types of money mule account controls? And the answer, sadly, very sadly, is no. The FFIEC, the Consumer Financial Protection Bureau, they're ignoring it. So I don't lose money and I don't have regulation, I'll spend my money elsewhere.

Improving Controls Against Money Mule Accounts

00:29:11
Speaker
Sometimes you'll change that when you start to get sued because, again, the Studco case against the Federal Credit Union, if that holds, that's gonna be a big wake-up call. There's also just the responsibility, if you're in the banking ecosystem, any financial institution should be doing the best they can to make the ecosystem reputable. The fact that we have thousands and thousands of money mule accounts shows we have a major gap
00:29:40
Speaker
in the protection and the reputation of the banking ecosystem because these money mule accounts are one of the primary reasons we have so many scams and our customers losing money and it's not being reimbursed. You can put a big underline to what I just said there. Wearing my consumer hat.
00:30:01
Speaker
I think that brings another good point, right? Because there's what is today in legislation and what their liability is today, but there's also planning for the future. And if we want to plan for the future, all we need to do is cross the pond to the UK. So let's shift the conversation there.
00:30:20
Speaker
And we've seen in the past that things that start there, because that's where the sophisticated cyber crime or cyber fraud starts and then gets to the US. So I think the impacts have been there, the faster payments have been there earlier, started much earlier than in the US. So there are controls that they are putting in place right now.
00:30:42
Speaker
Maybe it's a question if we expect to see that in the future here. But before we get into that, let's talk about what's happening there. So what we know about the UK is, first of all, they have had a voluntary reimbursement code since 2018 where some financial institutions participated and reimbursed customers for some cases of authorized fraud. And then recently, in the last year and a half, there have been conversations where the payments
00:31:07
Speaker
systems regulator has introduced new legislation, which now we know is going to be in effect in October 2024. It's going to be fully enforced. And that actually talks about faster payment, many cases of authorized push payment, not just bank impersonation scams.

UK's Mandated Scam Reimbursement Legislation

00:31:28
Speaker
So one of the questions that I wanted to ask you is, you know, what is going to be covered or moreover, maybe what is not going to be covered? Because I know there are some exceptions and some cases of vulnerable customers. So what are the limitations around reimbursement? And also, how does the split of reimbursement between the sending and receiving bank play out and what are some challenges? Okay, so first off, it is correct that the
00:31:56
Speaker
It will be a mandatory reimbursement for authorized push payment scams, probably around October 2024. And it will be a split 50-50 between the sending and the receiving bank. So this is the second time in 2023 we've heard about the receiving bank being on the hook. Prior to 2023, we never heard anything about the receiving bank. And the UK regulators are saying, look, both sides are at fault. On the receiving bank, you've got the money mule account. So we're going to hold you accountable for that.
00:32:26
Speaker
clean it up because that's where the payments, that's 50-50. That's where the money's going, yeah.
00:32:33
Speaker
It's where the money's going. Now, as far as what's being covered, again, in the UK, it's incredibly broad. It's impersonation scams, it's romance scams, it's investment scams, all of those kind of things. It's not if I bought my dog, that's not covered. But it also does cover, there's a couple of other entities that cover, but for this conversation, let's just say it's consumer plus a few other examples, but it's very broad. And the breadth of that we see nowhere else in the world.
00:33:04
Speaker
Nowhere, nowhere else in the world. So they are very broad in the UK. It does come into effect. They're gonna have a lot of reporting and they want to get it, and it's gonna be, the initial voluntary program that's been going on for the last couple years was just for like maybe the top ten banks. This is now gonna be everybody. So this is a big deal. I
00:33:24
Speaker
Absolutely. And what are some exceptions? What is not covered? Obviously, first party fraud is not covered. Well, yeah, your main thing is your first party fraud and also a lot of some of your purchasing activities. So if you're purchasing things, that's that becomes certainly if you're buying a dog, that's not covered. The big dollars are impersonation, romance and investment scams, pig butchering. Those are the really big dollars. Those are all covered. But it's up to a certain dollar amount, which is still being defined.
00:33:52
Speaker
So it's not going to be like $2 million. It might be 300,000 pounds, 400,000 pounds, something like that. There are some limits, but again, you also have to take into account elder. So there's exceptions, positive exceptions for elderly people again. Not just elderly. I think vulnerable populations is broadly defined. It's vulnerable. Yeah, they have, you're right. They have a term vulnerable, which is very broad.
00:34:18
Speaker
What's really interesting about the UK is that they've been working on the framework of vulnerable population in banking for a very long time. It's not new. Right. But it's very broad. It might be 20, 30% of the banking customers are vulnerable.
00:34:32
Speaker
So it's a very different definition. I don't think we have such a definition in the US. We have elder, but not vulnerable. But their definition of vulnerable is very broad, and it's another one of those things. How do you know what it is? So maybe somebody who's ill is vulnerable. If you have cancer, as an example, you would be considered a vulnerable customer. So if you have cancer or some other medical situation and one of these scams occur, but you're only 40,
00:35:00
Speaker
the bank has to take that into account as to kind of what they're doing. In May 2023, I think we mentioned this already, the government, the Home Secretary led this three pillar strategy for attacking and
00:35:15
Speaker
defeating financial scams in the UK. The first pillar is pursue fraudsters, which we talked a little bit about in collaborating globally. The second one is block fraud, which I wanted to dive into now. And the third one is empower people. And I think the last two are really interesting. So when it comes to block fraud, how specific are they in how financial institutions and other players in this space should actually take action to block fraud?

Fraud Prevention Measures in UK and Australia

00:35:40
Speaker
Well, they have some prescriptive things like confirmation of payee, which is something which is when you're sending money from the sending bank to the receiving bank, you need to check, you know, the name matches or comes close on the receiving bank side. And so it'll come back saying no match, perfect match, or somewhat a match.
00:35:58
Speaker
And so that's helpful for scams, but it's also helpful for erroneously sent money. So maybe you fat finger the account you were sending the $25,000 to. So confirmation of payee definitely helps on erroneous sends as well as the scam side. So that's one of the key ones.
00:36:18
Speaker
You know, there's some other ones. I don't have them right in front of me now, but the PSR has definitely been more prescriptive on controls. I will say that. But I will also say when you talk about the three pillars, maybe this is a time for me to bring in a little of this other stuff where the government is recognizing that the telcos and the platforms, the internet platforms have a role in this to play.
00:36:44
Speaker
And so we also have another bill called the Online Safety Act, which was passed in November, no October of this year. So Ofcom is the regulator for the telecommunications world. And they are also, they've come out with a consultancy saying, look, we have now been charged based on this online act to protect children on the internet.
00:37:13
Speaker
and also to protect consumers from being defrauded. And so they're starting to come out. They have a consultancy on what they are going to mandate in that space to address this new online act that came out. That's in a consultancy stage, but they'll be mandating things. And if you don't follow them, there will be penalties. So what the UK is doing is getting into the penalty game. This is what we want you to do, but if you don't do it, we will get your money.
00:37:43
Speaker
Now, that's on the Ofcom for this bill that I mentioned that just came out. The other part of this is the UK government and 11 internet companies got together and they have the online banking charter. This is voluntary, but the charter signees, these are people like Microsoft, TikTok, LinkedIn, folks like that, Facebook, some big players,
00:38:10
Speaker
Right. And I just wanted to just these players are really important because we've heard actually once regulation was announced for liability for financial institutions, immediately financial institutions such as TSB turned to Meta and said 80% of scams come from Meta platforms, according to what our customers are reporting. So it's really important to see that Facebook, Instagram, you know, LinkedIn, and other players are in this online fraud charter.
00:38:40
Speaker
Well, and also as an aside, once the banks had to start to pony up the money, they started to add more controls. So when you start to put this focus on it, and what that highlights is, these banks probably should have been adding these controls before. And this is like a warning message to US banks. Even though you're not responsible for the loss, that doesn't mean you shouldn't be putting in controls to help mitigate these losses and prevent them.
00:39:05
Speaker
Thanks for closing the loop on that because that's exactly, I wanted to get your thoughts on that. But before we do that, tell us more about the online fraud charter. What specific actions are they looking to advocate for? Well, they're basically looking to identify on these platforms fraudulent activity and shutting it down.
00:39:24
Speaker
So if you're seeing a fraudulent ad, immediately shut it down. Identify it and shut it down. So anything that looks like it's fraudulent on these platforms, they're voluntarily agreeing to help identify that and take it down. There's other things. There's reporting and stuff like that. But that's the big thing, is to do that. And that's so helpful. Now again, it's voluntary. And they just signed it, so it's going to take six months.
00:39:53
Speaker
before they put something in place to kind of watch and see how that is. But I will tell you an example of that if I can switch over to Australia for a second. I know you've got to focus, but I've got to bring these things in. In Australia, the Australian government's been putting a serious push on preventing scams as well. And the Australian government, I forget which entity it is, which regulator, but they've actually been going out and identifying bogus investment websites and shutting them down.
00:40:22
Speaker
So the customer doesn't have a loser, someone who's been scammed, who's lost money, doesn't have to complain first. The Australian government, if they see them, they will shut them down.
00:40:35
Speaker
That's what we need done. And I know in the US, there's a guy, Gary Warner. You probably know Gary. He's down in Birmingham, Alabama, I believe. And he's at a college, and he's got his students working as cybersecurity people. And he identifies thousands of bogus investment sites, but he can't get anybody to take them down because the first thing in the US is someone has to report a loss based on that website before it can be taken down.
00:41:03
Speaker
Well, just think of all the losses and all those thousands of cloned websites. Australia's taking a different view. They go, if we find it, we're killing it. And coming back to the UK, that's what they're asking these platforms, these internet platforms to do. As you see things, as we see things work together with the banks and other people, as you see things, take them down, and that's going to really help.
00:41:27
Speaker
What is the scope of that? Is that limited to activity that is somehow connected to the UK and the citizens of UK? Yes, it's a UK agreement. So it's between the UK government and these 11 digital platforms. So it's focused on the UK. US governments, take note.
00:41:46
Speaker
When you say US government, take note, you've hit a real weak spot from my perspective. I think the US government is asleep these days. All the stories that we're going to talk about until you shut me off and say, it's time Ken, I got to go get ready for Christmas. We're going to talk about the UK, we're going to talk about Singapore, we're going to talk about Australia, and we're not going to talk much about the US.
00:42:09
Speaker
The only group in the U.S. that's somewhat trying to do something is the FCC, but there's a lot of, I believe, opposition on behalf of the telco entities to not make major headway. Now, they would disagree with what I've just said. They will say we're doing tremendous amounts, but I still get the scam messages. People still get the robocalls. YouMail reports on millions of robocalls. We're not addressing it properly in the U.S. from a telco perspective and also from a regulatory perspective.
00:42:39
Speaker
I think the regulator Consumer Financial Protection Bureau is waiting and at some point they're going to come up with a statement or they're going to come up with a directive that says you have to reimburse for authorized payments, but that's not part of Reg E.
00:42:54
Speaker
And I don't know how effective that will be. And of course, the CFPB is also currently under a court case at the US Supreme Court about are they being properly funded and should they even exist. And so to some degree, I think they're waiting for that decision at the US Supreme Court before they get more aggressive on trying to reimburse. But in the meantime, we should be more aggressive on mandating controls.
00:43:18
Speaker
And that's something the CFPB can do, the FFIEC can do, and we're just not doing it. We're staying asleep on controls that would be helpful in this. And so the US is not a good example. The US is just not a good example of being the leader they used to be in the online space. If you go back to 2011 and so, they were the leader. They were doing more than anybody else. And it's just not happening now.
00:43:46
Speaker
So what happened? I know that you mentioned earlier Senator Warren and Markey were leading these initiatives. Are they satisfied with the action that early warning systems and the Zelle
00:43:59
Speaker
They have been very quiet lately, as far as I can see. I think, like I say, as a result of what did take place, you did get Zelle coming up. But again, I don't know how much of that potential, my hypothetical, up to 400 million in scam losses per year in Zelle. I don't know how much that's covered. But remember, you also have Venmo. You have Cash App. Zelle isn't the only one. They're owned by the banks, and they get a spotlight. But you've got Venmo. You've got Cash App. They're all out there. They're all being scammed.
00:44:30
Speaker
I think you have to put, at minimum, you can require more controls on people, and if they don't provide them, then you can start to fine them. So you can make it painful. And that's what we saw in the UK, is that until it was a financial pain point, even the UK banks did not put in some of the more serious controls you see today.
00:44:51
Speaker
Financial pain wakes people up. Sad, sad to say that, but that's the reality. So how to, but now we go back to the beginning of our conversation, if we don't have sufficient reporting
00:45:05
Speaker
And we know again that many people are not reporting. So we don't even know the collective size of the pain. We know enough. We know enough that it's serious. And even if you take $8 billion in the US or the 454 million pounds in the UK or the 2 to 400 million Australian dollars, we know it's enough. So how can we explain the fact that there's no outrage about handling this?
00:45:33
Speaker
I'm surprised, I'm surprised in the US that more people haven't gotten on the bandwagon to put it, and I think it's, I don't know if people don't understand it, from my standpoint, if I was sitting there as a regulator, first thing I'd focus on would be the receiving bank side, and I would put require controls around online account opening and money mule

Need for Standard Controls in US Banking

00:45:55
Speaker
accounts. I would mandate that, and I would manage these banks, and if they don't do it, I would fine them.
00:46:01
Speaker
That would be number one. On the sending bank side, there's more things that could be done as well. I mean, I've seen one example. I just saw, I'm writing some other papers, and so I just had a snippet where an Australian bank was saying, using behavioral biometrics, they identified 2,000 money mule accounts. Well, that's significant.
00:46:23
Speaker
They had a tool, and just with that, they found money mule accounts. And then there's other ways on account opening that you can find things. You know, bot detection, credential stuffing. I mean, they're almost like certain things should just be mandated that should just be standard controls.
00:46:40
Speaker
That's where the FFIEC used to be so good at that and then they just, I don't know what's happened, but the last guidance they came out with I thought was very watered down. It didn't even address scams and that had been occurring and there was nothing said about it. Receiving bank, nothing. I don't know why it is, but I will say
00:47:00
Speaker
that this is where we're falling down. I've been in banking for a long time, so I'm sure people will want to come after me after what I say. But we have a responsibility to have a sound banking ecosystem. And I think we have some gaps in that today. And it has to do with consumers. It has to do with consumers losing money. And I'm not saying here that we reimburse them. I'm not going into that one.
00:47:24
Speaker
but we can definitely have more controls to help mitigate these. Again, coming back to that woman who withdrew $160,000 in cash. Nine times over six weeks, where was the bank? And maybe there's more to that story, but just from what I heard, it's like we missed the boat there. Maybe the first one happens of the nine, but all nine?
00:47:46
Speaker
And I 100% agree. And I think what happened was this great regulation that had come out earlier in 2006 and 2011 did provide a lot of guidance around account takeover fraud and new account fraud. But once the banking systems have become so great about protecting the banks against that, the criminals turned to the
00:48:09
Speaker
weakest link, which is the human, and now banks need to take a different approach and they need to empower their customers to protect themselves and put in many, many controls like you mentioned.
00:48:19
Speaker
Right, they turned to the human because the banks did put better controls on, but the other thing that's important is most of these losses are over the faster payment rails. In the UK, the authorized push payment losses, 97% is over the faster payment rail. It's not the other rails, it's a little bit. 97% is faster payments.
00:48:41
Speaker
So the faster payment rail is a banking rail. It's because of the banking rail that the fraudsters are able to scam the customers and move the money over these faster payment rails. So it's still a banking payment rail and there just needs to be more protection around it.
00:49:01
Speaker
I mean, these losses are severe for the consumer. We haven't talked about that, how it affects people. It may be cause, it may be their retirement money. It may be they lost their house. It may be they commit suicide. And you've talked to some of the people in the UK. You've had some conversations with some women there. I forget their names right now, but they're very vocal and very focused on this. And we haven't talked about the emotional side of this in this conversation, but that's very real and you can't lose sight of it.
00:49:31
Speaker
I mean, it's very, a lot of pain comes to these people who lose this money, and it can be smart people, people that may be elderly. I mean, I'm here in Santa Clara County, or near Santa Clara County, in Silicon Valley, and executives lose money to pig butchering. They might lose a million dollars. So it's these people, they just get their
00:49:53
Speaker
They get hooked on this stuff and it's very costly for a lot of people. And it's the young, it's the old, it's the smart, the not so smart, the elderly, people who might be sick and maybe recently divorced, some things in their life has gone upside down. A lot of reasons, but I think there's more we can do. And we are seeing, in my mind, we're seeing some good examples. I'm seeing some interesting things in Australia now where they're taking
00:50:22
Speaker
the robo calls and robo texts much more seriously than I think any country. And they're actually fining some of the providers. I mean, I'm gonna give you one quote here if I could. Let's see if I can find this. So this has to do with the ACMA as the regulator in Australia. And it's called the Australian Communications and Media Authority. And they recently took action against Vonage
00:50:47
Speaker
because I'm just going to read this. They allowed more than 11,780 non-compliant SMS messages to be sent, which included almost 3,400 scam texts impersonating businesses. So that's Vonage, and they fined them for that. They also found Twilio, which is a really big company in the telco world. Twilio was also found to have inadequate systems in place to comply with the ACMA rules.
00:51:13
Speaker
Now they didn't identify scam messages, but they found inadequate systems and they fined Twilio. It could be a loophole for these scam messages. Yeah. Yeah. So the Australian regulators are going after these people and say, look, if you don't clean up what you're doing, I'm going to fine you again and again and again. Yeah. And they're about to come out. They just came out with a consultancy where they're going to mandate on banks, telcos and internet platforms to do certain things.
00:51:42
Speaker
to protect the customer. And it's going to be mandated regulations across all three of those players. I think in summary, I would say we just talked about three geographies. We talked about Australia, US, and UK. And what I would say is that the governments in the UK and Australia care about solving this problem. And we don't see that right now in the US.

Global Scam Prevention Efforts

00:52:07
Speaker
And that has to change. Right. I couldn't agree more.
00:52:13
Speaker
Well, Ken, this is Christmas time, so I'm gonna wrap this up. Thank you so much for the great insights you shared with us today and all the informative updates about the evolution of the regulatory landscape around scams and the action that different governments are taking. I am very inspired by the UK government and I hope that things will get up to speed here in the US as well as we embark on
00:52:42
Speaker
2024. And I think we can leave on a positive note. There are good things happening. You know, as we look at these different examples around the world, so I'm optimistic on some of the things that I see. Yes, we need to see more, but I am optimistic at the positive changes that have occurred in the past 12 months. That's great. Well, happy new year and thank you so much for coming to be a guest on this podcast again. And happy holidays to you as well.
00:53:17
Speaker
This episode is brought to you by ScamRanger. ScamRanger enables you to empower your customers to protect themselves against online scams. Go to scamranger.ai to learn more.