#8: Online Payment Fraud Prevention: PSD3 & PSR, AI and beyond

Show notes

In recent years, online payment fraud has been on the rise, with increasingly sophisticated attacks posing growing threats to consumers and financial institutions alike. This new environment represents both a defining challenge and a critical opportunity for the fintech industry. The regulatory landscape is adapting accordingly, as the Third Payment Services Directive (PSD3) and the Payment Services Regulation (PSR) introduce stronger obligations and expectations around fraud prevention for payment service providers operating in the EU.

This episode unpacks the implications of these reforms, alongside the evolving role of AI in both enabling increasingly sophisticated fraud and powering the defences against it. The conversation explores how financial institutions are adapting to a new generation of fraud threats, from social engineering to AI-generated attacks, and what the next wave of prevention technology looks like within an increasingly demanding regulatory framework.

Host Miroslav Duric is joined by Dan Holmes, VP of Product at Feedzai, an AI-native platform focused on fraud and financial crime prevention, to share insights on the challenges and opportunities of tackling online payment fraud in an era of regulatory reform and rapid technological change.

Show transcript

00:00:02: Hello and welcome to another episode of Fintech Stories, a Taylor Wessing podcast exploring the latest legal and regulatory developments, trends and hot topics in the fintech sector from across the globe.

00:00:12: I'm Miroslav Duric, Senior Associate in our Financial Services Regulatory Practice based in our Frankfurt office, and today's episode will be discussing one persisting and evolving challenge sitting at the heart of the global payments industry: fraud prevention and online payments, by looking at some of the most recent regulatory developments in the EU, the role of artificial intelligence,

00:00:32: and what the future holds for the industry.

00:00:35: I'm very pleased to be joined today by Dan Holmes, Vice President of Product Planning and Strategy at Feedzai, a Lisbon-based AI-native platform focused on fraud and financial crime prevention.

00:00:46: Dan, welcome to this show.

00:00:47: Could you tell us a few words about yourself and what you do?

00:00:51: Thank you very much for having me and giving me the time to have the conversation.

00:00:56: So Dan Holmes, VP of Product Planning and Strategy at Feedzai, based out of the UK.

00:01:03: I've been at Feedzai for coming up to five years now, but my background has been fraud and financial crime prevention for the last ten to fifteen years.

00:01:11: So originally cut my teeth, Miroslav, at Lloyds Banking Group in the

00:01:14: UK,

00:01:15: that's the largest consumer bank in the UK, around a twenty-five percent market share, and I did, uh, a variety of different things there

00:01:23: in the fraud space, from analytics to strategy to operations. And actually the last role that I had there was leading on a bunch of projects that were intended to begin outsourcing a lot of the fraud technology.

00:01:36: So in the past, a lot of banks have decided to build their own technology natively

00:01:41: in-house. Lloyds are one of the first to start exploring

00:01:46: that means of outsourcing,

00:01:47: so bringing in vendors that could profile device, look at behavioral biometrics, operationalize AI and machine learning in a more meaningful way.

00:01:58: And through virtue of some of those relationships and some of these conversations, I moved from the banking side, or the practitioner's side, onto the technology side.

00:02:06: So then spent around three to four years at a company called LexisNexis Risk Solutions, where your users will be hugely familiar with... and then recently moved on to Feedzai.

00:02:17: So my role today focuses on a couple of things.

00:02:21: One is the forward look of the product direction.

00:02:24: How do we continue to ensure that

00:02:26: we're building things that have a strong impact in market and are designed to really solve those end user problems, that I'm sure we'll dig into today.

00:02:35: And then secondly, once those things have been developed, how do we message those things in the market in a way that hopefully resonates with our customers and helps our customers and helps banks around the world recognize the value that can come from the

00:02:47: Feedzai products. Great.

00:02:50: Thank you, Dan. So let's kick off with today's episode.

00:02:55: So in recent years the growth of digital finance and online payments has been nothing short of transformative, hasn't it?

00:03:03: Seamless and instant payment experiences have become pretty much a new reality for all of us when shopping online or using our mobile wallets for payments while traveling.

00:03:16: At the same time, this rapid digitalization has created a highly attractive environment for fraudsters.

00:03:22: The shift to remote interactions and increasing sophistication of social engineering techniques have made online payments particularly vulnerable concept which aims to strengthen security and reduce fraud rates in payment sector.

00:03:50: For those of you less familiar with the concept, strong customer

00:03:53: authentication is a mandatory security process that requires online payments to be validated by payment service providers, so your bank, based on at least two of the following three authentication factors: something the user knows, for instance your password; something the user has, for instance a token or your mobile phone; and something that the user is, for instance a fingerprint or Face ID.

00:04:16: If you remember that push-up notification popping up from your phone when you initiate a payment transaction, that's pretty much seeing strong customer authentication in practice.

00:04:26: While this had a measurable impact on certain areas,

00:04:28: online payment fraud practices have not dropped or disappeared, have they?

00:04:33: Instead, they've sort of adapted and become more nuanced.

00:04:38: Dan, now from a practical perspective, how do you see developments in the fraud prevention space?

00:04:45: Yeah.

00:04:45: So you're absolutely right, Miroslav. Strong Customer Authentication and PSD2 was a meaningful step forward for the industry, but it was very much designed with a particular fraud problem in mind, which is the concept of unauthorized fraud, or what you might call account takeover.

00:05:02: So if Dan compromises Miroslav's credentials or his card or whatever it might be, I can use those credentials to try and monetize, either by logging into your online banking portfolio, executing a payment to a new beneficiary that I have control over.

00:05:17: So PSD2 and SCA were very much designed with that type of fraud in mind, because the idea, as you said, is if I compromise your credentials, I might be able to log into your account,

00:05:25: but then when I'm challenged to pass a push notification or an SMS OTP, I haven't got Practical developments, I guess.

00:05:35: Firstly, from the criminal side,

00:05:38: you know, what we know is a couple of things.

00:05:40: One, fraud is adversarial by nature.

00:05:43: So as soon as the bar moves in terms of controls that the banks have put in place, we know that criminals will circumvent and try and work a way around them.

00:05:51: And that's ultimately led to, I guess, the onslaught of authorized fraud and scams that we now see in the market.

00:05:58: So the difference between the two typologies is: one, I compromise your credentials to try and monetize.

00:06:03: Authentication puts a good blocker or a good amount of friction in my way,

00:06:06: so I can't continue with this fraud.

00:06:09: What the fraudsters did was say, well, actually, rather than trying to pass it myself, what I'm gonna do The weakest part of the chain, which is a customer or victim themselves.

00:06:19: And I'm going to convince Miroslav to make that payment on my behalf.

00:06:22: So then when he's challenged and does get that push notification, he passes it because he's the one making the transaction a wide variety of ways, whether it's investment scam, impersonation scam, and we'll dig into perhaps what some of these mean.

00:06:42: So I think that's the first thing.

00:06:44: And then I think the second thing,

00:06:45: you know, I've listened to a bunch of really interesting conversations recently with ex-fraudsters,

00:06:51: so guys that used to do this for a living.

00:06:54: And what they told us is that, to your point, you know, the digital-first world,

00:06:58: the opportunity now to hide behind the VPN and hide behind a laptop and commit these types of fraud is highly attractive to criminals. AI is lowering their barrier to entry even further.

00:07:08: So we've seen in the UK fraud accounts for forty percent of all other criminality in our market, because the way in which bank fraud or bank criminality used to be executed is that I would go into a branch, I would demand some money from the cashier.

00:07:25: A, I wouldn't be able to take a lot of money because I'm limited to what's held in the bank,

00:07:29: but B, there is a very high chance of me being caught. Whereas now, if I'm a criminal, I can hide behind the laptop and hide behind my phone call. The amount of money I could make is almost unlimited.

00:07:41: We're not limited to the safe, and the chance of me being caught is very low.

00:07:46: So that paradigm has completely shifted, which is what further amplifies this challenge.

00:07:51: So I'd say they're the big practical developments from the criminal side.

00:07:55: You're absolutely right, the attack surface is expanding as well.

00:07:58: You know, I think there's three things that are changing simultaneously within the market. Which is: real-time payments are becoming the norm, which means that as soon as the payment is initiated, a bank has got to do their decision in real time.

00:08:10: Which is harder than taking one day or two to be able to assess whether the payment should leave.

00:08:15: It means once it's gone, it's much harder to recover as well.

00:08:17: So not only does the response have to be faster, the decision itself has to be faster. The sophistication of fraud attacks is increasing very rapidly through virtue of AI and stronger social engineering and all these things.

00:08:31: And then the third thing, to your point, is that the regulatory environment is evolving very quickly as well.

00:08:35: So what we're seeing now is that, um, the future of the regulatory environment in the fraud space, uh, is now attempting to address this second wave of fraud, which is the authorized fraud I alluded to.

00:08:46: So some very interesting moving parts are happening right now, Miroslav.

00:08:51: Yeah, indeed I couldn't agree more.

00:08:54: So let's turn now to the regulatory developments, with a special focus on the EU, which are clearly trying to respond to these evolving risks, aren't they?

00:09:04: Just last week we saw the EU Council publishing the latest and very much long-awaited compromise text of the third Payment Services Directive and the first Payment Services Regulation, PSR, which together are set to significantly reshape the payment services framework across the Union.

00:09:22: Conscious of this sharp rise in online payments fraud, especially, as you mentioned, authorized payment fraud,

00:09:27: so we're gonna come to that in a bit,

00:09:30: in recent years, the new PSD3/PSR package puts a strong focus on fraud prevention and consumer protection by introducing some key changes.

00:09:41: Obviously, the number of novelties that will be introduced through PSD3 and PSR goes way beyond the scope of today's episode.

00:09:48: And we'll provide a detailed update on this package shortly on our website,

00:09:52: so please stay tuned!

00:09:57: Some new requirements across several different areas.

00:10:00: So first, we see that PSR is introducing enhanced fraud prevention requirements that will oblige PSPs to implement some additional adaptive, risk-sensitive authentication processes that reflect user behaviors and are also able to recognize transaction patterns. And the PSPs that fail to implement these will effectively be held liable for customers' losses. On the impersonation front,

00:10:27: also a number of novelties, especially when it comes to, you know, tackling impersonation fraud in the form of spoofing or, for instance, social engineering related fraud cases.

00:10:39: So when it comes to impersonation fraud, Dan, I just wanted to briefly discuss with you.

00:10:43: We see that now, as you rightfully point out, this traditional distinction between authorized and unauthorized transactions has become blurred, and the PSR now states that in circumstances in which customers' consent was given, so for instance if you got this push-up notification that was manipulated, you provided your consent,

00:11:04: it has to be assessed now carefully, including by courts, how this consent was provided, right?

00:11:11: So the new regime applying to impersonation fraud cases will effectively ban PSPs from automatically rejecting refund requests on the grounds that the transaction was authorized, which is something we know is common under the PSD framework, because PSPs have been using this as a defense argument, saying: so we've applied strong customer authentication and you have authorized the transaction.

00:11:33: That's pretty much it.

00:11:36: Now under PSR, this is going to be slightly different.

00:11:39: We're gonna come to that in a bit.

00:11:41: But then, from your experience, what are some practical cases

00:11:45: that the EU lawmakers are trying to address with this new regime?

00:11:51: Yeah, so I think the core problem in this light is that authorized fraud or scams, just for absolute definition

00:11:59: for the listeners, it's when a victim is tricked into sending money themselves.

00:12:03: In the case of spoofing specifically, what we're talking about is, the fraudster is impersonating a person that represents a position of authority.

00:12:13: So how that might play out

00:12:14: is I, as the fraudster, make a call to the victim and say, hey, I'm calling from your bank, whichever bank it may be. We've recognized some suspicious activity on your account. But in the meantime, what we've done is we've established a safe account for you over here.

00:12:30: So if you could log into your account, please, and move all your money to the safe account, then we can ensure that we're taking the necessary precautions to ensure no further fraud happens to you.

00:12:40: Now of course,

00:12:40: in that case the fraudster has full control over that so-called safe account.

00:12:44: As soon as the victim moves their money there, the fraudster goes on to layer it back into the ecosystem, move it to another account or spend or whatever their preferred approach would be.

00:12:53: I think the regulation is recognising a couple of things.

00:12:57: One, APP is one of the fastest growing fraud types.

00:13:01: And secondly, the consequence or the fallout for victims in these situations is significant.

00:13:10: We've seen examples where victims have lost life savings.

00:13:15: We've seen examples in the case of investment scams where victims haven't just lost their own money, they've then taken on additional debt in order to continue to put money into these investment scams because of the promise of massive unrealistic returns down the line.

00:13:31: And that leads to a very different future for that individual where that money is not reimbursed.

00:13:38: You imagine the person who's just been paid out a pension package and they lose that money immediately to a scam.

00:13:44: That fundamentally changes.

00:13:49: So I think when we think about what the regulator is trying to do, what they're saying is, A, let's think about the consumer protection here, but also what we often see

00:14:00: when the regulator puts financial incentives on the banks to better control these risks, then banks are often able to do a little bit more, given that they're the last line of defense.

00:14:14: Similar regulations coming in the UK.

00:14:16: For example, we saw a lot of investment from the banks into various types of technology, which I'm sure we'll talk more about, and that gave them a stronger line of defense than what they had before.

00:14:26: So you could argue that there are some positives to come out of this in terms of the changes. And banks were ultimately the last line.

00:14:33: They had the data and means to be able to make their decision.

00:14:37: So that's ultimately the angle the regulator is coming from.

00:14:42: It's interesting,

00:14:44: in the new regulations, they're only thinking about specific types of scam.

00:14:48: You know, there are a whole range of other types of scams, like romance scams for example, investment scams, which we alluded to, remote account takeover scams... There's a whole bunch of these things.

00:14:58: But this represents a significant step change.

00:15:04: But ultimately, from their perspective, it's about getting that balance right between what the bank is responsible for and a fair reimbursement towards that victim

00:15:13: if they've done everything The cynic would perhaps argue that, well, if you put in these controls, does that create a risk of negligence on the customer side?

00:15:31: If I now know as a consumer that I've got enhanced reimbursement rights,

00:15:34: does it mean that I pay less attention and am less thorough with any payment that I try and execute?

00:15:39: So there's never a perfect answer to these things.

00:15:41: And I think what the EU is trying to do is really tread that line between what's right for the consumer without giving the banks too much burden if they've proven that they can do all that they can do.

00:15:52: Yeah, indeed, Dan, I think that was a great point.

00:15:54: It's also a keyword, negligence, right, because we see that across the PSR the focus is now on gross negligence or intent.

00:16:02: So pretty much these are pretty much the only safe havens for PSPs, cases in which they can reject refund requests from their customers.

00:16:12: But what is really striking to me: at the EU level, we don't have a definition of gross negligence.

00:16:19: So it's a subject of national law of EU member states, and we see now that the PSR is trying somehow to strike the right balance between, you know, the legitimate rights of consumers and, on the other hand, preventing opening floodgates that would potentially expose the payment services industry and the banking industry to excessive risks.

00:16:41: How do you see these new requirements from a practical standpoint?

00:16:46: Do you believe they are the right move at the right time?

00:16:49: I suppose they could always have been designed slightly better.

00:16:53: But at this moment, just compared to the PSD2 framework, what's your take on these?

00:17:01: Yeah, look, I don't think there is a perfect answer,

00:17:04: Miroslav. I'm very much in the camp of... I've seen from my days at Lloyds how sophisticated these scams can be, and my position is that, you know, these scams can happen to anybody.

00:17:18: You know we often think about it being the elderly part of society that are more vulnerable, but actually when we look at the data there's proof this can happen to anybody.

00:17:27: It isn't just the elderly or young people.

00:17:30: It could be very much middle-aged professionals.

00:17:32: It doesn't matter about age and social demographics, education.

00:17:37: We've seen these happen with doctors and surgeons.

00:17:42: Let us call them well-educated members of society.

00:17:45: So there is proof in the data.

00:17:49: And that isn't because the customer is always negligent.

00:17:52: I think we should focus on the fact these scams are very, very sophisticated.

00:17:56: In the case of investment scams, for example, we've seen that the bank, sorry, the fraudsters have built fake websites so a user can log in and actually see that their quote-unquote investment is growing inside, so they're very sophisticated.

00:18:14: We've seen investment prospectuses sent through the post for just completely fictional organisations, but to the untrained eye, or in some cases even the trained eye.

00:18:27: So I do think we have to straddle that line between ensuring that the consumer has the necessary protection where it's needed the most, but at the same time not creating a world where customers become negligent.

00:18:40: So I think the right model is some sort of split between.

00:18:43: Okay, if we can determine what that gross negligence definition should be and we can rally around it. It's never going to be perfect.

00:18:52: There are always gonna be edge cases that perhaps blur that line, but I think if we can encourage the bank to reimburse where their customer's done all they can and the bank has done all they can, but we can give the consumer the protection that they need,

00:19:04: I think that's the happy medium, and I do genuinely believe that that's what the EU is trying to achieve with what they lay out here.

00:19:12: Indeed, indeed.

00:19:13: So, Dan, you guys are working with a lot of clients from around the world.

00:19:18: So... from your experience, how does the EU approach, so this one under PSR, compare to fraud-related reimbursement mechanisms across other jurisdictions?

00:19:33: That's a really good question, Miroslav, and I think what is very interesting,

00:19:38: maybe this is, you know, testament to the conversation that we just had around it.

00:19:42: It's very hard to get it right.

00:19:44: There isn't a consistent blueprint when we look at different regions around the world.

00:19:49: So the UK, my region, was first to make their move here, and they took a very consumer-centric approach to reimbursement.

00:19:57: The policy in the UK is that one hundred percent of authorized scams are reimbursed to consumers, regardless if it's spoofing or impersonation, investment,

00:20:09: romance, purchase, whatever it might be... the consumer will get their money back.

00:20:13: Now there is a small excess applied, you know, so that the bank doesn't have to deal with such a high volume of cases for very small scams.

00:20:22: But once you breach that excess, then the bank is liable.

00:20:26: Now what's perhaps most interesting about the regulation

00:20:30: is how that reimbursement must be applied.

00:20:33: So the EU is thinking about the sending bank being responsible because they're the one that facilitated the transaction. In the UK, that fraud must be reimbursed fifty-fifty: fifty percent by the send side, and fifty percent by the receiving side.

00:20:50: And the idea there is that, if we think back to what you said right at the start about PSD2, we're looking for a point of compromise in the fraud.

00:20:58: In the case of unauthorised fraud, the point of compromise occurs on the send side.

00:21:05: In an authorized fraud, compromise doesn't occur on the send side because the customer is authorizing that transaction themselves.

00:21:11: But compromise must occur on the receive side, because if I convince you to send money to an account that I haven't got control over, the whole thing is futile.

00:21:20: So as a fraudster I must have control of the receiving-side accounts.

00:21:24: And that's what the UK is really trying to lean into. Banks,

00:21:28: here, you're not just worrying about payments leaving accounts.

00:21:31: You should also be monitoring traffic that's coming into accounts as well, and I think that has been a really meaningful step forward in terms of understanding the broader risk ecosystem and understanding the risks from both sides of the transaction.

00:21:44: Ultimately, if we think about that objectively, it gives us two chances to stop fraud.

00:21:48: If you miss on the send side, then you still get an opportunity to capture them.

00:21:55: regulatory incentive, given the fifty percent liability.

00:21:58: Banks are now doing some very good work monitoring, from a fraud perspective, what comes into accounts as well as what leaves accounts.

00:22:05: So that UK approach again has driven some good.

00:22:09: Some would argue that hundred percent reimbursement does bring that negligence risk into play. Now if we look at some of the other markets, I think the Australian example and the Scam-Safe Accord over there is very interesting.

00:22:23: So they're also thinking about mandatory reimbursement, but they think about it a little bit differently.

00:22:29: So what the Australian policymakers are saying is, hey look, yes, the bank should have a position of liability here because they're ultimately the ones that facilitate the payments.

00:22:39: If we think about how a scam would start, it often starts on a channel outside has to occur via a means of either telephone call, message via social media and email.

00:22:57: These are all things that occur outside the realm of bank control.

00:23:02: What the Australian policymakers are saying is that it isn't fair to push all the liability burden onto the banks when there were other opportunities to intervene on some of these scams through the communication channels and through social media, through these digital platforms.

00:23:18: If we think about how a scam might go out, I as a scammer might send this same message to a thousand different SMS recipients or a thousand email recipients.

00:23:27: And therefore, should there be more of an incentive and a pressure for these scams to be stopped at source rather than them being stopped at the last point in the chain, which is ultimately where the bank processes the transaction?

00:23:44: So I think that's a very interesting concept.

00:23:48: It expands the size of the regulatory sphere. It encourages digital platforms to take scam prevention more seriously.

00:23:58: It encourages the ecosystem to work together more cohesively as well.

00:24:02: Now, perhaps one of the challenges here is how do you operationalize that?

00:24:06: And when a fraud claim comes into the bank, how do they do that

00:24:09: backwards-looking investigation to determine how that contact was made, and how do they prove that, and how do they then determine whether that digital platform had the means to stop that initial communication?

00:24:21: So I think there's some operational things that need to be considered.

00:24:24: It needs to be worked through, but actually I think the principle of what they're trying to achieve is one that, you know, we should all pay a little bit more attention to and one that we should lean in on

00:24:33: a little bit more and definitely stay close to.

00:24:35: So that's perhaps a shared framework.

00:24:37: But then we have regions as well, Miroslav, like the US for example, where it's much more fragmented.

00:24:42: They haven't made a clear stance yet on what to do for authorised fraud.

00:24:46: They've got regulation that covers unauthorized fraud,

00:24:49: as, you know, the vast, vast majority of regions have, but not for authorised.

00:24:55: It's a very, very large consumer pool.

00:24:58: There's, you know, many, many thousand financial institutions there,

00:25:00: so a regulatory change, getting consensus around that, actually pushing it out to make it real is, uh, is a very large lift.

00:25:08: So perhaps they're looking at these other markets, the UK, Australia, seeing what works and what doesn't work, and then maybe they'll make their chess move once they've got data to be able to make that determination.

00:25:21: But I guess the key point: there isn't one consistent approach, and I think that's testament to the fact this is a very difficult problem.

00:25:42: online platform operators, electronic communication service providers is also something that the lawmakers had in mind while drafting the PSR.

00:25:51: We see now that the focus has been put a bit more on electronic communications service providers and also operators of some very large online platforms.

00:26:03: I think probably the lawmaker has been applying lessons learned from different jurisdictions.

00:26:10: So let's move now to a topic that, we will both agree, we can hardly avoid discussing today: AI.

00:26:17: As in many other sectors, it is expected to leave a pretty profound and transformative mark on the payments industry in the years ahead, shaping both front-end user experience as well as back-end infrastructure, from payment execution and processing to core operational and back-office functions,

00:26:34: so compliance, risk management, you name it!

00:26:38: I believe AI is playing sort of an increasingly complex role because, on the one hand, it is enabling fraudsters to develop more sophisticated and scalable attack methods, from highly personalized phishing campaigns

00:26:51: to deepfake-based impersonation, automated fraud operations, you name it, thus raising the bar significantly in terms of how convincing and difficult to detect fraudulent activity can become.

00:27:02: But at the other end, at the same time, we're witnessing this very same technology being used by financial institutions and fintech companies alike to strengthen fraud prevention.

00:27:13: So AI-driven systems pretty much can analyze vast amounts of transaction data in real time, much better than human beings.

00:27:19: They can identify anomalies, detect patterns that would be impossible to spot through traditional rule-based approaches that we've seen in the past.

00:27:29: So against this backdrop, Dan, how concerned should we be about the use of AI by fraudsters?

00:27:35: And are we entering a new phase of more sophisticated fraud in the payment

00:27:40: sector?

00:27:43: The direct and short answer, Miroslav is yes.

00:27:46: We should be very concerned but let's be precise.

00:27:56: So we're already seeing fraudsters use AI as you rightly called out.

00:28:00: It raises the bar in terms of sophistication, but it also lowers the bar in terms of barrier to entry, and it's much easier for fraudsters to commit fraud now through the advent of AI. And there are some very simple, less sophisticated examples ramping up to some examples

00:28:16: that are very, very sophisticated.

00:28:18: So, you know, we think about the advice that banks used to give to consumers when it comes to phishing emails.

00:28:25: It used to be: look out for grammatical issues, look out for bad formatting and all these things... that's how you know

00:28:31: it's a phishing email!

00:28:32: That advice is long gone, right?

00:28:34: AI makes it very easy for fraudsters to be able to scale and personalize phishing emails or smishing texts in a way that are naturally and organically more convincing.

00:28:44: You know, I remember having a chat with, uh, a Dutch bank recently.

00:28:47: They made the joke of, you know, they never used to have a phishing problem because fraudsters couldn't speak Dutch.

00:28:53: But now in the world of AI, fraudsters can use translation and it's very easy for them to craft Dutch phishing emails.

00:29:00: So that is one simple example of how the fraud is already changing, but it goes way beyond that.

00:29:05: In terms of sophistication, the way in which fraudsters build scripts for manipulating individuals is much, much easier, so they can practice their scripts.

00:29:19: They get feedback from the script and stress test their scripts.

00:29:25: As we mentioned before, fake investment platforms: use code to spin up websites in no time at all, when previously that would have required technical expertise and investment to be able.

00:29:46: A person is impersonated in a video call or on a podcast like you and I are right now.

00:30:05: One for knowledge of the organization, but you've got my authorization to do it and they go ahead and do it.

00:30:09: We've seen millions of dollars exited via businesses through that means.

00:30:14: And we've also seen emotional toll being cast on victims as well.

00:30:18: So if I'm able to go and grab a ten-second snippet of your voice, Miroslav, from one of your podcasts, I can then train a model to be able to convince the machine, say anything that you want in your tone and sound of voice.

00:30:32: Which is a very scary proposition,

00:30:33: but we've seen it with politicians or high-profile individuals. And I could use this to contact somebody who's close to me or a family member and pretend being in trouble, and saying the only way out of this sticky situation is by sending money into my account, and give him the amount.

00:30:49: You know, ninety nine times out of one hundred.

00:30:51: The person on the other end of the phone when they see a loved one in distress is going to respond to that.

00:30:55: In the emotional way, which is: I'm just gonna give this guy whatever they need because, you know, the care and the safety of that person that I care for is very much at the forefront of my mind.

00:31:06: So we're already seeing AI being used to enhance the sophistication of fraud through those various means. And I don't think this is the end, right?

00:31:15: I think ultimately the way in which AI will play a significant role in fraud is that it will make the scams and the fraud more convincing.

00:31:24: Typically, on average today, it's less than zero point one percent of transactions that happen in a bank that are fraudulent.

00:31:32: So even though this is a massive problem in terms of the numbers, you know, the FBI reported eleven billion dollars lost in crypto investment scams in twenty twenty-four.

00:31:42: A huge number, but a tiny, tiny percent of transactions.

00:31:46: Imagine a world where, as a criminal network, my scam has become more convincing.

00:31:51: If that nought point one percent doubles to nought point two percent or triples to nought point three percent, the bank's fraud problem is gonna double, triple in size.

00:32:00: And my systems, my process, my people, my means of prevention has got to scale at the same rate as that fraud attack. And if it doesn't, I'm going to get left behind.

00:32:09: Then it's gonna be a real challenge.

00:32:10: So I think that increasing fraud rate in the increasing number of frauds and transactions we see, it's going to be one of the most significant things to monitor, and ensuring that market can move with risk in terms if it means scale.

00:32:23: Ultimately, it's an arms race, right?

00:32:25: And banks have got to respond in a way that is reflective on the risks that the fraudsters pose. I guess even longer term,

00:32:32: there has been a lot of talk about the Anthropic Mythos model, which is under wraps because it's been able to expose security and cyber vulnerabilities within operating systems, within infrastructure.

00:32:46: So, you know right now that's a cyber risk which is very different to a fraud risk.

00:32:51: Cyber is about protecting the integrity of an organization and their assets as an organization, whereas fraud is about protecting the consumer's money.

00:33:01: But what if that Mythos-type capability can be pointed towards fraud?

00:33:05: It can start stress testing controls, it could start trying to unpack the way in which banks are using behavioral biometrics or creating device fingerprints and stress testing nodes, a manipulated nose.

00:33:16: So, you know, whilst we're already on this kind of scale of severity, I do think there's a risk that the scale of severity can become even more severe through virtue of how AI is continuing to mature and the opportunity it presents for criminals who intend to use it.

00:33:36: Yeah, definitely.

00:33:37: I mean, it was so fascinating seeing the other day,

00:33:39: you know, how a new technological update can line up all Wall Street CEOs, like, in a day, you know, super concerned about its impact on the financial services industry as a whole. Something that is pretty much unimaginable just a few months ago.

00:33:59: Okay then. It all sounds pretty frightening, I have to say.

00:34:02: But on the opposite side now how do you see the role of AI evolving in fraud prevention?

00:34:07: So what are the good guys doing, and what are the most impactful use cases that we're seeing today?

00:34:16: The first thing I should call out is that whilst AI might be a newish term for the consumer or the man on the street, banks have been using AI for fifteen years. You know, we used to call it machine learning, or machine learning being an arm of AI.

00:34:35: But we've been using machine learning in this domain for many years.

00:34:38: It was one of the first AI use cases within large banks because of the data depth and the opportunity in quality of labels, things that you had to be able to train models.

00:34:50: But secondly, because it's very quantifiable as well in terms of ROI.

00:34:53: If you invest a dollar into AI, I mean, you're able to stop five dollars of fraud leaving the bank.

00:34:59: There is something very quantifiable for execs, boards, business cases, all those things.

00:35:04: So I would start by just adding a caveat.

00:35:06: This isn't an institution or domain starting from scratch.

00:35:11: It's one that's coming at us.

00:35:14: But you're right, AI has evolved.

00:35:16: And the challenge now is how does the application of AI from a defensive perspective evolve with that capability?

00:35:25: I think ultimately when I think about the role that AI can play, there's four or five examples.

00:35:31: So continuing to maximize the use of machine learning from a detection perspective. When we talk about machine learning, what we really mean history of transactions, and we look at where he normally spends his money, how much he normally pays, the location that he normally comes in from, what behaviors does he typically exert.

00:35:53: And then we use that to determine whether the next transaction that he makes is very likely to be him.

00:35:57: So it fits those patterns of norm, or it's an anomaly.

00:36:02: The way in which we build models is we're looking at hundreds and hundreds of different unique features for Miroslav as an individual, and then we use that to make that deterministic outcome in real time when the transaction occurs.

00:36:13: So, we should absolutely continue to ensure that we're maximizing that use of machine learning.

00:36:18: That means not just looking at one channel at a time or one risk at a time.

00:36:23: You know, what I mean by this is, if you look at the typical infrastructure of large institutions, we might have one system and model looking at digital transactions, another one looking at debit cards, another one looking at credit cards. Having three different models or three distinct, different systems as part of your ecosystem,

00:36:41: you know, you're leaving opportunity and value on the table because simple examples like Miroslav making a card transaction in Zurich at midday and then logging into his online banking in London at ten past midday, if these two features, these two data points aren't talking to each other.

00:36:57: You can tap into that anomaly, which would be infeasible for a genuine customer.

00:37:04: So I think really maximizing machine learning value is the first thing.

00:37:07: But then, second thing:

00:37:09: how do we, you know, thinking about evolution and generative AI and agentic AI,

00:37:14: how are we starting

00:37:15: to see opportunities here?

00:37:19: One of the hardest jobs in the bank fraud space: the operations team that works alerts flagged by the model.

00:37:28: So when the model says this transaction is risky, we think the customer might be scammed.

00:37:32: Invariably that goes into a queue, and then somebody addresses the alerts

00:37:35: in the queue.

00:37:36: They speak to the customer and they try and determine if it was legitimate, or if they've potentially been scammed, or if it was a fraud.

00:37:42: That's a very hard role. Why?

00:37:45: You're working against the clock.

00:37:47: You are thinking about how quickly can I resolve this.

00:37:49: I don't want to inconvenience the customer too much.

00:37:52: I might have a customer on the other end of the phone that's been scammed and manipulated.

00:37:56: And I've also got to get quality in outcome for this decision correct.

00:38:00: So I'm looking at a lot of data with somebody who may be under duress.

00:38:11: So how can we give them a capability area of that alert and alerts some of the high-risk things they might want to engage with their customer on.

00:38:21: How can we use agents to go out to external sources and bring back intel that they might have to open up another browser tab for, or go to a different website

00:38:31: for? How can we streamline and assist the human with getting the right contextual information?

00:38:37: And then summarizing it, giving them the context in the right way to be able to reach the right operational outcome?

00:38:43: Because if you're detecting all of the fraud but you're not preventing it by having the right operational conversation, then the whole risk becomes futile.

00:38:50: So I think the adoption of agentic AI within that end-user use case, and aiding that human, is one of the big opportunities.

00:39:00: And then perhaps the third thing in terms of evolution would be, how do I then take some of these agentic or these LLM capabilities and think about how I can apply them

00:39:09: back to that initial point of detection?

00:39:12: So we talked about training the model based on what's normal for Miroslav,

00:39:16: but how can I scale that to

00:39:18: the data sets of dozens of customers, hundreds of customers, hundreds of banks at the same time, then use a foundational model or tabular model to predict what's going to come next based on what's gone before?

00:39:32: So if you think about what LLMs do, they complete a sentence or produce something for us.

00:39:37: So try and anticipate the word that might be in sequence.

00:39:41: If I go into a coffee shop and say, like, "order a", the next word that comes out of my mouth is likely to be a coffee or a croissant.

00:39:49: It's unlikely to be duck or turtle or microphone, something that's a little bit more abstract.

00:39:58: Completing the sentence from a word perspective or text perspective is actually quite narrow.

00:40:03: But if we apply that to transactions, if Miroslav spends in a coffee shop, there's a whole range of things he could do next.

00:40:10: He can go and book a holiday, buy something at the sports shop, go into a casino.

00:40:16: The range of options is much, much larger.

00:40:18: So how do we bring some of that LLM mindset into the models themselves

00:40:23: that are trying to detect the next transaction and determine the risk of that transaction?

00:40:27: How do you create essentially a boundary of what could follow?

00:40:30: And if it falls outside of that boundary, then we use that as a means of flagging the anomaly.

00:40:34: So I really see that as the next evolution in detection, at the same time as really being able to double down on using agents in a smart way to assist the humans who actually use the tools.

00:40:46: Yeah, yeah, that definitely comes as a relief, I have to say, after hearing all this about especially your transaction monitoring product.

00:40:54: I believe that, cautious of these rapid developments in the impersonation fraud space, this could be very helpful, especially in terms of, like, pattern recognition, you know, identifying any transaction that pretty much doesn't fit customer spending behavior and thereby preventing even authorized impersonation fraud transactions.

00:41:15: Finally, looking ahead, it feels like we're entering a period where regulation, technology and fraud are all evolving at the same pace and increasingly influencing each other, sort of.

00:41:25: With PSD3 and PSR setting a new regulatory baseline in the EU, and with AI reshaping both the sophistication, the landscape is clearly becoming ever more complex, but also more dynamic.

00:41:40: So to wrap up then, how do you see the fraud prevention landscape in online payments evolving over the next few years?

00:41:46: And where do you think the biggest challenges and opportunities will lie for industry

00:41:50: participants?

00:41:52: Yeah, so I think my trajectory has been pretty clear throughout the conversation.

00:41:58: Right now I'm not going to deviate from that in terms of why become more mature.

00:42:05: I think the number of fraudulent transactions that banks will have to defend is going to increase because of the sophistication and all those things we talked about, and that triangulation of real-time AI native risk and regulatory focus and scrutiny coming into the banking environment for reimbursement and increasing risk exposure.

00:42:25: On all these things, it's gonna continue to ensure there's a huge, um, sized financial institutions in terms of how they take fraud seriously.

00:42:35: So that's very clear to the challenge.

00:42:37: I think the biggest opportunity for me is a couple of things.

00:42:41: So I think banks that succeed will be banks that adopt AI and use it in a preventative way.

00:42:49: So they're thinking about a bunch of the things I talked about before, um. They're maximizing the use of traditional machine learning, they're adopting agentic to become as efficient as they can be from an operational perspective.

00:43:01: They're pushing the boundary in terms of what AI usage can mean in terms of their ability to spot those anomalies.

00:43:08: You know, there are a couple of softer things as well, more of a heuristic perspective rather than the technology, Miroslav.

00:43:15: Like, banks continue to ensure that they're giving their education to consumers.

00:43:19: Education has to evolve in the same way and at the same pace as technology does, you know?

00:43:24: Banks can't continue to give that old advice we talked about.

00:43:27: The advice has become dynamic.

00:43:29: It comes from material risk.

00:43:32: Because transactions have been executed, it must be reflective on the risks present within the transaction.

00:43:37: These are all really good pockets for exploration.

00:43:41: How do I tailor messaging

00:43:42: that's specific to Miroslav, which is going to resonate with him, rather than just putting the same warning in front of every time?

00:43:48: Which, once he has seen three times, it will lose impact and continue to click through.

00:43:53: So there are some things AI can support from a communication perspective as well.

00:43:59: So I think there's a really big opportunity for banks to think about AI from an education and consumer awareness perspective as well as a pure detection perspective. Opportunities

00:44:11: as we go forward is the convergence of all these incentives coming together.

00:44:16: So when intelligence being shared across payment schemes, how do we look at the companies that own the payment rails in certain regions and get that top-down intelligence?

00:44:31: At the network level.

00:44:32: That gives banks insight they're unable to generate themselves natively.

00:44:36: How can we explore banks and telcos working together more effectively?

00:44:51: now have incentives, there's a strong incentive to get them working more closely.

00:44:56: Sharing data, sharing context, sharing best practices, all with the view of putting the safety of that consumer at the heart of what we do. And Feedzai's position, um, and Feedzai's brand is ultimately:

00:45:09: we want to build a world of safer money.

00:45:11: We'll continue to do that with the technology and the advice, and the thought leadership we put out into market.

00:45:17: But we'd love the opportunity to be able to collaborate with different parts of the ecosystem as well, with that core ethos of protecting the consumer in mind.

00:45:25: So they'd be some other things

00:45:27: I would think about, Miroslav, as the risk but also the opportunities as we go forward.

00:45:34: Then, it's been a real pleasure speaking to you about this very interesting and important topic that keeps and will continue keeping the payment services industry busy.

00:45:43: With that, we have come unfortunately until the end of our today's episode.

00:45:47: Thank you all for listening!

00:45:48: If you enjoyed the episode, feel free to subscribe to our channel to stay up-to-date with our forthcoming episodes that will continue to explore the latest legal and regulatory developments,

00:45:57: trends and hot topics in the fintech sector from across the globe.
