Immediate payments settle instantly and offer credit unions new opportunities to reimagine their business and serve members in enhanced and different ways. However, these speedy new opportunities raise questions about the potential risk and fraud involved with immediate payments.  

Questions on fraud are some of the most frequently asked questions from credit unions. And understandably, the immediate payment rails are new, and fraudsters quickly adapt to fledgling systems. So, today's article will tackle the following questions: What levels of fraud are we seeing in immediate payments? What tools do the new immediate payment rails offer to help mitigate fraud? 

Note: Part Two of this article next month will go into further detail about managing fraud for both types of participant profiles: Receive only and Send/Receive.

Classifying the types of fraud

First, it’s important to remember there are many different types of schemes, and fraudsters regularly invent new ways to trick us. However, there are just two primary ways to classify fraud: unauthorized and authorized. And your members and your staff need to understand these classifications because Reg E. lays out differences in the protections offered, depending on if the fraud is authorized or unauthorized. So, let’s look at what sets these two types of fraud apart. 

• Unauthorized fraud example: Someone gains access to your member’s checking account and makes a payment using your immediate payment solution without your member’s permission or involvement. Because your member did not authorize the payment, Reg E. has a provision that allows the member to typically get their money back after reporting the incident.   
• Authorized fraud example: Your member was knowingly involved in the transaction and gave authorization to send the payment. These are your “garden variety” scams. Your member is tricked or persuaded into authorizing a payment for a good or service that ultimately ends up not being provided. Because your member authorized this payment, there is a chance they may not be able to get their money back.

Reviewing the data 

There is no doubt that we are asked the fraud question so frequently because there is some concern with the immediacy and irrevocability of immediate payments. However, when we look at the data for the volume of transactions conducted last year across the RTP^® network, unauthorized fraud is minimal—just .001% for 2022—even as volume continues to increase. And when we look at global data, which is important because immediate payments have been in use much longer in countries overseas, we see a similar story. For example, in 2021, the U.K.’s Faster Payment Service, which has been around since 2008, experienced authorized fraud rates of only .009%.  

Of course, The Clearing House and the UK’s Faster Payment Service are measuring two different types of fraud, but what’s important to keep in mind here is that immediate payments fraud is infrequent. Immediate payments face the same fraud scenarios – no more and no less – that are relevant in existing payment channels. Fraud is a dynamic and always-evolving threat that is not new or specific to immediate payments and many of the same mitigation efforts you use today at your credit union can be extended to the RTP network and the FedNow^SM Service. Now, let’s look at what each of these new rails specifically offers to help mitigate fraud.  

Understanding the fraud controls for both payment rails

The RTP network and the FedNow Service have system fraud controls to aid your financial institution’s fraud management. The FedNow Service, managed by the Federal Reserve, has the following requirements:

• A maximum credit transfer of $500,000 per transaction, but participants will have a default transaction limit of $100,000. Financial institutions will have the ability to increase or decrease the $100,000 amount (from $0 up to the $500K limit) to align with their institutions’ needs and risk appetite. 
• Participant-specific negative lists, which provide additional validation during the processing of consumer credit transfers. 
• A requirement that participants report transactions processed through the FedNow Service that they have investigated and confirmed to be fraudulent. 

The RTP network, managed by The Clearing House (TCH), has the following controls in place: 

• A maximum receive limit of $1,000,000. Participants can set their default transaction limit and time of day limits to align with their needs and risk appetite. 
• Participants with Send profiles must use multi-factor authentication. Adopt the needed tools to authenticate payors’ and payees’ bank accounts, verify invoices and Master Vendor Files (MVFs), and detect suspicious behavior before transactions begin. Any incoming payments, data at rest, and outgoing payments should be validated.
• Sending participants must also perform appropriate fraud monitoring prior to submitting a payment on the network and must report any instance of fraudulent activity or suspected fraudulent activity to TCH.  

Overall, both payment rails allow your credit union to structure your financial institution’s immediate payment program to meet your risk appetite, just as you do today with wires and ACH. This is where knowing your member becomes very important. And, of course, you can further help protect your institution and members by staying informed of developments in the fraud landscape, so that you know what to look for and how best to respond. Understanding fraud trends isn’t just something that your BSA Officer should be aware of. One of the most helpful tools available is the Fraud Classifier Model, which helps you classify fraud independently of payment type, payment channel or other payment characteristics. 

For more information on this topic, I encourage you to visit our Real-Time Payments Info Center and/or reach out to me at 866/MyCorp1 or via  tthomas@corporateone.coop to have a conversation about the next steps in your immediate payments journey.