PSR performance report and preventing Authorised Push Payment fraud at Monzo

Hey, I’m Ashley and I look after fraud, disputes and our fincrime operations teams at Monzo.

I wanted to drop by to share an update on some new fraud data that the Payment Systems Regulator (PSR) has published today. They’ve shared rankings for banks across three metrics based on data from 2022, looking specifically at Faster Payments and authorised push payment fraud (APP fraud) where fraudsters trick you into sending them money.

You can see them on the PSR’s website: APP fraud performance data | Payment Systems Regulator.

You might have concerns or questions about the rankings and press coverage about it today – so I wanted to come on to explain some of the data behind the rankings and take the opportunity to share more with you about what we’re doing to tackle fraud and prevent it from happening before customers fall victim.

We’ve really made some significant investments here this year, in technology and in people: so far in 2023 we’ve hired almost 200 people into fraud teams across product, risk and operations. So while last year’s data isn’t where we’d want it to be, I’m confident we’re taking the right steps and making progress.

Fighting authorised push payment fraud is an ongoing challenge for the industry

Let me start by sharing some general context about the fraud landscape at the moment. UK Finance’s latest report really helps to set the scene for what we’re seeing across the industry but I’ll give a quick overview.

Last year victims in the UK lost over £1.2bn due to fraud and authorised push payment fraud in particular is an industry-wide challenge. Right now criminals primarily focus on APP fraud: social engineering with a view to getting victims to authorise or make payments themselves.

UK Finance’s data shows the value of APP fraud actually fell 1% in the first half of 2023 but the volume of cases reported increased 22% vs the same period in 2022.

The main thing driving this is an increase in purchase scams, which typically result in lower value losses than other types of fraud.

Our younger customer base are disproportionately affected by purchase scams – and this drives a lot of the data behind the rankings the PSR published today

We see a higher proportion of purchase scams as on average the demographic of our customer base is younger and more likely to shop online. At Monzo in 2022, purchase scams made up 79% of the overall volume of authorised push payment fraud we saw, and 53% of the value. By comparison, across the industry they make up 57% of volume and only 14% of the overall value.

The PSR data shows last year we saw the highest volume of APP fraud sent from our accounts, though not the highest value – which is consistent with us seeing more lower value purchase scams.

You’ll also see our reimbursement rates are among the lowest, and this is because we’re less likely to reimburse for these purchase scams given it’s extremely hard for banks to detect and prevent them.

I’ll dig more into this in more detail later, including what we’re doing to address purchase scams.

It’s worth saying that we are confident in the way we make decisions about reimbursing fraud – and the data backs this up. If our decision-making for reimbursement was at odds with the industry, we’d expect the rate of Monzo cases that went on to be upheld by the Financial Ombudsman to show this. But our ‘upheld rate’ in 2021/22 was in line with the industry average at 56% (the industry rate is 54%).

Our priority at Monzo is to prevent fraud before people fall victim

Our aim is really clear – to stop people experiencing the distress and emotional toll of falling victim to fraud in the first place. And crucially to stop criminals benefitting.

Fraudsters are sophisticated and their methods are ever-evolving. So we need to constantly innovate if we want to be successful.

In the fraud team, we think about this challenge in the same customer-centric way we do across Monzo, and look at how we can tackle it with a combination of skilled experts and technology.

As I said above, we’ve really been investing here, and there are a few things we’ve implemented this year we can see are already making an impact. I’m going to focus on impersonation fraud, investment scams and purchase scams in particular as these are the three most prevalent APP fraud typologies.

We now use machine learning to successfully tackle impersonation fraud and investment scams

Since the start of 2023 we’ve introduced new machine learning models that target impersonation fraud and investment scams. These are the highest-value types of fraud and cause victims the most harm – people can lose life-changing amounts of money.

Since January we’ve stopped £3.8 million getting into the hands of fraudsters, and in the first half of 2023 our average fraud losses per case are 82% lower than other banks – which shows we are being successful in stopping the highest-value scams that can cause the biggest harm.

Investment scams usually start on social media like Snapchat, Instagram or TikTok, where fraudsters will try to convince you to make an investment promising really high returns. Impersonation scams involve fraudsters posing as trusted organisations – anything from your bank, the police, HMRC or your landlord.

These scams usually involve an extremely high level of social engineering and emotional manipulation. Fraudsters can really convince people they need to make these payments by posing as trusted organisations, creating a sense of panic and urgency, and lots of other tricks. And they even know how to coach customers around things like Confirmation of Payee and other warnings and controls banks put in place.

So, we have the best chance of success if we can both identify when someone is at risk of fraud, and then deliver them really relevant ‘interventions’, in real time.

To help us spot when someone’s at risk, we have machine learning models for impersonation and investment fraud that assess a number of different factors to learn patterns associated with them.

We’re then able to intervene when we identify that risk. For example, one of our expert fraud investigators may reach out to ask you more questions about a payment before we release it.

Because fraud evolves so quickly, using machine learning that can quickly detect and adapt to new trends is really powerful.

These models work alongside the feature we recently launched to fight phone scammers and help you check in the app if you’re really talking to us on the phone or not. Since we implemented it in early September, we see about 100 cases a day where people have been able to avoid attempted fraud using the tool.

We’re also tackling purchase scams with machine learning and targeted interventions

As well as making progress to address the highest value scams, we’re committed to preventing fraud across the board. Purchase scams, though typically lower in value, can still be distressing for customers and have a real impact on their finances.

They involve fraudsters tricking people into buying something online that never arrives (think a designer pair of trainers on Facebook Marketplace for a price that’s too good to be true, that never actually turn up in the post).

In the last few months we’ve implemented a new machine learning model here too.

Identifying purchase scams is pretty challenging as they’re typically for smaller amounts of money and look just like regular payments. And they originate on platforms where we don’t have any visibility.

But thanks to this new model we’re now able to better identify them. In a similar way, the model evaluates different factors to understand the patterns/hallmarks of purchase scams and flag them. Then based on the signals from these models we intervene when we identify someone’s at risk.

Here’s some examples of user journeys we’ve recently launched, that show how we’d intervene in the moment when we identify someone’s at risk:





This technology works alongside human experts manually reviewing cases to identify risks too.

But we can’t do this alone – social media companies need to help us stop scams at the source

APP scams largely originate on fake websites and social media platforms that banks just don’t have any visibility over. UK Finance found 77% of APP fraud takes place online, mostly on social media. And in our own data 70% of purchase scams we see start on social media. This really demonstrates the scale of fraud that’s actually initiated outside of banks’ controls.

Unfortunately, social media companies aren’t as proactive as banks at preventing fraud, and often host scam adverts and posts which lead to people losing money. They’re just not regulated or incentivised in the same way as they don’t bear any commercial responsibility for reimbursing victims. We really need these firms to step up and take steps to stamp out this fraud at the source, rather than allowing people to fall victim and relying on banks to reimburse.

This is something we work with our Policy and cross-industry bodies like Stop Scams UK to address. Because APP fraud really is an issue that spans sectors and typically starts outside of banks/financial services, Stop Scams UK helps us work with tech and telecommunications companies to find ways to address fraud by looking at the problem end-to-end.

We’re committed to preventing fraud happening through Monzo

Finally, I wanted to talk about how we prevent fraud happening through Monzo. All stolen money has to go somewhere - and it’s equally important that we stop criminals using our accounts. The data in the PSR rankings for ‘Metric C’ relates to money muling, which is a growing problem across the industry.

A money mule is someone who receives criminal money into their bank account and quickly transfers it onto another account, keeping a small cut for themselves. Criminals recruit (sometimes unsuspecting) people to do this. Their goal is to get the money they’ve stolen into their own bank account, while making it as difficult to trace back to them as possible.

Muling is varied and difficult to detect, which is why again we use a combination of machine learning technology and expert human investigators to monitor transactions and detect muling patterns in real-time.

Our strategy is to identify muling before someone can transfer fraudulent money out of their account, investigate, and often return money to victims.

Monitoring transactions in real-time is pretty unique in the industry, where processes can take weeks or even months to detect muling. But it’s really important as mules usually receive and send money onto another account really quickly. We’re actually seeing this real-time approach being replicated by some other banks.

We’re also part of UK Finance’s bank notification system, which lets us quickly tell other banks if they’ve received the proceeds of APP fraud (and vice versa). The quicker we can move, in collaboration with other banks, the more fraudulent money we can stop and the more we can get back to victims – whether they’re Monzo customers or not.

We work closely with the law enforcement agencies and other industry players too. We’re in the Operations Group of Joint Money Laundering Intelligence Taskforce (JMLIT), which is a partnership between law enforcement and the financial sector to exchange and analyse information about fraud.

Again, social media firms have a role to play here too, as lots of money mule recruitment happens on social media.

Thanks for reading

As you’ll know we can’t divulge too much detail about our controls and strategies for preventing fraud to avoid helping criminals circumvent them! But I’m happy to answer questions where I can, about the PSR’s report or what we’re doing in this space.

Ashley

29 Likes

Very nice and very clean!

1 Like

Great read, thanks for sharing!

Not that banks or any other business should really incentivise social media to work hard in this area, they surely make enough money to fund and protect users themselves, but do you feel there’s an opportunity to work with social media in some form that would mitigate or reduce the losses impacted by their platforms?

Just thinking outside the box, but paying a social platform £££ for a fake ad to be placed, and then make £££££ in return, just feels like the social platform takes their cut and doesn’t put enough effort in to check the legitimacy of the ad, or their tech isn’t smart enough to reject misleading websites.

I see a lot of this at work, and some sites do look really well built - though unless you’ve a keen eye for detail, you wouldn’t think otherwise about buying from said false website, at times driving really difficult conversations with genuine customers losing £££s.

1 Like

Couldn’t agree more.

We’re really excited by our partnership with Stop Scams UK, because they have a lot of tech firms on board as well as banks - including Meta. There’s a lot more collaboration than in the past, and I’m hopeful it will help - albeit a lack of incentive is still a challenge.

It’s certainly true that fraudsters are getting more devious - and the tech they use keeps getting better year on year. We’re seeing really positive signs from our early work tackling this though, and we’ll keep the focus up to make sure we stay ahead.

3 Likes

https://stopscamsuk.org.uk/ourwork-stop-scams-uk

Working with Stop Scams, will Monzo consider being part of the 159 project?

I only ever really hear about your neighbouring fintech talking about this on their socials, and looking at the list, Monzo isn’t there 😟

Looking at their page, I guess you’re referring to the below as the other pieces more relate to the telecoms industry:

Data Sharing

We are undertaking an ambitious programme of work on data sharing building on research published together with the Royal United Services Institute (RUSI). In addition to important recommendations for changes in policy, this work is helping establish how information can be better and more effectively shared between organisations. It will enable the development of scalable, replicable data sharing across our three sectors.

Other projects

Along with our members, we are taking forward several other projects intended to bring additional insight and intelligence to our understanding of the scam problem and help build solutions. This includes using voice biometrics to match criminal voices across multiple members and a system that allows banks to know if an online banking customer has a live remote access session on their device.

1 Like

Watch this space! We’re working on it right now.

Just getting social media firms around the same table as banks is real progress, and we’ll see results as we understand commonalities in our data and spot opportunities to prevent fraud on their platforms before it hits our systems and customers.

2 Likes

I do have one question remaining, at least for now.

Do you think banks and other industries will ever see such a reduction in fraud (driven by AI or other) that it’ll not be at the forefront of their minds (but not become too complacent)?

Probably talking many many many years from now.

Interesting read. Is there any thought behind the decision to use a cartoon drawing of a flashing light rather than an established warning symbol like ⚠️ ❗ ⛔ ?

I think everyone working in a fraud team hopes that the day will come - but there’s also a need to be realistic. Tools that we can use to prevent fraud are also available to criminals to commit it.

What’s really clear is that no bank can ‘solve fraud’ alone.

A combination of data sharing across all the industries involved end-to-end, advanced tools, and education will make a big dent (and in fact they already do today, with a huge amount of attempted fraud stopped before it happens). Alongside this, we also need to rebalance the risk/reward equation for criminals, and make sure there are consequences for people committing fraud.

4 Likes

We always experiment carefully - and we go with the most effective option we can - but I’ll definitely pass the feedback on to the team!

2 Likes

It’s Monzo’s flare! If you look, most of their stuff is like this 🙂

1 Like

Oh my god, that makes so much more sense than what I thought it was - a bow tie under a glass cloche 🙈

3 Likes

I’ve had some horrendous experiences the past two days with Monzo blocking payments to myself on another app. There should be a process which says if I’ve given answers to why I’m making a payment to a particular app then it shouldn’t be blocked the next day for the same amount. It just makes Monzo unusable.

1 Like

I’m really sorry to hear that - that’s not a great experience. Getting fraud prevention right is really hard - and the balance between friction and ease is always tricky to strike.

I’ll feed your example back to the teams working on this feature though, and make sure we look at ways to make this better for you and the rest of our customers.

Thanks. There should be better integration with the ops teams to check if the same amount and payee has been used before, before blocking the payment and locking down my account. Also these payments were being made with an Open Banking connection to Chip - I wonder if there are specific triggers with Open Banking payments as they do not have an account number or sort code, and therefore it’s a lot harder to connect them each time perhaps.

In the short term I’m taking all savings out of Monzo as I can’t have my account blocked regularly.

Love this, seems like a great step forward, and the right balance too. I typically send the same people the same amount each month, so presume I could do this without it picking up the warnings or delays.

If it’s a new person (paying a tradesperson) does it automatically revert to pausing or does it give you one of the three screens to slow it down?

Thank you for the feedback!

We will be experimenting to see which approach gives our customers the right balance of protection and friction - but yes we will definitely consider things like past payments, and the actual risk of the transaction before deciding which route to follow.

2 Likes

I really don’t want to poo poo on what is some very good stuff, but how much of what you’re saying is just marketing mumbo jumbo that’s driven more by the regulator than Monzo?

The cynic in me says Monzo is at the bottom of the report because you’re one of the few banks who never signed up to the code and so had no incentive to protect your customers against this fraud and reimburse them. Let’s not kid ourselves; Monzo customers have been very easy targets for APP scams for years, and you’ve done nothing about it in all that time from a customer facing standpoint. And you’re only taking this seriously now because participation in the code is about to become mandatory, and you’re soon to be on the hook for 50% of the reimbursement. So you have no choice but to be incentivised now. Effectively meaning, everything you’re doing here is being driven by the regulator, not by Monzo wanting to do best by their customers. The timing is too suspect, particularly in the face of this report. You didn’t jump before you were pushed.

Don’t get me wrong, this is all great stuff, but I don’t buy in to, nor appreciate the spin you’ve put on it. My brother has been caught out by APP scams as a Monzo customer multiple times. Monzo don’t care. They never have. The regulator is now making Monzo care. At least be honest about that. Utilising what are efforts being driven largely by the regulator to save face from what is a disastrous report for Monzo isn’t a good look at all. A little more time on actually acknowledging your own pitfalls and apologising for them, and less trying to dismiss the concerns raised by the report would have gone a long way for me.

17 Likes

Interesting - I find this figure from the attached report quite interesting:

A mere 22% reimbursed - and 12th out of 14th.

I remember some time ago, in a topic about APP fraud - I recall quite vividly Monzo never signing up to the APP code - but stating you would “Follow the spirit and intent of the code” when it comes to Consumer refunds etc.

Source: Thread where it was discussed: → here
(There’s a tweet linked that seems to be no longer available - if anyone can get it?)

Does this 22% show that’s… Not true?

11 Likes

Jeez!

Look at TSB go!

1 Like