Oct 23, 2024
17 min read

Combating APP Fraud in Fintech: “What The Fraud?” Podcast

Dive into the world of fraud with the "What The Fraud?" podcast! 🚀 Our guest today is James Nurse, Managing Director at FINTRAIL. In this episode, Thomas and James discuss APP fraud, unpack recent cases involving Revolut and Coinbase and also discuss the UK reimbursement rules, set to be enforced in October 2024.

TOM TARANIUK: Hello and welcome back to “What The Fraud?”, a podcast by Sumsub where digital fraudsters meet their match. I’m Thomas Taraniuk, currently responsible for some of our very exciting partnerships here at Sumsub, the digital verification platform helping to verify users, businesses and, of course, transactions as well.

Here’s a shocking stat to begin today’s episode. According to UK Finance, criminals in the UK in 2023 stole over £459.7 million, and this threat continues to rise. So today we’re going to break down why these scams have exploded, the ongoing challenges of stopping them, and how businesses and users can protect themselves against the growing threats. We’ll dive into a recent example of Revolut, highlighting the vulnerabilities for top fintech firms. We’re also taking a closer look at the new UK reimbursement rules, set to be enforced by October 2024, which shift liability to payment providers, and comparing them to similar regulations in other countries, such as the US, where similar regulations are under debate.

But first, let me introduce you to our brilliant guest, a seasoned expert in fintech fraud, James Nurse. James began his career in the fast-paced online gambling industry, where he tackled fraud, KYC and payment challenges head on. From there, he moved to scale operations at a startup bank and later worked on a group-level financial crime framework at a major financial institution. Now, as a managing director at FINTRAIL, a financial crime compliance consultancy, James and his team help businesses build robust fraud control frameworks, as well as financial crime programs, with a current focus on assurance reviews and fraud audits in fintech. So James, welcome to “What the Fraud?” It’s great to have you on the podcast. To begin our episode together, James, with your extensive experience leading a consultancy team, you’ve had the opportunity to work with a range of businesses, right? Can you share what type of businesses you typically work with, and what common challenges they face when it comes to financial crime?

JAMES NURSE: Sure. Traditionally we’ve worked with, I guess, that broad-brush statement of fintech, although we do work with a variety of traditional financial institutions as well, but it’s anything from crypto businesses to challenger banks to FX businesses to lending firms, capital markets, wealth management, anything of that kind, or an alternative finance method. The challenge usually relates to either the richness of the financial crime threats that they face, because obviously if you offer card products, lending products, access to fast payments, each has some kind of nuances against it. But obviously, as a wider piece, some businesses still need to be compliant with the local legislation that they need to meet, whether it’s the FCA, FinCEN or whatever country you operate in.

Why has Authorized Push Payment (APP) fraud become a big issue recently?

TOM TARANIUK: Thank you, James. So APP fraud, otherwise known as “authorized push payment fraud”, is when a victim is tricked into sending money to a fraudster. And this is a massive one. I mean, it’s rife across the UK, with 1 in 3 consumers falling victim and over half saying it’s getting harder to spot the signs. To add to the issue, James, only 25%, or one quarter, of APP fraud and scams are detected by a victim’s bank. So in your expertise, or in light of your experience, why do you think APP fraud has become such a big issue recently, in the last year or even beyond? And what would you say has changed to cause such a surge?

JAMES NURSE: We’re talking about a couple of things, though. There’s the lag in us actually doing something about it. This isn’t necessarily anything new. If you look back to when the original super-complaint came in around 2016, that was nearly eight or nine years ago. So, it’s not really new. But where we’re seeing it being amplified and brought more into the limelight is due to the incentives created over the last three, four or five years, particularly with the Payment Systems Regulator implementing the new reimbursement model. We’re also seeing factors like the continuous rise of social media platforms, alternative payment methods, and the increase in money mules as a vehicle for authorized push payment fraud. Generally, criminals have become more innovative in their approaches.

Suggested read: What’s Money Muling? Understanding Red Flags and Why Businesses Should Be Concerned

What works best in detecting APP fraud?

TOM TARANIUK: Well, based on our experience, behavioral analysis and AI-powered anomaly detection help a lot with spotting this type of fraud, or at least the signs of different fraud schemes. And from your experience, you’ve worked in both small banks and startups, as well as large corporations where you’ve developed these frameworks, so what works best in detecting these schemes, from your perspective?

JAMES NURSE: So I think when we talk about detecting, I guess that goes back to that classic prevention and detection principle that you’re often looking at generally on financial crime, not just fraud necessarily. Obviously, the more you can stop from an onboarding perspective, the better. If you can stop them getting in and onboarding with you as a business, that is always the best approach. Often when people talk about APP fraud, they think because it’s related to a transaction, that means that’s the most important part of the customer journey, but actually ensuring you have proportionate controls throughout the lifecycle of the customer journey with you is equally as important. So, not neglecting onboarding and, obviously, making sure you have the proportionate detection requirements when looking at transactions as well.

Measures to tackle APP fraud

TOM TARANIUK: It definitely makes sense from our perspective as well. We’ve always seen the origination point as just being the first touch point, right. And around 60 to 70% of a lot of the fraud that we see happens after the fact. But we’ve also recently seen that banks, as well as service providers like Mastercard, actually roll out these AI-driven tools that scan the transaction histories for suspicious activity, with confirmation of payee being implemented by, let’s say, October ’24. I believe the payment details are being double-checked now. Do you think these measures are enough to actually tackle the APP fraud that we’ve seen previously?

JAMES NURSE: I think it’s about not being reliant on one area. Bringing up confirmation of payee is a really, really good example. Look at some of the open consultations that we’ve got at the moment on delaying payments as well. There’s a whole variety of areas that build the big picture, meaning that you’re not solely reliant on one particular control area to basically prevent it. And I think strong customer authentication, confirmation of payee and all those kinds of areas all contribute as well.

TOM TARANIUK: And we need all of these organizations, all of these banks within the UK and beyond, to actually put these measures in place, including the likes of, let’s say, Revolut.

JAMES NURSE: I think there’s a few things at play here. I think the general consumer is more aware that they are potentially able to get reimbursed for scams than maybe they ever used to be. And I think they are being pushed towards the Ombudsman, as they always have been, as a last resort. I think more people are being scammed. That is clearly one area. But when we talk specifically about the Revolut case, I think there’s a couple of context bits that are important to take into consideration when we’re talking about that. The growth that they’re seeing. I think I read that Revolut have added something like 7 million customers to their books over the last year, which is something like 18% growth. So if you look at that, the average retail, high street banks are not nearly adding that amount of customers to their client list over the last 12 months in comparison. So what we’re seeing is proportionality to a certain degree. That’s not to say that they can’t necessarily increase their control area. And it sounds like they are adding significant investment into their fraud control framework as well. But ultimately there’s an element of proportionality that you need to consider there as well.

Is obtaining a banking license equivalent to enhancing protection against fraud?

TOM TARANIUK: Agreed, James. Not long ago, Revolut actually received a UK banking licence, right? It’s been all over the news, and after a three-year wait, they’re now moving forward with that licence. But does that actually mean they’re well-protected? And is that the case for other fintechs in the UK and beyond?

JAMES NURSE: So I guess let’s be quite clear here: when we talk about protection, it’s about protecting the ecosystem and protecting the consumer. That’s where most of the protection we talk about comes from. So by providing them a banking licence, clearly, the FCA thinks they are ready to receive that banking licence ultimately. And they would not necessarily have accepted them unless they thought they were ultimately ready.

How will new UK regulations impact banks and fintechs regarding scam victim reimbursement?

TOM TARANIUK: At the end of the day, this is about protecting the user base, or rather, the general public: the millions of Revolut users. I believe there are around 35 million now. UK policymakers, specifically concerning Revolut users and other banking customers in the UK, are planning to introduce more regulations requiring banks and fintechs to reimburse scam victims. The industry, of course, opposes these costs, but this is a clear signal from regulators for the financial sector to invest more in anti-fraud measures and better protect their customers.

Now, James, UK policymakers actually plan to introduce rules requiring banks and fintechs to reimburse scam victims, though the industry resists these costs. Does this represent a strong signal from regulators for the industries we’ve discussed to invest more in anti-fraud efforts? From what we’re seeing, they’re liable to reimburse up to £85,000 for losses due to fraud. Could you explain that a bit more for me?

JAMES NURSE: Yeah, absolutely. So ultimately it’s a shared cost that’s coming into play. So the payer and the payee, or the sender and the receiver, will ultimately each be liable for 50% of those potential amounts. There is a recent consultation that closed over the last week or so that has lowered that limit from, I think it was £415,000 or something, down to the £85,000 limit that we’re looking at right now. So that is the maximum amount that a firm could be liable for through that reimbursement.

TOM TARANIUK: So from your perspective, James, as well, what would you say is the biggest reasoning behind this change?

JAMES NURSE: I think there was an element of industry feedback. So I think the Payment Systems Regulator, and any kind of authority that does consultations (we’re not limited to just the UK here), does consultations because they want industry feedback. There was an element of lobbying against that limit as well. So I think there’s a whole variety of things. They went for consultation after industry feedback. The formal industry feedback through the consultation was that it was too high. So now it has been reduced.

TOM TARANIUK: So how will this new cap actually affect both providers and large loss cases?

JAMES NURSE: Ultimately, those unable to prevent these types of scams, whether on the sending or receiving end, will be liable to pay if they cannot prove certain exemptions. The exemptions are essentially gross negligence, which is difficult to prove, or that the client was acting fraudulently. So, while there are a couple of exemptions, they will ultimately be liable to reimburse the consumer or the person scammed if they cannot prove either exemption within, I believe, five working days.

Coinbase case in the US

TOM TARANIUK: Okay. That makes a lot of sense now. So, James, can you draw any similarities to what actually happened in the US last year with Coinbase?

JAMES NURSE: So I guess the point on Coinbase is about uber-growth companies, where they have gone through significant growth in such a short period of time. It is extremely difficult to prepare for that kind of exceptional growth, where you’re taking on thousands, sometimes tens of thousands, of customers on a daily basis. And I think, if you look at the Coinbase fine from last year, whilst it wasn’t necessarily related to fraud, actually the similarities are in growth, and how you proportionally grow your financial crime and fraud framework with the growth of the company is really, really important, but ultimately also really, really tricky and really difficult to prepare for. You ultimately become a victim of your own success, because you’re doing really well as a business and you’re scrambling around to try and make sure your compliance areas can keep up.

Rapid growth and fraud in large organizations: is it inevitable, or can it be avoided?

TOM TARANIUK: Would you say it’s part and parcel of these large organizations growing so quickly to actually be attached to these types of frauds? And also, is there a way to get away from it, or is it just part of the natural lifecycle of going through the processes?

JAMES NURSE: I think there’s an element of it being in the natural lifecycle; it’s about maturity. You can’t always have maturity at day dot. You learn, and traditional businesses are still learning. HSBC are still seeing illicit money going through from various businesses. We saw an example case study the other week where they were connected to, I think, it was Putin’s Wagner Group or something. So I think no one’s exempt from these things. But I think particularly with some of these uber-growth businesses, it’s about maturity.

TOM TARANIUK: There’s an element of this sort of fraud that you kind of get away from as a large organization. But when you’re talking about, as you said, day dot, an organization which has just come out of startup, has just raised, and has now gone in two years to 10 million customers, having the right frameworks in place, the ones that you’ve built previously, is essential. But is it enough to actually stop these types of fraud from the get-go, or are there other elements at play?

JAMES NURSE: I think whenever we as FINTRAIL sit down and do projects around risk appetite, I guess is what I’ll call it, whilst you obviously want to prevent all fraud or all financial crime happening on your system, or through your payments or through the accounts that you hold, ultimately you’re never going to set a risk appetite which is zero. You have a low or no tolerance, maybe. But you also accept that ultimately you’re going to see some form of financial crime through your accounts or through your payments. It’s an inevitability to a certain degree, but it’s about making sure you keep it below your tolerance thresholds and the regulator’s tolerance thresholds as well.

TOM TARANIUK: Absolutely. I mean, every company wants to grow, right. But it would be paradoxical to think that you’re going to grow whilst also eating into your risk appetite.

JAMES NURSE: Yeah, absolutely. And ultimately we could put 1,000 controls in place. But ultimately, for the consumer, you would not be getting quick payments. You would not be getting quick bank accounts, you would be restricted from accessing accounts. So it’s about how we get the right balance as an industry to make sure it’s accessible to everyone, that the ecosystem we have provides good service for the industry as well, but also that we’re protecting the consumer at the same time. And unfortunately, the trade-offs don’t always pair well together.

How can consumers protect themselves against emerging fraud schemes?

TOM TARANIUK: What do you think the day-to-day consumer needs to know, especially regarding these types of fraud, to remain vigilant? We’re discussing a lot of back-end processes like KYC, from origination to ongoing monitoring, as well as the regulations. But if the user or app user is in control, is there anything they can do to prevent the types of fraud we’re talking about?

JAMES NURSE: I think it’s important to keep educating yourself. I understand that there’s a legacy element where we have vulnerable customers who are more difficult to educate, but even someone like me could easily receive a text and think, ‘Oh, that’s from DPD or another company,’ and almost click on it before realizing it’s a scam. It’s so easy to fall for these tricks, so just keep educating yourself, stay informed, and read any updates or alerts that your bank or financial institutions provide.

TOM TARANIUK: I would say even with DPD, that was a really interesting one that you just mentioned, because I got one of those, I believe it was Saturday, but in conjunction I’d actually ordered something from abroad, so I don’t know if that was by coincidence or it happened by chance, but I did click the link and I didn’t proceed onwards because I did check the URL. But that’s something that you’d always need to remain vigilant for, anyone listening. Always check the URL. Always check the terms of service or policy. Make sure everything is completely fine.

JAMES NURSE: Absolutely.

TOM TARANIUK: Even from Revolut’s standpoint, I know we keep touching on them, but one of their executives, Francesca Carlisi, has actually said it is a national emergency. Strengthening fraud controls and online fraud controls is indeed that. I mean, what role will this play in mitigating future scams, and how can they meet the rising sophistication of online fraudsters as well?

JAMES NURSE: I think if you’ve attended any of the Payment Systems Regulator’s external speeches, read any of their write-ups, or reviewed the documentation on the reimbursement model, it’s clear that not everyone supports it. However, they emphasize the same message repeatedly: creating the right incentives for the industry to do the right thing. At FINTRAIL, we’ve worked with a variety of businesses over the last 12 months and beyond, primarily conducting assurance reviews on their control frameworks, particularly around fraud. If you compare the numbers in these firms to where they were two years ago, you can see that their fraud rates have significantly decreased. So, when we talk about creating the right incentives, it’s clearly working well.

Are current fraud prevention schemes sufficient for the short-term?

TOM TARANIUK: Do you think these schemes are designed to protect users over the next 1 to 2 years, or will it take a broader effort to address the challenges posed by other types of fraud over the next decade?

JAMES NURSE: Yeah, I think when we talk about types of fraud, we often get confused. Authorized push payment fraud, we have to remember, covers a whole variety of scams, which ultimately are the same thing, whether it’s a romance scam, the classic building-a-school scam, investment scams, loan fee or advance fee scams as well. Lost pets is another one as well, if anyone’s looked at those ones. They all fall under authorized push payment fraud. So I think the principles are the same. It’s just conning the individual into paying for something that they think they’re getting, and ultimately it does not exist; it was a fake scheme in the end. So I think, principally, it’s the same.

Suggested read: Detecting Romance Scams: A Guide for Dating Platforms and Their Users

How important is it to monitor users in fintech?

TOM TARANIUK: James, we often talk about the fact that KYC, otherwise known as “Know Your Customer”, is not enough and only full-cycle verification can be a solution to anti-fraud today. So in your humble opinion, how important is it to monitor users in fintech?

JAMES NURSE: Yeah, absolutely. And as you alluded to that full-cycle approach, there’s a bit of an obsession with the term perpetual KYC at the moment, as I’m sure you, as a KYC provider, are already familiar with. And making sure that you ultimately have a good understanding of your customer through the lifecycle of their journey with you, I absolutely agree with you there. Particularly around the topic that we’re talking about as well, things come into play like dormancy or inactive accounts, changing customer behavior, etc. A whole variety of areas that you’re not going to know about unless you monitor those ongoing concepts with your customer.

How do new rules shift APP fraud liability to payment providers?

TOM TARANIUK: Absolutely. And there’ll be different risk triggers based on different interactions, right? Whether it’s frequency or volume. But from your perspective, James, how do the new rules shift the financial liability, let’s say, for APP fraud scams from the customers to the actual payment service providers?

JAMES NURSE: I think that’s one of the concerns, particularly in the fintech industry, where there’s an argument about affordability—especially when these businesses operate on funding rather than profitability. Pushing too much responsibility onto the payee and payer sides without enough emphasis on the consumer may ultimately lead to some unexpected consequences. We actually posted about this on LinkedIn a little while ago, highlighting some of these unexpected consequences, such as more firms going bust and an increase in friendly fraud. There are many areas where pushing too far away from the consumer could be problematic because, in my opinion, there still needs to be an element of responsibility on the consumer to look after themselves. It’s about finding the right balance.

Suggested read: Payment Fraud Guide 2024: Detection and Prevention

How do UK regulations compare to the approach taken in other markets?

TOM TARANIUK: How do you think the UK regulations compare to the approach being taken in different markets, such as the US and Australia too?

JAMES NURSE: Certainly. Well, the UK is the first, the more progressive market in this particular area. I think there’s a variety of different progressions across the board in some of those countries. I understand the US are certainly exploring it; they are looking at it. They basically have a voluntary reimbursement scheme at the moment, I think, which is the kind of approach that we had in the UK before, where you do not have to reimburse, you do not have to sign up to the scheme. It’s a voluntary one. Similarly, Australia are also doing a whole range of things. They’re also going on a journey not dissimilar to the UK. They’ve got a lot of other initiatives, not just around reimbursement, that they’re looking at, but I think one of the bits that they, or the Treasury, are looking at at the moment is a similar mandatory investment kind of model to the one we are adopting in the UK as well. We’ve also got PSD2.5 or PSD3, or whatever you want to call it. That’s also coming into play. And a big focus around that is also fraud and protecting the consumer around a few different areas, but one of them is around reimbursement considerations we need to be thinking about. Singapore are also doing something as well, on a shared responsibility framework, I think they call it. So again, maybe a dual kind of reimbursement scheme. So basically, to answer your question, in short, there’s a lot of countries that are following a similar approach.

TOM TARANIUK: Of course, I know that you’re busy at FINTRAIL providing all types of resources and insights to help businesses and individuals combat fraud in fintech, but could you please share a sneak peek of what you’ll be publishing and where to find it, for our audience’s sake?

JAMES NURSE: Absolutely. So if you don’t follow me or us at FINTRAIL, we’re on LinkedIn. And we do quite a few practical resources. We have a fraud checklist as well on the website. So do feel free to have a look at that. And there might be some little bits, if you’re not looking at consulting an external party to look at your fraud controls, where that checklist might maybe help tick some of those boxes to see if you’re doing the right things or you’re on the right lines. Do connect. Do follow us, we’d love to hear from you.

TOM TARANIUK: It does sound fascinating, James. We also have, I believe, an event that we’re doing together, right? Would you be able to tell our audience a little bit more about that?

JAMES NURSE: Absolutely. So FFACON25 is returning. We had a gap year this year, but we’re really pleased to do our seventh conference. So this will be in February next year. We’re also really pleased that Sumsub team will be joining us for the day. So tickets are now live. So if you want to join, do sign up. We’re looking forward to getting 400 or 500 people in the room, having a chat, listening to some good content.

TOM TARANIUK: Incredible, James. Well, I don’t have my ticket yet. So where would people like myself who want to join actually go and get their ticket?

JAMES NURSE: Yours is in the post, so don’t worry. But yeah, if you go to the FINTRAIL website and you just click on FFACON25, you’ll be able to find the link there.

Quick-fire round

TOM TARANIUK: Wonderful. Thank you, James. Whilst we have looked through quite a few questions today, I’d like to kind of switch things up. We like to call them ‘rapid fire’, ‘quick fire’ and it’s a great way to wrap up the show. So without further ado, just remember no overthinking. Let’s go. James, when choosing a crypto wallet, do you go for more features or better security?

JAMES NURSE: Better security.

TOM TARANIUK: Wonderful. Number two: strong passwords or biometric authentication?

JAMES NURSE: Biometric authentication or, technically, blurred. Blurred. I’ll take a shot for that because I think it’s both, right?

TOM TARANIUK: So, James, question three: is online fraud in crypto more about technology flaws or human error?

JAMES NURSE: Human error.

TOM TARANIUK: Fantastic answer. Actually, we’re getting a mixed bag on each call. I need to speed up, sorry. Four: what one habit would you say you rely on to stay safe online?

JAMES NURSE: Change my passwords, making sure they’re in a password vault or things like that. Like trying to remove yourself and close as many accounts as possible. All that usual stuff.

TOM TARANIUK: Oh. It’s true. Two factor authentication also. I get a lot of pings on a weekly basis saying, ‘Oh, look, your passwords have been accessed from something obscure’.

JAMES NURSE: Yeah.

TOM TARANIUK: And I have to go back to some random place. But number five: if you could have any other career other than the one that you’re currently in, what would it be?

JAMES NURSE: Wow. I always wanted to be a chef. It’s probably more stressful, I think, being a chef. But I fancy being a chef.

TOM TARANIUK: Thank you so much, James, for joining “What The Fraud?” It’s been a pleasure to have you, and also to listen in to some of the very exciting things that you had to say today, as well as to explore the case study and the answers to our quick-fire questions. So once again, thank you very much. Looking forward to FFACON25.

JAMES NURSE: Thanks so much for having me. Speak to you all soon. Thanks so much.

TOM TARANIUK: Thank you for tuning in to this episode of “What the Fraud?” If you’re loving the show and finding it as eye-opening as myself and the rest of the team are, please don’t forget to hit the follow button on your favorite podcast platform. That could be YouTube, it could be Spotify, it could be Apple Music and so much more. And whilst you’re at it, drop in a review. We’d love to hear your thoughts. So are you ready to elevate your business game? Discover how Sumsub verification services can supercharge your success. Visit our website for more and don’t forget to follow us on social media for the latest updates and insights.

Tags: Fintech, Fraud Prevention, Regulatory Compliance