Payment fraud is looking likely to hit around US$48bn by the end of 2023, and it had risen to US$41bn in 2022 from the previous year.¹ So what is going on and how could it be reduced – or even better prevented?

Here is a typical example of how it happens. A vendor that a company regularly works with sends an invoice with updated payment details. Without checking, the corporate changes the static data they hold in their system for that vendor as they believe the request comes directly from the account’s primary contact and pays the invoice. Yet, a couple of weeks later the company learns that the money – as well as the following invoice payments – have never reached the vendor. Following an investigation, it turns out that the email with updated payment details was sent by a fraudster in a compromised email and that the money was remitted to the fraudster instead of the company.²

This scenario – known as business email compromise (BEC) or payment diversion fraud – is one of the most common digital crimes. According to data from the FBI’s Internet Crime Complaint Center (IC3), Americans alone lost US$2.9bn via BEC in 2023.³ As Europol pointed out in a December 2023 report, these fraud techniques are now often accompanied by deepfakes, i.e. artificial intelligence (AI) software that makes synthetic duplicates of real people’s voices, images and videos.⁴

“Pre-validation services are an important element for real-time treasury”
Kerstin Montiegel, Global Head of Client Connectivity and Digital Client Access Channels, Deutsche Bank

However, avoiding fraud is not the only challenge when it comes to handling payment data. Corporates also frequently experience payments returns caused by the inability to verify account information prior to their supplier onboarding process or while the payment is being processed. This results in additional fees, payment delays, lost funds and an overall poor customer experience. Swift estimated in 2021 that “friction in the payments system costs the industry more than US$2bn every year, affecting over 700 million transactions. But much of this friction is the result of avoidable errors, such as typos and formatting errors”.⁵ Other estimates are much higher.

“Resolving inaccurate payment details is often time-consuming and labour intensive. Minimising the number of payment returns and thwarting increasingly sophisticated fraud attempts is an effort that allows for no respite,” says Kerstin Montiegel, Global Head of Client Connectivity and Digital Client Access Channels, Deutsche Bank. Once the bank is aware of the failure, it then has to reach out to the client to inform them – which different time zones and operating hours may complicate further. Often, the client, once informed, will then need to respond to the bank and contact their own client in turn, to provide and confirm the correct payment details. With the right information to hand, a revised payment to the client is initiated, which incurs further costs.

The need to confirm before a payment is sent that the instructed payee is indeed the intended recipient becomes even more pressing on the backdrop of instant payments. Given that the money will immediately be available to the payee there is no room for mistakes.

As the EU wants to make instant payments the new norm across the continent (the new Instant Payment Regulation came into force on 9 April 2024), it will mandate banks to offer a new service which is named Verfication of Payee (VoP) by October 2025. Under VoP, Banks and other Payment Service Providers (PSP’s) will be required to check that the IBAN and beneficiary name match before a payment is sent.⁶ This is not only supposed to bring a widespread reduction in fraud, but also to drive down the high numbers of manual interventions and keep funds safe and moving – reducing costs and driving efficiencies for corporates.

Some countries in Europe like France or Italy for example – have already implemented their own Confirmation of Payee systems to ensure funds are kept safe from fraudsters and avoid operational errors.

Swift first released its API-based Payment Pre-validation service back in 2021. Users can cross-check payment information against pseudonymized and aggregated historic transaction data on the Swift network too. Alongside other validators features, the use of centralised data can be used to confirm that account format, purpose of payment and currency codes are correct before a payment is sent.

But how exactly does this work? Pre-validation solutions can be made available through an API plugged into the vendor master data portal. Corporates can check the existence of their payment’s beneficiary in real-time, using key account details such as IBAN, Name and Account Number. Before corporates press send on their transaction, they can confirm that their beneficiary is who they say they are as well as ensure that the account details they have on record are correct, reducing time spent on payments reconciliation for incorrect or inaccurate details and helping fraud prevention (see Figure 1).

Figure 1: Account Pre-validation workflow process

The ability to validate account information has benefits for many use cases. For instance, when paying an account for the first time, pre-validation can help to reduce the risk of it going to the wrong recipient and for cross border remittances, it provides additional controls to validate the beneficiary. “In particular, it provides support to treasurers dealing with high value payments – they can have confidence that added controls will help towards payment reaching the intended recipient,” Montiegel explains. “Pre-validation services are an important element for real-time treasury as they allow for a safe and efficient use of instant payments.”

Additionally, the solution applies to direct debt mandates and once-off rebates/refunds. Treasurers can reduce the risk of direct debit mandates being returned due to wrong account details and authenticate account information when a rebate or refund is needed. Finally, when it comes to actioning payroll payments, the pre-validation solution can confirm that bank accounts of employees are still active.

For pre-validation to have greatest efficiency, it requires two things:

1. A robust data pool on which to draw from to ensure comprehensive coverage for corporates. In other words, companies need to be able to validate supplier master data in several countries around the world – irrespective of the bank at which the supplier holds its bank account.
2. An API based connectivity which enables the validation request to be sent to the data source of ultimate beneficiary bank directly on a real time basis ascertaining accuracy in the response received.

So, what does a robust data pool look like? Figure 2 highlights four data sources that Deutsche Bank taps into for global coverage.

Figure 2: Data sources for pre-validation service

For a start, industry initiatives play a big role as it allows to leverage data from strong correspondent banking relationships. Swift’s Beneficiary Account Verification (BAV) solution aims to do exactly this by enabling all the banks on the Swift network to both send and respond to verification requests, leveraging APIs to cross-reference the account details to the identity of the beneficiaries.⁷ In November 2021, Deutsche Bank was the first bank to roll out SWIFT BAV on a global basis – both as data provider as well as consumer of the SWIFT BAV services establishing itself as front runner.⁸

At the same time, banks are also coming up with other innovative and collaborative ways to pool their resources to further bolster their data pools and validate more account details. For example, Deutsche Bank is founding member of Confirm by Liink service under, Onyx by JP Morgan – a blockchain-based bank initiative, where participants on the peer-to-peer network can exchange information privately and securely.⁹

“Deutsche Bank holds significant payment data which can be re-purposed to validate the beneficiary accounts”
Pravin Rodriguez, Global Product Owner, Client Access and Accounts Services, Deutsche Bank Corporate Bank

Moreover, the bank also hooks into Deutsche Banking private banking data network, inhouse to the bank adding few millions of private and business clients accounts. This can be helpful for corporate clients with B2C business, such as insurances or telecommunications companies. “Being the Top Euro clearer, Deutsche Bank holds significant payment data which can be re-purposed to validate the beneficiary accounts,” explains Pravin Rodriguez, Global Product Owner, Client Access and Accounts Services, Deutsche Bank Corporate Bank.

The final piece of the puzzle is adding any third-party data where available. Some local markets – such as Indonesia, India and the Netherlands – have regulatory-driven, clearing-based account validation solutions, and some fintech is emerging to add additional resources in others. Also, institutions like EBA Clearing are launching new API data validation services (known as fraud pattern and anomaly detection, or FPAD) that will help participant banks to significantly extend the range of available data coming from historical payment transactions and improve their overall anti-fraud capabilities.

“Our vision is that pre-validation is possible in every country around the world which is why we don’t want to rely on one single network but partner with several initiatives,” says Jose-M Buey, Global Head of Client Accounts Services, Deutsche Bank Corporate Bank. “We have integrated a range of and are now reaching more than 20 countries globally and validating from a pool of more than one billion accounts, there are plans to increase the coverage to more than three billion accounts over time through additional engagements.”

Sources

¹ See statista.com
² See A corporate’s guide to payment fraud prevention at corporates.db.com
³ See ic3.gov
⁴ See europol.europa.eu
⁵ See europeanpaymentscouncil.eu
⁶ See swift.com
⁷ See swift.com
⁸ See A new era for payment validation at flow.db.com
⁹ See jpmorgan.com