Faster payments mean faster everything: from connectivity to approvals to fraud management. To capture the opportunities instant payment methods like SEPA Instant Credit Transfer (SCT Instant) create, payment operations teams must adapt their ways of working from batch to flow.
Payment operations teams mostly use XML ISO 20022 files to initiate and track payments. They generate XML payment files from their ERP and then share them with their banks using their TMS or SFTP - or EBICS-based bank connectivity solutions. This process is asynchronous and requires manual file management at every step of the file-handling process, which generates manual work and potential errors. Batching is, however, efficient when grouping a large number of payments and thus is the norm both for credit transfers and direct debits, accounting for over 66% of all payments initiated in the eurozone.
|Total Number of Payments (in Billion)
|% SEPA Payments
|% Initiated Electronically
|% File / Batched-based
|% Single Payments (All)
|% Single Payments (Online Banking)
Source: European Central Bank Statistical Warehouse, 2021
To be able to execute instant payments (i.e., a payment in less than a few seconds between its initiation and the crediting of the beneficiary account), batching payments does not work well. SFTP or EBICS file transfers were not built for straight-through processing due to the manual nature of payment batching, file creation, file uploads, and file downloads from servers.
To enable straight-through processing, companies and banks are shifting their connectivity methods from files to APIs (or messaging queues). Instead of batch payment files, payments are created and transmitted at the individual payment order level through APIs. The payment order information is carried in the encrypted API call’s payload instead of a file. The bank can then provide a response for each payment in almost real time.
While APIs theoretically reduce the number of steps the data has to travel through and merges data with connectivity, it requires different capabilities and processes. Human-based processes need to be mostly automated with the right technology and rules. This shift requires dedicated buy-in from management and the right engineering resources for implementation.
However, once those connectivity changes are implemented, the payment operations team can benefit from:
Safer connectivity by removing the handling of sensitive payment files
Reduction in errors by moving to more auditable, automated processes
Improved business scalability through the reduction of manual tasks
Another complexity for the payment operations team lies in dealing with instant payments approvals. Currently, payments are mostly approved by batch once during the day. The head of finance, up to sometimes the CEO for smaller organisations, approves a file containing hundreds of payments before it is uploaded to SFTP / EBICS servers, usually just before the bank’s cut-off time.
With instant payments, approvals have to be managed in real-time for each payment order. With instant approvals needed, custom approval rules have to be designed to automate the low complexity / risk payments while adding rapid semi-manual approvals for high-risk payments.
The benefits of this payment-order level approach enabled by technology are three-fold:
More granular control of payment approvals and rejections, with custom rules focusing manual efforts on the most important payments
Increased visibility throughout the organisation of the approvals by providing a documented audit trail to manage issues
Increased process flexibility for payment operations to include the right stakeholders at the right time in the approval process
An element to consider for businesses which envision using instant payments for their payouts is the economic equation.
Currently, instant credit transfers can be more costly than regular credit transfers when looking solely at the cost per payment. While this concern will undoubtedly alleviate when the proposed policies from the European Commission come into force, switching to SCT Instant can have a short-term impact on the total cost of payment.
Moving to instant payments can also have a short-term impact on the company’s cash position. Paying suppliers and partners up to 2 days faster can result in a working capital increase. However, with instant payments becoming the norm for account receivables, this increase should only be temporary as customer invoices get paid faster.
SCT Instant should always be considered as an investment in a better customer experience whose upside easily offsets the temporary financial cost.
Instant payments, because they are fast and irreversible, have attracted more and more sophisticated fraudsters.
There are two main types of fraud in SCT Instant payments:
With the authorization of the end-user: Fraudsters use so-called “social engineering attacks” where they persuade victims to share their screens or personal information received from their banks. Users unknowingly reveal key information about their accounts that fraudsters use to rob them. Alternatively, fraudsters also try to contact customers and dupe them into authorising the payment themselves. Most common techniques are phone number spoofing, robocalls, and personalised text messages to initiate payment through the banking app.
Without acknowledgement of the end-user: The most common technique is account takeover. This happens when a criminal gets access to compromised user’s credentials (e.g., via phishing or malware that collects information from online logins or breaches third-party websites). Once the fraudster has accessed the customer’s account, they can set up and make payments without the customer’s knowledge.
The speed of instant payments raises challenges in combating fraud for financial institutions.
Weight of legacy and lack of real-time fraud-fighting solutions With regular SEPA payments, risk and compliance teams have hours to perform checks. Moving to real-time payments means there are only a few seconds during which the payment can be reviewed, verified, and authorised. Since there is such a short amount of time to come to a decision, the pressure to reliably process a large volume of transactions in real-time is high.
The fact that SCT Instant is available for companies 24/7 raises an additional challenge for banks and traditional institutions, requiring automated processes to operate around the clock.
Higher risk of loss for consumers and companies The risk of loss with SCT Instant is different than with other types of transactions. Once a real-time payment has been accepted by the payee’s financial institution, the payment is often considered irrevocable. The irrevocability of instant payment is a blessing for fraudsters who can instantly make use of the transferred funds.
Real-time money movements plead for more agile fraud prevention techniques, high-performing software, and increased automation.
Make use of all your data and analyse it in real-time A lot of financial institutions we discuss have designed their internal processes and review management to operate on a batch basis (for instance, every day, an analyst would review the alerts of the previous day). These systems can no longer support real-time payments. If you review alerts only on a day+1 basis, chances are high that fraudsters had the time to empty the account. The ability to quickly analyse huge amounts of data and to respond effectively is therefore critical to managing fraud risk.
Set up the right rules With all this data at hand, financial institutions also need to set up the right rules. Not too generic to avoid flagging regular users and generating too many false positives. Not too specific as they might miss new fraud schemes. Fraud schemes constantly evolve and are getting more and more sophisticated. Setting up rules that monitor users' behaviours and being able to identify deviations from the norm, will help you faster detect new fraud attempts.
Automate risk scenarios Financial institutions should consider allowing certain alerts to result in automatically rejecting a transaction, banning a user or taking an action without needing human approval. The use of predefined blacklists or watchlists helps react quickly and appropriately.
This article was written in partnership with our friends at Marble, the real-time fraud and decision engine.