Fighting fraud and money laundering: did the EU Commission provide a major breakthrough last week?

Arnaud Schwartz
Marble
Nov 15, 2022

Instant SEPA: will new regulations increase fraud fighting efficiency?

If you’ve followed the news and our previous publications, you saw that, on October 26th, the EU Commission pushed for Instant SEPA adoption across all EU banks. While the text emphasizes pricing, which should no longer be higher than regular transfers, better coverage, and transition from a transaction-by-transaction sanction filter to a daily check, one thing caught our attention: the necessity to check the correspondence between the IBAN and the beneficiary’s name before sending the transfer.

How to increase trust and confidence for Instant SEPA

This new measure is supposed to counteract the trust issue that Instant SEPA raises: payments are instantaneous (duh..) and cannot be recalled. Hence an error, or a fraud, can have dire consequences. To fight that, the Commission added a new mandatory check: the sender’s bank must check the match between the name of the beneficiary indicated by the account owner and the actual owner of the IBAN, as indicated by the bank of the receiver. The mechanism is not yet fully detailed but already states that every bank must provide a solution to perform that check. Customers can still override the result of the check, but by doing so, they release the bank from responsibility if there is an error.

Correcting a flawed solution

Solutions to identify the genuine holder of an account already exist on the market but are significantly flawed. PSD2 APIs generate a lot of friction, especially since the beneficiary account holder must grant access to his info with his credentials to allow the check to be concluded. As such, only a few SEPA transfers use this system, even though it has been on the market since 2017, and this option is currently used mainly for credit scoring. It also has severe limitations regarding privacy, as the use of the PSD2 credentials could also grant access to the past transactions of the verified account.

Alternatively, SEPA Diamond, a sublayer of the SEPA network, is a powerful solution for correcting the above flaws: the beneficiary’s bank will provide a confirmation of the account identity based either on the SIREN or on the name/surname and date of birth combination. But it also has two major problems: most of the checks take between 20 minutes and an hour to be processed, removing the ability to validate a beneficiary in real time, and worse, only a handful of banks are using it, which rules out checking accounts held in non-compatible establishments.

Calling for a European standard

As a result, the decision of the EU Commission certainly left the market with many questions, starting with: how will every bank connect to all other establishments in Europe to get the IBAN / beneficiary info? The worst case would be to let each bank develop its own interface, like in the early days of PSD2 APIs, forcing hundreds of different integrations. The solution remains to be built. It also raises the question of the data that will be checked. For a company, for example, the ideal key would be to match the IBAN with the registration number (SIREN in France). But usually, a sender will indicate the company’s name when adding a new beneficiary, not the SIREN. Same for individuals: how deep/accurate should the algorithm be when trying to match a “Mr. Dupont” beneficiary name with a joint account opened in the name of “Agnes Dupuis George Dupont”?
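An added example, not from the original article or any scheme specification: one way a sender's bank could grade the name the customer typed against the holder name returned for the IBAN, using the joint-account case above. The outcome labels, the title and legal-form lists and the 0.8 threshold are assumptions made for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Assumed noise words; a real deployment would maintain these per country.
TITLES = {"mr", "mrs", "ms", "mme", "mlle", "dr"}
LEGAL_FORMS = {"sas", "sarl", "sa", "ltd", "gmbh"}


def normalize(name):
    """Lower-case, strip accents and punctuation, drop titles and legal forms."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = "".join(c if c.isalnum() else " " for c in ascii_name.lower())
    return [t for t in cleaned.split() if t not in TITLES | LEGAL_FORMS]


def best_score(token, candidates):
    """Similarity (0..1) between a token and its closest candidate token."""
    return max(SequenceMatcher(None, token, c).ratio() for c in candidates)


def verify_payee(entered, holder, close_threshold=0.8):
    """Grade the entered beneficiary name against the account holder name.

    MATCH         same tokens, any order
    PARTIAL_MATCH every token of the shorter name is in the longer one
                  (surname only, or one holder of a joint account)
    CLOSE_MATCH   every token has a near-identical counterpart (typo)
    NO_MATCH      anything else, including an empty name
    """
    entered_t, holder_t = normalize(entered), normalize(holder)
    if not entered_t or not holder_t:
        return "NO_MATCH"
    if sorted(entered_t) == sorted(holder_t):
        return "MATCH"
    # Compare the shorter token list against the longer one.
    small, large = sorted((entered_t, holder_t), key=len)
    scores = [best_score(t, large) for t in small]
    if all(s == 1.0 for s in scores):
        return "PARTIAL_MATCH"
    if all(s >= close_threshold for s in scores):
        return "CLOSE_MATCH"
    return "NO_MATCH"


if __name__ == "__main__":
    joint = "Agnes Dupuis George Dupont"  # joint account from the article
    for typed in ("Mr. Dupont", "George Dupond", "Jean Martin"):  # constructed
        print(typed, "->", verify_payee(typed, joint))
```

A PARTIAL_MATCH on a surname alone is exactly the ambiguous case the question above points at: the code can flag it, but whether the customer is warned or the transfer is let through is a policy decision the standard would have to settle.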

And finally, in the hopes of keeping the ability of modern banks to add a new beneficiary and immediately process a transfer, the retained solution must work in real time, 24/7, just the same as the Instant SEPA scheme.

Balancing the scale on transfer fraud and AML

A real-time, market-wide, open solution to check the actual beneficiary of any third-party account is a potential breakthrough for fraud fighting and anti-money laundering.
Have you ever heard of the information balance gap? A financial institution always knows less than its customers. If the level of information known by the bank and the customer was perfect, credit scoring would be immensely accurate, for example, because the customer could not hide any negative data from the bank. But in the real world, this gap is a huge source of difficulties for a financial institution: when a customer does a transfer, they know why it’s done, to whom, and for what purpose. On the other side, the bank must extrapolate that info from a limited set of data: customer knowledge gathered during the KYC, transaction labels… That is why it is so easy to bypass banks’ safeguards against fraud: indicate that you are doing a transfer to your cousin, with an amount similar to your usual spend, and it becomes tough, without generating a massive amount of false positives, to detect that you are hiding drug money or committing a scam. The gap of information forces the banks to dig deeper into the data, notably by matching the info against the paying user’s account, to limit the false positive volume and improve the detection value.

The EU Commission’s decision to let banks query, ideally in real time, the info of the actual account owner behind each IBAN is a considerable step forward in reducing the information gap. Financial institutions will be able to detect if the beneficiary is an individual or a business, if there’s a mismatch with the info provided, or simply if the account really happens to belong to the sender. The impact on the detection models will be tremendous, probably generating a boost of over 50% in accuracy over current scenarios targeting scams and money laundering. It remains to be seen how much friction the access to the information will generate.

If indeed a standard, real-time, sturdy API is deployed scheme-wide, this will open a new era of confidence and better oversight over SEPA transfers.

Arnaud Schwartz
Risk, payment and compliance. Co-founder @ Marble