How the digital revolution is transforming trust and fraud in the global payments ecosystem 

At Visa, we know the power of digital money movement. Few innovations bridge the distances around the world so completely. But the rise of digital commerce and the sheer scale involved bring new challenges for businesses, the clients they serve, and the bad actors who seek to take advantage of them both. Protecting businesses and consumers in the digital money movement era requires different ways of looking at security and trust. The saying goes “It takes a village,” but in this case it takes the union of technology, expertise, products, and partners to deliver on that security.

Visa Direct is helping create the infrastructure necessary for a secure, connected global economy. Built with Visa’s risk management products, Visa Direct benefits from our relationships with select partners who are innovating at the forefront of identity management, fraud management, and artificial intelligence. Together, we are in a position to offer security and fraud management that helps clients deliver money to billions of payment endpoints around the world.¹ Visa Direct is powering the on-demand financial system one transaction at a time. 

“Through our own leading fraud risk products combined with selected partnerships, we are in a position to provide our clients with the best in fraud risk management,” says Sue Onians, Vice President Visa Direct Ecosystem and Risk.

“Through our own leading fraud risk products combined with selected partnerships, we are in a position to provide our clients with the best in fraud risk management.”

Sue Onians headshot
Visa logo
Sue Onians, Vice President Visa Direct Ecosystem and Risk.

Halt, who types there?

One of the most persistent challenges in payment security and one of the most crucial aspects of any financial transaction is proving that someone is who they say they are. When this process breaks down and bad actors are able to insert themselves into a transaction, the financial impact can be significant. Fraud via identity scams accounts for a growing portion of fraud losses. According to the Federal Trade Commission (FTC), Americans reported $8.8B in total “scam” losses in 2022—a 30% increase compared to 2021—which includes investment scams, fake lotteries, and phony job opportunities.² Nearly 30% of the reported damage from scams came from imposters who bilked people out of money by impersonating someone.¹ Across the Atlantic in the UK push payments fraud has become more common than card fraud, where an average of £2,300 was lost to fraud every minute in 2022.³

$8.8 B

Scam Losses in 2022²

30%

Total Scam Increase Compared to 2021²

Filtering good actors out from the bad ones has spawned an entire industry around identity management and KYC regulations around the globe, yet it’s still a challenge that will take further innovation to tackle. One of the most vexing tasks is verifying an individual's “digital identity.” But what even is digital identity, and how do you prove it?

“Digital identity is a question of how we prove that you are who you say you are when you're transacting online” says Matthieu Charpentier, Vice President and Global Head of Authentication and Identity at Visa. “It’s also going to mean a different thing depending on where you are, depending on what you're trying to do, depending on who you're trying to transact with.”

Visa can support clients in building layers of identity security to assess the level of risk for transactions and help organizations fight scammers and fraudsters from receiving money in the first place. Consider someone who is trying to send a large amount of money to someone in another country they’ve never sent to before. Identity security and fraud prevention technology, enabled by Visa, can flag that kind of transaction based on probabilistic models and prompt clients to confirm who the person they’re sending the money to is and if they’re in control of their account.  

“Visa has a lot of data, and we see transactions happening across the ecosystem and across our network,” says Charpentier. “We can identify accounts that are fraudulent accounts and are being used by fraudsters to receive money from scams.”   

Identity security is not a one-size-fits-all solution, though. Bad actors use a range of identity fraud types to acquire funds from digital financial transactions. Losses to U.S. companies from identity fraud like account takeovers, theft of personally identifiable information (PII), and tax identity theft eclipsed $43 billion in 2022,⁴ a staggering sum that shows how vital identity is in the digital economy.

“We can identify accounts that are fraudulent accounts and are being used by fraudsters to receive money from scams.”

Matthieu Charpentier headshot
Visa logo
Matthieu Charpentier, Vice President and Global Head of Authentication and Identity at Visa
That’s why Visa works with partners like the identity verification platform, Persona, to bolster Visa Direct’s own capabilities or provide services that Visa may not. Persona helps clients with KYC by providing infrastructure and tools to identify their customers through PII and other data—like database checks—depending on the industry of the client or action the customer is taking.  “Your name, address, date of birth—those things are pretty foundational when it comes to identity. But we also want to have context around where you're coming from, what kind of action you're trying to take, what services you’re trying to access,” says Jeff Sakasegawa, Trust and Safety Architect at Persona. “Depending on the answer, we may make some additional requests of you to build out a more comprehensive picture of who you are, what you're trying to accomplish and what that means for our clients. And we’re trying to do this in an automated, scalable, and fast fashion.”⁵

Geography plays a role in how Persona provides identity security as well. Even though we live in a globally connected economy where customers and businesses can send money across borders in real-time,⁶ the regulations around identity vary from country to country, which makes for a complex privacy landscape. Different countries use different bits of information for identification, whether it’s a national ID card or a tax ID number, and have different requirements for storing that data. For example, “The EU is a much more regulatory-driven market, and so they will have expectations of us to secure information in a particular way, store it in particular places, and only use information when and where appropriate,” says Sakasegawa. “That's much more defined than America.”

Until there’s a global standard for identity verification, platforms will have to make do with adjusting to local regulations. “Every company and every country is on their own digital identity journey,” says Sakasegawa, who highlights the differences in data security regimes in the EU and the U.S. as an example. Persona is able to check identities against global databases in 40+ countries in order to allow their customers to conduct KYC/AML checks, which helps companies scale without dealing with a piecemeal fraud prevention platform.⁷

Identity security is an important part of making the global economy flow more smoothly, especially as digital identities allow people to be more mobile. “Knowing your identity in the moment might not be enough anymore,” says Sakasegawa, before underlining the need to develop a more contextual understanding of identity. “We need to understand how that identity will change and how we can better support and differentiate between what's legitimate or fraudulent behavior no matter where you are.”

“Your name, address, and birth date are foundational for identity. We also consider where you're from, your intended actions, the services you use. We may do more to build out a more comprehensive picture of who you are, what you're trying to accomplish. And we’re trying to do this in a fast, automated, scalable way.”

Jeff Sakasegawa headshot
Persona logo
Jeff Sakasegawa, Trust and Safety Architect at Persona

New scammers, old tricks

Thieves have been trying to scam, con, and manipulate people out of their money since money was invented.  The digital economy hasn’t changed that fact, as scammers still use tricks like social engineering to steal someone’s identity or bank account. But, it has created a new battleground between scammers and institutions dedicated to protecting consumers. Visa has been using technology like artificial intelligence to fight fraud in its global network of payment rails at scale for years. “We’re always looking at how we can improve the security of our global network when you operate in over 190 countries and move the equivalent of almost 15 trillion US dollars around the globe yearly,” says Michael Jabbara, Vice President and Global Head of Fraud Services at Visa. “Artificial intelligence really gives us that superpower to be able to identify that fraudulent needle in the haystack of legitimate activity that we want consumers and businesses to engage in.”

Visa Direct also focuses on preempting threats using AI and machine learning to craft predictive risk modeling on account funding transactions (AFTs) through the Visa Advanced Authorization tool. It’s part of a layered approach that Visa uses to fight financial crimes, which also includes the use of “white hat” hackers who attempt to find any weaknesses in Visa’s fraud detection system and troubleshoot potential customer issues before they interrupt a transaction. 

“The type of scammer changes, but the way they convince you to do stuff doesn't change,” says Soups Ranjan, CEO and founder of Sardine AI, a fraud protection platform that works with major financial services firms and another partner Visa Direct clients can choose to leverage. “They'll call you up, they'll ask you to do something, and they'll try and sweet talk you into actually installing something on your computer so that they can guide you through the process.” 

“Artificial intelligence really gives us that superpower to be able to identify that fraudulent needle in the haystack of legitimate activity that we want consumers and businesses to engage in.”

Michael Jabbara headshot
Visa logo
Michael Jabbara, Vice President and Global Head of Fraud Services at Visa

Sardine tries to interrupt fraudulent activity by using machine learning to validate transactions as they’re happening. Scrutinizing certain data points like passwords, social security numbers, and IP addresses are obvious ways to fight financial crimes, but Sardine’s analysis of behavior is also valuable in detecting authorized fraud (i.e., scams). Similar to how Visa Direct recognizes patterns across its network, Sardine tracks and recognizes behaviors during onboarding, logins, and transactions as a way to validate customers and transactions. 

Authorized fraud often occurs when a person lets a fraudster into an account or shares a password, and nuances like how someone moves a mouse, screen mirroring, or other trackable behaviors have become new methods of fraud detection. “Nowadays, a fraudster can spoof a device or IP address very easily,” says Ranjan. “That’s where our forte comes in. We pierce through tools like proxies and VPNs to find if someone is truly accessing the service from the country they say they are in vs a high-risk country. We also detect use of remote access tools commonly used by fraudsters to coach victims through the process of account creation. Finally, we look at user behavior. How is a user typing, swiping, and scrolling? Are they switching tabs? Are they copying and pasting PII they should know by heart? We use these signals to predict malicious intent." 

“We look at user behavior like typing, swiping, scrolling and tab switching? Are they copying and pasting PII they should know by heart? These signals help predict malicious intent. Faster payment methods come with faster fraud and scams. You need to be able to make accurate risk decisions almost instantly.”

Soups Ranjan headshot
Sardine logo
Soups Ranjan, CEO and Founder, Sardine

Behavior may seem like a subjective marker for detecting fraud, but research has shown that there’s a connection between your personality and how you move your mouse on a computer screen.⁸ “Keystroke dynamics”—the study of how people type—has long been considered a unique biometric signal, the rhythm of typing being akin to a speaking cadence or a gait. Sardine AI is able to analyze these and other factors using AI and turn them into real-time decisions about fraud, helping their financial institution customers make informed risk decisions and stop criminals before they can move money. That means they are able to help prevent some types of fraud as they happen instead of resolving it after the damage is done.  

“So, [as suspected fraud is detected,] we would provide the tools to the neobank or the bank, [and] they stop the transaction,” says Ranjan. “They could flash a message to alert them, essentially saying, ‘This transaction has been stopped, because we suspect something,’ or, ‘Security systems have flagged this as an anomalous event.’ 

"Faster payment methods come with faster fraud and scams. You need to be able to make accurate risk decisions almost instantly," continues Ranjan. "A fraudster can easily load money into a wallet using a stolen card via AFT, and then send that money to another card via OCT. To stop this type of scam, you need to look at not only the speed of money movement, and any irregularities, but you also need to take into account more subtle behavioral patterns. Combining these is a powerful predictor of scams and APP fraud." Ranjan points to the example of someone funding a neobank account and then immediately going to an ATM to withdraw that money using a legitimate debit card with an appropriate PIN. That behavior could either be a fraudster or a tourist, but analyzing the context in real-time is key. Deciphering which is which takes an understanding of how people behave and how fast money moves. “A good user would at least have some gap between those two actions,” he says. “Speed of money movement is key in catching fraud. How fast is money moving in and then moving out?” 

Fraud isn’t something that can be fought with a single tool or technology. Scammers may not have changed what they want, but their toolkits have expanded significantly, which means that institutions need to respond in kind. “It's very much an arms race between what is happening on the security side and what is happening on the fraud and financial crime side,” says Jabbara.

The next chapter of securing financial transactions

Financial scammers aren’t going anywhere any time soon, but the technologies being developed and deployed by Visa Direct and its partners are at the front line of the fight against fraud. That’s why Visa Direct is focused on forward-thinking strategies that help clients address growing fraud threats and operational frameworks and tools that help clients be more informed and prepared to manage their own risk. Visa Direct is focused on a secure payments future, and that philosophy will guide Visa Direct’s efforts to continue to look ahead as the world continues to become increasingly digital and interconnected.

Sharing information is going to be a vital component in the future of financial security.⁹ As a result, Visa Direct’s efforts to streamline the communication across the digital payments ecosystem is focused on improving the quality of data that businesses, governments, and institutions have access to, as well as accelerating how quickly that data is shared. Two new innovative security tools from Visa Direct, Account Name Inquiry (ANI) and OCT Fraud Reporting, involve data sharing during and after transactions to help Visa Direct and its clients make more informed risk decisions.

ANI is a name-matching service that helps to protect against scams and fraud on either side of a payment transaction. Put simply, the system determines whether the name on the card account that the sender is sending money to matches the name of the person that they think they should be sending to. For example, a brokerage firm receiving a request from a client to pay out from their brokerage account to their card account can check whether the name on the receiving card account matches the name on the brokerage account. These name cross-checks are used in concert with Visa’s other identity verification techniques, adding another layer of security to global payments.

Visa Direct‘s new fraud reporting requirements are also helping in the shifting fight against financial crime. As of October 2023, acquirers are required to report fraud on card-based original credit transactions (OCTs). This new reporting flow can potentially provide Visa with new insight into fraud taking place on push payments while enabling it to enhance information-sharing with issuers in an effort to reduce the likelihood of repeat fraud. That means more information sharing and more data points with which to fight.

New fraud reporting capabilities from Visa Direct also allow clients to report more granular information on seven sub-types of fraud, including purchase, investment scams, and impersonation scams on AFTs and card-based OCTs. This information can help improve Visa’s modeling and provide insights into how fraudsters perpetrate scams, which in turn can help with the development of future tools.

The digital revolution has transformed how we think about the need for trust and security. Groundbreaking technology like artificial intelligence and machine learning have helped protect consumers and businesses—but scammers and fraudsters have access to those tools as well, which means that the complexity of protecting people has increased in kind. Security in the age of digital money movement takes a village, and Visa Direct is helping shape that community one financial transaction at a time.

More Visa Direct thought leadership

Read more about global money movement, evolving digital payments trends, and Visa Direct clients

Footnotes

This article was originally published in February 2024.
 

Visa Direct is a service that facilitates funds transfers by Visa’s clients.

Case studies, comparisons, statistics, research and recommendations are provided AS IS” and intended for informational purposes only and should not be relied upon for operational, marketing, legal, technical, tax, financial or other advice. Visa neither makes any warranty or representation as to the completeness or accuracy of the information within this document, nor assumes any liability or responsibility that may result from reliance on such information. The Information contained herein is not intended as investment or legal advice, and readers are encouraged to seek the advice of a competent professional where such advice is required.

These materials and best practice recommendations are provided for informational purposes only and should not be relied upon for marketing, legal, regulatory or other advice. You should independently evaluate all content and recommendations in light of your specific business needs, operations, and policies as well as any applicable laws and regulations. Visa is not responsible for your use of the marketing materials, best practice recommendations, or other information, including errors of any kind, or conclusions you might draw from their use. You should consult with your own legal department when creating your own materials or policies to determine if any legal disclosures, changes, or registrations may be required under applicable federal, state and local laws and regulations and your own institution’s policies.

This presentation contains forward-looking statements within the meaning of the U.S. Private Securities Litigation Reform Act of 1995 that relate to, among other things, our future operations, prospects, developments, strategies, business growth and financial outlook. Forward-looking statements generally are identified by words such as "believes," "estimates," "expects," "intends," "may," "projects," “could," "should," "will," "continue" and other similar expressions. All statements other than statements of historical fact could be forward-looking statements, which speak only as of the date they are made, are not guarantees of future performance and are subject to certain risks, uncertainties, and other factors, many of which are beyond our control and are difficult to predict. We describe risks and uncertainties that could cause actual results to differ materially from those expressed in, or implied by, any of these forward-looking statements in our filings with the SEC. Except as required by law, we do not intend to update or revise any forward-looking statements as a result of new information, future events or otherwise.

All brand names, logos and/or trademarks are the property of their respective owners, and do not necessarily imply product endorsement.