No protections? No dice

Canada's "epidemic of fraud" may be around the corner

“I’ve been scammed.” This is what Adam Rickitt, an actor known for his appearances in British soap operas, told his Instagram followers last month. It all started with a text message from his bank, or so he was led to believe. The impetus? Suspicious activity in his bank account. Next came a phone call, with the caller ID matching the phone number of his bank’s fraud department. So he picked up. After being told what had gone wrong, Rickitt was given the ostensible corrective. When all was said and done, Rickitt had been duped into sending the clever fraudster tens of thousands of dollars.

This year, a trade association that sells itself as a collective voice for the banking and finance industry told the Financial Times that the United Kingdom is experiencing an “epidemic of fraud.” According to members of UK Finance, people lost more than half a billion pounds in 2021 to criminals committing “authorized push payment fraud.” This is when people are tricked into sending their money to fraudsters, like Rickitt was.

British fraudsters are clever. But they also have something else: a way to do account-to-account money transfers in real-time, allowing them to withdraw the funds and disappear without a trace before their marks discover what’s happened.

This makes me worry that Canada’s own “epidemic of fraud” is around the corner.

---

It is me, or is that déjà vu?

Canada is no stranger to fraud. You’ve probably picked up a few phone-calls only to hear an automated message about a pricey Amazon.com order on your credit card or there being a warrant out for your arrest. If you played along until the very end, you’d have been asked to give them the credentials to make payments from your bank account and into their own. The Canadian Anti-Fraud Centre reported that nearly 70,000 Canadians lost almost $400 million to fraudsters in 2021.

We don’t have good data on fraud by payment type—which could be its own essay—but it’s safe to assume that a lot of today’s fraud is credit card fraud. Stealing someone’s credit card and going on a shopping spree is one of the older tricks in the book. This is why I smiled when the federal government recently passed regulations under the Bank Act to limit the liability of Canadians to $50 in the event of credit card fraud.

The payments industry on this continent “solved” the problem of credit card fraud long ago. Let’s go back to the United States in the 1960s. Credit cards, as we know them today, were just becoming a thing, and so credit card fraud was growing. How much fraud was there? The estimates vary. Depending on the source, the number ranged from a few million to a few hundred million dollars’ worth.

All it took was for the United States federal government to put its foot down. First came hearings. One commentator described the hearings as a “thinly-veiled public trial of the entire bank credit card industry, accusing the banks of fueling inflation and tempting innocent consumers to abandon the traditional values of thrift in favor of reckless debt spending.” Then came laws, including one that protected consumers from credit card fraud. Under today’s laws, American consumers are not liable for more than $50 in the event of credit card fraud.

In practice, credit card networks do more. When a consumer is the victim of credit card fraud, they’re not on the hook for any of it. Their bank—what the industry calls the issuing bank—makes them whole. But the issuing bank isn’t ultimately on the hook, either. Under credit card network rules, the issuing bank is compensated by the merchant’s payment processor. Likewise, the payment processor is compensated by the merchant. In the event of credit card fraud, it’s the merchant that pays the price.

Even when it’s happening in the magnitude of billions of dollars, the problem of credit card fraud can be considered “solved” because the chain of events to reimburse consumers is mostly automatic and amicable. People rarely sue each other. Merchants treat it like any other cost of doing business, like office space and salaries.

As peculiar a solution as it may seem, a solution it decidedly is.

Think about the higher-order problem. Imagine a merchant who has goods for sale. Now imagine a consumer who brings only a promise of future payment. Why should any merchant believe that a consumer will pay tomorrow for goods today? There’s always a non-zero risk that the consumer skips town, goods in hand, never to be found again. Merchants can solve this problem with their own credit system. They can determine who’s good for what on a case-by-case basis, and they can take people to court when things go wrong. But this is hardly a solution. Informal credit systems duct-taped together by merchants have their limits. They take time to build, and they don’t scale well. What’s more, the courts are slow and advantage people who can afford to partake in their lengthy, complex proceedings.

So banks and credit card networks came to the rescue. The glossy square of plastic in your wallet is so much more than a payment method. It’s a solution to a trust problem.

---

This time, the epidemic won’t be credit cards

Though the problem of credit card fraud has been solved, the problem of fraud hasn’t been solved when the payment method is a real-time account-to-account transfer. The most salient, in-market example of this is Interac e-Transfer, which is a payment system that lets you send money as easily and quickly as an email or text message. You need only enter the email or phone number of the payee and off the money goes. In no more than thirty minutes after you hit “send,” the money has been pulled out of your bank account and deposited into theirs, free for them to withdraw at their convenience.

If you discover you’ve been duped and then ask Interac or your bank for help, you’re not likely to get any. Here’s a chunk of text from Interac e-Transfer’s terms of service:

You assume all liability and risk arising from your acceptance or creation of Interac e-Transfer transactions through Interac or otherwise, including any liability or risk that an Interac e-Transfer transaction was improperly sent to or requested from you, that you may be required to return the Interac e-Transfer transaction or associated funds for any reason, that the Interac e-Transfer transaction was illegal, or that you may legally be required to turn the Interac e-Transfer transaction or any associated funds over to another person for any reason. You agree that Interac is not liable or responsible for any losses or damages suffered by you because of Interac e-Transfer transactions accepted by you.

In other words, it’s all on you. Your bank thinks it’s all on you, too. For example, Royal Bank of Canada says it’s entitled to pay an e-Transfer to anyone who “claims the e-Transfer and correctly responds to the e-Transfer Question and Answer, whether or not the Sender intended that person to receive the e-Transfer.”

That said, it’s not always going to be on you, even though it is on you in writing. It’s not hard to find stories about consumers not getting any help after sending money to the wrong person or being defrauded. But it’s also not hard to find similar stories about merchants. A small-business owner from Edmonton was defrauded of hundreds of dollars when a fraudster redirected the e-Transfer she was owed by a customer. A student from Ontario who sells collectible shoes was duped by a fraudster who reversed an e-Transfer after the transaction was executed and the shoes had changed hands.

It’s confusing. Going by the public terms of service of Interac and banks, it’s not clear where liability falls and how cases are settled in the event of fraud.

Confusion gets in the way of solving the highest order problem in payments, which is the trust problem. Trust grows with clarity and predictability. Credit cards have been providing both. They start from the clear premise that no consumers are liable for credit card fraud. After the consumer is reimbursed in full, each party in the credit card payment flow is predictably compensated by the next, except merchants. Merchants pay the ultimate price again and again. But merchants choose to bear it—they want to sell things more than they want to reduce their fraud exposure to zero. As Patrick McKenzie has written, the optimal level of fraud is non-zero.

Interac e-Transfer doesn’t give us the same level of clarity and predictability. As a merchant, if I don’t know when the money coming into my bank account will stay there or be clawed back, why should I release the goods to my customer? Likewise, as a consumer, why should I pay my merchant if I can’t expect to be reimbursed when my outgoing e-Transfer is redirected to a fraudster, and the merchant is refusing to either send me the goods or refund me?

Canada’s epidemic of fraud may be around the corner because the stakes are about to get higher.

If you follow the money, you’ll see Canada’s financial sector is betting on the growth of account-to-account transfers. Interac launched a new version of e-Transfer for businesses, which upped the limits on the amounts people are able to send to $25,000 in real time. In the next couple of years, Payments Canada may launch a real-time payment system, called the RTR, with transaction limits that are even higher. According to Payments Canada’s most recent consultation paper, the proposed limits are $100,000.

Still, while the sector is betting on the growth of account-to-account transfers, it’s not solving the associated trust problem. I’ve already explained why Interac hasn’t. Neither will Payments Canada, which has a habit of following in the footsteps of Interac and Canada’s biggest banks. Check out the most recent RTR consultation paper:

RTR Participants must make their policies for errors, unauthorized and fraudulent transactions clear in their terms and conditions established with their end-users. This will include setting out circumstances in which the RTR Participant will reimburse the end-user or send a Payment Return Request on their behalf. RTR Participants must also make their end-user obligations clear, for example, end-user care in payment initiation and in safeguarding their security credentials, such as passwords.

In other words, the policy is that there is no policy. Banks and other payment system participants must make their own. But what happens when one bank’s policies conflict with another’s, or when the policies are so laden with discretion that they can’t be clearly and predictably enforced? People being paid won’t get the clarity and predictability they need to prepare for expected losses. Neither will the payors, who can only wonder how often the cost of fraud will fall squarely on them.

There’s no utility in passing laws that let people make their own laws. There’s more in passing laws that prescribe what is illegal and what is not. The American credit card networks figured it out, even if it took a bit of convincing from the United States federal government all those decades ago. So why can’t we?

---

We can stop the epidemic before it starts

In the United Kingdom, where the “epidemic of fraud” is already underway, the government is exploring ways to give everyone more clarity and predictability. Since 2019, the United Kingdom has been relying on a voluntary code of conduct to solve the problem of “authorized push payment fraud” in the country’s equivalent of Interac e-Transfer and Payments Canada’s RTR. But the code hasn’t been enough. The reimbursement of victims of fraud has been inconsistent. Now the United Kingdom is consulting on legislative changes that would give its payment system regulator the ability to establish a clear and predictable liability framework for victims of fraud.

Meanwhile, Canada is letting its financial sector do next to nothing about fraud in Interac e-Transfer and Payments Canada’s RTR.

It’s time for our federal government to intervene. Policy options abound. The federal government can amend financial consumer protection regulations under the Bank Act to protect consumers from liability in the event of any type of payment fraud, not just credit card fraud. Alternatively, the government can take its credit and debit card code of conduct and turn it into an electronic payments code of conduct, like Australia’s ePayments code. You could even incorporate it by reference in Interac’s and Payments Canada’s payment system rules, giving the code more bite. The federal government can also scare Interac and Payments Canada into adding a clear and predictable liability framework to their payment system rules. Let’s not kid ourselves. In her dealings with Interac, the Minister of Finance has moral suasion at her disposal. What’s more, when it comes to Payments Canada, the Minister of Finance is required by law to review and effectively approve payment system rules before they come into effect.

The federal government can also do nothing, but in so doing it would be committing a sin of omission. The growth of real-time account-to-account transfers in the United Kingdom was followed by an “epidemic of fraud,” according to the country’s own financial sector. Why should we expect the growth of real-time account-to-account transfers in Canada to be followed by anything different?