Four ways for businesses to drive innovation while mitigating risk in the age of instant payments


The introduction of new regulations and real-time payment rails has created challenges for cross-border payments firms looking to grow their business. The payments industry in the UK is adjusting to the new reality of APP fraud reimbursement, while in Europe, rules around SEPA Instant Credit Transfers (ICT) are reshaping firms’ approach to compliance and risk management. But how should ambitious firms respond to these changes, and what does the future of innovation in payments look like?  

As part of AML Unplugged, a new and informal networking forum for compliance professionals, ComplyAdvantage hosted a conversation between three industry experts: Iain Armstrong, our Regulatory Affairs Practice Lead, Jessica Cath, Head of Financial Crime at Thistle Initiatives, and Simon McFeely, Managing Director at Finvisor.co.uk. 

In a wide-ranging and informative discussion, Iain, Jessica, and Simon covered how firms can tackle the issue of APP fraud and get their compliance setup ready for instant payments while continuing to drive innovation.

This article explores some of the tips and insights from the conversation, guiding firms processing cross-border payments on how to grow their business, not their financial crime risk. 

1. Prepare for changes in consumer expectations

The rise in APP fraud led to £459.7 million in losses in 2023 and has driven major regulatory changes. Firms in the UK now have to reimburse APP fraud victims up to a maximum of £85,000, and expectations are that the EU’s proposed Payment Services Directive 3 (PSD3) will include similar measures. 

Given the dominance of instant transactions, consumers are unlikely to demand a shift in emphasis from speed to security of payments. Our panel agreed that a more likely change will be an expectation for fast reimbursement processes in fraud cases. The regulations specify a maximum of five days, giving firms little time to investigate fraud claims. 

This poses challenges for financial institutions (FIs). In addition to dealing with pressure from customers to reimburse them immediately, they must address the new risk of fraudulent APP fraud reimbursement claims. While the regulatory balance between consumer duty and fraud reduction is difficult to achieve, it is clear that firms’ consumer duty obligations and their need to strengthen anti-fraud controls are, in practice, the same. The cost of fraud is likely to rise for firms as they risk spending more on reimbursement and being targeted by criminals.

In response, firms should ensure they have robust record-keeping in place, both for their compliance policies and procedures and for individual APP fraud cases and claims. Any decisions made should be backed up with clear documentation to avoid regulatory issues. While firms should draw up their policies based on their expected fraud risks, they should also recognize that exceptions to any rule will always exist and that retaining evidence supporting decisions in these cases is particularly important. 

Given the pressure mandatory reimbursement creates for firms, they may be tempted to implement hard rules, such as stopping all transactions over a certain amount or increasing the frequency of enhanced due diligence (EDD) checks. However, this will only cause customer friction and reduce the efficiency of the compliance process with slower payments and mounting case numbers. Instead, firms should work to understand their customer base to know the specific risks they face and risk-assess their business. 


2. Calibrate sanctions solutions to customer risk 

Sanctions compliance is top of mind when it comes to challenges for cross-border payments: it ranked alongside APP fraud as one of the top two concerns of firms offering cross-border payments in our survey of AML Unplugged attendees. 

To mitigate concerns in this area, firms must build their solutions around the specific risks they face. While the idea of a risk-based approach is not new to compliance professionals, our panel agreed that weak risk assessments remain an issue for some FIs. In some cases, they resemble box-check exercises or surface-level assessments rather than genuine considerations of risk. 

Simply identifying that a firm may be exposed to sanctions risks is not enough. Instead, firms should look in detail at where their actual sanctions risks lie, taking into account their products, customers, and transaction flows, and outline the steps they will take depending on which risks they are exposed to. Importantly, FIs should update risk assessments regularly rather than continuing to rely on an initial evaluation. 

The sanctions landscape has changed significantly in the last few years, with a huge number of new designations coming into force. One-size-fits-all policies will not fulfill compliance requirements. In practice, sanctions risks will look very different from one jurisdiction to another. The sanctions screening solutions that work are not just plug-and-play but calibrated to an organization’s constantly evolving customer base and risk profile. 

3. Don’t overlook the power of training 

Maintaining the right level of compliance expertise is a challenge closely related to carrying out fit-for-purpose risk assessments. Smaller and mid-size firms, making the most of limited headcounts and resources, can end up taking a broader approach to anti-money laundering rather than looking at individual predicate crimes. Specific expertise in sanctions, for example, can be weak until a firm reaches a certain size.

For these firms, employee training can be an important step in meeting compliance requirements while driving business growth. Employees across the firm should have a strong knowledge of compliance policies, know how to identify risks, and know when to escalate cases to compliance officers or teams. This is especially important for those not in specialist sanctions roles but where mistakes still carry sanctions risks. 

Like risk assessments, employee training can sometimes be overlooked or seen as a formality. Because budgets can be tight, especially at smaller firms, staff only undergo basic training until a problem occurs – at which point any increased training comes too late to solve it. However, this ignores the fact that training can help budgets go further. Firms without the resources to hire large, experienced compliance teams can benefit from embedding effective in-house training early on in their growth, ensuring a strong level of expertise across the organization. 

Just as important, however, is that firms make specialist appointments in important compliance roles. A suitably qualified and experienced officer should always oversee sanctions programs. While specialist sanctions screening tools are essential for firms, firms need to build an effective team to use them. In the increasingly complex world of sanctions compliance, the key to success for firms is to back up detailed risk assessments with the right people, processes, and technology. 

4. Test your screening solutions and data 

New regulations around APP fraud and instant payments only increase the pressure on FIs to optimize their compliance software. Firms should ensure their customer screening and payment screening measures are capable of processing instant payments securely and at scale, with the SEPA ICT regulations specifying a maximum of ten seconds for payment processing. Without proper testing and validation, firms risk not being able to balance their business and compliance objectives in this way. 

Firms should also ensure their screening software is equipped with the correct data – meaning data that is accurate, complete, relevant, and current. The SEPA ICT regulations direct payment service providers (PSPs) to conduct daily customer screening so that they can process real-time payments more efficiently by avoiding the need to screen each individual payment as it goes through. Meanwhile, major fines for large FIs demonstrate the serious risks of not conducting proper checks against all relevant and up-to-date sanctions lists.

Mistaken or missing data can lead firms to inadvertently transact with sanctioned entities, while duplicated or irrelevant data can cause false positive rates to spike, slowing down payments and compliance processes. Firms should identify and address any gaps in their data and ideally implement a solution that allows them to receive updates to sanctions lists in real time. 


Originally published 30 October 2024, updated 12 November 2024

Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.

Copyright © 2025 IVXS UK Limited (trading as ComplyAdvantage).