New payments platform The industry approach to minimising real-time payments fraud KPMG.com.au | nppa.com.au Executive summary The New Payments Platform (NPP) is new, world-leading domestic payments infrastructure that enables connected Australian financial institutions to offer their customers – consumers, businesses and government agencies – near real-time, data- rich inter-bank payments 24 hours a day, 7 days a week. The platform launched to the public on 13 February 2018. It is an open platform that is designed to support multiple overlay services which could be offered by a range of service providers from the fintech and financial services community, or from any other sector outside of the traditional payments industry. It is in this ‘layering’ of the architecture that the NPP offers opportunity for future innovation and development. The NPP’s distributed architecture design is the result of intensive industry collaboration over several years, between the Reserve Bank of Australia (RBA) and Australian financial institutions – large and small – to design and build a secure platform for domestic payment services that meets the needs of Australia’s digital economy. It is arguably one of the most significant pieces of national payments infrastructure to be built in Australia in decades. KPMG | 1 © 2018 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation. © NPP Australia Limited This paper considers the fraud risk, and the authentication and payment monitoring in real- potential impact to fraud risk, of real-time time and consumer education. payments. Research indicates Australians are enthusiastic Fraud risk is a particular operational risk in any adopters of new technology generally, and of payment system, but is frequently cited as digital and electronic banking and payment being a higher risk in real-time payment services in particular. Australian financial systems due to the velocity of payment institutions have a solid track record of processing, and the typically irrevocable nature providing safe and secure online and mobile of real-time payments. banking applications, that over the last few years have leveraged interbank batch clearing Real-time payment systems have been and settlement arrangements which occur operational around the world for many years, several times each business day. and while data about online banking fraud by service or payment type in those countries is Australian financial institutions already deploy not generally publicly available, many fraud detection for online commerce and real- commentators point to the UK implementation time online banking authentication tools to of real-time payments in 2008 as evidence for protect their customers when they make the proposition that faster payments inevitably payments. This, together with Australia’s lead to an increase in fraud. This tends to beg consumer protection framework that ensures the question whether faster payment systems consumers are compensated for unauthorised create new fraud risks. transactions where they have not contributed to the loss, is the context for the Australian Experience suggests that real-time payment implementation of real-time payments. systems do not create new types of fraud – the typologies of account compromise are Thus, whilst the NPP is not expected to create consistent across both traditional and real-time new fraud types, participating financial payments systems. However, the velocity of institutions recognise the particular operational payment processing does challenge financial risks of processing velocity and 24/7 institutions’ fraud detection and prevention operations, including the need for effective tools that were designed and adequate for real-time technology-based tools to manage slower intraday and overnight batch processes. banking fraud risks and to help protect their customers from scams. Australian financial Unaddressed, this vulnerability could be institutions further recognise that banking exploited by fraudsters and scammers. fraud risk is not a static concept and To meet this challenge, institutions with continuously invest in enhanced prevention experience in real-time systems attest to the and detection in line with global markets to importance of upgrading to leading technology stay ahead of new trends in digital fraud. solutions to provide a fraud risk management framework that focuses on identity, KPMG | 2 © 2018 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation. © NPP Australia Limited Australian financial institutions offering NPP The NPP also includes a new addressing payment services to their customers are well- service, named PayID, which allows placed to manage fraud and financial crime customers to optionally register their phone risks by: number, email address or ABN and a ‘display name’ in a central secure repository, via their financial institution which is then linked to their prioritising security bank account details. authentication controls for online A PayID is used to direct a payment into a banking to ‘protect the front linked account – it cannot be used to withdraw gate’, including use of multi- from that account. A PayID name is recorded factor authentication, biometrics, with the proxy (email, phone number or ABN) device and IP authentication and and account details. the consideration of more sophisticated behavioural The NPP message flows and rules have been biometrics; designed to enable PayID name validation for all PayID initiated NPP payments. This particular feature will enable payers to check leveraging a range of advanced and confirm a payee before authorising a real-time fraud prevention and payment, reducing the incidence of detection controls, including misdirected and mistaken payments, including artificial intelligence / machine payments to fraudsters and scammers learning systems and payment purporting to be a genuine payee. pattern monitoring to identify and In conclusion, the NPP has been designed to hold unusual payments for fraud support innovation and competition in digital checking; commerce and payments services now and into the future. It has also been designed with continuing to proactively roll out the benefit of observing faster payment consumer education campaigns system implementations in other jurisdictions, to increase customers’ vigilance designing out vulnerabilities and incorporating around potential scams; and enhancements to existing systems. The platform is expected to revolutionise the Australian payments industry and fuel the continuing to promote industry digital economy. collaboration between financial institutions, regulators and law enforcement agencies to stay ahead of emerging financial fraud trends and scam activities. KPMG | 3 © 2018 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. Liability limited by a scheme approved under Professional Standards Legislation. © NPP Australia Limited What is the New Payments Platform? The New Payments Platform (NPP) is new, national payments infrastructure for the Australian economy that enables consumers, businesses and government agencies to send and receive real-time domestic Australian dollar payments using either easy-to- remember ‘PayIDs’ 1 that link to a bank account, or traditional BSB and account numbers. NPP and PayID services offered by participating institutions are built in to consumers’ usual mobile and online banking applications, eliminating the need for additional applications to be downloaded. In addition to the NPP’s many benefits for end-users, the platform’s architecture and open access enables multiple overlay services to be offered, each 1A PayID can be a person’s phone number, email address, ABN/ACN or an unique ‘Organisation leveraging the capabilities of the platform’s ‘Basic Identifier’. Infrastructure’ to offer different products and 2 The RBA published its conclusions to its Strategic services, allowing for future innovation and Review of Innovation in the Payments System in development. June 2012, identifying objectives for the Australian payments industry. In response to the RBA’s Review, the Australian Payments Clearing The NPP was established following the Reserve Bank Association Limited (APCA – now Australian of Australia’s (RBA) strategic review of innovation in Payments Network Limited) established and coordinated the industry committee, the Real-Time the Australian payment industry in 2012. The RBA Payments Committee (RTPC), responsible for (through the Payments System Board) endorsed a developing a proposal to deliver the ‘Core Functions’ (being, speed, 24/7 availability, data-rich and simple proposal developed by the Real-Time Payments ad- dressing). The RTPC recommended a new Committee