UK fintech Revolut was named in more fraud complaints than any of its peers last year, raising concerns about the digital-only bank’s fraud prevention program.
According to the BBC, the 9,793 complaints against Revolut were nearly two thousand more than Barclays. Most of these incidents involved automated push payment (APP) fraud tactics, including one case where a Revolut customer was scammed out of £165,000.
In that case, criminals called the customer, claiming his Revolut account had been compromised after a session on open WiFi. The customer was manipulated into providing login information and security codes, which allowed the criminals to withdraw thousands of pounds from his account.
“Products like Revolut offer quick-to-open accounts and fast money movement options, which, while convenient for consumers, can also lend itself to fraud and money laundering,” said Jennifer Pitt, Senior Fraud and Security Analyst at Javelin Strategy & Research. “All financial services providers, including fintechs and digital-first banks, must adequately vet new customers, which includes the implementation of identity verification and identity proofing measures.”
Circumventing Recognition
Revolut’s authentication methods were called into question by the customer who lost £165,000, because the criminals were able to circumvent the fintech’s facial recognition software. The software requires the user to post a selfie to authorize a transaction, which the user said he did not provide.
“Financial services providers must ensure that the identification being presented is that of a real person—identity verification—and that the identification presented matches that of the customer presenting the ID—identity proofing,” Pitt said. “Shortcutting these processes can lead to increases in fraud.”
“With advancements in technology, it is entirely possible for fraudsters to easily bypass or pass facial recognition software and set up fraudulent new accounts,” she said. “Instead of just requesting a static photo or selfie, Revolut should require action photos or videos and use liveness detection solutions along with robust identification document verification, which checks for signs that the ID has been altered or is counterfeit.”
Red Flags
While APP fraud is all too common, the customer took issue because he was unable to immediately contact Revolut—there was no phone number for customer service, just a chatbot within the fintech’s app. According to the BBC, during the 23 minutes it took for the customer to reach the correct department, £67,000 was stolen from his account.
Another issue was that the money was taken through over a hundred payments made within an hour—activity that should have raised red flags. Most financial institutions notify customers and freeze accounts in response to transactions that are both frequent and substantial.
Regulatory Flashpoint
Revolut is not yet a financial institution; it has been granted status as a UK e-money firm, but is still awaiting full approval as a bank. Still, the company said that it has implemented robust fraud controls in line with other banks in the country.
The role of fintechs in the emerging banking-as-a-service model has come under increasing scrutiny from regulators worldwide, who are concerned about the reliance on fintech companies that are not regulated in the same way as traditional banks. The recent failure of U.S. fintech Synapse, which caused consumers to lose millions, has been a flashpoint for regulators.
While there is no doubt that fintech companies have helped the financial industry take major strides toward digitalization, the lack of a regulatory framework governing the platforms—coupled with their ease of use—has made them frequent targets for bad actors.