Sonar: Real-time fraud data sharing utility for Financial Services
There has been a massive uptick in ACH-friendly fraud, authorized push payment (APP) fraud, and other fraudulent scams in the past few years.
Existing consortiums within the financial services sector do not share fraud data with fintechs or emerging financial service providers, creating visibility gaps across payment rails that fraudsters exploit.
Sonar is developing a new data-sharing framework that will stand up an industry-wide utility enabling institutions to risk assess a counterparty in real-time during a financial transaction.
Faster payments means faster fraud
How we move money has fundamentally shifted. The mainstream adoption of peer-to-peer payments has accelerated the need for instant settlement across financial services. New real-time payment rails are being stood up to meet this market demand, while older, existing rails innovate to keep up with this change.
Yet, a significant consequence of faster payments is faster fraud. In the United States, the Federal Trade Commission found that imposter scams comprised 40% of total fraud losses ($2.3 billion) in 2021 – nearly doubling 2020 totals.
The rise of socially-engineered authorized push payment (APP) fraud, where criminals convince a consumer to initiate a payment on their behalf, has been a critical driver of fraud growth. Another lesser-known fraud is ACH-friendly fraud, where a user will load money into a fintech app, transfer the money off the app, and later claim to their bank that they didn’t do this – thus, doubling their money and leaving the fintech with a loss.
Unfortunately, these bad actors can repeatedly commit ACH-friendly fraud because there is no data-sharing mechanism across the industry to stop repeat offenders.
Growing visibility gaps driving fraud
Today, unless a payment is a bank-to-bank transfer, money moves with limited communication between the parties and intermediaries, and little data is collected or shared during the payment. The sending bank or fintech app often cannot verify the recipient before the transaction, nor can they detect whether their customer is being socially engineered or has acted fraudulently in the past.
The industry’s inability to verify a payment recipient at the transactional level will only heighten systemic risk with the launch of additional RTP rails and new payment networks. Payment service providers are largely siloed from one another; parties initiating push payments on one rail or app are blind to fraudulent activity occurring on a separate rail or app.
Enterprising criminals will take advantage of this opportunity if existing risk management processes cannot better detect fraud before instant settlement in a multi-rail environment. Ideally, a payment originator could access data providing visibility into the payment recipient’s risk profile, regardless of the rail or app used. This would allow all parties to better protect shared customers.
Unfortunately, no single source exists to establish trust and connect the dots today. Due to the dispersed nature of various consortium models – where large banks collaborate to share information, community banks and their core processors work together, and neobanks and fintechs develop their data-sharing structures – the U.S. financial system is increasingly fragmented when it comes to risk management within and across rails.
The solution to APP fraud, ACH-friendly fraud, and other scams is improved counterparty risk assessment for any business conducting financial transactions. This is possible with increased risk data-sharing amongst all Financial Services segments via a trust anchor that establishes and verifies the credentials of senders and receivers of funds.
Creating an industry consortium
As a fraud, compliance, and payment services provider to financial institutions and fintechs, Sonar deeply understands the overlap between these firms and what is needed to address their visibility gaps.
We propose the development of an association of financial institutions, neobanks, lenders, card networks, payment service providers, and others to build a consortium that transcends the financial system unlike any created by the private or public sector before.
The consortium’s mandate is to:
- Develop a universal identifier (UID) for every unique entity (individual, business, etc.) covering their history transacting with digital assets and traditional financial services.
- Enable the UID to verify an entity instantly and provide risk scores, reputation levels, blocklists, device fingerprints, behavioral biometrics, and more.
- Incorporate participants across emerging and existing payment rails to ensure fraudsters can no longer exploit visibility gaps between parties.
Based on these principles, the consortium will have a shared database where industry-wide participants contribute to UIDs on any entity – providing fraud- or compliance-related data as that entity transacts across financial services. In real-time, participants can query this database to retrieve and incorporate any UID within existing infrastructure and risk management processes to assess that entity better.
The consortium will be an independent organization that maintains its own management team and data relationships, and participants will determine the consortium's governance structure. Membership is predicated on participants being permissioned parties that can access appropriate data under existing legal frameworks, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and Section 314(b) of the USA PATRIOT Act, to prevent fraud and money laundering.
Getting started with the consortium
Any organization facilitating a financial transaction can be a part of the consortium with appropriate permissions. How it would work:
- A participant can request information about an entity from a shared database by sending various identifiable information (personal or account details) via an application programming interface (API) call. Participants only disclose this information to the consortium; no other participant can access that private data.
- The information is matched to a UID within the database, and the consortium instantly compiles available risk data on that entity and returns the data pack via API in response. The participant receives the data pack in real-time to discern whether that entity is in good standing with appropriate reasoning and detail.
- Lastly, the participant will provide feedback on each query, and the consortium will incorporate the results into the entity’s UID. Feedback creates a network effect where the value of each UID increases with each transaction. The more participants inquire about entities, the more feedback they receive in response – generating better insights and longer blocklists.
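The query, match, and feedback loop above can be modelled in a few lines. This is an added illustration, not Sonar's API or code: the class, method, and field names are hypothetical, the sample identifiers are constructed, and storing identifiers as keyed hashes is an assumption made here to reflect that submitted details are disclosed only to the consortium.

```python
import hashlib
import hmac

class Consortium:
    """Toy in-memory model of the shared database (all names hypothetical)."""

    def __init__(self, key: bytes):
        self._key = key        # secret held only by the consortium
        self._index = {}       # identifier token -> UID
        self._records = {}     # UID -> accumulated risk data

    def _token(self, kind: str, value: str) -> str:
        # Assumption: identifiers are kept as keyed hashes, never as raw details.
        msg = f"{kind}:{value.strip().lower()}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def query(self, identifiers: dict) -> dict:
        # Step 1-2: match submitted identifiers to a UID, return its data pack.
        tokens = [self._token(k, v) for k, v in identifiers.items()]
        uid = next((self._index[t] for t in tokens if t in self._index), None)
        if uid is None:        # entity not yet on the network
            uid = f"UID-{len(self._records) + 1:06d}"
            self._records[uid] = {"fraud": 0, "reporters": set(), "reasons": []}
        for t in tokens:       # link newly seen identifiers to the same entity
            self._index.setdefault(t, uid)
        rec = self._records[uid]
        return {
            "uid": uid,
            "standing": "review" if rec["fraud"] else "good",  # toy rule
            "fraud_reports": rec["fraud"],
            "reporting_participants": len(rec["reporters"]),   # count, not names
            "reasons": list(rec["reasons"]),
        }

    def feedback(self, participant: str, uid: str, fraud: bool, reason: str = "") -> None:
        # Step 3: fold the participant's outcome back into the UID.
        rec = self._records[uid]
        if fraud:
            rec["fraud"] += 1
            rec["reporters"].add(participant)
            rec["reasons"].append(reason)

def demo() -> tuple:
    c = Consortium(key=b"constructed-demo-key")
    # Constructed sample: fintech A queries an entity, then reports a disputed ACH load.
    first = c.query({"email": "pat@example.com", "account": "ACCT-0001"})
    c.feedback("fintech-a", first["uid"], fraud=True, reason="ach_friendly_fraud")
    # Fintech B later sees the same account under a different e-mail address.
    second = c.query({"email": "p.smith@example.org", "account": "ACCT-0001"})
    return first, second
```

In `demo()`, the second participant's query resolves to the same UID through the shared account identifier and returns the earlier fraud report, while the data pack carries neither the raw identifiers nor the name of the reporting participant.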
If an entity is not present on the existing network, the consortium will develop and utilize relationships with third-party data sources to build a UID for an entity. Additionally, the service will incorporate existing consortium models into its data collection processes to ensure other blocklists across financial services are integrated seamlessly into its database.
Action: Join the proof of concept
To provide a proof of concept, interested parties can work with Sonar to run a pilot with the consortium in two ways:
- Provide 90 days of transactional data as a flat file that we can input into the existing database to return UIDs and the risk data associated with the entities conducting each transaction. The results of the pilot can be compared to the known outcomes of the transactions to validate its efficacy in detecting fraudulent behavior.
- Utilize the service in “shadow mode” and use the API for ongoing transactions to see how it can validate payment recipients.
10 initial founding members will be offered the pilot opportunity and 180 days of use without cost. Further, Sardine will seed 50,000 transaction records over 90 days to train existing fraud and risk models with this new data, and will provide consulting services to help with integration.
Once the pilot period concludes, consortium participants will pay nominal, recurring costs to cover the consortium’s operations and, in return, receive full access to the database with no restrictions. Participants can leave the consortium at any time with notice.
Lastly, participation in the consortium requires active involvement in the governing Working Group. This includes quarterly Working Group meetings where participants will work together to drive the development of the consortium’s product roadmap and discuss critical topics in risk management.
Future state
The potential network effects of this consortium can progressively stamp out fraud across the industry. Imagine a future where the consortium could graphically compose a network map of any entity’s devices, accounts, and interactions with others in one view.
By working together, we can conceptualize a world where individuals and businesses have a clear idea of the recipients of their payments. Imagine a consumer adds a new recipient to their favorite P2P application – the recipient is someone selling an item they found in an ad on a social media platform. After the consumer adds the recipient, the app may notify them that this recipient is suspicious due to previous fraudulent activity associated with their account or email. They would receive reasons for why this is a suspicious recipient and be advised to protect themselves before the transaction.
We can make this a reality through our collective use of this consortium.