A security gap has emerged in online payments in which transactions that pass financial companies' fraud detection systems (FDS) are not blocked at the electronic payment gateway (PG) stage, prompting the PG industry to mount a joint response. The plan is to draw up industry-wide working guidelines based on the suspicious-transaction detection experience and response cases accumulated by each PG firm, to fix a structure in which fraudulent payments slip through monitoring nets at both financial firms and PG companies.
The Financial Supervisory Service and the Korea Fintech Industry Association on Tuesday launched an "online fraudulent payment response consultative body" in Seoul's Yeouido district, with major PG firms, the Financial Security Institute and academic and security experts taking part. Participants include Naver Financial, Kakao Pay, Viva Republica, Danggeun Pay, Hecto Financial and Coocon.
Financial authorities believe that as simple payment services quickly become part of daily life, authentication procedures have been simplified but the risk of fraudulent payments using stolen personal information is also growing.
A key vulnerability identified is a structure in which PG firms also fail to block suspicious transactions that financial companies' FDS do not catch. Suspicious transactions that pass card company or bank detection nets are not filtered at the PG stage either, which could lead to actual fraudulent payment incidents.
PG firms transmit payment information and settle funds between merchants and card companies or banks, so they are also required to block suspicious transactions in the payment process. The FSS decided to set up an industry-level joint response system, judging that it would be difficult to resolve such structural vulnerabilities through efforts by individual companies alone.
Lee Jong-oh (이종오), deputy governor for digital and IT at the FSS, said that if PG firms and others focus only on user convenience and expanding profits and leave fraudulent payment incidents unattended, they will ultimately lose market trust through user harm. He urged active steps to prevent fraudulent payments and strengthen security.
He added that structural vulnerabilities, in which suspicious transactions that financial companies' FDS fail to filter are also not blocked by PG firms and lead to incidents, would be difficult to eliminate through efforts by individual companies alone. He stressed the need for an industry-level joint response system.
PG firms to share detection experience; industry-wide guidelines to be drafted
The consultative body will be run in two subcommittees, an FDS subcommittee that handles fraud detection systems and an AML subcommittee responsible for anti-money laundering.
Participating PG firms plan to share their accumulated experience in detecting suspicious transactions and their response cases to fraudulent payments. The aim is to jointly analyse fraud cases in the industry and problems in the current response system, and draw up joint working guidelines that can be applied in the field.
Kim Jong-hyun (김종현), chairman of the Korea Fintech Industry Association, said increasingly sophisticated and intelligent fraud methods have limits that cannot be addressed only at the level of individual companies. He said the body would faithfully gather views from the field and prepare measures the industry can immediately put into practice so the discussions do not remain formalities.
PG firms participating in the consultative body also agreed that responding to fraudulent payments is an industry-wide task directly tied to consumer protection. They plan to present working-level views so the standard guidelines to be prepared can function effectively in the field and to take part in the guideline-drafting process.
External advisers including Koh Cheol-su (고철수), vice chairman of the Korea Financial Crime Prevention Association, will also take part in preparing practical measures that can be applied immediately, based on field experience accumulated in FDS and AML work processes.
Standard guidelines to be finalised in November and linked to supervision system
The consultative body will share and diagnose industry fraud cases and problems in the current response system through October.
Based on that, it plans to draft a "standard working guideline for fraudulent payment prevention and response," gather opinions from PG firms and experts and then finalise it in November. Once the final guideline is prepared, it will hold a results seminar to share it with the industry.
The FSS plans to communicate closely with the industry so that the standard guideline prepared by the consultative body aligns with the financial supervision system and can take root in the field.
Lee said the market influence of fintech operators is steadily growing, and that the time has come for roles and responsibilities commensurate with their status. He said balancing convenience and its side effects is a difficult issue, and the market is changing so much that it is not easy for the supervision system to keep up. He said he believes autonomous moves are more important than in any other field.