Restrictions on cash withdrawals from ATMs: what will change from September 1

Many banks already try to protect their clients from fraudsters through various measures, including at the point of cash withdrawal. However, from September 1, credit and financial institutions will be able to move from warnings to action, because the Central Bank of the Russian Federation has published nine signs by which banks will identify fraudulent schemes.
If the transaction is deemed "atypical" for the client, then the issuance of cash will be limited to 50 thousand rubles for 48 hours. Information security expert Anton Redozubov told MK how the new rules will work.
— The Central Bank of the Russian Federation published nine criteria for transactions that are carried out under the influence of fraudsters on its website on August 21, and they will come into effect on September 1. Will banks have time to prepare?
— Having reviewed the list, I saw that some of the points have already been implemented at the moment and are operating within the framework of anti-fraud rules – anti-fraud measures.
— We are talking about such signs as the discrepancy between the nature, parameters or volume of the request for cash withdrawal from the client and the transactions usually performed by him, non-standard time and location of the ATM, unusual amount or frequency with which the person requests cash withdrawal during the day. That is, if the client usually withdrew money three times a month, but suddenly withdraws every 10 minutes, then this will raise questions. And also the presence of information about five or more refusals to issue money, including in connection with exceeding the credit limit, or errors in entering the PIN code during the calendar day. Has this already been implemented in banks?
— Yes. But the Central Bank's list also includes items that reflect our modern financial reality. In particular, it indicates a client's request for cash in an unusual way, for example, not from a card, but via a QR code. It talks about a change in the activity of telephone conversations at least six hours before withdrawing funds from an ATM, an increase in the number of SMS messages from unknown numbers, including in messengers, withdrawing money within 24 hours after applying for a loan or credit, and changing the phone number for authorization in online banking. Signs of suspicious activity include a change in the characteristics of the phone with which the client withdraws funds, and the presence of malware on his device, and a person transferring more than 200 thousand rubles to himself via the SBP from his account in another bank or early closing of a deposit for the same amount. It must be admitted: fast transfers, atypical calls, bursts of activity in messengers - all this often accompanies social engineering scenarios, fraudulent scams.
— There are many criteria. Will it not turn out that citizens will simply be blocked from receiving cash, and this at a time when the holiday season is still going on and people need cash in hand, and they withdraw it from ATMs not near their homes, but at resorts?
— In fact, the introduced rules reduce the risk of arbitrary blocking of money by banks, since they are now obliged to take into account nine factors, rather than act according to internal and not fully known algorithms that differ from bank to bank.
— Are there any disadvantages to this decision of the regulator?
— I see the main disadvantage in the fact that the method for lifting restrictions is not described. Most likely, banks themselves will offer confirmation methods. In addition, frequent false positives are possible, especially among socially active groups of the population — travelers, owners of a large number of bank cards or clients of rare banks who are forced to use random ATMs near their location, and not those provided by their bank.
— Are there any new rules being introduced that banks have not used in their practice before?
— Yes. For example, one of the points states that a transaction is suspicious if there is information about the possible implementation of a transaction without the voluntary consent of the client, "about risk factors for compromising the data of an electronic means of payment, sent in authorization messages by the operator of payment infrastructure services, if this is provided for by the rules of the payment system." This point discloses the interaction between banks and payment systems in creating a single anti-fraud protection. There are also points that reflect a new phenomenon for the banking sector — proactive protection, when a large amount of data about users is analyzed, where data is exchanged with telecom operators, where IP addresses are checked and much more. Here, the actions of banks are aimed at preventing fraudsters from stealing money even before they commit a crime.
— Will these criteria help protect Russians?
— Yes, such features will increase the protection of citizens and their accounts from fraudsters. The advantage is that they affect those steps that greatly interfere with the work of criminals, but very rarely affect a bona fide bank client. And yet I must warn that this will create difficulties for consumers, since we have a direct link: "more security - less convenience." And at some point, too high a level of security begins to harm, but this is not the current option. The extreme measure here would be a proposal to switch to paper payment orders and savings books, which would be a step back into the past and a kind of recognition of the victory of criminals in the IT space, which is basically unacceptable. And it will also dramatically slow down business processes and operations, which both clients and banks themselves have long since gotten out of the habit of. For now, the question is more about how exactly the "availability of information" will be confirmed at the Central Bank offices. We are waiting for clarification from the regulator or, perhaps, each bank will develop its own protocols.
— Let's look at a specific example to understand. A hypothetical metallurgist from Chelyabinsk usually withdrew no more than 50 thousand rubles from an ATM after receiving his salary, and kept the rest of the money on a card for non-cash payments, and now, before going on vacation to Sochi, he wanted to withdraw 110 thousand rubles at once. Will he be refused?
— No, they will not refuse. In the example you gave, nothing will change for the citizen. The only fact that stands out from the usual actions is a one-time withdrawal of 110 thousand rubles instead of 50 thousand rubles. It is clearly not a significant feature. But if there are some other facts, or the amount is 10 times greater, or there are 10 withdrawal requests instead of one, then the bank can introduce a temporary limit of 48 hours. In this case, his card will not be blocked, but the limit on cash withdrawal from an ATM will be limited to 50 thousand rubles per day. Unfortunately, the mechanism for lifting this limitation has not yet been described, for example, when contacting a bank branch, which is why it is impossible to say how this check will be carried out. However, even with such a temporary limitation, the client can receive the required amount at the bank branch.
mk.ru