20 May 2019

Use of online banking and mobile banking apps, which allow customers to make payments faster and more easily, is widespread in the UK.

However, with the increase in the use of emerging technologies, fraudsters have become more sophisticated. 

One example is fraudsters using online and mobile systems to trick account holders into sending money to the wrong account. This is known as authorised push payment (APP) fraud. According to figures published by UK Finance, the representative trade association for consumer banking and financial transactions, APP fraud resulted in a total loss of £145.4 million for thousands of businesses and customers in the UK during the first six months of 2018.

In this article, Angie Bamboulis and Caroline Stevenson of Womble Bond Dickinson look at what is being done to mitigate the risks of APP fraud.

Combatting APP fraud and misdirected payments 

The Payment Systems Regulator (PSR), UK Finance and the payments industry have been working together on a number of initiatives to combat APP fraud, one of which is Confirmation of Payee (CoP). 

In a nutshell, CoP is an account name checking system, whereby banks require the account number, sort code and name of the intended payee. Once an account holder inputs the name, account number and sort code of the payee, there are three possible outcomes:

  • a positive match where the account holder has used the correct account name. The account holder will receive confirmation that the details match, and can proceed with the payment.
  • a negative match where the account holder has used a similar name to that of the payee, and will be provided with the actual name of the payee to check. The account holder can then update the details and try again, or contact the intended recipient to check the details.
  • a negative match where the payee's name is incorrect. In such instances, the account holder will be told that the details do not match and be advised to contact the person or organisation he/she is trying to pay.
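The three-outcome decision described above, as an added illustration that is not the Pay.UK specification (whose matching rules the article notes are confidential): a constructed payee register, a hypothetical normalisation step for business suffixes, and a similarity threshold are all assumptions. Note that only the close-match branch discloses the real account name, which is the outcome that raises the data protection question.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional

MATCH, CLOSE_MATCH, NO_MATCH = "match", "close_match", "no_match"


@dataclass
class CopResult:
    outcome: str
    actual_name: Optional[str] = None  # only populated on a close match


# Constructed sample register (hypothetical sort codes/accounts, not real).
PAYEE_REGISTER = {
    ("12-34-56", "12345678"): "Jane Smith",
    ("65-43-21", "87654321"): "Acme Widgets Ltd",
}


def normalise(name: str) -> str:
    """Lower-case, strip punctuation and common company suffixes (assumed rule)."""
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    n = re.sub(r"\b(ltd|limited|plc|llp)\b", " ", n)
    return " ".join(n.split())


def confirm_payee(name: str, sort_code: str, account_number: str,
                  close_threshold: float = 0.8) -> CopResult:
    """Return match / close_match (with the real name) / no_match."""
    actual = PAYEE_REGISTER.get((sort_code, account_number))
    if actual is None:
        return CopResult(NO_MATCH)  # unknown account: reveal nothing
    entered, on_file = normalise(name), normalise(actual)
    if entered == on_file:
        return CopResult(MATCH)
    # Similar-but-wrong name: the payer is shown the actual name to check.
    if SequenceMatcher(None, entered, on_file).ratio() >= close_threshold:
        return CopResult(CLOSE_MATCH, actual)
    # Clearly wrong name: tell the payer it does not match, disclose nothing.
    return CopResult(NO_MATCH)


if __name__ == "__main__":
    for n in ("Jane Smith", "J Smith", "Bob Jones"):
        print(n, "->", confirm_payee(n, "12-34-56", "12345678"))
```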

Although some banks already request the name, account number, and sort code of the intended payee in payment instructions, the intended payee's name is not checked by the recipient bank. This means that a payment will not be stopped or returned if the name of the payee does not match the name of the intended recipient, and the account holder is usually unaware of the mismatch. This gap has resulted in an increase in APP fraud, as well as account holders making misdirected payments. 

Using the comparison capability of the CoP service, it is intended that account holders will have a better chance of avoiding fraudsters and misdirected payments. However, a degree of cautiousness is required as although account holders will be alerted of the risks associated with a no match, the ultimate decision on whether or not to go ahead with the payment lies with the account holder. 

Implementing CoP 

Following the work undertaken by Pay.UK, the UK's leading retail payment authority, the technical specifications for CoP (as well as the operation and technical guides) are now available to participants in the CoP service. These documents are not publicly available, so as to keep the confidential parts of the design and rules away from fraudsters. 

Furthermore, the PSR carried out a consultation in autumn 2018 which considered whether regulatory intervention was necessary to ensure that payment services providers implemented CoP in a timely and coordinated manner. Although the consultation has closed, the PSR is yet to publish its response. 

As part of the consultation, the PSR set out a proposed timeline for the implementation of CoP, including requiring payment services providers to have the ability to send CoP requests and present responses to their customers by July 2019. However, the PSR recently announced that this deadline was no longer achievable. 

In February 2019, Stephen Jones, chief executive of UK Finance, confirmed to the Treasury Committee that although it is working with the PSR to put CoP in place, it would not be ready until "some time next year". The main reason for the delay is that banks cannot guarantee that their IT frameworks will be capable of the necessary changes in time. Banks and other payment institutions are required to implement complex changes across all their customer channels, including online and mobile services. 

Addressing customer concerns 

Although the PSR has previously said that CoP 'needs' to be implemented quickly and be widely available to payers, it is clear that a number of issues still need to be addressed before CoP can be effective in meeting its main objective: combatting crime. 

Along with the complex IT and process changes, which come with operational risks, there are also competition issues to be addressed. In his statement to the Treasury Committee, Mr Jones said that a quick implementation of CoP may result in a two-tier system where only large organisations can offer CoP. To avoid this, third party solution providers are encouraged to deliver competitive solutions to both large and smaller organisations. Initial market testing undertaken by Pay.UK has identified more than 20 third party solution providers with an interest in supporting the launch of CoP.

The engagement of third party solution providers to provide competitive solutions does in turn raise other concerns, one of which is data protection. Customers have become increasingly concerned with the way in which payment institutions use and store their data, due to the industry focus on, and changes brought about by, the General Data Protection Regulation (GDPR). 

To address this issue, the PSR stated in its consultation that, for the purposes of GDPR, the payment service providers are the data controllers for the CoP service. There is also an expectation on each payment service provider offering the CoP service to undertake their own ‘legitimate interests assessment’ set out in the GDPR, including, where applicable, in assuring that any data processors they engage, such as third party solution providers, comply with the GDPR.

Another data protection concern amongst some customers lies with the close-match outcome of CoP, whereby an account holder who has entered an incorrect but similar name for the intended recipient is then shown the actual name of the payee to check. 

In addressing such concerns, Pay.UK stated in its October 2018 report that a wider education piece would help alleviate some data protection concerns and would also present a good opportunity for banks to communicate how they are protecting their customers with added security measures. Furthermore, it was thought that a clear and precise set of guidelines and a vetted supplier list would help to reduce concerns about the service. 

There has been no further guidance on what these measures should entail; however, Pay.UK recently published a Q&A in which it stated that 'payment providers will use the Open Banking directory service and highly secure architecture to safely exchange Confirmation of Payee requests. In addition, to be accredited to use the system, companies must undergo rigorous security checks and also be regulated by the Financial Conduct Authority (FCA) or European equivalents.' We would expect that further information addressing data protection and other concerns will be published prior to the implementation of CoP.

Looking forward 

The new timeline to implement CoP has not yet been made clear by the PSR. Although the issues associated with the CoP service need to be addressed before CoP can be effective, the PSR and associated bodies should ensure that any further delay in the implementation does not cause any detriment to the end customer and is no longer than is necessary. 

This article was originally written for Compliance Monitor.