Confirmation of Payee: The Silver Bullet To Combat Payment Fraud?
Why Implement Confirmation of Payee?
Since the launch of Faster Payments in the UK in May 2008, there has been a gradual increase in the number of users making real-time payments through the scheme, with over two billion transactions processed in 2018 . A key factor has been the increase in the frictionless nature of these payments, however this brings with it corresponding fraud concerns.
When making a payment today, the payer must provide their bank with the payee’s name, sort-code and account number. The sort-code and account number are used to determine the destination of the payment (i.e. where the payment is sent). However, banks are not obliged to check the payee’s name as part of the payment confirmation process; if the account number and sort-code are valid, then the payment will be processed.
The speed and convenience of making an Authorised Push Payment (APP) via Faster Payments, has been critical in its widespread adoption and success. However, the low-friction nature of these payments, coupled with the fact that banks do not check that the payee name provided matches with the name on the account, has led to spike in APP fraud. APP fraud occurs when an individual is tricked into sending a payment to a bank account that fraudsters control. In 2018, £354 million was stolen from customers via APP Fraud.
One proposed solution to reducing this type of fraud is ‘Confirmation of Payee’ (CoP). CoP is essentially an account name checking service’ that provides assurance to the payer that the name provided by the payee matches the name associated with that account number and sort-code.
How will Confirmation of Payee work?
Just as today when a payer is setting up a new payment, details of the intended payee (name, account number and sort-code) will be entered in the payer bank systems. However, under CoP the payer bank and the payee bank will then exchange information in order to confirm that the payee name provided matches the account name held by the payee’s bank. This check will result in one of four messages to the payer: a) a positive match where the names match exactly; b) a partial match when similar names are matched (e.g. Jonathan Smith vs. Jonny Smith); c) no match, or; d) CoP unavailable, where in both instances the payer will be advised to double-check or contact the recipient. The payer can then decide to either progress or cancel the payment.
Any Potential Downsides?
Phase 1 of CoP will only be mandatory for the six largest banks (Lloyds, RBS, Barclays, HSBC, Nationwide and Santander). Other banks, building societies and payment providers can choose whether to implement. Whilst many ‘non-mandatory’ providers will likely adopt the scheme as a hygiene factor, the risk is that without universal adoption, fraud will simply move from one channel or provider to another. Additionally, CoP will initially only cover Faster Payments transactions, meaning that CHAPS or cross-border payments will still be just as susceptible to this type of fraud. Historically, a high proportion of losses have stemmed from business making high-value CHAPS transfers; something CoP will not solve initially. Phase 2 is still to be defined but will likely include corporate use cases and bulk payments.
Payment providers are (rightly) increasingly mindful of customer experience. CoP introduces additional friction into the payment journey. Friction can be positive, but the fact that each bank will have its own definition of what constitutes a partial match may mean that customers have an inconsistent user experience across providers. Warning messages (for partial or no match scenarios) may elicit different responses in different customer groups. Some may be so concerned by a partial match scenario, that they drop out of the payment journey entirely. Others may suffer from ‘warning fatigue’, whereby they are so conditioned to accept any warnings shown to them, that they choose to progress the payment without giving the warning any thought.
Under the new Contingent Reimbursement Model (CRM), CoP can introduce a liability shift from provider to consumer. Whilst customers who receive a ‘positive match’ will receive greater protection if they fall victim to APP fraud, customers who receive a ‘partial match’ will not receive the same levels of protection. Given a ‘partial match’ could be incredibly similar to a ‘positive match’, it could be argued that this represents an unequitable shift of liability. Any shift of liability may unduly impact customers classed as vulnerable, and it will be up to the individual provider to balance their appetite to avoid APP fraud, against customer experience.
CoP is also limited to simply checking that the name provided by the payer, and the name associated with the payee account, are a match. In a scenario whereby a fraudster has hijacked a legitimate customer’s account the fraudster will likely know the name associated with the account. Therefore, CoP cannot guarantee that the intended recipient receives the money.
What can be done to implement CoP with minimal disruption?
1.Education and Communication
Banks need to ensure that both staff and customers understand the ‘why’ behind the implementation of initiatives such as CoP. Given the pace of technological change and an increasingly heavy regulatory burden, providers may be tempted to ‘hit deadlines’ and ‘tick boxes’, without investing sufficient effort to educate staff and consumers.
With the right education, staff will be able to advise, answer questions and provide support in the early stages of CoP implementation, when customers are very likely to have queries and issues.
Banks need to articulate the value that CoP will add from a customer’s perspective by emphasising the security and additional protection it affords. This will help mitigate customer dissatisfaction and help to promote a greater sense of collaboration towards a safer banking experience.
2.Customer First Approach
The logic applied during the technical design phases of CoP will directly affect the customer experience. Existing journeys must be fully understood and CoP journeys fully mapped, so that potential pain-points can be identified and solved.
Approaching regulation with a ‘customer first’ perspective avoids digital teams over-engineering a solution that, whilst compliant, provides a sub-optimal customer experience.
3.Collaboration and Consistency
Functionality such as ‘fuzzy matching’ (in the case of a partial match) is as much an art as it is science, and it will be down to individual providers to implement as they see fit.
An openness and willingness to share information will greatly increase the likelihood of a consistent, repeatable customer experience – something that is as positive for providers as it is for customers.
The industry is experiencing unprecedented levels of innovation and change, which must be tempered with secure and effective controls, such as CoP.
The long-term benefits of implementing CoP will be gained by those providers who are able to find the optimal balance between protecting their customers and maintaining (or even improving) customer experience. Education, communication and a ‘customer first’ mindset will be key to success.
Whilst CoP will not be the ‘silver bullet’ to combatting fraud, it is undoubtedly the right thing for the industry to do and providers must rise to the challenge of implementing it successfully.