On 20 March 2020, the Payment Systems Regulator (PSR) announced that it was permitting the UK’s six largest banking groups, which cover 90% of bank transfers, to not fully implement Confirmation of Payee (CoP) by 31 March 2020.
The PSR acknowledged that banks are managing coronavirus COVID-19 related risks and working hard to protect their customers. The PSR also noted that these banks are under significant pressure. Having carefully considered the situation, the PSR informed the directed banks that if they are unable to fully implement CoP by 31 March 2020:
- they must take appropriate steps to roll out CoP, taking into account the impacts of COVID-19, even if that means they do not meet the original 31 March 2020 deadline;
- the PSR does not expect banks to ensure customers who would have benefitted from the protections of CoP are not otherwise disadvantaged from any COVID-19 related delay, including refunding victims of fraud if CoP would have prevented it from happening; and
- the PSR is keeping these arrangements under review as the wider impacts of COVID-19 are better understood.
Current practice
Banks currently use unique identifiers (usually sort code and account number) entered by the payer to identify the receiving account. Whilst the intended payee’s name may be provided, there is currently no mandate to check that name against the account to which the unique identifiers relate.
There is a need for further unique identifiers to guard payment transactions against fraud. Fraudsters have become increasingly sophisticated in using online and mobile processes to trick people into sending money to the wrong account. An example of this type of Authorised Push Payment (APP) fraud would be paying an invoice that looks exactly like the one from your child’s school – but it turns out to be from a fraudster and sends the money to the fraudster’s bank account.
According to figures from UK Finance, GBP456 million was lost to APP fraud in 2019. This represents a 29% increase on the 2018 figure of GBP354 million. The current COVID-19 disruption may also represent an opportunity for criminals to utilise APP fraud. The Financial Conduct Authority (FCA) has updated its consumer protection webpage with advice on how to avoid COVID-19 scams, including APP fraud.
The advent of real-time payment systems, such as Faster Payments, has made this type of APP fraud more attractive to criminals. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realise they have been conned. Real-time payments also have a lowered risk for fraudsters as once the money is received instantly, they can quickly extract the proceeds of their crime. Although the percentage of transactions that are accidentally misdirected or fall victim to fraud is small (less than one in 20,000), the impact on victims can be significant.
With this type of fraud in mind, the PSR has directed banks to put in place CoP in order to provide an extra safeguard for payment transactions.
What is CoP?
CoP is a new way of checking the identity of the payee. It checks that the account name entered by the payer for a new payee matches the account name / type held by the payee’s bank. Anyone setting up a payment will be alerted if the name on the recipient account does not match, is incorrect or misspelt, meaning it can be corrected before a payment is made. This is a negative CoP outcome. Where the entered name does match, this is a positive CoP outcome.
CoP will address APP fraud by introducing another hurdle for fraudsters by giving effective warnings to customers about the risks of sending payments to an account where the name did not match.
Which banks must apply CoP?
CoP will apply to specific banks/building societies within the UK’s six largest banking groups. These firms are:
- Bank of Scotland plc
- Barclays Bank UK plc
- Barclays Bank plc
- HSBC Bank plc
- HSBC UK Bank plc
- Lloyds Bank plc
- National Westminster Bank plc
- Nationwide Building Society
- Royal Bank of Scotland plc
- Santander UK plc and
- Ulster Bank Limited.
Regulatory direction
The Payment Systems Regulator exercised its power to issue directions to certain persons under section 54 of the Financial Services (Banking Reform) Act 2013 (the Act) to mandate the above firms introduce CoP. It did so via Direction 10. This Direction requires that:
- From 31 December 2019: Directed banks must respond to CoP requests. From this date banks must have the capability to talk to each other. For example, a receiving bank must be able to notify the sending bank that there is not a match.
- From 31 March 2020: Directed banks must send CoP requests and notify the payer of the outcome – for example, if there was a name match or a mis-match, banks should notify the person making the payment.
The direction does not apply to all banks in the UK. Some other banks are choosing to opt-in to providing CoP voluntarily.
CoP applies to all UK-based accounts and payments made via the Faster Payments System or CHAPS (high-value payments). It does not yet apply to direct debits, Bacs Direct Credits or batch/bulk payments, but these are expected to be introduced at a later date.
Direction 10 remains unchanged despite the PSR announcing that the 31 March 2020 timeframe may not be met by directed banks. The PSRs decision to allow for banks not to meet the timeframe in certain circumstances is an exercise in regulatory forbearance and not an official alteration to the required go-live of CoP. The PSR will therefore not take formal action against a firm due to delays, providing the conditions in the announcement are met.
PAY.UK
Pay.UK, the retail payments body, is coordinating the development and delivery of the new service. Pay.UK has developed rules and standards for CoP that are designed to ensure consistency in messaging and functionality, instant verification and clarity about liability.
The rules and standards cover consistency in language such as in the use in abbreviations, joint-accounts/maiden names, common misspellings, and company names.
The types of firms that can enrol with Pay.UK to provide CoP is broad – extending beyond firms allocated a sort code under the Extended Industry Sort Code Directory (typically banks, building societies etc) to all firms authorised by the Financial Conduct Authority (such as investment firms) and participants of the UK’s Open Banking initiative. Enrolment does not currently apply to so-called Third Party Payment Service Providers – being firms authorised as Account Information Service Providers or Payment Initiation Service Providers.
Once enrolled with Pay.UK and having signed a Non-Disclosure Agreement, firms offering CoP are given the Pay.UK CoP Enrolment pack which includes the Rulebook, the Operating Guide, the Technical Guide, the Technical Specifications, the Test Pack, the Pricing Schedule, the Terms and Conditions for Participation and the required forms. Enrolment is available via the Pay.UK website.
The need to balance control with protection
The options for a payer customer if a negative CoP outcome is received are:
- To confirm the correct details with the payee;
- Correct the error (if there has been one) and resubmit;
- Cancel the payment;
- Proceed to make the payment with clear warnings about the consequences and liability if the payment goes wrong
There must therefore be a balance between minimising friction for positive CoP outcomes and introducing appropriate friction for negative CoP outcomes to ensure the payer is given an opportunity to exercise suitable care before executing a payment.
The Pay.UK rules and standards require that banks be very clear in their warning messages to customers who choose to proceed with a transaction where there has been a negative CoP outcome.
Proceeding after receiving a negative CoP outcome may have real consequences for the consumer as the voluntary Consumer Protection Code for push payment scams excuses a bank from liability if they can show the consumer received the CoP warning and failed to take the requisite level of care. Under this Code, approximately GBP41 million has been returned to consumers so far.
In a APP scam conference call hosted by the PSR with representatives of the payments industry on 30 March 2020, the PSR expressed disappointed that only 40% of cases assessed under this Code were reimbursed between 28 May and 31 December 2019. This is well below the levels of reimbursement the PSR was expecting.
Public awareness campaign
Alongside CoP, a national public awareness campaign – take five to stop fraud – is providing the public with straight-forward and impartial advice to protect themselves from fraudsters. Led by the industry lobby UK Finance and backed by the Government, the campaign is being delivered through a range of partners in payments, financial services, telecommunications and commercial/public organisations.
The campaign is warning consumers at this time of fraudsters who are seeking to capitalise on the COVID-19 pandemic to contact consumers (via email, call, text or social media) to attempt to get the recipient to disclose personal or financial information or click on links that may contain malware which they will then use for their own fraudulent purposes.
Consumers are urged to:
- Stop: Taking a moment to stop and think before parting with your money or information could keep you safe.
- Challenge: Could it be fake? It’s ok to reject, refuse, or ignore any requests. Only criminals will try to rush or panic you.
- Protect: Contact your bank immediately if you think you’ve fallen for a scam and report it to Action Fraud.
and then 