Well played the Payments Systems Regulator. It has taken a little longer than the PSR wanted, but it got there in the end. The UK’s six largest banking groups, covering around 90% of bank transfers, fully implemented Confirmation of Payee with effect from 30 June.
The PSR had originally been pressing for a go live date of 31 March.
The six banking groups participating are: Lloyds incorporating Bank of Scotland and Halifax brands; Royal Bank of Scotland, NatWest and Ulster Bank; HSBC and First Direct; Barclays, Santander and Nationwide.
TSB will join its six peers in the fourth quarter.
So what is Confirmation of Payee?
Confirmation of Payee is an important tool that will further protect banking customers from Authorised Push Payment (APP) scams. In particular, it will help consumers avoid sending payments to the wrong account or organisation.
In these scams, a fraudster tricks someone into sending money to an account that the payer believes is legitimate, but is in fact under the control of the fraudster
CoP works by checking that the name of the account a payer is sending money to matches the name they have entered. Anyone setting up a payment will be alerted if the name on the recipient account does not match, is incorrect or misspelt, meaning it can be corrected before a payment is made.
Customers who use the correct name and account details will be able to go ahead with the transfer with additional confidence all is in order.
If however they enter the wrong name for the account holder and the details do not match they will be advised to contact the party they are trying to pay and hopefully a fraudulent transaction will be avoided.
The final decision on whether to make the transfer remains with the customer but the new system will flag up to the consumer the risk of going ahead with a payment where is a non-match of details.
As the PSR says, by reducing financial losses from APP scams and misdirected banking transfers, CoP will provide significant benefits to everyone.
Confirmation of payee follows the successful introduction of a voluntary industry code in May 2019, designed to give people better protection against APP scams.
With the introduction of CoP, a payer will face an additional process, and therefore friction in carrying out the transaction. This is particularly so if the response to the CoP request is that there is no match, or a close match that requires further consideration.
One hopes that consumers will appreciate the good reason for the additional step, given the sheer scale of APP fraud.
APP scams in UK in 2018 total £354m
These types of scams can have a devastating impact on victims. Indeed, APP scams are the second biggest type of payment fraud, in terms of both the number of transactions and the total value involved, according to trade body UK Finance.
For example, in 2018 total losses due to authorised push payment scams were £354.3m. This was split between personal (£228.4m) and non-personal or business (£126m). In total there were 84,624 cases relating to a total of 83,864 victims. Of this total, 78,215 cases were on personal accounts and 6,409 cases were on non-personal accounts.
All in all, the go-live of CoP represents a triumph for the PSR. And the same comments apply to Which? The PSR started to work with the payments industry to gather data and implement standards for tackling APP following a super-complaint from the consumer group Which? back in 2016.
Strong customer authentication lack of clarity reigns
Meantime, Paul Rodgers, chairman and founder of Vendorcom and a panel member at the Payment Systems Regulator has been kicking off again about Strong Customer Authentication. When he speaks on SCA, the rest of the industry ought to listen.
His message that the sector needs to get its act together seems not to have reached the European Banking Authority.
The SCA rules, introduced in 2018, form part of the European Union’s (EU) revised Payment Services Directive (PSD2).
They ought to go have been enforced from 14 September 2019.
SCA was created to improve the security of payments and prevent fraud. In particular, all payment service providers within the EU will have to implement the changes. In as few words as possible, SCA centres around multi-factor authentication to increase the security of payments. However, implementation has been problematic. Just ahead of the September 2019 deadline, implantation was delayed and then along came Covid-19.
The EBA wants to stick to a SCA go live date of 31 December 2020. The UK FCA has moved its date back six months from 14 March 2021 to 14 September 2021.
Says Rodgers: “It’s just crazy that the European Banking Authority has not made any public pronouncements on SCA since 16 October 2019.
“The lack of clarity is creating turmoil in the pan-European merchant payments sector and in particular e-commerce. I’m now calling on the European Commission to intervene as I think that only the Commission can now take charge and bring resolution to the impasse that the EBA is precipitating.”
Rodgers is right to call for an alignment of dates – indeed there is no valid argument not to align dates. They will get there in the end.