Call for all payment firms to apply fraud checks

Out-Law News | 19 Mar 2020 | 9:40 am | 3 min. read

All payment service providers (PSPs) in the UK should apply anti-fraud checks that the biggest banks have been ordered to carry out by next month, consumer group Which? has said.

The UK's six largest banking groups, Barclays, Lloyds Banking Group, Royal Bank of Scotland Group, Santander, HSBC Group – excluding M&S Bank, and Nationwide Building Society have been set a deadline of 31 March for implementing 'confirmation of payee' (CoP) protocols for payments made via the Faster Payments and CHAPS payment systems.

Those protocols require the banks to check the name on the account of the person or organisation to be paid and either confirm the details are correct, ask the payee to check the details are correct if the name provided is similar, or advise the customer that the details are wrong.

Which? has said that the confirmation of payee requirements could have prevented almost a third of all bank transfer fraud that is estimated to have occurred in the UK since the beginning of 2017 had they been in place over the period. That would have saved approximately £320 million from being defrauded, it has estimated.

"Which? wants all payment service providers to introduce confirmation of payee, not just the six largest banking groups," the consumer group said in a statement. "This will also eliminate confusion and uncertainty among consumers who find that there is no consistency among providers and prevents fraudsters from simply targeting banks that don’t offer it."

Payments expert Andrew Barber of Pinsent Masons, the law firm behind Out-Law, said: "Given payment fraud is something that does not differentiate between account providers, the call from Which? for the extension of confirmation of payee protocols to be extended to all PSPs makes a lot of sense. Customers would want their PSP to utilise all available tools to help protect them against fraud and if some PSPs provide CoP why shouldn’t all."

"However, rolling out CoP to all PSPs may not be an easy task. The IT build costs and development time may cause a significant impact for smaller PSPs and this should be taken into account when considering the extension of CoP. An approach that ensures all PSPs can deliver CoP in the quickest time, while ensuring delivery timelines and costs are manageable will deliver the best outcomes for payment systems users," he said.

Which? said that confirmation of payee alone will not eliminate fraud and warned of potential tactics criminals could deploy to perpetuate fraud in spite of the new protocols.

It said: "Assuming customers are provided with clear and reliable information, CoP will make it harder for scammers to operate. But, it won’t prevent fraud entirely and criminals will look for ways to bypass the name checks. For example, they may claim that the business name on an account doesn’t match because it’s a related trading name, or they may open accounts with names that are deceptively similar to legitimate businesses."

The Payment Systems Regulator (PSR) last summer set two deadlines in relation to the CoP reforms.

It confirmed at that time that the six biggest banking groups would have until 31 December 2019 to ensure they can "respond to every CoP request made to it that complies with the CoP rules and standards". The PSR said that, in practice, this meant that "a receiving bank must be able to notify the sending bank that there is not a match", among other things.

From 31 March 2020, the banks will be expected to also send CoP requests and to notify the payer of the outcome.

The institutions have the right to apply for an exemption from one or more of the requirements contained in the PSR's direction "in respect of any of its UK accounts on grounds that exceptional circumstances reasonably prevent it from complying with the obligation or obligations", the regulator confirmed at the time.

Gareth Shaw, head of money at Which?, said: "This month will be decisive in demonstrating how well the industry is equipped to tackle the issue. It is vital for all banks to commit to basic name-check security, and the whole industry should sign up and follow through on the protections offered by the scams code. ‘If the banks fall short of making these commitments themselves, the government must step in and ensure these schemes are made mandatory."

A voluntary code developed by the industry regarding reimbursement for authorised push payment (APP) fraud took effect last year. The government has been urged to make the code mandatory for firms.

APP frauds take place where a victim is conned into authorising a transfer of money from their bank account into an account which they believe is controlled by a legitimate payee, but is actually controlled by a fraudster.

According to new figures from UK Finance, APP fraud losses in the UK rose to £456m in 2019, up from £354m the previous year.