Regulator sets banks 'confirmation of payee' deadline

Out-Law News | 09 Aug 2019 | 2:59 pm | 3 min. read

The five biggest banking groups in the UK and a major building society have been given until 31 March 2020 to update their systems to fully implement reforms aimed at combatting payment fraud.

The Payment Systems Regulator (PSR) issued a formal direction to the institutions in relation to 'confirmation of payee' (CoP), a protocol for enabling banks and their customers to check that the name of an account to which funds are to be sent is correct before a planned transaction goes through. It is envisaged that the change will help reduce authorised push payment (APP) fraud and accidentally misdirected payments.

APP frauds take place where a victim is conned into authorising a transfer of money from their bank account into an account which they believe is controlled by a legitimate payee, but is actually controlled by a fraudster.

Technical standards for the 'confirmation of payee' protocol were published by industry body Pay.UK in October last year. At the time Pay.UK said the service would kick-in when businesses or consumers are setting up a new payment, or amending an existing one. The standards invite payment service providers (PSPs) to check the name on the account of the person or organisation to be paid and either confirm the details are correct, ask the payer to check the details are correct if the name provided is similar, or advise the customer that the details are wrong.

The PSR has, however, been considering whether regulatory intervention is necessary to drive implementation of the CoP reforms. It consulted late last year on a timetable that would have required banks to conform to the new protocol by 1 July this year. However, that deadline was shifted back after payments industry figures flagged a backlog of changes being worked on by banks and the complexities involved in delivering the new measures.

Now the PSR has announced that it has finalised a specific direction setting out two compliance deadlines for the six major banking groups in respect of CoP.

From 31 December this year, the banks must be able to "respond to every CoP request made to it that complies with the CoP rules and standards". The PSR said that, in practice, this means that "a receiving bank must be able to notify the sending bank that there is not a match", among other things.

From 31 March 2020, the banks will be expected to also send CoP requests and to notify the payer of the outcome.

The PSR's direction impacts banks in the Lloyds, Barclays, HSBC, RBS and Santander Group, as well as Nationwide Building Society.

The institutions have the right to apply for an exemption from one or more of the requirements contained in the PSR's direction "in respect of any of its UK accounts on grounds that exceptional circumstances reasonably prevent it from complying with the obligation or obligations", the regulator has confirmed.

In a statement, the PSR said: "CoP will work by checking that the name of the account a payer is sending money to matches the name they have entered. Anyone setting up a payment will be alerted if the name on the recipient account does not match, is incorrect or misspelt, meaning it can be corrected before a payment is made."

"For CoP to be effective in protecting both consumers and the banks, it needs to have widespread coverage and be implemented in a timely and coordinated way. That is why the PSR is using its powers to direct members of the UK’s six largest banking groups," it said.

Civil fraud and asset recovery expert Alan Sheeley of Pinsent Masons, the law firm behind Out-Law, said that the PSR takes its role extremely seriously and that the regulator "is continually pushing through consumer protection protocols/codes to reduce the impact of fraud on the consumer".

"The PSR has placed a huge burden on banks to protect consumers and reimburse them should they suffer a fraud," Sheeley said. "Such a burden comes at a huge financial cost to the banks, not only in respect of implementing widespread IT system changes but also, in light of the voluntary code for reimbursement to victims of APP frauds, in having to reimburse customers who have transferred funds to a third party for what they thought was a legitimate purpose but later discover fell into the hands of fraudsters."

"This reimbursement requirement is a massive burden on the banks and concerns a form of fraud that they cannot protect the customer from falling victim to initially. The only way the banks can reduce their exposure is to actually take on the fraudsters directly and recover the stolen monies from them via civil litigation methods. This is because the customer will not issue civil proceedings against the fraudster themselves as they will have been reimbursed by the bank and ultimately suffered no loss, and also because it is unlikely the police will take action owing to a lack of resources and often see this issue as the banks' problem to solve," he said.