A guest blog by Bob Ford, Payments Business Analyst and SME.
The Pay.UK service of Confirmation of Payee (CoP) has been established for just over a year but the life under lockdown under Covid has not abated the attempts by fraudsters to endeavour to try and scam our accounts of our money.
A friend asked for my thoughts on fraud reduction on the back of the recent request from the Payment Systems Regulator which got me thinking about the whole CoP lifecycle works and how it could be enhanced to assist in fraud reduction as well as allow the Paying Bank to provide a better service to their customer such that the paying customer can make a more reasoned decision about effecting the payment. (John Bertrand’s blog is at: https://www.finextra.com/blogposting/20134/customers-have-50-percent-chance-of-reimbursement-after-app-fraud?utm_medium=rssfinextra&utm_source=finextrablogs )
Whilst I have found it frustrating in the past, after considering matters of fraud prevention, I now understand (a little) why my Bank does not allow me to change the payee, sort code or account number for a stored payment or standing order. The underlying instruction must be cancelled and then created anew thus ensuring that the new payee details are validated through CoP processes. Some banks may claim this as a reason which may hide the fact that their systems are so antiquated that this functionality isn’t available but let’s not allow truth to get in the way of a good intention !! As a thought, couldn’t CoP processes still be triggered from a payment instruction amendment (answers on a postcard from the banks (Barclays, Lloyds, HSBC, NatWest…..) would be appreciated).
So, just to put things into perspective, the paying bank is worried that their customer may wish to pay a fraudster and then the bank may have to accept some or all of the liability if the payment is proven to have been made to a fraudster. Even if they feel there is no liability, this position can be changed by the customer taking their complaint through the Financial Ombudsman.
The main function of CoP is to validate purely the account name of who the payer wishes to pay and the name of the account at the recipient bank.
As I see it, there are two issues around an account being used by fraudsters:
1) The account would, potentially, be newly opened
2) There are likely to be a number of CoP’s received for the account in a short period because once the account has been used to receive funds and have them removed, then the account is ignored especially if the recipient bank learns of the fraudulent use of the account. From a personal perspective, I have had no new payees this year as far as I’m aware so any bank should raise risk sensors when multiple CoP’s are received for an account which is out of character for the account.
Therefore, to assist the Paying bank in the information provided to their customer (and, hopefully, reduce the risk of payment to a fraudster) then include additional elements in the API/data exchange between the banks from purely the account name but also the periodicity that the account has been opened as well as the number of CoP requests processed for the account over the past, say, month.
Using the response data from the payee bank, the payer bank can provide a better risk analysis to the payer and hopefully allow the payer to make a more reasoned decision about establishing a new payee.
There would need to be a couple of matters requiring some additional thought: GDPR and Account Switching.
As regards GDPR, there are allowable circumstances where disclosure would be appropriate in fraud mitigation. The legal fraternity within the financial community needs to raise the issue with the governmental powers that be to obtain appropriate dispensations and provide suitable guidelines to protect all parties.
As for Account Switching, a payee should not be disadvantaged because of using the Account Switching facility and therefore some additional capabilities may be required so that longevity of relationships across multiple banks is properly recognised.
It is appreciated that the implementation of these ideas will not be a means to eliminate the push payment frauds and that there are customers out there who simply will not believe that they are being scammed but there is some hope that these ideas duly implemented may at least help in reducing fraud to a certain extent.
Bob would value your comments around the content of this blog – you can contact Bob via Linked In.