The Payment Systems Regulator’s (PSR) call for views on Phase 2 of the implementation of Confirmation of Payee (CoP) closed at the end of June. The call for views outlined the findings of the PSR’s analysis of the impact of Phase 1 of CoP (following Specific Direction 10, which was served on the UK’s six biggest banking groups) and the feedback received on the upcoming roll-out of Phase 2 which, it is planned, will enable more Payment Service Providers (PSPs) to join CoP.
In the call for views the PSR also set out potential policy options to enhance the service and deliver increased implementation across a greater number of PSPs. These include options such as issuing a further direction mandating PSPs to implement Phase 2, bringing about improvements to the CoP service, and the future of SD10.
During July and August the PSR plan to consider the responses received and consult on next steps. During September and October the PSR plan to publish a follow-up policy statement with Direction(s) (if appropriate). Ahead of these PSR milestones we are pleased to publish Northey Point’s response to the consultation and would be happy to discuss our response with interested parties.
Confirmation of Payee Call For Views (CP21/6)
Introduction
This paper sets out Northey Point’s response to the PSR’s Confirmation of Payee Call For Views (CP21/6).
Mike Chambers is a recognised authority on retail payments and, as Chief Executive Officer, led Bacs Payment Schemes Limited (Bacs), the UK’s biggest retail payment system, from 2004 until 2018. During this time, he successfully steered the company through a record number of payment processing, technological, regulatory and innovative customer proposition ‘firsts’ including extending Bacs’ product offering to include the ownership, management and market adoption of the Current Account Switch Service (CASS) and the Cash ISA Transfer Service.
During his time at Bacs, Mike also led the UK’s systemically important RTGS payment system (CHAPS) as its CEO and operated the UK’s Faster Payment Scheme as its first Chief Executive creating the Payment System Operator (Faster Payment Scheme Limited).
Mike was an integral part of the industry initiative which led to the New Payments Architecture (NPA) vision (including concepts such as Request to Pay and Confirmation of Payee), the regulatory endorsed merger of the UK’s retail payment schemes and the formation of Pay.UK.
Having successfully merged Bacs into Pay.UK, Mike has developed a portfolio including roles as chairman, payments advisor (Mike founded Northey Point), Non-Executive Director and ambassador. Mike also publishes a newsletter (www.payments-unpacked.com) which provides an informed insight into the UK’s retail payments landscape.
General comments
In addition to answering the questions outlined in the Call for Views we’d like to make the following comments:
- Notwithstanding the significant successes that Confirmation of Payee (CoP) has delivered, there are other initiatives within the operator’s (Pay.UK) and regulator’s (PSR) remit that have the potential to reduce fraud and instances of mis-directed payments. For example, Request to Pay offers an effective way of establishing that a payment is being correctly routed to the intended beneficiary. It is important, therefore, to consider CoP in the wider context of a complementary set of payment types and overlay services.
- With Specific Direction 10 having fulfilled its purpose we believe that, to protect the payer and to thwart the fraudster, (CoP) service ubiquity should not be regarded as an optional extra and there is a case for continued regulatory intervention. We recently published a blog on this subject: Why is CoP not a mandatory requirement on all PSP’s?
- Whilst not a silver bullet, the implementation of Confirmation of Payee has proven to be an effective way of combatting Authorised Push Payment Scams (e.g. where a fraudster tricks their victims into willingly making a large bank transfer to them). Confirmation of Payee also helps to avoid payments being sent to the wrong account due to ‘fat fingers’ (keyboard errors) when we type in somebody’s Sort Code and Account Number. However, the effectiveness of CoP has not been fully realised as CoP coverage remains incomplete. We believe safer payments need (CoP) service ubiquity.
Call for Views Questions
1: Phase 1 trends and impact: Do you have any comments on the trends presented above regarding the impact of CoP on the relevant types of misdirected payments and the relevant types of APP scams? Do you believe that, in light of the decreases in the relevant types of misdirected payments and despite an increase in the relevant types of APP scams, CoP has had a positive impact? Do you believe that CoP has resulted in improved customer experience and confidence in electronic bank transfers?
The financial impact of APP Fraud is eye-watering and is having a significant impact on individuals, businesses and society at large. It is clear that the introduction of Confirmation of Payee (CoP) has had a positive impact and the banks that have introduced CoP, whether by regulatory Direction or voluntary action, should be applauded for doing so.
It is vital that payments work safely and securely for all in society and, whilst not a silver bullet, CoP offers an effective tool to both thwart the fraudster and provide a level of protection against mis-directed payments.
Given the rise in fraudulent activity, which has been exacerbated by the COVID pandemic, it is difficult to be precise on figures but it is our view that without the introduction of CoP the impact of APP fraud would have been far greater.
Conversely, if the adoption of CoP had been greater by scope (number of accounts covered), payment system and bank adoption we believe that the successes ‘enjoyed’ by the fraudster would have been far lower than has been the case. Para 3.23 of the Call for Views document illustrates this point: notwithstanding all the benefits of CoP, the ultimate ‘prize’ is so much greater than the achievements made to date.
It is our view that the adoption and implementation of CoP is not a competitive issue but a reasonable and fair protection that the sender and the beneficiary of a payment should benefit from as a right.
Given the success of CoP it is only natural to expect all accounts that permit payment activity to be afforded the protection of CoP regardless of the bank that provides the account or the channel / payment system that is utilised. Neither a consumer nor a business should be more vulnerable than others just because they (or the person that they are seeking to send money to) hold an account at an institution or use a certain payment channel / system.
CoP is currently limited to Faster Payments and CHAPS; there is a need to consider the role of CoP checking for other payment types. This includes Bacs payments, with a focus on bulk payment submissions and push (Credit) / pull (Debit) payment types.
It is our view that the fraudster’s focus will reflect the vulnerability of the banks that choose not to implement CoP and the payment systems / channel that remain out of scope of the CoP service. This position is not sustainable or justifiable; safer payments require (CoP) service ubiquity.
When a CoP check is available it is clear that customer experience and confidence are enhanced. When a CoP check is not available then trust and confidence are greatly reduced. This is often compounded by the messaging used by some banks, which instils fear and confers an unfair liability shift to the person or company making the payment.
CoP is an excellent example of a fraud prevention mitigant (i.e. not post-event like CRM).
2: Fraud migration and bypassing a no match: Do you agree that the analysis shows that financial institutions that haven’t implemented CoP provide opportunities for the relevant types of APP scams to continue to grow? Are there any other type(s) of institution where the relevant types of fraud have migrated to? Do you agree with the analysis showing that scams continue even when a ‘no match’ occurs? Do you have any views as to how these areas could be addressed in future?
It is our view that the fraudster’s focus will reflect the vulnerability of the banks that choose not to implement CoP and the payment systems / channel that remain out of scope of the CoP service. This position is not sustainable or justifiable; safer payments require (CoP) service ubiquity.
We note the PSR’s analysis in respect of ‘no match’ situations and fraudsters seeking to bypass CoP checks. It is our view that the person sending the payment needs to be provided with a greater level of support in how to address a negative CoP check. Banks must not leave the support and ‘education’ of how to rectify a negative CoP check to the fraudster or chance.
3: Phase 2 progress and dependencies: Do you have any comments on the progress and dependencies of Phase 2 and the CoP-only role profile presented above? Are there any other dependencies or barriers that you would like to highlight?
Given our view that safer payments need (CoP) service ubiquity, we are keen to see a technical solution that results in the remaining PSPs adopting CoP and offering it to their customers. This may be via voluntary adoption or may require regulatory intervention.
There seems to be an unnecessary level of complexity between Phase 1 and Phase 2; however, if PSPs agree that this approach will result in their adoption of CoP then we are supportive. Have non-compliant PSPs been asked whether this, seemingly complex, Phase 2 pathway will result in their adoption?
We note that the Call for Views considers the role of HOCAs and roll numbers. In our view the emphasis should be on ensuring that any account that has the ability to make or receive a payment is afforded CoP protection.
4: Costs and benefits of including SRD accounts: Do you have any comments on the specific costs and benefits of including SRD accounts in CoP Phase 2? Are there any other potential costs or benefits that you would like to raise? Do you have any comments on whether there are certain types of SRD accounts which would not yield a significant benefit from CoP, and/or whether the industry should focus its efforts on SRD accounts that allow for transactions both into and out of them?
Whilst we understand that change may be complex and expensive, are these costs necessary to reduce the eye-watering levels of APP fraud, to protect the sender and receiver of payments and to preserve trust and confidence in the UK’s banking system?
We suggest that working on the assumption that certain types of accounts are not generally vulnerable is a difficult position to maintain as the fraudster will always seek to target accounts with the lowest form of protection. As CoP gains further coverage these types of accounts will increasingly become targets. Northey Point recently published a blog by John Bertrand where he notes that banks / PSPs (Payment Service Providers) not offering Confirmation of Payee (CoP) could be aiding and abetting fraudsters.
5: Alternative solutions for SRD accounts: Do you have any comments on whether the alternative solutions presented above could bring the benefit of CoP at a lower cost than creating a specific CoP solution for SRD accounts? Do the alternative solutions have any downsides?
We are agnostic on the solution, but we think that it is vital that both the sender and the receiver are protected with CoP checks.
6: Phase 2 benefits and costs: Do you have any comments on the benefits of CoP Phase 2 presented above? Are there any other potential costs or benefits that you would like to raise?
It feels that the process of adoption of CoP is quite complex; simplicity is key to PSP adoption.
7: Messaging and warnings: Do you have any comments on how CoP messaging works and how this could be improved in order to avoid the issues raised above – for instance, by standardising messaging? What other enhancements could be brought to the CoP service?
With regard to messaging and warnings we have the following comments:
- The lack of CoP ubiquity engenders fear and nervous experiences and harms the trust and confidence that those making payments should enjoy.
- The messaging used appears to have had the effect of delivering a disproportionate liability shift from the PSP to the account holder.
- There is some merit in standardised messaging, although we are of the opinion that whatever the message there is a real danger of ‘click fatigue’ in getting past the message to make the payment.
8: Directing migration by SD10 banks to Phase 2: Do you think we should direct the SD10 banks to move to the Phase 2 CoP-only role profile environment by the end of 2021? Is it also important to include in any such direction a period of dual running for Phase 1 and 2 ending in Q1 2022, as currently foreseen by Pay.UK?
It is not our place to opine on the process that is outlined in the Call for Views – however we believe that all payment users should enjoy the same safeguards, protection, confidence and trust regardless of who they (or the person they are trying to send money to) bank with, what type of account they hold, what payment channel is used or what payment system the funds flow through.
9: Directing Phase 2 implementation by non-SD10 PSPs with unique sort codes: Do you have any comments on whether we ought to direct non-SD10 PSPs with unique sort codes to implement Phase 2, in addition to the SD10 banks? In particular:
- Should we direct non-SD10 Phase 1 participants to move to the Phase 2 environment, and/or PSPs that have not yet adopted CoP to implement CoP under Phase 2? If so, by what date? Are there any specific PSPs or groups of PSPs that we ought to prioritise and/or exclude from an eventual direction, such as medium sized and/or small financial institutions?
- Should we direct PSPs to develop both the responding and sending capabilities for CoP, or responding or sending only?
- Is a PSR direction the best way to achieve the necessary changes? Do you have any other suggestions to achieve these changes?
It is not our place to opine on the process that is outlined in the Call for Views – however we believe that all payment users should enjoy the same safeguards, protection, confidence and trust regardless of who they (or the person they are trying to send money to) bank with, what type of account they hold, what payment channel is used or what payment system the funds flow through.
Northey Point recently published a blog by Bob Ford which considered the demands of CoP on PSPs not operating real-time 24*7 systems.
10: Enabling CoP participation by SRD accounts: In relation to SRD accounts, do you have any comments on the following:
- For those SRD accounts where CoP would be beneficial, is a PSR direction to deliver a specific CoP capability for these accounts the best way to achieve the necessary changes? Do you have any other suggestions to achieve participation in CoP by those accounts, such as the alternative industry-led solutions in paragraphs 4.23 to 4.24? Do you have any comments on the costs of the industry introducing unique sort codes and account numbers for (certain types of) SRD accounts?
- If a PSR direction were to be needed, should we direct the SD10 banks to implement the capability to send SRD information by the end of H1 2022 in accordance with the timeline established by Pay.UK? Should we direct PSPs beyond the SD10 banks to deliver this capability?
- Should we also direct PSPs that offer SRD accounts to implement CoP responding capabilities for SRD accounts by the end of H1 2022 in accordance with the timeline established by Pay.UK?
It is not our place to opine on the process that is outlined in the Call for Views – however we believe that all payment users should enjoy the same safeguards, protection, confidence and trust regardless of who they (or the person they are trying to send money to) bank with, what type of account they hold, what payment channel is used or what payment system the funds flow through.
11: Pay.UK’s role: In view of Pay.UK’s role described in paragraphs 1.10 and 2.2, do you have any comments on whether we ought to require Pay.UK to have a greater role in terms of the CoP messaging? Do you have any comments on the role we should require Pay.UK to play in monitoring adherence to the CoP rules, standards and operating guidance, and communicating relevant statistics?
Given the importance of the CoP service we believe that, as the guardian and operator of the UK’s service, Pay.UK ought to take a more proactive role in CoP.
It is our view that CoP will ultimately be a key New Payment Architecture ‘overlay’ service and Pay.UK should commit to and support CoP in the same way as they support the Current Account Switching Service (CASS).
In addition to the elements suggested in the question, Pay.UK ought to have meaningful capabilities to hold PSPs to account.
12: Future of SD10: Regarding the future of SD10:
- Do you believe that SD10 has achieved its objectives, will be technically redundant once Phase 2 is implemented, and should therefore be revoked?
- Should SD10 be revoked in circumstances where there is no direction in relation to CoP Phase 2? Are there any elements of SD10 that should be continued into any future direction, and how long should these be for?
We agree that SD10 is technically redundant but, rather than being revoked, we believe that the scope of the regulatory Direction should be revised to ensure that the UK benefits from safe payments through true CoP service ubiquity.
Mike Chambers, Northey Point Limited, June 2021