Confirmation of Payee – Requirements for further participation in CoP  

Further participation in CoP 

The Payment System Regulator (PSR) are consulting on their proposed next steps on delivering Confirmation of Payee – a consultation that will see around 400 more firms introduce the payment protection measure.

This essential fraud protection service will increase coverage from 92% of transactions made via Faster Payments (FPS) and CHAPS to 99% worth approximately £2.5 trillion.

Northey Point has responded to the PSRs consultation and are pleased to publish our response in full.

Introduction

This paper sets out Northey Point’s response to the PSR’s “Confirmation of Payee – Requirements for further participation in CoP (CP22/2)” consultation.

Mike Chambers is a recognised authority on retail payments and, as Chief Executive Officer, led Bacs Payment Schemes Limited (Bacs), the UK’s biggest retail payment system, from 2004 until 2018.  During this time, he successfully steered the company through a record number of payment processing, technological, regulatory and innovative customer proposition ‘firsts’ including extending Bacs’ product offering to include the ownership, management and market adoption of the Current Account Switch Service (CASS) and the Cash ISA Transfer Service.  

During his time at Bacs, Mike also led the UK’s systemically important RTGS payment system (CHAPS) as its CEO and operated the UK’s Faster Payment Scheme as its first Chief Executive creating the Payment System Operator (Faster Payment Scheme Limited). 

Mike was an integral part of the industry initiative which led to the New Payments Architecture (NPA) vision (including concepts such as Request to Pay and Confirmation of Payee), the regulatory endorsed merger of the UK’s retail payment schemes and the formation of Pay.UK. 

Having successfully merged Bacs into Pay.UK, Mike has developed a portfolio including roles as Chairman, Advisor, Non-Executive Director and Ambassador. 

Mike also publishes a newsletter which provides an informed insight into the UK’s retail payments landscape[1]

Consultation Response

Question 1: Do you have any comments on our proposed approach outlined above? 

Any report featuring the title ‘the definitive overview of payments industry fraud’ is never going to make easy reading and the newly published report by UK Finance[1] for 2021 certainly does not make comfortable reading. An end of year report that can only conclude that we must all do better in our fight to thwart the fraudster.

The UK Finance report states that there were 195,996 reported incidents of Authorised Push Payment (APP) scams in 2021 with gross losses of £583.2 million, compared with £420.7 million in 2020 (an increase of 39%).

This eye watering amount of ‘authorised’ fraud sits awkwardly with the fact that almost every other type of payment fraud has reduced (2021 vs 2020 by value).

We agree with this statement made by Louise Beaumont, SVP Global Open Banking & Open Finance Industry & Policy Engagement: 

“Well, this was always going to happen…..: “huge rise in authorised push payment (APP) fraud in 2021, with losses 39% up on the same period in 2020.” The PSR needs to mandate CoP far beyond the big banks. And Kate Frankish is right “we need to share data and technology that can spot the crime and enable banks and payment providers to intervene before it happens.”  

Whilst not a silver bullet it is clear that performing a Confirmation of Payee (CoP) check prior to a payment being made is making a significant impact in both thwarting the fraudster by reducing fraudulent payments being made and avoiding misdirected payments being inadvertently sent to the wrong account.

Being ‘sure who we pay’ is central to ensuring trust and confidence in making digital payments – we believe that trust and confidence should be a basic tenant of making a payment.

Against this backdrop whilst we are generally supportive of the approach outlined by the PSR however:

  • Para 2.1 recognises that this consultation ‘represents a continuation of a journey to achieve widespread adoption and use of CoP’. Whilst this is an admirable statement it is our view that, given the fundamental imperative to thwart the fraudster, achieving widespread adoption of CoP has already taken far too long and this concern is being exasperated by the proposed 2023/24 timescales, ‘gaps’ in the PSP coverage and omissions of ‘in scope’ payment channels. UK consumers and businesses have a right to ‘enjoy’ safer payments and will only ‘enjoy’ this right when CoP achieves service ubiquity. 
  • Para 2.5 expresses a concern that some PSP’s who could have adopted CoP have not done so. With annual gross losses of £583.2 million it is difficult to understand that cost of implementing CoP can be a justifiable reason for inaction and to need a regulatory direction to secure budget to implement CoP suggests that, for some PSPs, the budgetary process does not appropriately recognise a PSPs fundamental requirement to protect their customers and reduce fraud. Also, where a technical complexity of Phase 1 prevented a PSP adopting CoP we ask that the PSR seek to satisfy themselves that these complexities have now been addressed and are not presented as a non-compliance reason when the Direction deadline approaches in 2023/24.
  • Notwithstanding our view that the timeline to achieving CoP service ubiquity is too long and, given the eye watering amounts of APP fraud, the route to safer payments ought to be accelerated we are broadly supportive of the proposal to split PSPs into prioritised groups (para 2.7).
  • We agree with the proposal (para 3.4) that PSPs ought to be directed to implement CoP checking for both sending and responding scenarios.
  • Whilst we see the value in providing data in relation to the losses suffered by a PSPs customers as a result of APP scams or misdirected payments (para 3.4) we would also suggest that there ought to be an obligation for a PSP to provide data on (full, partial and no) matching rates – after all it is these criteria that are a true reflection of ensuring trust and confidence when making payments.
  • Para 3.7 notes that some institutions may not meet the criterial of a PSP as defined by some payment schemes. It is our view that if a Sort Code holds accounts that payments may be made to or from then the ability to perform a CoP check should be afforded to anyone who is making a payment to or from an account domiciled at that Sort Code.
  • Whilst the desire for transparency (para 3.8) is a laudable objective of the PSR we are concerned that the requirement to publicly state that CoP checking has not been implemented will only serve as a fraudsters charter directly their fraudulent activity. This would place both the PSP and its customers at considerable risk. 
  • The process to grant an exemption to a PSP (para 3.9) ought not to be artificially linked to specific payment schemes but, rather, an exemption be determined by whether or not payments can be made to or from a Sort Code. (Cross reference para 3.7).
  • If on boarding friction experienced in phases 1 and 2 (para 3.11) manifested itself with the current CoP cohort it is incumbent on Pay.UK to resource appropriately and to ‘marshal’ the industry effectively if the proposed timeframes are to be achieved for the large cohort envisaged by this consultation. What are the learnings from the Phase 1 and 2 Post Implementation Review(s) and how are these learnings being addressed?
  • Since launch the ability of third party providers has delivered a real and tangible alterative to ‘self  build’ (para 3.12), such third party provision ought to provide PSPs with the confidence they need to implement CoP checking.
  • The need for a regulator to take enforcement action (para 3.15) will not serve anyone well. To reduce the risk of non-compliance, to what extent could Pay.UK be responsible for ensuring that PSP’s who fall within the scope of Groups 1 and 2 commit to an implementation plan and evidence progress made against that plan?
  • Given that ‘faster’ payments can often equate to ‘faster’ fraud we are supportive of the fact that all remaining direct participants of the Faster Payments scheme are included within Group 1 (para 3.23).
  • Whilst we understand the rationale for indirect / direct PSP’s in Faster Payments that have a high proposition of fraud (para 3.23) we are concerned that inclusion within Group 1 will lead to an assumption that CoP will provide these PSPs with a ‘silver bullet’ that will address the high proposition of fraud that they may be experiencing. Given that CoP is part of a range of approaches to thwart the fraudster and not a single ‘silver bullet’ we believe that such an assumption will be ill placed.
  • We agree with the suggestion to base CHAPS criteria on the use of MT103’s (para 3.23).
  • The Northern Ireland community should take great comfort in being included within scope of Group 1 (para 2.23), however it is a shame that a significant number of people across the rest of the United Kingdom will not be afforded the same protection that CoP provides.
  • Para 3.24 suggests that CoP coverage within Faster Payments will increase to 99% and will reduce APP fraud and a greater protection against misdirected payments. Whilst such an increase in coverage will provide greater protection for many it still means that over 37 million payments per annum will denied the opportunity of being sure who they pay. The users of Faster Payments will be better served if it were a requirement of scheme participation that 100% of transactions were afforded a CoP check.
  • The timeline for Group 2 adoption (para 3.26) covers a two-year period, the eye watering levels of APP fraud ought to represent a battle cry to thwart the fraudster not a plan of action that takes two years (over a £1billion will be lost to APP fraud in this period).
  • Whilst there are many unique uses of HOCA accounts it is surprising to see that all HOCA PSPs are being excluded (para 3.28). The para states that payments are processed over some of these HOCA Sort Codes and, for these Sort Codes, a CoP check should be required. A process to seek exemption on a one-by-one basis would seem to be a better solution.
  • Para 3.29 outlines a fraudsters charter to target specific PSP’s. If the regulator is serious about delivering safer payments through service ubiquity and the industry / vendors are serious about thwarting the fraudster, then these accounts should be brought into scope (even if the timeframe needs to reflect complexities).
  • Para 3.20 suggests that there is no need to direct PISPs as part of this direction. Whilst this may be a valid view the paragraph suggests that the PSR has concluded this based in OBIE analysis, has the PSR conducted its own analysis or validated the OBIE’s conclusion?
  • Para 3.31 suggests that scheme operators ‘may look to include a requirement to undertake CoP checks as part of their participation in those systems’. Whilst the coverage of CoP is front of mind for the regulator and the industry now it is likely that, over time, this focus will dimmish as near service ubiquity is achieved. It would serve future generations of payment users well if the requirement to perform CoP checks were enshrined in the scheme participation criteria and rules.
  • We agree with the PSR that there is sufficient vendor supply (para 3.32).
  • In the comments above we have expressed our view that an elongated implementation period doesn’t serve legitimate payment users well and delays the opportunity to thwart the fraudster. Para 3.33 seems to suggest that the timeframes included in the consultation have been determined based on one respondent to previous consultations, is this the case?
  • Para 3.36 suggests that current and future PSPs will continue to maintain service ubiquity without the need for an ongoing regulatory requirement and suggests an expectation that CoP checking will, over time, become a part of scheme participation. We believe that it would serve future generations of payment users well if the requirement to perform CoP checks were enshrined in the scheme participation criteria and rules.

Also, we are concerned about CoP coverage for other payment types:

  • We note that the PSR’s road to CoP service ubiquity focusses on Faster Payments and CHAPS. The latest UK Finance fraud figures report that Faster Payments was used for 97% of fraudulent APP scam payments and accept that it is probable that the CHAPS MT103 payment values are likely to be higher than other payment types. However, with an increase of APP fraud via Bacs (+42%), interbank transfers (+8%) and international transfers (+24%) it is surprising that this consultation only focusses on the Faster Payment and CHAPS payment schemes.
  • Given that a fraudster will turn his / her focus to the point of most vulnerability we are concerned that an extended CoP coverage across Faster Payments and CHAPS will lead to the fraudsters attention turning to other payment types. 
  • This includes the two billion Bacs Direct Credit payments processed annually and, perhaps, the sign-up process for new Direct Debits. Whilst there may be complexities in extending CoP checking to ‘push’ Direct Credits and ‘pull’ Direct Debits it seems that users of these systems ought to be afforded the same level of protection ‘enjoyed’ by users of other payment schemes. 
  • The road to adopting CoP checking on international payments may also introduce a level of complexity but, as with Bacs, it seems wrong to define ‘ubiquity’ as only payments that are processed by Faster Payments and CHAPS.

Question 2: Do you have any views on whether we need to consult on a requirement to implement SRD because of the proposed Direction? 

  • Paras 4.1 to 4.3 suggest that there is an issue with delivering SRD capability within a previously determined deadline of H1 2022 and, should this occur, a delay would have consequences for the cohort of PSPs identified within Group 2. Whilst the PSR would need to determine whether regulatory action was required our only comment would be that the need to instigate a process to determine the need for action, including the need to consult, would place the Group 2 timelines in doubt before a Direction was even served. Such a turn of events will make those who choose to fraud UK consumers and businesses very happy.

Question 3: Do you have any views on the PSR’s expectation that Pay.UK and/or the Bank of England as the operator of CHAPS (in respect of retail payments) consider a rule change to require CoP for payments in those systems to be consistent with the Group 1 timeline? 

  • As mentioned above and for the reasons stated in Para 4.5, we believe that the PSR should do more than ‘support’ Pay.UK and the Bank of England in introducing a rule change (para 4.6) and direct the operators of payment schemes to do so.

Question 4: Do you have any comments on our CBA? We welcome any further information about the costs and benefits relating to directing the implementation of CoP to the additional PSPs. 

  • Our only comment on the CBA analysis is that we believe that the ability for a consumer or business to perform a CoP check ought to be a right and not a privilege. On this basis a level playing field will only be achieved when the right for a PSP to participate in a payment scheme is accompanied with an obligation to provide the ability for a CoP check to be performed by all users. 

Question 5: Do you have any comments on our equality impact assessment? 

  • Para 6.7 appropriately places the responsibility on PSPs to treat all of their customers well and, noting the additional demands CoP places on Payers, those with protected characteristics have every right to be afforded the same safeguards as anyone else. 
  • Para 6.8 to 6.11 considers, amongst other things, the position of vulnerable payees and complex names and notes that Pay.UK’s CoP rules and standards provide guidance. In considering our response we have assumed that the PSR has reviewed the rules and standards and have satisfied themselves they are appropriate.

[1] Fraud: We need to fight together https://northeypoint.substack.com/p/fraud-we-need-to-fight-together?r=5igm3&s=w&utm_campaign=post&utm_medium=web


[1] Payments:Unpacked www.payments-unpacked.com/subscribe

Comments are closed.

Up ↑