Authorised push payment fraud is when a fraudster tricks an individual or business into sending them an electronic payment. This is usually done using social engineering techniques and may also involve gaining access to an individual’s email and then pretending to be a person or business with which the individual already has a relationship. Authorised push payment fraud has become the second biggest form of payment fraud in the UK, both in terms of the number of scams and the total value involved. This type of fraud targets some of the most vulnerable in society: in the last six months £145 million was stolen from 35,000 people, a drastic rise from the year before. Last year fraud of this type occurred once every 12 minutes; it is now as frequent as once every 8 minutes. It is for this reason that a national conversation has arisen as to how to tackle the issue. Police resources are strained, as the national fraud bureau has only 25 investigators to review between 30,000 and 40,000 cases of fraud a month. Thus there is not much chance that those who have been defrauded will ever see their money again.
Hannah Nixon, the Managing Director at the Payment Systems Regulator (PSR), has announced in its report on authorised push payment scams, “Outcome of consultation on the development of a contingent reimbursement model,” that banks will have to start reimbursing their clients if they have not done everything in their power to stop, or at least curb, fraudsters from defrauding their customers. Nixon has also claimed that the final code for the reimbursement scheme will be in place by January. However, the code still has some gaping issues that need to be resolved. Firstly, there is no provision at the moment for who, if anyone, will reimburse those who have been conned in cases where the banks have implemented all the appropriate measures to stop this type of fraud. The banks have pointed at the government, as there is already a measure in place, the Criminal Injuries Compensation Scheme, that would work in the same vein. Secondly, when the high street banks were asked for a specific timing as to when they would implement measures to curb authorised push payment fraud, 3 out of 5 claimed that they could not give a specific time as to when the code would be in place, and would not implement it until a resolution is reached. Lastly, it should also be noted that all of those who have already been affected, or will be affected by the time the code has been put into place, will not receive any form of compensation whatsoever.
This brings us to ask the question: what measures can the banks put into place that will demonstrate that they are doing all in their power to stop their customers from being defrauded? A solution has been put forward that banks should introduce the Confirmation of Payee (COP) system when a customer is making an authorised payment. What it will allow the payer to do, as shown in the example, is reconcile the account holder’s name as stored at the payee’s bank against the account number that the payer has keyed in. If a name which the payer is not expecting comes up, the payer has the ability to make an informed decision to cancel the payment before it is sent. The PSR, in a consultation dated 23rd November 2018, has set out two deadlines for implementing the technology change for confirmation of payee. By 1st April 2019, payment service providers must be capable of receiving and responding to confirmation of payee requests from other payment service providers, and by 1st July 2019 payment service providers must send confirmation of payee requests and present the response to their customers.
With the current push payment system in mobile phone and online banking, there is no validation of the beneficiary’s name against the sort code and account number, and the payer takes all the risk involved in the payment, with very little information at hand. It should also be noted that the payment instruction is irreversible once confirmed, meaning that a victim cannot reverse the payment even if they realise they have been conned.
Systems Architecture Change
As seen in the diagram below, from the payer’s perspective the payment is “fire and forget.” The relationship between the payer and the receiving bank is “asynchronous”: there is no need for the receiving bank to be up and responding in real time for the payer’s bank to send the payment; only the payer’s bank’s systems have to be working. This makes the payment experience for the payer fast and hassle-free, but not risk-free.
In the proposed “confirmation of payee” system, some aspects of this would change. The architecture would change for the payer from “asynchronous” to “synchronous.” The new architecture, as seen in the diagram below, adds a real-time message pair between the payer and the receiving bank into the middle of the payer dialogue (the payment instruction part of the system – the lower part of the diagram – would still be “fire and forget” for the payer).
There are some issues associated with the new system. The banks will have to make multiple changes to their payment systems, and the interactions with the payer will change, but the changes will differ depending on which payment method or channel the payer uses. Because of the large number of channels in most banks, this represents a lot of IT work. The last time the UK banking industry faced a change of this magnitude was the introduction of Faster Payments. This is not the only challenge; we will also see problems with:
- The relationship between the paying bank and the receiving bank is “synchronous”; the receiving bank has to be up and running, responding in real time to the paying bank to allow the payment to be sent
- This is demanding of the IT infrastructure in terms of 24 x 7 availability and fast reliable response times
- The bank’s ability to make and receive payments now becomes critically dependent on its own and the receiving bank’s API infrastructure
- The path lengths and the number of components involved in making a payment are now doubled, doubling test complexity and cost
- How to decide how much risk to take versus pass onto the customer
- Should the bank implement the system at all (NB. Contingent reimbursement model)
- What does the sending bank do with the comparison information, always pass it on?
- What if the receiving bank cannot respond with a name vs payee comparison (e.g. during a receiving bank outage)
- How to incorporate the new check into the different user experience of the channels including the error conditions
- Opening up all channel systems to talk to the open API layer
- Implementing a new security layer for the open API to all channel systems
- Creating highly reliable, highly performant open API layers
- Test environments
- Meeting regulator timescales
- Coordinating a critical mass of banks to go live
- Industry test facilities
- Fit with the Contingent reimbursement model (e.g. if a bank has not implemented confirmation of payee, how much should it pay in customer compensation?)
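To make the architectural change concrete, here is a small added simulation (not code from the original article or from any bank or scheme operator) of the synchronous message pair described above: the sending bank asks the receiving bank to confirm the payee name before the payer commits, the payer is shown a match, a mismatch, or a “could not check” result, and the payment instruction itself stays fire-and-forget. The account records, the name normalisation rule, and the outcome codes are assumptions for illustration, and the outage branch shows one way to handle the case in the list above where the receiving bank cannot respond.

```python
"""Toy Confirmation of Payee (CoP) exchange between a sending and a receiving bank.

Constructed example: the account store, normalisation rule and outcome codes
below are assumptions for illustration, not any bank's or scheme's real interface.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CopRequest:
    sort_code: str
    account_number: str
    claimed_name: str  # the name the payer keyed in


@dataclass(frozen=True)
class CopResponse:
    outcome: str  # "MATCH", "NO_MATCH" or "UNAVAILABLE" (assumed codes)


def normalise(name: str) -> str:
    """Assumed matching rule: case-insensitive, ignoring punctuation and extra spaces."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


class ReceivingBank:
    """The payee's bank: answers CoP requests from its own account records."""

    def __init__(self, accounts: dict, available: bool = True):
        self.accounts = accounts    # (sort_code, account_number) -> account holder name
        self.available = available  # False simulates an outage at the receiving bank

    def confirm_payee(self, req: CopRequest) -> CopResponse:
        if not self.available:
            raise TimeoutError("receiving bank did not respond")
        stored = self.accounts.get((req.sort_code, req.account_number))
        # Only the outcome is returned, never the stored name: returning the
        # name on every mismatch would let a caller enumerate account holders.
        if stored is not None and normalise(stored) == normalise(req.claimed_name):
            return CopResponse("MATCH")
        return CopResponse("NO_MATCH")


class SendingBank:
    """The payer's bank: synchronous CoP check, then asynchronous payment instruction."""

    def __init__(self, receiving_bank: ReceivingBank):
        self.receiving_bank = receiving_bank
        self.payment_queue = []  # instructions are queued, not awaited by the payer

    def check_payee(self, req: CopRequest) -> CopResponse:
        try:
            return self.receiving_bank.confirm_payee(req)
        except TimeoutError:
            # Policy choice: the check could not be done, so say so to the payer
            # rather than silently treating the name as matched.
            return CopResponse("UNAVAILABLE")

    @staticmethod
    def present_to_payer(resp: CopResponse) -> str:
        """Text shown to the payer before they decide whether to proceed."""
        messages = {
            "MATCH": "The name matches the account. You can continue.",
            "NO_MATCH": "The name does not match the account. Check the details with the payee before paying.",
            "UNAVAILABLE": "We could not check the name right now. Pay only if you are sure of the details.",
        }
        return messages[resp.outcome]

    def submit_payment(self, req: CopRequest, amount_pence: int, payer_confirmed: bool) -> bool:
        """The payment leg stays fire-and-forget: queued if the payer confirmed, else dropped."""
        if not payer_confirmed:
            return False
        self.payment_queue.append((req.sort_code, req.account_number, amount_pence))
        return True


def demo() -> tuple:
    """Run a match, a mismatch and an outage; returns the three outcome codes."""
    accounts = {("40-00-01", "12345678"): "ACME Builders Ltd"}  # constructed data
    live = SendingBank(ReceivingBank(accounts))
    ok = live.check_payee(CopRequest("40-00-01", "12345678", "acme builders ltd."))
    bad = live.check_payee(CopRequest("40-00-01", "12345678", "A. N. Other"))
    down = SendingBank(ReceivingBank(accounts, available=False))
    unavailable = down.check_payee(CopRequest("40-00-01", "12345678", "ACME Builders Ltd"))
    return ok.outcome, bad.outcome, unavailable.outcome


if __name__ == "__main__":
    for outcome in demo():
        print(outcome, "->", SendingBank.present_to_payer(CopResponse(outcome)))
```

The point of the split between `check_payee` and `submit_payment` is the one the diagrams make: the CoP leg is the only part that needs the receiving bank online at that moment, and the `UNAVAILABLE` branch is where a bank has to decide how much of the residual risk it passes back to the customer.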
The Banks’ Costs and Project Feasibility
There will be two major costs in implementing confirmation of payee. The one of interest to this article is the capital expenditure associated with changing the customer interfaces, implementing APIs and the name matching service. The PSR has estimated that this cost will be in the region of £6 million to £15 million per PSP. Howbankswork thinks otherwise: this feels light in comparison to comparable industry-wide changes like the introduction of Faster Payments or the move to cheque image processing. Even if we take these conservative estimates and assume an average annual FTE cost of £50k for staff, contractors and consultants, the project seems implausibly large to mobilise and complete in such a short timescale. The consultation on the dates does not finish until the beginning of January, and the PSR will need a month to review the consultation feedback and issue its judgement. This means that the COP project would have to start on 1st February 2019 and finish by 1st July 2019 if the dates are to be kept. To be able to spend £6M to £15M in five months, each bank would have to hire or deploy 240 to 720 staff for the full five months from a standing start. All the banks would be scratching around trying to recruit the same experts (who are already quite busy on things like Open Banking), so it is very likely that there would be an industry skills shortfall. Then we probably have to double all this, because there are two payment systems (FPS and CHAPS) that need to be updated with the confirmation of payee system. The CHAPS system in banks is typically a different set of components from the retail payments handled by FPS, so there is little cost saving from doing the two at the same time but a lot of extra risk.
Furthermore, the Bank of England is in the middle of replacing RTGS which sits at the heart of the CHAPS system and so most banks will be very uncomfortable spending a lot of time and energy upgrading their CHAPS systems shortly before these have to be replaced because of RTGS changes.
When would we expect “confirmation of payee” to become an industry standard? Hannah Nixon has claimed that the system should be in place by 1st July 2019. However, we have already seen that it was meant to be put in place by September 2018. With the myriad of technological, industry and business issues the banks have to face whilst implementing the “confirmation of payee” system in both the Faster Payments Scheme (FPS) and the Clearing House Authorised Payment Scheme (CHAPS), is it reasonable to believe that the majority of banks will make the system live by the middle of next year? What are the consequences if the banks do not meet the deadline? Nixon claims that fines and enforcement actions will be put in place, yet if the whole industry decides that it cannot meet the deadline, does Nixon have the ability to fine the entire industry? With the final code still to be decided, and the banks needing to go through multiple test phases of the whole system, it is highly unlikely that we will see “confirmation of payee” introduced by the middle of 2019. Having said that, it is clear that this change is going to come. The regulator and the public want action on authorised push payment fraud.
What banks must do, and many have not done, is put a budget line into the 2019 change budget for a COP project and start planning now how to achieve COP. The regulator will have to relent on the dates a bit, but it will still be a very challenging change whatever dates they finally settle on.