Making essential payments that support society and vulnerable individuals is a critical role of UK local authorities and public sector organisations. These payments fund vital community services, including waste collection, social care, healthcare and emergency response.
For example, East Midland Shared Services (EMSS), a partnership between Nottingham City Council and Leicestershire County Council, undertakes the councils’ transactional finance, HR and payroll payments, processing about 900,000 payment instructions worth around £2.9 billion annually through the Bacs system.
Ensuring consistency for vital payments
To ensure those essential payments are made consistently on time, EMSS requires a secure, reliable and cost-effective solution.
“We use PTX for managing Bacs payments for the likes of payroll, suppliers and benefits recipients. These are sensitive payments that, if disrupted, could have a severely negative reputational impact [on the councils],” said Jill Turner, Business Development Manager at EMSS, during our recent webinar entitled ‘Enhancing payment processes for local authorities’.
In addition, the shared services company has been looking at ways to eliminate inefficiency by automating payment processes, as well as improving security. For example, it’s currently implementing paperless Direct Debit functionality to reduce manual workarounds.
EMSS also uses Bottomline’s CoP for Business service to verify an organisation or supplier’s bank details to reduce the risk of payment fraud, which is a major issue for both the public and private sectors.
The company focuses on improving security, robustness and resilience across the business. “We’re looking for greater self-service and automation to avoid rekeying. Automation also improves security and provides better risk management, especially around payments. I now spend much more time working on business continuity planning and disaster recovery initiatives, such as scenario planning in response to cyber-attacks or if the network fails,” Turner said.
Mitigating fraud risk
EMSS’s story really brings to life the importance of secure, automated payment processes—especially when the stakes are high. As it turns out, they are not alone in that thinking.
During the webinar, we asked attendees what they see as the biggest challenge in payment processing. The results were telling, with more than half (54%) pointing to fraud risk as their top concern.
This highlights that verifying account details is especially important for the public sector, which has more business-to-business Direct Debit transactions than other industries. Local authorities and public sector organisations should consider how they verify and validate account information today, not only for Direct Debits but also for purchase ledger-type payments. A lot of Authorised Push Payment (APP) fraud occurs when paying supplier accounts, for example. It’s quite common for fraudsters to impersonate a supplier and request an account information change via a letter or an email.
To address this issue, particularly around APP fraud, the industry association Pay.UK launched the Confirmation of Payee (CoP) service in 2020, which was then extended to Payer Name Verification checks in 2023 to verify both payees and payers. The account name-checking service conducts near real-time verification on more than 99%* of UK bank accounts, both business and personal.
In addition to decreasing the risk of error and fraud, CoP for Business can help scan existing data to highlight if multiple employees or contractors are being paid into the same account, which might be an indication of fraud. The service also provides a better onboarding experience, as customers receive a real-time response, and reduces the need for future manual checks that can delay payment.
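The shared-account check described above, sketched as a local scan over a payee export. This is an added example, not Bottomline's CoP for Business or any code from the webinar; the field names, the records and the rule of left-padding short account numbers to 8 digits are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed payee export: names and bank details are made up.
PAYEES = [
    {"payee_id": "EMP-001", "sort_code": "11-22-33", "account": "70872490"},
    {"payee_id": "EMP-002", "sort_code": "112233", "account": "70872490"},
    {"payee_id": "CON-014", "sort_code": "11 22 33", "account": "7087 2490"},
    {"payee_id": "SUP-101", "sort_code": "44-55-66", "account": "5577991"},
    {"payee_id": "SUP-102", "sort_code": "445566", "account": "05577991"},
    {"payee_id": "EMP-003", "sort_code": "77-88-99", "account": "12345678"},
    {"payee_id": "SUP-103", "sort_code": "77-88-9", "account": "12345678"},
]


def normalise(sort_code, account):
    """Return (sort_code, account) as digit strings, or None if malformed."""
    sc = re.sub(r"[\s-]", "", sort_code)
    acc = re.sub(r"\s", "", account)
    if not re.fullmatch(r"\d{6}", sc) or not re.fullmatch(r"\d{1,8}", acc):
        return None
    # Assumption: short account numbers are left-padded with zeros to 8 digits.
    return sc, acc.zfill(8)


def shared_accounts(payees):
    """Group payees by normalised bank details; report groups of two or more."""
    groups, malformed = defaultdict(list), []
    for p in payees:
        key = normalise(p["sort_code"], p["account"])
        if key is None:
            malformed.append(p["payee_id"])  # needs manual review, never guessed
        else:
            groups[key].append(p["payee_id"])
    shared = {k: sorted(v) for k, v in groups.items() if len(v) > 1}
    return shared, malformed


if __name__ == "__main__":
    shared, malformed = shared_accounts(PAYEES)
    for (sc, acc), ids in shared.items():
        print(f"{sc} {acc}: paid to {', '.join(ids)}")
    print("malformed records:", malformed)
```

Without the normalisation step the three records for the first account would look like three different accounts, which is why formatting differences in legacy data hide this pattern.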
Tokenisation protection
Data management is an area where many organisations are unaware of the risk that holding personally identifiable information (PII) presents, or don’t know how to solve the problem.
Local authorities hold sensitive personal data in their finance systems, including bank sort codes and account numbers. As such, they face increased costs to protect PII, such as implementing more processes and controls around the systems where the data is stored, as well as investing in more security features.
Not only do they need to protect the data from internal threats, such as staff changing the data for their own benefit, but also external threats from hackers, accidental data breaches and the impact of data quality issues and errors.
Worryingly, fraudsters are becoming more sophisticated and successful in their attacks. For example, hackers have recently attacked well-known retailers, costing them millions. In addition to lost business, they face reduced customer loyalty, increased churn rates, and difficulty attracting new customers. As Turner pointed out, reputational damage is just as much a concern for local councils.
To help address this issue, Bottomline can, through its Account Tokenisation service, offer an additional and powerful layer of protection. It securely captures bank account details in an encrypted central data store, and returns a randomised, anonymous token that can be used in place of the bank account details within the local authority’s finance systems.
Payments can be initiated using secure, non-reversible tokens in place of bank account details. When it’s time to initiate a payment, the token (alongside the payment amount and date) gets passed back to the tokenisation service, which retrieves the underlying account details and executes the transfer. In addition, bank account validation and verification** can be enabled in the tokenisation service workflow to improve data quality.
Tokenisation enables organisations to remove bank account data from their CRM and ERP processes. The result? Organisations can eliminate the need to use customers’ payment credentials in their payments processes by using non-reversible, meaningless tokens throughout the payment process.
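The capture-then-pay flow described in this section, as a minimal in-memory sketch. This is an added example, not Bottomline's Account Tokenisation service or its API; the class, function and field names are hypothetical, the sample details are constructed, and the dictionary stands in for the encrypted central store.

```python
import re
import secrets


class TokenVault:
    """Stand-in for the central store; a real one encrypts records at rest."""

    def __init__(self):
        self.records = {}  # token -> (sort_code, account), held only here

    def capture(self, sort_code, account):
        # Validate format at capture so malformed data never enters the vault.
        if not re.fullmatch(r"\d{6}", sort_code) or not re.fullmatch(r"\d{8}", account):
            raise ValueError("malformed bank details")
        # Random token: not derived from the bank details, so nothing
        # outside the vault can compute the details back from it.
        token = "tok_" + secrets.token_urlsafe(16)
        self.records[token] = (sort_code, account)
        return token

    def initiate_payment(self, token, amount_pence, date):
        # Token, amount and date come in; only the vault resolves the token.
        if token not in self.records:
            raise KeyError("unknown token")
        sort_code, account = self.records[token]
        # Returned here for inspection; a real service would submit this itself.
        return {"sort_code": sort_code, "account": account,
                "amount_pence": amount_pence, "date": date}


def onboard_supplier(vault, name, sort_code, account):
    """What the finance system persists: a name and a token, no bank details."""
    return {"name": name, "bank_token": vault.capture(sort_code, account)}


def demo():
    vault = TokenVault()
    erp_row = onboard_supplier(vault, "Constructed Supplier Ltd", "112233", "70872490")
    instruction = vault.initiate_payment(erp_row["bank_token"], 125000, "2025-07-01")
    return erp_row, instruction


if __name__ == "__main__":
    row, instruction = demo()
    print("stored in finance system:", row)
    print("resolved inside the vault:", instruction)
```

Because each capture draws a fresh random token in this sketch, the same account captured twice yields two unrelated tokens, so any duplicate-account checks have to run inside the vault rather than on the tokens.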
Staying up-to-date
All organisations should be aware of the latest version of the UK Direct Debit guide and rules published at the end of March. These rules are put in place to protect both the payer and the payee from fraud and errors. Importantly, organisations can lose their sponsorship or have their Direct Debit capability limited if they don’t follow the rules.
For example, version 5.8 has made changes to the Direct Debit indemnity claim (DDIC) code 4, which is a Direct Debit cancelled directly with the Service User (SU). Previously, it wasn’t possible to challenge the amendment claim, but now there’s a mechanism in place to challenge a code 4 if the service user can provide specific documentary evidence to demonstrate that the DDIC has been applied incorrectly (Section 7A.1 of the SUGR).
Recent innovations in the UK payments landscape include Pay By Bank and Variable Recurring Payments (VRPs), which are both part of Open Banking. For the former, the payer must authenticate with the bank for every payment, and the payment moves ‘account to account’ using Faster Payments settlement for the payee.
VRPs, on the other hand, allow for regular collections using an open banking framework without needing to authenticate multiple times. They are currently used for sweeping funds between “accounts I own”.
Interestingly, while more than half (56%) of the webinar audience knew of VRPs, they were not sure how they worked, and a third hadn’t even heard of them. No one in the audience had begun using VRPs as yet.
A new development is Commercial VRPs (cVRPs), which are regular payments using Open Banking without needing authentication on each payment. Today, only a few banks support cVRPs; however, the regulators are keen for the payments industry to support them more widely.
The industry is currently working on a multilateral framework agreement that will include a commercial model, dispute management and interoperability standards.
We believe that VRPs will come to complement, not replace, Direct Debits, offering choice, flexibility and real-time advantages where appropriate. They provide an interesting alternative to ‘Credit Card on File’ or ‘Continuous Credit Card Authority’ billing methods. Given the current lack of awareness and adoption highlighted in the straw polls mentioned above, there is clearly a significant opportunity for organisations in the public sector to introduce tighter controls around their Direct Debits.
*Source: PSR – Specific Direction 17 on expanding Confirmation of Payee.
** Payment Verification for Business is provided by Bottomline Payment Services Ltd.
Confirmation of Payee for Business is provided by Bottomline Payment Services Ltd, who are authorized by the Financial Conduct Authority under the Payment Services Regulations for the provision of payment services with FCA registration number 616279.