We all want to stop crime. It brings the community together for a common good. We will never eradicate the creativity of the fraudster working the law of averages in a digital payments world, but we can always work together in the industry to block and tackle the biggest leaks in the system.
Authorised Push Payment (APP) fraud has become a big leak - £479m worth of leak.
Following the Which? super-complaint on rising APP fraud back in 2016, the banking industry gathered and under the Pay.UK guidance set out a technical response with Open Banking called Confirmation of Payee (CoP) to start blocking the leaks on redirected payments, errors and fraud. After a slow start, the PSR gave it a nudge and mandated some 2020 dates to get the biggest 6 banks committed. The usual technical bedding down took place and the CoP checks started to flow. Consumers and businesses started to see the ‘no match’, ‘match’ and ‘partial match’ messaging when looking to some payments and the new world of CoP checked beneficiaries for new accounts on Faster Payments and CHAPS began.
And the APP leaks continued – rising 5% in value and 22% by volume of cases in 2020.
The initial celebration of moving over 90% of the new beneficiary traffic across to CoP checking was merited but became muted. Statisticians briefly pondered what the £479m loss may have been without the CoP deterrent employed and knowing this is only the officially-reported number that reaches UK Finance’s economic crime unit. The real damage is higher. And then the other 90% plus segment - the banks, building societies, agencies, credit unions and others who were not mandated began to see an interesting drift of the fraud into their unprotected world.
The result is we now have the unintended consequences of a two-track market. Those with CoP and those awaiting CoP.
We have the early adopters of CoP in Phase 1, who have invested heavily, fine-tuned their name matching engines and are protected by the CoP checks. These have grown from the original 6 mandated banks to around 12 in total that are live and another 8 or so waiting to onboard Phase 1. They all know that Phase 1 in not technically interoperable with the newer set up engineered in Phase 2, so will need to move everything across to Phase 2 at some point.
Then we have everyone else. This means the balance of the 396 banks that own their own sort code to qualify for Phase 1 and another 2000 or so organisations who can only join when Phase 2 opens from July 2021 plus some corporates who are interested to check who they may be paying, as were the UK government when using CoP to pay out Covid loans last year. Their access to the CoP services has fast become a topic of much debate in the industry.
The CoP technology is now available off-the-shelf from Fintech players like Bottomline, with competitive lead times of 4 weeks and low-cost subscription models. So, do new participants join the safety of Phase 1 (PLAY) where the volume sits today, do they wait for Phase 2 in the Summer with automated onboarding and a wider coverage of bank account configurations but needs incumbents to move across (STICK) or do they wait forever until the PSR mandates a published date to adopt CoP (BE TOLD). It’s not as straight forward as it may seem.
The liability discussion does look straight forward. The non-checkers of CoP are not well placed when an APP fraud successfully leaks through the system. The Lending Standing Board has clear guidance on the duty of banks to check who they are paying, and some direction on how the Financial Ombudsman Service (FOS) will rule on cases. One analogy is the introduction of chip and PIN onto plastic bank cards. It’s an extra layer of fraud protection where you don’t want to be the last one to implement the chip. You’ll attract the criminal activity and have little defense against claims for doing nothing, before even measuring the reputational damage, unhappy customers and the bank’s overall competitiveness in the market.
The PSR have published a critical ‘Call for Views’ during June. Detail like ‘when does Phase 1 formally close to new applicants?’ and ‘when will incumbents move to Phase 2 technology?’ are fundamental to the long-term success of the CoP initiative. Ambiguity in the program phasing remains and the confidence behind all the dates published is low. Every Chief Risk Officer has a different experience of APP fraud. Everyone wants open access to the industry initiative and the free choice to join the CoP services at the right time for them.
Whether it's stick, play or be told– the industry is approaching decision time for your organization to commit on how you want to manage a fraud type that continues to grow and frustrate everyone.
For further insight into the payments and banking industries, subscribe now and stay up-to-date on the latest tips, trends, and topics. You can also check out The Payments Podcast, where experts engage each other on the real world factors impacting your industry.