The Payments Podcast transcript

Jacqueline: According to the last Business Payments barometer, 56% of companies confirmed they had invested in bank account validation and verification platforms, and just over half had implemented.

According to the last Business Payments Barometer, 56% of companies confirmed they had invested in bank account validation and verification platforms, and just over half had implemented multi-factor authentication, or MFA, if you like. But the big question is, what about those that haven't? And are they more susceptible to payment fraud?

Hello, I'm Jacqueline Powell, host of today's podcast, and I'm chatting with Mark Bish, one of Bottomline’s product leads about why bank account verification and validation measures are critical to the payments process, regardless of whether it's funds you're collecting or paying out.

Hi, Mark. Thank you for joining us today.

Mark Bish: Thank you for inviting me.

Jacqueline: It's great to have you with us. So, Mark, kicking off, let's start with the fraud angle and work backwards. How bad is payment fraud really? Is it getting worse? And should we be concerned as growing businesses?

Mark Bish: I think the easy answer to that is yes, it definitely is getting worse. Everything we see shows that this is a growing issue. Over the last couple of years we've seen individuals and organisations rapidly pushed into the online world. So, you know, we've been in lockdown and that's given fraudsters a huge opportunity. It's really hard to give a measure on direct debit, direct credit fraud losses. Outside the increased number of reported incidents that appear on the Internet, there's not a huge amount of official information made available.

It's quite a sensitive topic, and it's not something that people share in general. But if we used authorised push payment or APP fraud, as it's often known, as a sort of proxy, we can see that the impact of financial fraud on the UK economy is significant and it's growing. The last full-year stats for APP from UK Finance reported losses of £479 million in 2020. So far we've only seen figures for the first half of 2021, but that fraud had already grown by 71% at that point. It was already £355 billion, and that was already bigger than credit card fraud for the first time, which is a real big challenge I think for the UK.

I think the chances are that any organisation not implementing fraud measures, so not validating and verifying bank account ownership, they're under attack, irrespective of what channel they're working in.

Jacqueline: With numbers like that, I couldn't agree more, I must say. So I know from the Payments Barometer Research we conduct annually that payment fraud in businesses does keep rising year on year. So Mark, you talk about bank account validation and verification as a prevention measure, but many people might think that they are actually one and the same thing. That's not the case, though, is it?

Mark Bish: Okay. No, so validation is a great tool for ensuring that account details haven't been mis-keyed and preventing payment failures due to keying mistakes. And without that process, without validating, error rates are typically around 4%. So that's not an insubstantial problem and also not an insubstantial cost to repair. But it is just an algorithmic check on the sort code and the bank account number that confirms that the bank account is valid for that particular bank.

Verification is very different. It's a much more powerful tool and gives you the ability to verify the connection between the account details that have been provided and the person or organisation that you're dealing with. So does this account belong to that particular person? Does the account exist and is it open? And that kind of insight is key to mitigating fraud risks to your businesses. Fraudsters are relying on the fact that you're not finding inconsistencies in the information provided.

So having that extra check is a really powerful element to that process. And if you look at it from a direct debit, direct credit perspective, they're an essential component of the payments landscape. They help companies to improve their cash flow, enable better credit visibility, drive down bad debt, so verifying the account owner has a significant impact on mitigating the risk to businesses of frauds through both those channels.

Jacqueline: So ensuring those funds are collected or made to the right bank accounts is pretty critical. That much is obvious, but do you think that you could just do either rather than doing both? So is it worth the risk of not investing in a validation and verification platform?

Mark Bish: I personally don't think that's a risk anyone should consider. There are two things to address here, I think. Firstly, if you're a business processing paperless direct debits, then the verification of an account holder, that's not an optional activity. And if you aren't doing that, you aren't compliant with BACS scheme rules and you'd need to resolve that straightaway. Anyone using AUDDIS, whilst it's not mandated, it is strongly recommended by BACS to implement the same process. So I would say the same to anybody doing AUDDIS transactions too. It is something that you need to resolve pretty well straight away.

If we put that to one side, I guess, yes, you could not validate bank account numbers, but then you won't prevent the inadvertent mistakes and you'll have to bear the remediation costs for repair for that 4% that I mentioned earlier on that are mis-keyed. And the impact that has on your cash flow. You could not verify account holders, but if you think about the online account opening process and the minimal data that we all expect to provide, you know, name, address, date of birth, telephone, email, address, bank account, the first three are really easy to find.

You can get a pay-as-you-go SIM card for pennies. You can get an email address within seconds. The one element that's really problematic from a fraudster’s perspective is the bank account. And if you look at the way people are impacted and businesses are impacted, if we look at the APP side of things, where the banks are at both ends of that transaction, only 25% of losses are recovered. If you look at it from a direct debit and direct credit point of view, that number is closer to zero. So it doesn't bear thinking about to take that risk.

Jacqueline: Mark, I'd like to just spend a little bit of time looking at direct debits in more detail. Could you share with us why businesses should verify and validate a customer when signing up for DDs? What are the consequences of not doing anything?

Mark Bish: Well, I guess from a validation perspective, the point is to catch the error at source. So in direct debits, there's a heavy reliance on supplying the bank account details, or if it's through a call centre, manually capturing the data correctly, and mitigating that internal time effort to resolve and correct records, re-present a collection and, you know, the loss in terms of cash flow until that problem's resolved. From a verification perspective, it's to ensure the account details are legitimate.

We quite often focus on direct debit fraud because that's the symptom that we can see, but it's a symptom of an underlying problem. We always focus on the promise to pay element of it, the direct debit bit. But the reality is the fraudster’s after goods, services, money. The direct debit is incidental and it's something that they have to provide because it's a necessary part of the process to achieve their objective. If you consider it from a reputational point of view as well, there's a lot of noise within the Internet around problems with direct debit transactions.

Again, people are focussing on the fact that money has been collected from their account, but it is a reputational damage for organisations. You also have to consider the impact of that on the individual. And I guess where times are quite hard at the moment on businesses, around the fact that if you have collected money from someone's accounts and it wasn't the correct person, they might be subject to bank charges. You might have put them into overdraft, it could affect their business.

And whilst you might give that money back through the direct debit guarantee, the consequences are much bigger from their perspective. And looking in general, direct debit, direct credit fraud, the noise around fraud is getting louder. Last year, BACS made a stronger recommendation around AUDDIS activity and checking and verifying the account holder. That's driven by the potential damage to the reputation of the schemes, and making sure that the genuine individual has authorised a payment or collection.

The other challenge that we have is once the fraudster has found an account to use, particularly from a direct debit perspective, they will keep exploiting that account. You will see numerous reports on the Internet around an individual who has had dozens and dozens of direct debits set up against their account because the fraudster’s identified that it works and they just keep on using it over and over again.

Jacqueline: Mark, thank you. It certainly sounds far more damaging to not do anything than it does to take the necessary and sensible precautions. On that note, I'd like to move on to what you would recommend companies should do to make sure that their payments are properly screened.

Mark Bish: Right, okay. So we have to remember that fraudsters are smart. Companies have to make sure that they do everything that they can to prevent criminals accessing funds, whether that's through payments made to compromised accounts or collecting from accounts that they’ve compromised from a direct debit perspective, when you're onboarding customers, or even suppliers or paying staff. So let's bear in mind as well that individuals can be compromised and have their wages paid to someone else.

It's really important that we verify the individuals or business’s bank accounts. And it's a really simple process. Electronically, online services confirm that the account holder is correct. Are they linked to that account? Is it the same name, address? Not relying on paper-based processes. I think it's very tempting to move towards that because it's really easy to get people to provide paper. But just remember that it's really easy to forge paper-based documents. Very, very few people nowadays actually have things sent through to them in the post.

They're generally things that they print off from an online process. So that electronic process, I think to me is really important. And also tying that back to the individual, so, you know, it's not just a standalone check of identity, it's not a standalone check of the bank account ownership. It's the combination of checks on all of the attributes that's really important. We can't stop payment fraud, but we can make it really, really difficult. And it's relatively straightforward to do it by having the right processes in place.

Jacqueline: Without doubt, Mark. I think the more we can do collectively to monitor potential payment fraud earlier on in the process, the more chance we have of catching it in flight. Now, in a bid to drive down APP fraud, UK Finance introduced Confirmation of Payee, or COP, if you like. Could you give us a bit more information on this initiative?

Mark Bish: Yes. Confirmation of Payee is a fantastic initiative. It's a service that allows banks to verify the account owner of an account at another bank when one of their customers is setting up a payment. So you'll quite often have seen it yourself. If you go into your online banking page, you want to pay one of your friends or pay a bill. It asks you to put the name in and it will check that name matches the name that's held by the account holder at the bank that you're paying towards. It's been really crucial, I think, in mitigating fraud within authorised push payment.

So those are those payments that you make faster payments, CHAPS payments bank-to-bank. If you think about how much the value of that fraud has grown, how bad that would be without the process in place, so about 95% of UK accounts are covered by this service. It's really crucial from an APP perspective in that those payments are instant. It’s in near-real-time, 15 seconds and the money's gone. And it also means that people can be more comfortable when they're making a payment that they are paying a genuine individual and it is that person or the genuine business, and it is that business that they're paying.

And you can identify where things are wrong, right at the point where you're trying to make that payment, go and speak to the person you're trying to pay, the name is not matched, etc. And that maybe puts a little bit of doubt in your mind and maybe drags you away from potentially being compromised by a fraudster. It's also a really simple service: name, account number, ping, information comes back and tells you whether that information matches the data that's held. And it's a pretty good customer experience, I think, having used it myself.

What we need to see is that growing and moving outside of APP. At the moment it's within that bank-to-bank side of things. But I do think it could have a massive impact outside of the banks, too, by providing people a greater and stronger service for things like direct debit and direct credit in the longer term.

Jacqueline: So, Mark, I expect that many businesses are asking the question, “But isn't this the role of the banks? Isn't this their problem rather than mine?” What would your response be to that?

Mark Bish: I think, yes, I don't necessarily entirely disagree with that position. I think the challenge that you have, though, is that the crime has already been committed if you're looking at it from a fraud perspective. So if you set up a direct debit and the bank identifies that that's not the account holder, you've already given away the goods, the services, the money or whatever to that individual. So it needs to be done at the front end, at the point where the person is on-boarded.

So it's just a little bit too late in the process. You're essentially just reporting the fraud earlier than perhaps you would identify it a little bit later down the road.

Jacqueline: Okay. Thank you, Mark. I think it's safe to say that it's no longer enough just to assume and trust that the payer details are correct and legitimate. Clearly, there is a reason why more and more businesses are looking to invest in platforms that can help them be more efficient and certainly safer. Before I close out, are there any key takeaways that you'd like to share with our listeners today?

Mark Bish: I think the first one from my perspective is: don't wait for the next best thing. There are solutions on the market now. So you can fix the majority of that problem today. Look at the processes that you have in place. Are you identifying fraud in the right way? So look at the people processes, the technology that you have and the way that you're using those to make sure you stay ahead of the potential frauds. Trust any service that you onboard to evolve as information becomes available. All services are using as much information as is available today.

That will change over time. Those services will change over time. So, you are part of a process that will evolve along with the capabilities that they have available to them. Also, if you haven't already, then you can listen to the recording of a webinar I did two or three weeks ago: The Mod Is Not Enough. And that's available on the resource page on the Bottomline website.

Jacqueline: Those are great tips, Mark. Thank you so much. All that's left for me is to thank you for joining us today and for your insight.

Mark Bish: Thank you.

Jacqueline: So that brings this episode to a close. Should you be looking for more information about securing your business payments, then please get in touch with our team, or you can visit the Bottomline website, But for now it's goodbye, until next time. Thanks for joining us.




Want to learn more about PTX?

Give us a call.

Our payment experts are here to help.

0118 925 8250

Chat with us.

Chat with one of our payment experts. We'll recommend the right solution for you.

See how we can drive your business forward.

Tell us a bit about you and your business and we’ll get back to you with all the information you need.

footer curve