When you’re adding a new contact to pay, how many times do you check you’ve entered the right sort code and account number, more than once right? What if you’ve been given the wrong numbers - how would you know? Jack Gianella and Julien Laurent are discussing the new initiative ‘Confirmation of Payee’ and how this will confirm you’re paying the right person. They’ll also discuss how this is only the start, with new technology in place there are more ways than ever to protect your payments from fraud.
Rich Williams: We start with a short story based on real events about an individual who gave their solicitor the wrong sort code in order to claim inheritance.
Hundreds of thousands of pounds went to the wrong person, who then refused to give the money back. A year later, thanks to costly legal fees and countless hours of toil, they did manage to recoup the money.
But guess what, this doesn’t always happen, and the same thing can affect business payments too.
Hello, I’m Rich Williams, host of the Payments Podcast, and today I’m welcoming back fraud specialists at Bottomline; Jack Gianella and Julien Laurent and asking them about the importance of ensuring that you know who you pay.
We’ll also be discussing the impact that the confirmation of pay initiative is set to make to the market as it encourages innovation as well as attempting to eliminate APP fraud.
Hi Jack, hi Julien.
Jack Gianella: Hi, Rich.
Julien Laurent: Hello.
Rich Williams: So, first of all, let’s begin with the topic of Authorised Push Payments, which I referred to a moment ago as APP fraud. Now this is a problem which costs organisations millions of pounds every year to investigate and rectify; Julien, could you explain for us the problems caused by this activity?
Julien Laurent: Yes, so first of all just to give you a bit of background, the APP fraud is when criminal actor managed to convince you to change the beneficiary of a payment.
So it could happen in terms of the example we have here when it’s a mistake in that case that you mentioned, but it could also happens to businesses when invoices are being intercepted and the account number or the electricity provider get changed to a different account number. Then the fraudster will then in terms get the money.
And I think Jack, you’ve got some figures for us in terms of what it means to the UK industry?
Jack Gianella: Yes, so Rich, I think you mentioned hundreds of millions of pounds. I think specifically we’re talking £350m during 2018-
Rich Williams: Wow.
Jack Gianella: … was the total cost of APP fraud, and we’re talking about substantial amounts of money as well. So, per transaction, we’re talking around about £16,000 per one-off payment that goes into the wrong account or a fraudulent account.
So, you know, when we talk about different businesses, obviously £16,000 can be detrimental to the everyday operation of somebody’s business, and these sums of money are often paid through the Faster Payments network, so we’re talking instant payments that get paid, like we’re saying, to the wrong account, but that money’s gone.
It’s not like a BACS transaction where you might be able to retrieve it during the first and second day, we’re talking instant payments that just go and are into the wrong place, like I say, and you can really badly affect a business’s cashflow by this.
Rich Williams: I think regular listeners will probably remember the old phrase, “Faster payments can involve faster problems.”
Jack Gianella: Yes, yes, exactly.
Rich Williams: And I think that’s a good example of that. So clearly that’s something that companies will all want to avoid falling fowl of entirely, but I suspect that’s easier said than done.
As you mentioned, APP fraud revolves around the change in bank details. Confirmation of Payee is meant to help eliminate this; now how is that possible?
Jack Gianella: So, Confirmation of Payee is a regulation that’s been brought to deal with this area, so quite a topical area in the industry at the moment; CoP, or Confirmation of Payee is coming in to deal with this.
So, what CoP is all about, is that there is currently no check-in place that matches a bank account owner to their sort code and account number.
So, I always use the example of my own house deposit; I remember being so scared when paying my house deposit that I had a bank account and sort code in front of me, and I did not know that the digits that I was entering matched my solicitor. And I was so scared, I’ll never pay that much money in one go again – I hope, anyway – and I just had no idea that, like I say, the detail that I had in front of me matched.
So, CoP is being brought in to make sure that that check is being happening; it’s happening in making payments, basically.
You know, you can give the first example that you gave, Rich, similar to my example; it doesn’t have to be even fraud; we’re talking about error here as well, where you are entering just the wrong details in, and paying substantial amounts that go to the wrong account.
So, the regulators are bringing this in to make sure that we’re further secured and that we’re making more better and accurate payments.
So, yes, really pleased that – and I think everybody in the industry can say that CoP is a great initiative, and the benefits are quite clear, but I suppose it’s important to mention and relate into everything we’ve talked about so far, is that it’s not the silver bullet; that CoP is not just going to stop all kinds of APP fraud.
And, you know, Julien, I think you’d probably back that up, wouldn’t you?
Julien Laurent: Yes, that’s right. I mean, if we consider a slightly different scenario; so, we looked at a scenario when someone had to enter details and they made a mistake, or someone is convincing them to change the bank.
Now, in those scenarios, the name will not match who it is supposed to be on the bank account. So, in this scenario, CoP would be able to help you.
Now, let’s consider a slightly different scenario; let’s imagine someone had set up a wonderful, a very promising pension management organisation, and then they convince a few retirees to give them all their savings and pension with great promises of greatly improved return investment.
But when they make that transaction, the company exists, the company is legitimate, the bank account exists, it’s the right bank account; where the fraud lies is that that person has no intention to invest that money to help them; the intention is to – once they have enough money – close shop and disappear with the money. In that scenario, CoP is not enough.
So, there comes a different layer of protection, so what we are doing here with PTX Verify, the solution at Bottomline is we have anomaly detection.
So in that scenario, when the retiree is trying to transfer a large sum of money, the bank would be able to be alerted that this is out of the ordinary; this is a large sum of money compared to the normal behaviour of the person, and it’s also going to a new beneficiary, not someone we already know, like a little grandson, or the son and family.
So that enables the bank to then interact with the customer and bring a new layer of protection for their customer by having this technology there. So, there is a lot of things that we can do with this that really helps.
And I think a good example to help you relate, is when we do online shopping – all of us now use that experience – and when you use your Visa card, there are some websites that will ask you for the password of your Visa Protect, or Mastercard services, to be fair to everyone, but then you will notice that it’s not a question of the amount of the transaction, it’s whether it matches your habits or not.
In my case, I spend a lot of money on mountain biking, so when I got to mountain biking websites, I never get asked for that code, but if I go and order a spa weekend, which I normally do when I’m in trouble with my Mrs, then the code is asked because it’s not a regular thing, and so my profile does not see that as a normal transaction.
That’s basically what we are doing without services; we help our clients to identify their pattern and spot something which is out of pattern. So even if a system is compromised and that transaction has been deleted from their services, we are able to see it.
Jack Gianella: Yes, so a great point, Julien, and I suppose when you link that straight back into the corporate world, it’s all about trapping things in real-time, you know, if somebody makes changes to your supplier payments or your invoices, and once you’ve made a few payments, it might be too late by the time you’ve had a chance to go back in and do a check on balance. And once you’ve taken the time, that money is gone.
We’ve talked about the Faster Payment network; even in relation to the BACS network, it’s too late to get your money back at this point, so the whole point about this whole process is being one step ahead and taking a holistic risk-based approach to your payment processes.
It’s not just doing one check right at the beginning of your payment process by a very similar CoP check, where you’re double-checking the match of the account details and name, but also later down the payment process, checking for anomalies, checking basic transaction monitoring rules that can stop a payment in real-time as well.
So, it really is taking that risk-based approach all the way through.
Rich Williams: That’s an interesting point, Jack. So being that there’s no cure-all, or there’s no plaster that you can put on at the front to stop problems, it’s that continuous investigation – a bit like Kizon, I suppose.
Jack Gianella: Absolutely
Rich Williams: What are you at Bottomline doing with solutions like PTX, for example, to make sure you’re continuously monitoring activity and preventing human error and fraud?
Jack Gianella: Yes, absolutely Rich. So, trying to do exactly what I’ve just been speaking about, really; it’s taking that holistic approach. So we start with a solution that’s called PTX Verify; so Verify uses an existing database from one of the largest credit score agencies in the UK, and it takes the data to validate sort code and account numbers with the name that we’ve been talking about.
We then come inside to PTX Payment Solution itself, where we’re doing transaction monitoring; we’re looking at 100% of our transactions from our customers that come in for simple things like duplicates, first time payments to accounts, being able to alert our customers to when things just don’t feel quite right, which as we’ve said, makes this whole- which brings this whole process together, so you’ve coupled your initial check with what is actually happening within the transaction.
If it doesn’t feel right for a consumer or a customer, we’re then going to tell them that and they’re going to be able to act upon that.
Rich Williams: So, it sounds that you guys are going very much above and beyond what the regulations are leading you to doing, and you’re taking proactive steps to tackle this head-on?
Jack Gianella: I think so, Rich, yes definitely. I think we’ve mentioned already we very much welcome CoP coming in as a regulation; it’s a fantastic thing that’s going to hopefully protect a lot of people and a lot of users. But we want to go further.
We want to almost be ahead of the regulators; it’s all about knowing who you’re paying at all points of the process, being ahead of any potential fraud that can come in. You know, CoP is a great initiative, but it also means that fraudsters are going to have to be better, come above the regulator again and do something different.
So, we need to be proactive in what we’re doing in protecting our customers, and like you say, doing exactly that.
Rich Williams: Thank you. Any closing remarks from you, Julien?
Julien Laurent: No, I think Jack really summarised it well; it’s a game of chess.
It’s great that the regulators are copying; we need to also do our duty of care with our customers to use technology to stay ahead.
Regulators have a latency to what they can do; with the technology, we can move slightly faster and so we’re not just waiting, being reactive; we’re being proactive, and that’s the right thing to do.
Rich Williams: Interesting you mentioned duty of care there; listeners might be interested to know that we are actually doing an entire podcast on this in the next couple of months, so stay tuned for that.
A really interesting and informative conversation there, and thanks again to you, Jack and Julien for joining us today.
Jack Gianella: Pleasure, Rich. Thanks for having us.
Julien Laurent: A pleasure, as usual.
Rich Williams: So, the introduction of Confirmation of Payee should clearly be welcomed by individuals and organisations alike, and the combination of increased safeguards against fraudulent activity, human error and the innovation it will encourage in the marketplace are both things to be embraced.
Unfortunately, that’s all we have time for today. We’ll be back with some more podcasts very soon, and in the meantime, you can listen to more episodes on ‘All Things Payments,’ at the touch of a button using your preferred provider. And we’ll see you all next time.
PodcastHow Banks Should Be Preparing For PSD2 Part 2
Bottomlines Marcus Hughes continues where he left off in part 1 talking about how banks need to prepare for PSD2 and Open Banking.
White PaperOpen Banking: Changing the Way Businesses Pay and Get Paid
The way businesses and banks pay and get paid is changing. There has never been a period of such radical shift in the payments landscape. Many of these changes are driven by regulation, so businesses and banks will need to ensure they are compliant with the new rules and payment schemes. But these transformations will also bring many exciting opportunities to make payments easier, faster and more secure.
For Customer Support and Services click here.