The UK’s six largest banking groups, covering 90% of bank transfers, must fully implement Confirmation of Payee (CoP) by 31 March 2020.
Banks currently use unique identifiers (usually sort code and account number) entered by the payer to identify the receiving account. Whilst the intended payee’s name may be provided, there is currently no mandate to check that name against the account to which the unique identifiers relate.
There is a need for further unique identifiers to guard payment transactions against fraud. Fraudsters have become increasingly sophisticated in using online and mobile processes to trick people into sending money to the wrong account. An example of this type of Authorised Push Payment (APP) fraud would be paying an invoice that looks exactly like the one from your child’s school – but it turns out to be from a fraudster and sends the money to the fraudster’s bank account.
The advent of real-time payment systems, such as Faster Payments, has made this type of APP fraud more attractive to criminals. As payments made using real-time payment schemes are irrevocable, the victims cannot reverse a payment once they realise they have been conned. Real-time payments also have a lowered risk for fraudsters as once the money is received instantly, they can quickly extract the proceeds of their crime. Although the percentage of transactions that are accidentally misdirected or fall victim to fraud is small (less than one in 20,000), the impact on victims can be significant.
With this type of fraud in mind, the Payment Systems Regulator has directed banks to put in place CoP in order to provide an extra safeguard for payment transactions.
What is CoP?
CoP is a new way of checking the identity of the payee. It checks that the account name entered by the payer for a new payee matches the account name/type held by the payee’s bank. Anyone setting up a payment will be alerted if the name on the recipient account does not match, is incorrect or misspelt, meaning it can be corrected before a payment is made. This is a negative CoP outcome. Where the entered name does match, this is a positive CoP outcome.
CoP will address APP fraud by introducing another hurdle for fraudsters by giving effective warnings to customers about the risks of sending payments to an account where the name did not match.
Which Banks must apply CoP?
CoP will apply to specific banks/building societies within the UK’s six largest banking groups. These firms are:
- Bank of Scotland plc
- Barclays Bank UK plc
- Barclays Bank plc
- HSBC Bank plc
- HSBC UK Bank plc
- Lloyds Bank plc
- National Westminster Bank plc
- Nationwide Building Society
- Royal Bank of Scotland plc
- Santander UK plc and
- Ulster Bank Limited.
The Payment Systems Regulator exercised its power to issue directions to certain persons under section 54 of the Financial Services (Banking Reform) Act 2013 (the Act) to mandate the above firms introduce CoP. It did so via Direction 10. This Direction requires that:
- From 31 December 2019: Directed banks must respond to CoP requests. From this date banks must have the capability to talk to each other. For example, a receiving bank must be able to notify the sending bank that there is not a match.
- From 31 March 2020: Directed banks must send CoP requests and notify the payer of the outcome – for example, if there was a name match or a mis-match, banks should notify the person making the payment.
The direction does not apply to all banks in the UK. Some other banks are choosing to opt-in to providing CoP voluntarily.
CoP applies to all UK-based accounts and payments made via the Faster Payments System or CHAPS (high-value payments). It does not yet apply to direct debits, Bacs Direct Credits or batch/bulk payments, but these are expected to be introduced at a later date.
Pay.UK, the retail payments body, is coordinating the development and delivery of the new service. Pay.UK has developed rules and standards for CoP that are designed to ensure consistency in messaging and functionality, instant verification and clarity about liability.
The rules and standards cover consistency in language such as in the use in abbreviations, joint-accounts/maiden names, common misspellings, and company names.
The types of firms that can enrol with Pay.UK to provide CoP is broad – extending beyond firms allocated a sort code under the Extended Industry Sort Code Directory (typically banks, building societies etc) to all firms authorised by the Financial Conduct Authority (such as investment firms) and participants of the UK’s Open Banking initiative. Enrolment does not currently apply to so-called Third Party Payment Service Providers – being firms authorised as Account Information Service Providers or Payment Initiation Service Providers.
Once enrolled with Pay.UK and having signed a Non-Disclosure Agreement, firms offering CoP are given the Pay.UK CoP Enrolment pack which includes the Rulebook, the Operating Guide, the Technical Guide, the Technical Specifications, the Test Pack, the Pricing Schedule, the Terms and Conditions for Participation and the required forms. Enrolment is available via the Pay.UK website.
The Need to Balance Control with Protection
The options for a payer customer if a negative CoP outcome is received are:
- To confirm the correct details with the payee;
- Correct the error (if there has been one) and resubmit;
- Cancel the payment;
- Proceed to make the payment with clear warnings about the consequences and liability if the payment goes wrong
There must therefore be a balance between minimising friction for positive CoP outcomes and introducing appropriate friction for negative CoP outcomes to ensure the payer is given an opportunity to exercise suitable care before executing a payment.
The Pay.UK rules and standards require that banks be very clear in their warning messages to customers who choose to proceed with a transaction where there has been a negative CoP outcome.
Proceeding after receiving a negative CoP outcome may have real consequences for the consumer as the voluntary Consumer Protection Code for push payment scams excuses a bank from liability if they can show the consumer received the CoP warning and failed to take the requisite level of care.
Public Awareness Campaign
Alongside CoP, a national public awareness campaign – take five to stop fraud – is providing the public with straight-forward and impartial advice to protect themselves from fraudsters. Led by the industry lobby UK Finance and backed by the Government, the campaign is being delivered through a range of partners in payments, financial services, telecommunications and commercial/public organisations.
The campaign is warning consumers at this time of fraudsters who are seeking to capitalise on the COVID-19 pandemic to contact consumers (via email, call, text or social media) to attempt to get the recipient to disclose personal or financial information or click on links that may contain malware which they will then use for their own fraudulent purposes.
Consumers are urged to:
- Stop: Taking a moment to stop and think before parting with your money or information could keep you safe.
- Challenge: Could it be fake? It’s ok to reject, refuse, or ignore any requests. Only criminals will try to rush or panic you.
- Protect: Contact your bank immediately if you think you’ve fallen for a scam and report it to Action Fraud.