Fraudsters are very good. Very good at convincing ordinary people to send them money, by thinking that they are protecting themselves, or paying a valid invoice. You can tell this from UK Finance’s published fraud figures which show authorised push payment (APP) fraud in the first 6 months of 2022 amounted to £249.1 million in the UK alone.
To a significant extent, the rise in APP fraud is an unintended and unforeseen consequence of the success of Faster Payments, with its ability to make irrevocable payments instantly, 24 hours a day, 7 days a week, 365 days a year. Fraudsters, being as sharp as they are, spotted that this would enable them to quickly move fraudulently obtained funds around to make it difficult to follow the trail and seek reimbursement for the defrauded customer.
From a sending payment service provider’s perspective, of course, in an APP fraud all they have done is to action what the customer has told them to do, so one can understand their frustration at being held liable when a fraud happens. Linked to this is the concept of “unique identifier” in the Payment Services Regulations (PSRs), defined as:
“a combination of letters, numbers or symbols specified to the payment service user by the payment service provider and to be provided by the payment service user in relation to a payment transaction in order to identify unambiguously one or both of—
(a) another payment service user who is a party to the payment transaction;
(b) the other payment service user’s payment account;”
Regulations 43 and 48 (referencing Schedule 4) require payment service providers to specify the unique identifier as part of the contractual agreement for the services. In most cases it is specified as the sorting code and account number or IBAN, omitting the payee’s name. Regulation 90 then says that if the customer provides an incorrect unique identifier:
“Where a payment order is executed in accordance with the unique identifier, the payment order is deemed to have been correctly executed by each payment service provider involved in executing the payment order with respect to the payee specified by the unique identifier.”
The effect of this is that, even if the name on the beneficiary account is completely different from that shown on the payment, the payment service providers are not liable. At the time when the first Payment Services Directive was being negotiated this seemed entirely reasonable (to the banks at least – I should know, I was part of the banking industry team working on it) because the banks at that time had no mechanism to identify and validate whether the name of the payee account held at another bank tallied with the sorting code and account number or IBAN.
However, for the larger banks in the UK now, that is no longer the case. The Payment Systems Regulator’s Specific Direction 10 (SD10) first given on 1 August 2019, required the UK’s six largest banking groups (Bank of Scotland plc, Barclays Bank UK plc, Barclays Bank plc, HSBC Bank plc, HSBC UK Bank plc, Lloyds Bank plc, National Westminster Bank plc, Nationwide Building Society, Royal Bank of Scotland plc, Santander UK plc and Ulster Bank Limited) to fully implement Confirmation of Payee (CoP). They were originally required to complete this by 31 December 2019, but this was subsequently varied in February 2020 to put the full application back to 31 March 2020 and full implementation didn’t happen until June 2020. The Payment Systems Regulator define CoP thus:
“Confirmation of Payee (CoP) is a process that aims to reduce fraud and misdirected payments in electronic bank transfers. It checks the name of the payee against the details given by the payer.”
The Specific Direction points out that Pay.UK has developed rules and standards for CoP (more details can be found here Confirmation of Payee – Pay.UK (wearepay.uk)
The rise in APP fraud and its spread beyond the six main banking groups already required to implement CoP, has led the Payment Systems Regulator to issue a further Specific Direction (Specific Direction 17: Expanding Confirmation of Payee (psr.org.uk)) in October 2022, expanding the requirement, essentially to all UK Payment Service Providers who provide accounts for their customers. This is in two tranches – Group 1 is a listing of the higher volume institutions participating in CHAPS and Faster Payments and they are required to provide the service by 31 October 2023.
Group 2 PSPs are defined as:
“a PSP which:
- is a participant in Faster Payments or CHAPS
- is not a Group 1 PSP
- conducts relevant business
- does not have a CoP system in regular operation on the date this direction comes into force, and
- is a building society, or has a unique sort code listed on the Extended Industry Sort Code Database (EISCD)
Group 2 PSPs are required to implement by 31 October 2024.
For a major requirement such as this, those are not short timescales, and I would urge any PSP offering accounts to its customers to get their projects underway.
That said, while writing this, I read a report about a customer complaining that a PSP would not reimburse them for having sent payments to a fraudster, where the fraudster had convinced them to override the CoP warning. As I said at the outset, fraudsters are good at what they do, frighteningly so. So CoP is unlikely in the long run to be sufficient, and the FCA’s Consumer Duty may mean that further controls are needed to safeguard customers.
