By Chris Stephens, Head of Banking Solutions at Callsign
Originally, the Confirmation of Payee (CoP) scheme was scheduled to be introduced in July this year. And yet the system, designed to guarantee that names match on transactions in order to reduce fraud, now isn’t expected to be officially launched until March next year. As a result of the delay, many people are apprehensive that, until CoP is in place, consumers will be exposed to fraudulent scams.
And their concerns are justified. Right now, banks don’t actually have a means of verifying the name on the account that the money is being transferred to. CoP will encourage banks to implement the correct checks to offer end users of payment systems greater reassurance that they will be sending their money to the right person or organisation. Last year, bank transfer fraud soared to over £354m, as scammers managed to dupe victims into permitting payments into the scammers’ accounts instead of the correct ones. CoP is fundamentally a service for name checking bank accounts to help prevent the misdirection of payments as a result of human error, which inevitably creeps into payments administration.
Aware of the concerns, the Payment Systems Regulator has confirmed that HSBC, Lloyds, Royal Bank of Scotland, Barclays, Nationwide Building Society and Santander (who together control approximately 90 per cent of bank transfers) are obligated to have their CoP schemes fully functioning before the deadline next year.
The Payment Systems Regulator states that the primary reason for the postponement of CoP was an “unachievable” implementation deadline. While some have been vocal about the impact the delay could have on consumers, given the lack of protection against fraud, there are murmurs within the industry that the introduction of CoP might not have the desired impact.
There is no disputing that CoP will bring with it some benefits. Its introduction will absolutely help tackle the burgeoning problem of bank transfer scams, although it will only serve as one piece of the bigger prevention puzzle. As regulation evolves, fraudsters follow suit, using a wide range of clever techniques to achieve their goals; financial institutions must therefore echo their tactics by employing a range of security measures. To get around the restrictions imposed by CoP, fraudsters will have little difficulty simply creating a new account in the victim’s name as a way of reassuring the victim that any money being moved is being directed into a genuine bank account.
Growing consumer complacency is an additional worry, as some consumers might perceive CoP as an added ‘safety net’ when banking online. Furthermore, while the new regulation will be a huge help in the fight against authorised push payment (APP) fraud, it could simultaneously cause a surge in more complex fraud, meaning we will see an overall reduction in the number of scams taking place, but their value will be far greater.
There is also the requirement for all banks to be on board with CoP for the measures to have any sort of reliability. For CoP to work properly, there needs to be a unified approach from all banks at the same time, i.e. CoP banks have to depend on what security measures their peers have enforced. If a fraudster is able to work out which banks don’t have CoP up and running, they immediately know that the requirement for the customer and the bank account details to match up isn’t in place. The outcome of this is that the last bank to use CoP will be the weakest link. Worryingly, it’s not just the customers of the last bank to implement CoP that will be sitting ducks. It’s a customer from any bank that is sending money to that bank. Implementing CoP involves both doing the check on outbound payments as well as providing the account names to other banks for inbound payments.
Irrespective of the delay, there is an urgent need for banks to implement dynamic authentication journeys now, founded on threat and risk intelligence. By doing so they will have the means to question why an individual is carrying out a payment and flag any risk of fraud – this is a particularly effective way of stopping APP fraud. However, for this system to work successfully, it requires ongoing management and regular updates, which can be quite labour intensive. What’s more, the logic that underpins these types of management systems can be another stumbling block. In the absence of employees with the right skills, continuous policy management and monitoring can become overwhelming.
So, what else can banks be doing to mitigate potential fraud? For them, data is crucial. By making the most of all the information and intelligence they can possibly have access to, they will have a far greater chance of protecting their customers. By entering this data into a strong and dynamic policy manager, which can adapt and be flexible in response to the evolution of financial regulation, banks will have tighter security and it will be easier for them to meet the CoP requirements when they are imposed. Rather than staying focussed on single point elements, banks must view how they manage security far more holistically. Using this approach, they will improve their chances of defeating the fraudsters and will simultaneously facilitate the seamless, friction-free service consumers expect from their digital experiences.