Authorised Push Payment (APP) fraud continues to be a growing problem in the UK
Authorised Push Payment (APP) fraud, also known as a bank transfer fraud, is a form of fraud in which victims are manipulated into making payments to fraudsters, typically by social engineering attacks which involve confidence tricks and impersonation. Fraudsters usually contact their victims by phone, email or social media, pretending to be someone else (e.g. the victim’s bank, their accountant or the police). APP attacks are becoming increasingly sophisticated, with fraudsters manipulating electronic communications for a long period of time to gain the confidence of their victims.
Fraudsters target a wide range of payments, from school fees to substantial payments intended for property or commodities. The average loss in APP scams was £3,724 in 2019. However, five and six figures' losses are becoming increasingly common. Fraudsters usually target elderly consumers as they are less tech-savvy or small or medium businesses that are more likely to have larger amounts of money in their current account than Millennials or Gen Z individuals.
APP fraud continues to undergo strong growth in the UK, with losses having increased from £354m (2018) to £456m (2019) – an increase of 29%. Banks returned £116m, which equates to 25% of the total losses. In other words, British consumers and businesses collectively lost £340m as a consequence of APP fraud in 2019. Many of these consumers were severely impacted by APP, with some of them having lost their life savings. APP consequences can be significant and life-changing for consumers (Source: UK Finance – Fraud – The Facts 2020).
UK Finance, with the objective of tackling the APP fraud crisis, wants APP fraud to be included in the new online harms regulatory framework being proposed by the government. In the meantime, UK Payments introduced in May 2019 the voluntary Contingent Reimbursement Model code, which compels banks to reimburse blameless victims. In 2019, a number of cases worth £101.1m were assessed under the code, resulting in reimbursements worth £41.3m. A relatively small amount compared to the total losses (Source: UK Finance – Fraud – The Facts 2020).
When it comes to the reimbursements, the industry is making fair progress. However, the industry has been criticised for its lack of progress to prevent fraud. A new service called Confirmation of Payee (CoP) was introduced 1st April 2020 and the expectation is that APP fraud will be significantly reduced.
What is Confirmation of Payee (CoP)?
Confirmation of Payee (CoP) is an account name-checking service introduced by UK Payments, the re-branded New Payment System Operator, to give payers (consumers and businesses) greater transparency in sending payments to their intended payees (beneficiaries).
Sort codes and account numbers were, until 31st March 2020, only used by banks to determine where a payment was sent in the UK. CoP is adding an extra layer of security to protect consumers and businesses further by enabling them to check that the account name entered matches the account they are planning to pay as well as by alerting payers in case of any discrepancies.
CoP is designed to reduce the risk of funds being sent to a wrong sort code and account number as a result of a human error or a fraudulent attempt.
How does CoP work and does it impact the consumer experience?
CoP’s process is initiated when the payer sets up a new recipient from their bank account to whom they would like to make a payment. When the payer enters payee’s details, a Confirmation of Payee response will be requested from the payee’s bank, who will check if name and account details provided by the payer are correct and will return a response to the payer’s bank reporting that the details are either an exact match, a partial match or not a match at all. This response is displayed for the payer who can either choose to confirm or cancel the payment.
Source: Edgar, Dunn & Company
CoP intends to help keep consumers safe but it also adds ‘friction’ to the payments journey.
Consumers can receive up to seven different messages as an outcome of CoP (as the table shows below). This can be overwhelming for consumers initially. Banks must ensure that the process is implemented as seamlessly as possible and that consumers are ready for the changes.
Source: Lloyds Bank
What does Confirmation of Payee (CoP) mean for consumers and businesses?
CoP will be complemented with a new ‘Contingent Reimbursement Model’ that will provide payers, who have taken due care and received a positive match, with greater protection from financial losses if they have been victims to an APP fraud. However, those consumers who receive either a partial match or a no match and decide to proceed with the payment will not be eligible to benefit from the newly introduced contingent reimbursement model.
According to the UK’s leading consumer guide, Which?, £1.1bn could have been lost due to APP fraud from 2017 to 2019 and of that £320m could have been prevented if CoP would have been introduced in 2017. In other words, CoP could have prevented 30% of total APP fraud. This clearly indicates that unfortunately CoP will not solve all fraud cases but will be a useful tool to combat fraud, making it harder for scammers to operate. Nevertheless, fraudsters are likely to find ways to bypass the name checks.
CoP is mandatory for the six largest UK banking groups only, including Lloyds, Barclays, HSBC, Royal Bank of Scotland, Santander and Nationwide. As a result, there is a relative important proportion of transactions that will not be covered by CoP. Additionally, HSBC, one of the six largest banking groups in the UK, has not been able to confirm when it will be ready to implement CoP. As of 5th April 2020, HSBC is able to respond to CoP’s requests but is not able to send CoP’s requests on behalf of its customers. By contrast, other banks such as Starling Bank, which are not part of the initial roll-out, have confirmed that they will be supporting CoP from 31st March 2020.
As mentioned above, consumers who receive a positive match from CoP will be eligible to be reimbursed. However, if a bank like HSBC does not introduce CoP and consumers fall victim to an APP fraud which CoP could have prevented, consumers will not be protected. In this scenario, regulators should ensure that banks are fully responsible and that consumers are fully reimbursed.
As the table below shows, the readiness to support CoP varies greatly by bank. This will lead to disrupted consumer experience at least during the first months of CoP’s service and will be potentially extended until the end of 2020.
In addition, CoP only covers Faster Payments (including standing orders) and CHAPS in the UK. BACS payments (including direct debits) are not included. CoP applies to both personal and business customers but not always to private customers. This will vary by bank. For instance, Barclays and Santander Private customers should see CoP checks from April 2020 but HSBC Private customers will not.
Nevertheless, the proportion of transactions which has fall victim to fraud is small, less than 1 in 20,000. As a result, the business case of CoP is in doubt. Is it worth building a new service to prevent 1 out of 20,000 cases? Will CoP be able to completely eliminate APP fraud? CoP will be a useful tool to prevent fraud but it is likely that fraudsters will change their methods and target other weak points in the payments value chain.
The success of the implementation of CoP is very much linked to the history of how bank transfers in the UK are perceived to operate prior to CoP. Consumers and businesses commonly believed that the account name was checked as part of the UK’s banking ecosystem. Before CoP, you can enter a correct Sort Code and Account Number but put ‘Donald Trump’ as the payee’s name when their actual name was ‘Mike Smith’. This payment would successfully be processed because the account name was ignored and was not checked in any way. Post CoP, this will not be the case.
CoP is designed to prevent misdirected payments, including the several types of APP fraud. There is an expectation that it will reduce the chance of misdirected payments and some fraudulent activities – where a victim is tricked into sending a payment to a fraudster. Nevertheless, many consumers and businesses are completely unaware of the new account name-checks that are about to be implemented. For many users of the banking system, this will require a change of behaviour which users are notoriously slow to adapt. The customer journey, in setting up a new payment via their bank account smartphone app and internet banking facility, is about to change significantly.
However, there is a danger for CoP to be implemented inconsistently which will lead to confusion. This will only be exacerbated when on the actual ‘go-live date’ not all banks will be ready (e.g. HSBC); smaller banks such as M&S Bank will be delayed and will not be live at the same time as the larger banks that were able to invest in CoP changes. Different banks are meant to have similar checks for the account name. However, for example, a user could have entered only one wrong letter, ‘Toby Young’ should have been typed ‘Tony Young’ – the language of the messaging used to instruct and inform customers through the customer journey is critical in the success of CoP. However, a fraudster could have opened a bank account in the name of ‘Tony Young’ using a stolen identity. After all, there are more than 1,600 Tony Young’s on LinkedIn.
Consumers are keen to know how CoP protects them, not how it protects the banks. Most people understand they are currently liable if they input incorrect bank details. However, people will be less clear about how the liability will change with the introduction of CoP. It is the bank’s responsibility to make sure that their customer journey is carefully designed, and the language of the messaging used to educate and inform users of CoP exceptions, where an account name does not match is fundamental.
Your next payment to Sean (or Shaun), Bryan (or Brian), Jon (or John), or Stephen (or Steven), Michael (or Michael) or Philip (or was that Phillip), could be fraught with problems.
Mark Beresford, EDC Director based in the London office, provided input to the article.
The content of this article does not reflect the official opinion of Edgar, Dunn & Company. The information and views expressed in this publication belong solely to the author(s).