Mobile and online banking give UK bank account holders powerful tools to move money. All powerful tools come with danger: I particularly remember the time when one of my daughters cut the top of her finger off with a hand blender. It was very messy.
It’s just as messy for consumers who are scammed out of their money. Humans are, well, human, and for the practised fraudster it’s relatively easy to convince people to transfer money to them. You will have read the stories: scare scams to protect money, payments for holidays that don’t exist and, probably worst of all, homebuyers tricked into transferring money to fraudsters posing as solicitors.
This type of fraud is called Authorised Push Payment (APP) and resulted in theft of more than £200m in 2017.
Despite the staggering sums involved, in the eyes of the law victims of APP scams have little recourse. By specifying the account number and sort code the sender has, for legal purposes, identified who they want the money sent to – even though they have no idea who that bank account actually belongs to. When it goes wrong, they will find that they have little to no protection and may struggle to get help from the banks involved. They will most likely lose their money.
This is not new news. Which?, the consumer rights group, has raised a super complaint about this topic and the Payment Systems Regulator (PSR) has been busy trying to tackle the problem. So the stakes are high.
Making faster payments safer
Faster Payments - the scheme that allows payments to other accounts to clear in under two hours - is a potent force in UK banking, which has brought real benefits to consumers. But powerful tools should come with enhanced safety features. With the UK’s implementation of Faster Payments, the enhancements seem to have been left out. A six-digit sort code and an 8-10 figure account number are all you need to move thousands of pounds.
Is this really safe enough? The experience of thousands of consumers suggests not.
The process by which consumers transfer money is a big part of this. Along with the sort code and account number, most banks will ask you to enter an account name for the person receiving the money. This field, which could act as a control, is, today, totally ignored. The information isn’t checked by your bank or the receiving one. So the reality is that you could indicate that you think you are sending your money to ABC Solicitors but the receiving bank will happily deposit into Joe Smith’s account.
One of the potential safety features often mentioned is Confirmation of Payee. This feature already exists in payment mechanisms like PayM. For new beneficiaries, it works like this:
1. User enters payment details, checks and confirms payment.
2. The potential receiving bank replies: 'If you confirm, we will apply this payment to Joe Smith who operates a student account at our bank.'
3. The user either confirms or realises that Joe Smith isn’t ABC Solicitors and doesn’t.
It could equally work like this:
1. User enters payment details, including legal name, checks and confirms payment.
2. The receiving bank checks the account against the legal name. If it is wrong, it replies: 'You wanted to send money to ABC Solicitors - that is not the legal name on the account.'
3. The user checks and corrects the legal name or cancels the payment.
This method is a potentially powerful control. It won’t solve everything: some users will be convinced by the scammers that Joe Smith now works at ABC Solicitors, but most won’t.
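The second flow above, sketched as the receiving bank's side of the check. This is an added example, not code from the article or from any bank or payment scheme; the ledger, outcome names, suffix list and 0.85 close-match threshold are assumptions. It goes slightly beyond the text by adding a "close match" outcome for near-miss spellings.

```python
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed sample ledger at the receiving bank: (sort code, account number) -> legal name.
ACCOUNTS = {
    ("112233", "12345678"): "ABC Solicitors LLP",
    ("112233", "87654321"): "Joe Smith",
}
SUFFIXES = {"ltd", "limited", "llp", "plc", "mr", "mrs", "ms", "dr"}
CLOSE_MATCH_THRESHOLD = 0.85  # assumed cut-off, not taken from any scheme rulebook


@dataclass(frozen=True)
class PayeeCheck:
    outcome: str   # MATCH, CLOSE_MATCH, NO_MATCH or ACCOUNT_NOT_FOUND
    message: str   # text the sending bank shows before the user confirms


def normalise(name: str) -> str:
    """Fold case, accents, punctuation, '&' and titles/company suffixes."""
    text = unicodedata.normalize("NFKD", name)
    text = text.encode("ascii", "ignore").decode().lower().replace("&", " and ")
    words = re.sub(r"[^a-z0-9 ]", " ", text).split()
    return " ".join(w for w in words if w not in SUFFIXES)


def confirm_payee(sort_code: str, account_number: str, claimed_name: str) -> PayeeCheck:
    """Receiving-bank check of the payer's claimed name against the legal name."""
    # Six-digit sort code and 8-10 digit account number, as described in the article.
    if not re.fullmatch(r"\d{6}", sort_code) or not re.fullmatch(r"\d{8,10}", account_number):
        return PayeeCheck("ACCOUNT_NOT_FOUND", "Check the sort code and account number.")
    legal_name = ACCOUNTS.get((sort_code, account_number))
    if legal_name is None:
        return PayeeCheck("ACCOUNT_NOT_FOUND", "Check the sort code and account number.")
    claimed, legal = normalise(claimed_name), normalise(legal_name)
    if claimed and claimed == legal:
        return PayeeCheck("MATCH", f"The account name matches {claimed_name}.")
    if claimed and SequenceMatcher(None, claimed, legal).ratio() >= CLOSE_MATCH_THRESHOLD:
        return PayeeCheck("CLOSE_MATCH",
                          f"{claimed_name} is close to, but not exactly, the legal name on the account.")
    # The account holder's name is deliberately not disclosed on a mismatch.
    return PayeeCheck("NO_MATCH",
                      f"You wanted to send money to {claimed_name} - that is not the legal name on the account.")
```

Unlike the first flow, this variant never returns the account holder's name on a mismatch, so the check cannot be used to look up who owns an arbitrary account.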
The banks will continue to be liable for having the correct legal name against an account. It should not be possible to open an account for Joe Smith but with the account name of ABC Solicitors.
The good news is that Confirmation of Payee is now straightforward to implement. The Open Banking framework makes this type of interaction between banks relatively easy. Banks and other regulated financial services participants are already exchanging secure operational messaging using robust and modern application programming interfaces. All that’s required to implement a Confirmation of Payee message and response is the collective will to do it. And it should be quick, 'the work of a wet weekend,' claimed one developer.
Thankfully the PSR is now creating the momentum behind the required collective will.
The original Payment System Strategy was targeting 2021 as the deadline for implementing Confirmation of Payee on a new payments platform. The PSR establishes that this is not soon enough. A new code of conduct is now due at the beginning of 2019. If a bank doesn’t seek and evidence Confirmation of Payee, it will be liable for any loss.
There are a few ways to implement Confirmation of Payee; however, re-using the work that underpins the implementation of Open Banking seems like a good place to start. Good infrastructure facilitates rapid reuse.
So there are bright spots on the horizon and 2019 can’t come fast enough. Until then, we could all do with paying a little more attention when handling the powerful tools of today’s online banking.