Is the Confirmation of Payee Delay the Least of Our Worries?
The Confirmation of Payee (CoP) scheme was first introduced in 2018 as a solution to high levels of banking fraud.
The protocol is designed to make sure that during a transfer, the name of the recipient exactly matches the name on the account receiving the funds. Intended to give greater assurance when it comes to transactions, CoP helps users to avoid directing payments to the wrong account.
It was then announced in 2019 that the name checking service would be delayed until March 2020 at the earliest. But given the security implications, Chris Stephens, Head of Banking Solutions at Callsign, asks: why has the deadline been pushed back?
After a consultation with groups in the industry, The Payment Systems Regulator (PSR) deemed the expected implementation deadlines “unachievable”. However, with the personal details of consumers at risk, banks are searching for various ways to address fraud to keep their customers secure. This is especially important given that in 2018, a total of £1.20 billion was stolen from the banking industry by those committing fraud. Justifiably, there has been a great deal of worry that this delay will leave consumers at risk of fraud. But many people are questioning whether its introduction will really help to reduce fraud levels, and if there are any other measures banks can be put in place to keep their customers money safe and secure?
While it seems like a logical way of combating bank fraud, putting the CoP scheme into practice will probably only work to a certain degree. A fraudster’s natural reaction to any such regulation is to improve upon their current skillset and work out a means to bypass the new security infrastructure and regulations. In the context of CoP, all a fraudster would have to do is set up a new account in the victim’s name to give the victim further confidence that they are transferring money to a “secure account.”
Another problem that can potentially arise is the idea that customers will become complacent when it comes to security due to the belief that CoP provides them with another layer of protection. Even though CoP will absolutely protect customers against crimes such as authorised push payment fraud, the scheme could leave them vulnerable to more advanced types fraud which are of far higher value.
In addition, almost every bank would have to implement CoP for it to be successful. While the decision to implement the scheme is down to each individual bank, The Payment Systems Regulator has said that Lloyds, Barclays, HSBC, Royal Bank of Scotland, Santander, and Nationwide Building Society, which together account for about 90% of bank transfers, must all have their CoP schemes up and running by March next year. Banks that don’t sign up to the scheme would automatically become targets in the eyes of fraudsters as they won’t need the details of the bank account to match the name of their intended target. Therefore, there would have to be a more collaborative approach from banks for the implementation of CoP to work.
While the decision to implement the scheme is down to each individual bank, The Payment Systems Regulator has said that Lloyds, Barclays, HSBC, Royal Bank of Scotland, Santander, and Nationwide Building Society, which together account for about 90% of bank transfers, must all have their CoP schemes up and running by March next year.
Regardless of when CoP will be introduced, there are other tools to help banking customers tackle fraud, such as dynamic authentication journeys, which requests that a user states why they are conducting a transaction and offer fraud warnings, that are very effective at preventing APP fraud. However, the logic behind these policies can be complex and they require constant monitoring in order to be kept up to date. Once the implementation of these dynamic user flows has been done, it also highlights the question about how the outcomes can be accessed by the third parties that leverage a bank’s Open Banking APIs.
To have any chance of reducing banking fraud, it’s crucial that financial organisations today use all the relevant information they have to generate a full picture of their customers. It is imperative that they utilise the data at their fingertips in order to safeguard their customers while still providing the seamless, friction-free service they demand. A customer’s digital presence will only be protected from fraudsters once banks look at all the elements of security as interconnected, rather than separate components.
By feeding data into a strong and dynamic policy manager that can be nimble and adaptive, banks will be better compliant and secure while at the same time provide robust user journeys that provide the right amount of friction when necessary. By having a more holistic approach to security, rather than focusing on single point elements, they have a far better chance of beating the fraudsters and allowing their customers to live their digital lives uninterrupted.