UK banks unprepared for new anti-fraud requirements

The extent of the technological changes required to comply with Confirmation of Payee (CoP) rules forced banks to petition heavily for a delay to enforcement, according to payments market participants.

The Payment Systems Regulator (PSR) issued a direction at the start of August to the six largest banking groups in the UK, declaring that they should have CoP fully implemented by March 31, 2020. The original deadline was July 1, 2019.

Willem Wellinghoff, chief compliance and legal officer at Shieldpay, says the delay is primarily due to “the technical and data infrastructure required between financial institutions, and the changes introduced as a result of the second Payment Services Directive (PSD2), Open Banking and Brexit.”

“The banks bleated, and the regulator delayed it,” says Gary Prince, chairman at SmartTrade App and former vice president of UK mobile payments at Barclays. “Banks can complain that they have too much to do because of PSD2 and strong customer authentication (SCA) but it just seems like a convenient excuse for them. What’s going to happen come March next year if they’re not ready? A date is only a date if you stick to it.”

Chris Stephens, head of banking solutions at Callsign, believes that CoP will require extensive technological change. “The new CoP systems requires banks to implement significant updates to their IT and payment processing systems,” he said in an email. “For the regulation to be effective, the banks want to be 100 percent sure that the technology is ready, so that fraud can be tackled effectively.”

First announced in October 2018 with an open consultation, CoP has been proposed as a solution to authorised push payment (APP) fraud in the UK. APP fraud involves a criminal posing as a legitimate company to convince a victim to transfer them money. Banks currently only check the bank account number and sort code of the intended recipient, not the account name. Under CoP the account name would be checked, preventing transactions to fraudsters impersonating legitimate companies.

Mixed response

Responses to the PSR’s opening consultation raised concerns about the implementation timeframe. Payment service providers (PSPs) were due to be capable of receiving and responding to CoP requests by April 1 before full implementation in July.

UK bank TSB said at the time that “implementation of CoP within the timelines suggested will likely result in higher cost and a reduction to the near-term benefits resulting from the risk of incomplete market coverage … delaying implementation is likely to lead to an improved cost-benefit position.”

A spokesperson of the PSR said over email that “there was overall support for the proposal for a direction with useful feedback on its design and proposed deadlines. When we took the feedback into account, we carefully considered the best approach and issued an alternative consultation for our specific direction.”

For Prince, there remain some questions that need to be addressed with CoP. An example is the issue of name variance – someone trying to pay an account with the name Tony instead of Anthony – but from a business perspective CoP is vital so that consumers know who exactly they’re paying.”

Prince adds that there is a discussion going on in the industry now about whether go-lives for mandates like CoP should be coordinated by the banks or whether each should go live when ready. “It would show who are the good banks and who are the bank banks, who is able to deliver on time and who isn’t. We have smaller banks, and challengers like Monzo, Starling, or Atom who might be able to make these changes faster.”

According to the PSR spokesperson, smaller banks “will likely want to give their customers the same level of protection that is on offer by the directed banks and, for this reason, will have a strong incentive to implement CoP as soon as they can. We understand that several smaller banks are looking to deliver CoP to a similar timeline”.

For Wellinghoff, the implementation measures were too ambitious to start with, but there is a code that can patch over the gap between now and March 2020. “Customers will have to wait several years to feel the true impact of CoP within the banking infrastructure. In the meantime, a voluntary code that is known as the Contingent Reimbursement Model has been released that most banks will be subscribing to to reimburse any payer who has been subjected to APP fraud.”

Related reading