Will expanding Confirmation of Payee stop authorised push payment fraud?

It comes in many different flavors from romance fraud to invoice fraud to executive impersonation fraud. Authorised push payment (APP) fraud has been on the rise since the pandemic started.  Push payment fraud cases have risen in the UK by 71% in the first half of 2021, surpassing card fraud losses for the first time. In fact, incidents are spreading so rapidly there that Bottomline’s General Manager & Director, Payments, Ed Adshead-Grant, recently referred to push payment fraud as the ‘digital COVID’ of fraud in the recent webinar, “How to stop APP fraud – the billion-pound question?” Adshead-Grant explains that with at least eight different types of authorised push payment fraud, many of which can be executed through the click of a button, almost everyone knows someone who has been exposed to this type of attack.

For UK banks, which are increasingly on the hook for reimbursing victims of these scams, the first layer of protection against push payment fraud is the adoption of Confirmation of Payee (CoP). Confirmation of Payee was developed in the UK to ensure that entities receiving payments are indeed the intended recipients. The early success of Confirmation of Payee can be partly measured by the fact that scammers have begun to target financial institutions that are not using Confirmation of Payee, which of course makes them more vulnerable to push payment fraud. While CoP can prevent banks that adopt it from being successfully scammed when sending funds, it can fall short when the receiving bank has not implemented CoP and the payee can’t be confirmed. In the UK that equates to about 1 in 10 payments that are not protected.

In addition to Adshead-Grant, the webinar featured executives on the front line of push payment fraud including Dr. Louise Beaumont, Chair, Open Finance & Payments Working Group, techUK; Nick Davey, Payment Specialist, Payment Systems Regulator; Mark Jones, Overlays Product Manager, Business Development Team, Pay.UK; and, Ted Sidgwick, Proposition Specialist, Open Banking.

The webinar is full of authorised push payment fraud insights from the panelists. We’ve identified five key takeaways:

1. Defining the participation gap: There are about 1,800 financial institutions in the UK that are candidates for Confirmation of Payee. According to Pay.UK’s Jones, 33 of those are currently using CoP. That number is expected to grow to an estimated 60 by the end of 2022. Part of the low adoption issue can be attributed to the fact that Confirmation of Payee was initially limited to Faster Payments and CHAPS (Clearing House Automated Payments System). But it’s been recognised that there are much broader use cases for CoP including verifying payroll details, supplier accounts, and even direct debit.
    
2. The case for corporates: Adshead-Grant made the point that corporates can be included in the Confirmation of Payee scheme. He’s had many customers ask when CoP will be ready for them, so he feels the time is right to start that conversation. The technology is already in place, it’s just a matter of changing the rulebook – especially if there is a willingness and an ability to plan for the extra stakeholders in the system. As Adshead-Grant said, the more checkpoints in place across the full payment lifecycle, the fewer entry points for fraudsters  – a win-win for everyone in the system.
    
3. The mandate issue is still alive: As PSR’s Davey pointed out, the only companies who can join Confirmation of Payee are PSPs who have a unique sort code and account number. As the program exits phase one, which focused on the biggest banks, and enters phase two, a mandate to include CoP is under discussion. Davey said the thinking is based on protecting the consumer as well as banks. Whether the PSR mandates or not, he’s hoping that banks see this consumer-based need. Driving participation numbers through mandates are not the goal; wider adoption for the sake of push payment fraud protection is.
    
4. Open banking has a part to play: 2022 has been called a transitional year for open banking in the UK. As consumers green light more data sharing, any kind of fraud will be a key consideration and therefore the two issues are connected. Sidgwick told the audience that “smart mandates” might help drive the necessary participation from PSPs to create more trust in the open banking-consumer ecosystem. But beyond the mandate issue, he also stressed the need for collaboration between the PSR and open banking advocates to help new entrants understand the opportunity and the challenges that were faced by the big banks in phase one. For example, technology setups have been achieved by some banks, and they could then share learnings with others. As the ecosystem changes to allow open banking, said Sidgwick, Confirmation of Payee will be a welcome addition for consumers.
    
5. Confirmation of Payee is not a silver bullet: Adshead-Grant noted that CoP is in the scaling stage, and as such it will have a positive effect but should not be seen as a panacea for push payment fraud. “We're all having a sweepstakes on a billion pounds in losses by year-end,” Adshead-Grant said. “The majority of losses are still being pushed to consumers and businesses. And in the UK fraud levels are now deemed a national security threat. It undermines the trust of Faster Payments, in particular. So, it's an endemic problem for all of us to try and get our head around.”