Confirmation of Payee for Bacs is a welcome upgrade, but it could go further
More than 4.5 billion Bacs payments are made in the UK every year, representing roughly 90% of all regular monthly payments via direct debit transactions. But until now, this vital payment system was not secured by Confirmation of Payee (CoP), a payment verification service that Pay.UK first rolled out in 2020.
By the end of 2021, all the SD10 banks will offer CoP, which already protects CHAPS and Faster Payments. The addition of CoP to Bacs represents an important step in the industry’s battle against fraud and will provide more confidence during payment transactions.
However, in its current form, CoP is not yet the silver bullet that will defeat fraud. To realise the full potential of CoP, it requires further development to improve user experience and offer improved protection against crime.
Ozone API already offers a CoP solution that provides more information about a payee before a transaction than the standard CoP check. Ozone’s founders developed the Open Banking standards that are now used around the world and delivered the sandbox and reference implementation for the UK Open Banking Implementation Entity (OBIE).
It has now issued a call for the industry to expand CoP by incorporating different forms of identifying data and improving user experience.
“The addition of CoP to Bacs payment is a welcome move that will make life more difficult for criminals,” said Huw Davies, Chief Commercial Officer of Ozone. “However, the framework is rudimentary at this stage, meaning that the developing CoP is a long way from complete.
“CoP is supposed to add friction when risk is high and reduce friction during ‘safe’ transactions. Yet the way that CoP has been implemented by some banks is confusing and cumbersome, sometimes showing dramatic fraud warnings even after the payee’s details have been verified, causing the payer to worry that their payment will be misdirected, or worse, lead to apathy about the messages.
“The continued evolution of CoP and extension of its use cases is good to see. But we’re still at the beginning of this journey and must continue to think about how to move forward with its development.”
The evolution of fraud
Fraud prevention is one of the areas in which CoP plays an important role. Criminals are changing their tactics, sparking a huge rise in authorised push payment (APP) scams in which fraudsters trick victims into transferring money directly into their accounts.
During the first half of 2021, the losses caused by APP fraud soared by 71% to £355.3 million – overtaking the amount of money stolen in card fraud. In 2020 alone, losses totalled £479m, with the actual figure likely to be much higher due to underreporting.
Earlier in 2021, the Payment Systems Regulator (PSR) reported that SD10 banks and other PSPs had confirmed that CoP has “improved security and strengthened customer confidence when making a payment to a new payee”. Its data also showed a reduction in the number of APP scams experienced by CoP-enabled PSPs.
“With regards to APP fraud, it is likely that CoP has prevented what would otherwise have been a larger increase in scams,” the PSR wrote.
There is cause for optimism in the PSR’s statistics, but the fact that APP is still growing shows that further action is needed.
Chris Michael, Ozone’s Chief Executive Officer, said: “CoP has the potential to combat APP fraud and offer businesses and consumers the reassurance they need when making payments. Unfortunately, the current framework is not complete yet. We need CoP to be much more than just a simple algorithm. The extension of CoP to Bacs is a good move that points to a better, more secure future of payments. But there is still a long road ahead.”
The state of COP
CoP was initially mandated for six banks but optional for others when introduced in 2020. However, earlier this year, the SD10 firms (a group of major banks made up of Lloyds Banking Group, Bank of Scotland, Barclays, HSBC, NatWest, Nationwide and Santander) wrote to the PSR to offer a commitment to deliver a new Confirmation of Payee role profile by the end of 2021.
There is another important date coming in 2022. Phase 1 of CoP will be retired in 2022, with PSPs expected to complete migration to Phase 2 by March 30.
Phase 2 is “aimed at broadening participation in CoP to all account-holding PSPs, not just those that operate accounts with a unique sort code and account number”, according to the PSR. In the first phase, a PSP offering COP was required to be enrolled on the Open Banking Directory, which then allowed them to identify each other and send CoP messages.
The second phase will allow PSPs that do not have full Open Banking membership to access the Open Banking Directory, allowing a wider range of organisations to offer COP as well as offering reduced set-up and running costs.
Phase 2 also includes technical enhancements that will allow PSPs to send and receive Secondary Reference Data (SRD), which is more information than a sort code and account number that allows for account identification.
Ozone believes the expansion of the data available to CoP is a welcome addition to the framework.
Freddi Gyara, Ozone’s Chief Technology Officer, said: “CoP can be improved by adding further capabilities to the Open Banking frameworks which provide additional information when a payment request is made. Ozone’s API solution already allows banks and businesses to draw on a wider range of data, offering greater certainty during a payment transaction.
The evolution of CoP is only beginning. In the future, it will use much more than just a payee’s name, sort code and account number. External validation data from other data sources (such as Companies House or social media profiles) could more accurately help to verify the identity of a payee. Other methods of verification could include biometrics or phone number matching.
“When the framework is complete, it will be a powerful weapon against fraud and remove unnecessary fear or friction from payments.”