Has Confirmation of Payee Reduced APP Fraud?

Originally announced in October 2018 but not made mandatory at major banking groups until June 2020, Confirmation of Payee (CoP) took a considerable amount of time to get up and running, especially considering the huge problem it was trying to fix. Given the rise in authorised push payment (APP) fraud, has the CoP effort been a success, or do we need to do more?

Authorised push payment fraud is one of the biggest concerns in the digital payments industry. According to UK Finance, more than £580m was lost to this type of fraud in the UK in 2021, a 40 percent increase year-on-year.

The wheels began turning towards CoP in September 2016 when Which? filed its super complaint with the Payment Systems Regulator. Which? was worried there was not an appropriate level of security around push payments compared to other types of scams. Four years later, banks were directed to implement CoP.

Before CoP was introduced, account names were not robustly examined when setting up a new payee. Payments were made to sort codes and account numbers, making it considerably easier for fraudsters to trick someone into sending them money. CoP is essentially a name-checking service, making sure the transaction matches the name on the recipient’s account.

Issues with CoP

Any new tool against fraud is a welcome addition. But criminals are quick, creative, and ruthless, so it is essential to introduce new security measures regularly. CoP is not a silver bullet and should not lead to complacency.

We also need to consider the functionality of CoP and whether it is giving away too much information. Fraudsters are meticulous and looking for any chink in the anti-fraud armoury, however insignificant it might appear.

When setting up a payment, if the intended recipient is named James but the payer accidentally types Jamie, the bank will flag this. In some cases, it will go as far as stating that the correct name is James. Whilst this is a great tool to avoid honest mistakes, this is also the type of information that fraudsters can benefit from. They can set up incorrect transactions of their own, knowing that the bank will suggest the correct name. With a name, account number, and sort code in hand, fraudsters are well-equipped to steal. A fraudster who has a customer under their spell can also easily provide a convincing explanation as to why names don’t match.
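One way a bank could watch for the misuse described above, as an added example that is not part of the original article and not any bank's or CoP scheme's own code: it flags payers whose lookups keep revealing registered names on close matches without payments following. The event fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of CoP lookup events (not real data). The field names are
# assumptions: who ran the check, which account was checked, the CoP outcome,
# whether the response revealed the registered name, and whether a payment followed.
def _e(payer, account, outcome, disclosed, paid):
    return {"payer": payer, "account": account, "outcome": outcome,
            "name_disclosed": disclosed, "paid": paid}

EVENTS = [
    _e("cust-1", "acct-A", "close_match", True, True),    # typo, corrected, paid
    _e("cust-1", "acct-B", "match", False, True),
    _e("cust-2", "acct-C", "close_match", True, False),   # names revealed,
    _e("cust-2", "acct-D", "close_match", True, False),   # nothing ever paid
    _e("cust-2", "acct-E", "close_match", True, False),
    _e("cust-2", "acct-F", "close_match", True, False),
    _e("cust-3", "acct-G", "close_match", True, True),    # clumsy typist who
    _e("cust-3", "acct-H", "close_match", True, True),    # does go on to pay
    _e("cust-3", "acct-I", "close_match", True, True),
]

def flag_name_harvesting(events, min_accounts=3, max_paid_ratio=0.25):
    """Return payers whose lookups look like name collection rather than payment.

    A payer is flagged when close-match responses disclosed the registered name
    for at least `min_accounts` distinct accounts and at most `max_paid_ratio`
    of that payer's lookups were followed by a payment.
    """
    disclosed = defaultdict(set)   # payer -> accounts whose name was revealed
    lookups = defaultdict(int)     # payer -> total CoP checks
    paid = defaultdict(int)        # payer -> checks followed by a payment
    for e in events:
        lookups[e["payer"]] += 1
        paid[e["payer"]] += int(e["paid"])
        if e["outcome"] == "close_match" and e["name_disclosed"]:
            disclosed[e["payer"]].add(e["account"])
    flagged = {}
    for payer, accounts in disclosed.items():
        ratio = paid[payer] / lookups[payer]
        if len(accounts) >= min_accounts and ratio <= max_paid_ratio:
            flagged[payer] = {"accounts": sorted(accounts), "paid_ratio": ratio}
    return flagged

if __name__ == "__main__":
    print(flag_name_harvesting(EVENTS))
```

The paid-ratio condition is what separates the honest mistakes the article mentions from collection of names: cust-3 triggers as many disclosures as the threshold requires but completes every payment, so only cust-2 is flagged.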

CoP means nothing without a robust application fraud process. Unfortunately, it is all too easy to open accounts fraudulently, which renders CoP useless, in the same way that DeviceIDs lost potency when fraudsters seized on APP fraud. Banks should also look out for a blend of APP and account takeover fraud, where fraudsters change the name on the recipient account so it matches the name the scammer is trying to convince the victim to send money to.

What’s the Answer?

What banks need is a multi-layered approach (of which CoP is a useful addition) to stop any potential danger slipping through. And all those affected need to contribute. Consumers and businesses can no longer lean on their banks for security and reassurance; they must take proactive steps to educate themselves and be aware. Banks and regulators must make full use of the tools available to them to match the fraudsters’ pace and creativity.

One key way banks can step up their game is to profile customer behaviour. Regardless of the type of fraud being committed, fraudulent transactions will look out of character when compared against usual behaviour. Fraud models can be trained to specifically look for signs of APP fraud; FICO made such models available last year. Such models should be at the core of every multi-layered approach. Banks can also send customized communications to customers who are potentially in a ‘live’ APP fraud scenario, rather than just generic messaging at payment initiation. Measures such as these can help stop the ‘scamdemic’.