In the first half of 2019, Authorised Push Payment (APP) fraud, where fraudsters dupe individuals or businesses into authorising a payment to an account which is controlled by a criminal, accounted for 57,549 cases representing a loss of £208m[1]. Whereas the finance industry is relatively successful in stopping two-thirds of unauthorised fraud, recoveries of £39.3m of APP losses over this period represent a success rate of less than 19%.
To enhance the finance industry's defences against APP scams, the Payment Systems Regulator (the regulator for payment system operators, banks, building societies and other payment service providers[2]) has issued a specific direction[3] for the implementation of Confirmation of Payee (CoP) verification. CoP is a new verification process for electronic bank transfers which checks the name of the payee against the details provided by the payer. To make a valid payment instruction, the payee will need to state the correct account name, account number and sort code.
The regulator's direction is to the Lloyds, Barclays, HSBC, Royal Bank of Scotland and Santander banking groups[4]. It required the introduction of CoP to Faster Payment Scheme and CHAPS transactions[5] by 31 March 2020. However, because of the COVID-19 pandemic, the regulator has informed the directed banks that, if they are unable to implement CoP fully by 31 March[6], they must take appropriate steps to roll out CoP, taking into account the impacts of COVID-19, even if that means they do not meet the original 31 March 2020 deadline.
The regulator expects the directed banks to ensure customers who would have benefitted from the protections of CoP are not otherwise disadvantaged from any COVID-19 related delay, including refunding victims of fraud if CoP would have prevented it from happening. The regulator will keep these arrangements under review as the wider impacts of COVID-19 are better understood.
There are four possible outcomes from the CoP check when you are arranging a payment[7].
Yes, match: If you have used the correct account name, you will receive confirmation from the payee's financial provider that the details match. You can then proceed with the payment.
No, close match: If you have used a similar name to the account holder, you will receive a CoP response stating the actual name of the account holder for you to confirm. If you recognise the name submitted, you can opt to proceed with the payment. Alternatively, you will be able to update the details and try again or contact the intended recipient to confirm their details.
No match: check before proceeding further: If you have entered details for the named account holder which do not correspond with the details held by the account provider, you will receive notification that the details do not match. If you receive a no-match notification, you should be alert to the possibility that fraudsters are targeting your business. With a no-match response, you will not be able to see the actual name on the non-matched bank account.
Confirmation of Payee unavailable: Where an account is not available through the CoP system, whether temporarily or otherwise, you will receive notification that the account is unable to be checked. CoP unavailability does not necessarily mean that fraudsters are targeting your business, but that the payee account is not on the system.
With no-match or CoP unavailable responses, it becomes even more critical that payee information is properly authenticated before transferring money. Recent guidance on layered controls for this is available on the QBE Document Library[8], and QBE policyholders can use our Fraud Prevention Questionnaire and Toolkit (requested via qrisk.support@qbe.com) to assess and strengthen their fraud resilience.
For a detailed description of the CoP process from both business and customer perspectives, please visit the UK Finance website (https://www.ukfinance.org.uk/confirmation-of-payee).
Turning to incoming payments, you should ensure that your business account name is stated clearly in relevant correspondence with customers, as your account name might be different from your trading name.
Mark Casady, Underwriting Manager - Financial Lines, has welcomed the news that the major High Street banks are implementing CoP:
With the implementation of CoP, your banking arrangements should form part of the next review of your Fraud Prevention Policy. We recommend that, as a minimum, you review your Policy annually as a pro-active measure to combat fraud. Where client and other accounts are held with banks that do not support CoP verification, you should review the risk management benefits of CoP given your operations and decide if relocating your account(s) is appropriate.
It is important to remember that BACS payments are not yet covered by CoP protection and we have seen an uptick in fraud involving fake change requests for salary payments (typically made by BACS). It is therefore imperative that any changes to bank details by individuals or businesses are always verified by getting in touch with the true contacts in person to ensure the request has not been made by a fraudster using a spoof email address or a hacked email account.
Neil Hare-Brown, CEO of STORM Guidance, cyber risk and breach response experts, was keen to point out:
We should never underestimate the ingenuity of determined fraudsters to adapt to changing technology. CoP is not a panacea that will allow electronic payments to be made without any risk of fraud. There is also the danger that individuals and organisations, lulled into a false sense of security, might lower their guard. What CoP represents is another important tool in your fraud prevention armoury in the ongoing fight against fraud.
Understand the cyber risks your business faces
QBE has developed a tool to help you analyse and understand the cyber security risks your organisation faces. It provides a benchmark against which to measure your processes and risk controls, so you can be sure you’re properly protected. Simply complete the online assessment, and you’ll receive a report and recommendations individually tailored to your business. You can also use this tool to request a cyber insurance quote if you wish. Email us to begin the process.
Cyber Essentials Scheme
Lexcel and the Conveyancing Quality Scheme consider the Cyber Essentials accreditation to be an important factor for ensuring practices have the basic security controls. A free online support tool is available that will help you implement the scheme’s requirements.
1) https://www.ukfinance.org.uk/press/press-releases/banking-industry-stops-£45-million-fraud-day-first-half-2019
2) https://www.psr.org.uk/psr-ps-151-new-regulatory-framework-payment-systems-uk
3) https://www.psr.org.uk/psr-publications/policy-statements/specific-direction-10-confirmation-of-payee
4) https://www.psr.org.uk/media/gp2juzmq/psr-specific-direction-10-confirmation-of-payee-february-2020.pdf
5) https://www.psr.org.uk/media/gp2juzmq/psr-specific-direction-10-confirmation-of-payee-february-2020.pdf
6) https://www.psr.org.uk/psr-publications/news-announcements/psr-update-on-implementation-of-CoP
7) https://www.ukfinance.org.uk/confirmation-of-payee
8) https://qbeeurope.com/document-library/risk-solutions/fraud-prevention-important-reminder/