The deadline for UK banks to implement Confirmation of Payee has been extended to March 2020 — Chris Stephens, head of banking at identity authentication firm Callsign, gives his verdict

online payment

Confirmation of Payee is designed to protect customers against payment fraud


Following the delay to Confirmation of Payee standards in the UK, Chris Stephens, head of banking solutions at identity authentication firm Callsign, gives his perspective on the scheme’s prospects for fighting payment fraud.


The Confirmation of Payee (CoP) scheme, a system that has been created to make sure that names match on transactions in order to reduce fraud, was scheduled to be introduced in the UK in July this year.

However, in August it was announced that its implementation will be pushed back until March 2020, sparking concerns that consumers will be exposed to scams until it is in place.

Reassuringly, the Payment Systems Regulator has stated that Barclays, HSBC, Lloyds, Royal Bank of Scotland, Nationwide Building Society and Santander — which combined are responsible for roughly nine out of ten bank transfers — must all have their CoP schemes in operation before the aforementioned deadline.

At the moment, banks don’t actually have the capability to check the name on the account that the money is being paid into.

With the introduction of CoP, financial institutions will have a means of providing end users of payment systems increased confidence that they will be sending their payments to the right individual.


Original Confirmation of Payee deadline was ‘unachievable’

In 2018 alone, more than £354m ($ 430m) was lost to bank transfer fraud, where criminals managed to scam their victims into permitting payments into their bank accounts.

CoP is essentially a bank account name-checking service intended to stop payments being misdirected into the wrong account as a consequence of someone making a mistake during the payment process.

confirmation of payee
Chris Stephens, head of banking solutions at Callsign (Credit: Callsign)

According to The Payment Systems Regulator, the main reason why CoP has been pushed back is because the projected implementation deadline was “unachievable” — a conclusion that was made following a consultation with various groups within the industry.

Although there are many people within the industry worried about what the delay could mean for consumers, in terms of being exposed to fraudulent activity, there is also a cohort who question whether CoP will actually make a difference.


Confirmation of Payee scheme is no ‘silver bullet’ in the fight against bank fraud

So, will the introduction of CoP truly help to reduce the number of fraud cases, and can banks be implementing other security measures in the meantime to make sure their customers’ payments are safe and secure?

Of course, there are some benefits that CoP will bring to help combat the issue of bank transfer scams, but it shouldn’t be considered the panacea.

Fraudsters are creative and use multiple techniques to achieve their objectives, therefore banks must consider a range of different approaches to keep their customers safe.

Criminals also constantly develop their scamming techniques to reflect changes to the latest regulation legislation.

To bypass CoP, it will be relatively easy for them to just create a new account in the victim’s name to gain additional reassurance that they are transferring their money to a legitimate account.

Another concern is that CoP will fuel consumer complacency, and that they will expect it to provide an additional ‘safety net’ for their banking activities.

And although it will absolutely help tackle the issue of authorised push payment (APP) fraud, it could also open up an opportunity for more complicated fraud resulting in scams that are less frequent but of a far higher value.

For CoP to be completely reliable, all UK banks must execute the control simultaneously.

One of the main responsibilities for financial institutions is to look after the money in their customers’ accounts, but CoP banks have to rely on what security measures their peers have in place.

confirmation of payee
Banks are responsible for keeping their customers’ money safe

As soon as criminals find out which institutions don’t have CoP in place, they know that they won’t need the name of the customer and the bank account details to match up.

This essentially means that the final bank to apply the required processes will be the weakest link, and fraudsters will automatically target those institutions.

For CoP to be the silver bullet necessitates the banks to have a coordinated implementation.


Banks must get ahead of Confirmation of Payee and begin developing additional security measures

Regardless of the shifting deadline, banks should start implementing dynamic authentication journeys based on risk and threat intelligence.

By taking this approach, where required, they are able to ask a user why they are undertaking a payment and offer caution about fraudulent activities.

This is known to be an excellent way to prevent APP fraud. Yet, for this to work properly these policies need to be managed on an ongoing basis and updated as required.

An additional challenge is how complicated the logic behind these management systems can be.

If an organisation doesn’t have access to an appropriate policy manager, then this constant monitoring can be very time-consuming.

The best way for banks to make any progress in the fight against fraud is for them to leverage all the data they have access to.

In order to protect their customers while simultaneously providing the seamless, friction-free service they expect from their digital experiences, it is imperative they tap into all the intelligence available to them.

By inputting this data into a strong and dynamic policy manager, which is flexible and agile, banks will be secure and will find it simpler to meet the requirements of CoP.

Instead of concentrating on single point elements, banks need to approach security in a more holistic way.

Doing so will give them a better chance of beating the fraudsters while at the same time causing minimal disruption to the digital lives of their customers.