Confirmation of Payee: The Solution for Authorised Push Payment Fraud?
Posted February 13, 2019
In the first half of 2018 alone, online fraudsters stole more than £500m from UK banking customers according to UK Finance. A total of £145m of that was lost through what is known as Authorised Push Payment (APP) scams. APP scams are scenarios in which banking customers are contacted by fraudsters, usually purporting to represent someone in a position of trust – such as a bank official or a police officer – and are duped into sending a payment to a mule account controlled by the fraudster.
Banks are legally obligated to refund victims of unauthorised transactions. Unauthorised transactions are executed by a fraudster without the knowledge or consent of the account holder. However, victims of APP fraud have no equivalent legal protection and are often forced to foot the loss themselves. Given the nature of APP scams, the average loss in pounds in these cases is often higher than the average loss in a more traditional fraud attack, such as malware or account takeover. As a result, the repercussions of APP fraud are often devastating for both personal and business banking customers and can have life-changing consequences. Sadly, data also shows that it is older, and often more vulnerable, members of society who are likely to fall victim.
To attempt to control this fast-growing problem, UK banks will introduce Confirmation of Payee (CoP) by July 2019. CoP will allow customers that are sending payments to check that the name on the beneficiary account matches that of their intended recipient. CoP is already live in other countries in Europe, and similar name-checking mechanisms already exist in payment facilities such as Paym in the UK. However, this 2019 initiative will bring name checks to the UK masses.
Here is how it will work:
So on paper this sounds great and will undoubtedly prevent some APP fraud cases. But is it the silver bullet? I suspect not, and I have laid out below some possible drawbacks and limitations to the solution.
How many of us have been guilty of entering ‘Mum’ or the nickname of a friend when creating a beneficiary, instead of adding them under their true name? This, along with many other possible reasons, will of course generate a NO MATCH response from the beneficiary bank's name-matching algorithm. In fact, data shows that only around 60% of all beneficiary creations would currently receive a MATCH response – meaning that 40% will return either POSSIBLE MATCH or even NO MATCH. This presents a problem not only for fraudsters, but also for genuine customers and for banks that will need to manage and resolve these failures.
This means that as a single line of fraud defence CoP will not be a silver bullet. While the 60% match rate will likely increase over time as consumers become more familiar with the logic behind CoP, it will always have to be a contributing feature in an integrated, risk-based customer decisioning and education process. It will serve as another deterrent – not a new stand-alone fraud solution.
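To make the three outcomes above concrete, here is an added illustration in Python that is not part of the original post and is not Pay.UK's or any bank's actual CoP matching rules. It sketches a CoP-style name check (normalisation, then MATCH / POSSIBLE MATCH / NO MATCH) and a toy risk-based payment decision in which the CoP result is one signal among several, so that a MATCH on a large payment to a new payee still triggers a warning. The normalisation rules, the similarity threshold, the score weights and the sample names are all assumptions made for the example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed example: illustrative rules only, not any scheme's real algorithm.
TITLES = {"mr", "mrs", "ms", "miss", "dr", "prof"}


def normalise(name: str) -> str:
    """Lower-case, strip accents and punctuation, drop titles, collapse spaces."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(w for w in text.split() if w not in TITLES)


def _initials_match(a: str, b: str) -> bool:
    """True when surnames agree and every forename is equal or an initial of the other."""
    wa, wb = a.split(), b.split()
    if len(wa) != len(wb) or wa[-1] != wb[-1]:
        return False
    return all(
        x == y or (len(x) == 1 and y.startswith(x)) or (len(y) == 1 and x.startswith(y))
        for x, y in zip(wa[:-1], wb[:-1])
    )


def cop_check(entered_name: str, account_name: str, threshold: float = 0.8) -> str:
    """Return MATCH, POSSIBLE MATCH or NO MATCH for the name the payer typed.

    threshold (assumed) is the character-similarity ratio above which a
    near-miss such as a typo is reported as POSSIBLE MATCH rather than NO MATCH.
    """
    a, b = normalise(entered_name), normalise(account_name)
    if not a or not b:
        return "NO MATCH"
    if a == b:
        return "MATCH"
    ratio = SequenceMatcher(None, a, b).ratio()
    if ratio >= threshold or _initials_match(a, b):
        return "POSSIBLE MATCH"
    return "NO MATCH"


def payment_decision(cop_result: str, amount: float, typical_amount: float, new_payee: bool) -> str:
    """Toy risk-based decision: CoP is one input, never the verdict on its own.

    Weights are assumed for illustration. A MATCH contributes nothing to the
    risk score, which is the point: it must not be read as a clean bill of health.
    """
    score = {"MATCH": 0, "POSSIBLE MATCH": 2, "NO MATCH": 4}[cop_result]
    if new_payee:
        score += 2                       # first payment to this beneficiary
    if amount > 3 * typical_amount:
        score += 3                       # well outside the customer's normal spend
    if score >= 6:
        return "HOLD_FOR_REVIEW"
    if score >= 2:
        return "WARN_CUSTOMER"
    return "ALLOW"


if __name__ == "__main__":
    # Constructed sample beneficiaries: (name typed by payer, name held by beneficiary bank)
    samples = [
        ("Mum", "Jane Smith"),            # nickname: NO MATCH
        ("Dr John Smith", "JOHN SMITH"),  # title and case differ only: MATCH
        ("J Smith", "John Smith"),        # initial: POSSIBLE MATCH
        ("Jon Smith", "John Smith"),      # typo: POSSIBLE MATCH
    ]
    for typed, held in samples:
        print(f"{typed!r:20} vs {held!r:14} -> {cop_check(typed, held)}")
    # A MATCH on a large payment to a brand-new payee still warrants a warning.
    print(payment_decision("MATCH", amount=5000.0, typical_amount=200.0, new_payee=True))
```

The decision function is deliberately crude; the point it makes is structural: the CoP outcome lowers or raises a risk score, and the other signals the post lists later (payment behaviour, analytics, customer messaging) still have to carry their share of the decision when the name check says MATCH.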
Existing APP Patterns
Building on the point above, research has also shown that around 65% of APP fraud that occurs today would receive a NO MATCH response. This data is a positive signal, as it means 65% of APP victims would have the opportunity to realise something wasn’t quite right and perhaps protect themselves from becoming a victim. On the flip side, this means 35% of APP victims already receive a MATCH (or POSSIBLE MATCH) response today, so in these cases all CoP will likely do is further reassure the customer that they are doing the right thing, which of course they are not.
So we now know that in 35% of APP fraud today fraudsters are already generating a MATCH response. This means that they are already convincing the customer to type the name of the mule during the scam. I expect this to increase following the introduction of CoP, as we also know that fraudsters are very adaptive. This isn’t the first initiative designed to reduce APP fraud, nor will it be the last, but APP fraud still remains one of the largest risks to the fraud budgets of UK banks. I think it is very likely that fraudsters will adapt their scripts and behaviours in an attempt to circumvent CoP. For example, rather than saying “we’ve set up a safe account for you in your name, please transfer the money here”, this can simply be adapted to “we’ve set up a communal holding account for you and the other customers at risk, please send the money here”. Only time will tell what will actually happen, but serious fraud practitioners everywhere should prepare for this change in approach by the fraudsters.
Fraudulent Account Openings
An unintended consequence of CoP could well be an increase in fraudulent account openings, using stolen, synthetic, or even genuine customers’ identities. It’s a very real possibility that fraudsters have a large amount of information about the APP victim long before any contact is made with them, which they could easily use to set up an account, in the name of the customer, that they control. They can then provide these account details back to the APP victim as confirmation of the beneficiary during the scam. Of course, this would then generate a MATCH response and the customer would not be alerted. In effect, CoP may simply force fraudsters to work harder rather than eradicate the problem, and potentially drive more account opening fraud as they seek to fully monetise their increased investment.
So while CoP is clearly a step in the right direction by the regulators, I suspect it won’t be enough to bring the APP problem under firm control. Yes, used in the right way, and as part of a wider, more sophisticated real-time fraud decision, CoP will have an impact, but I suspect the value will be short-lived as fraudsters change their approach and continue to target ownership of the positions of ‘trust’.
Banks should continue to consider additional strategies if they want to avoid being the industry’s low-hanging fruit. Dynamic, relevant and real-time education & awareness messaging could be one; advanced analytics and machine learning could be another; unusual biometric indicators within the customer’s behaviour could well be another. I suspect it will require all of these – and more – to win this battle. The fight against APP goes on.