The use of Confirmation of Payee in the fight against fraud

Confirmation-of-Payment

Authored by QBE Risk Solutions Practice Leader Deboarh O’Riordan

Online and mobile banking has become a common feature of our banking routines. Over two-thirds of UK adults use online banking, and over half use mobile banking to each perform, on average, over 15 transactions annually. In your organisation, it's likely to be routine practise to receive inwards and make outwards transactions using Faster Payment Scheme or CHAPS, but as we are well aware, there are risks.

In the first half of 2019, Authorised Push Payment (APP) fraud, where fraudsters dupe individuals or businesses into authorising a payment to an account which is controlled by a criminal, accounted for 57,549 cases representing a loss of £208m.  Whereas the finance industry is relatively successful by stopping two-thirds of unauthorised fraud, recoveries of £39.3m of APP losses over this period represents a success rate of less than 19%.

To enhance the finance industry's defences against APP scams, the Payment Systems Regulator (the regulator for payment system operators, banks, building societies and other payment service providers) has issued a specific direction for the implementation of Confirmation of Payee (CoP) verification.  CoP is a new verification process for electronic bank transfers which checks the name of the payee against the details provided by the payer.  To make a valid payment instruction, the payee will need to state the correct account name, account number and sort code.

The regulator's direction is to the Lloyds, Barclays, HSBC, Royal Bank of Scotland and Santander banking groups. It required the introduction of CoP to Faster Payment Scheme and CHAPS transactions by 31 March 2020.  However, because of the Covid-19 pandemic, the regulator has informed the directed banks that, if they are unable to implement CoP fully by 31 March, they must take appropriate steps to roll out CoP, taking into account the impacts of COVID-19, even if that means they do not meet the original 31 March 2020 deadline.

The regulator expects the directed banks to ensure customers who would have benefitted from the protections of CoP are not otherwise disadvantaged from any COVID-19 related delay, including refunding victims of fraud if CoP would have prevented it from happening. The regulator will keep these arrangements under review as the wider impacts of COVID-19 are better understood.

How does CoP work?

There are four possible outcomes from the CoP check when you are arranging a payment.

Yes, match: If you have used the correct account name, you will receive confirmation from the payee's financial provider that the details match. You can then proceed with the payment.

No, close match:  If you have used a similar name to the account holder, you will receive a CoP response stating the actual name of the account holder for you to confirm.  If you recognise the name submitted, you can opt to proceed with the payment.  Alternatively, you will be able to update the details and try again or contact the intended recipient to confirm their details.

No match: check before proceeding further:  If you have entered details for the named account holder which do not correspond with the details held by the account provider, you will receive notification that the details do not match.  If you receive a no-match notification, you should be alert to the possibility that fraudsters are targeting your business.  With a no-match response, you will not be able to see the actual name on the non-matched bank account.

Confirmation of Payee unavailable:  Where an account is not available through the CoP system, whether temporarily or otherwise, you will receive notification that the account is unable to be checked. CoP unavailability does not necessarily mean that fraudsters are targeting your business, but that the payee account is not on the system.

With no-match or CoP unavailable responses, it becomes even more critical that payee information is properly authenticated before transferring money.  Recent guidance on layered controls for this is available on the QBE Document Library and QBE policyholders can use our Fraud Prevention Questionnaire and Toolkit (requested via qrisk.support@qbe.com) to assess and strengthen their fraud resilience.

Turning to incoming payments, you should ensure that your business account name is stated clearly in relevant correspondence with customers, as your account name might be different from your trading name.

Mark Casady, Underwriting Manager - Financial Lines, has welcomed the news that the major High Street banks are implementing CoP:

"QBE has been at the forefront of the insurance industry in providing its clients with risk solutions to cope with the ever-changing threat of cybercrime. By its very nature, the banking system has always been a target for criminals, so the development of CoP is an enormous step forward in strengthening businesses fraud prevention and cybersecurity."

With the implementation of CoP, your banking arrangements should form part of the next review of your Fraud Prevention Policy.  We recommend that, as a minimum, you review your Policy annually as a pro-active measure to combat fraud.  Where client and other accounts are held with banks that do not support CoP verification, you should review the risk management benefits of CoP given your operations and decide if relocating your account(s) is appropriate.

It is important to remember that BACS payments are not yet covered by CoP protection and we have seen an uptick in fraud involving fake change requests for salary payments (typically made by BACS). It is therefore imperative that any changes to bank details by individuals or businesses are always verified by getting in touch with the true contacts in person to ensure the request has not been made by a fraudster using a spoof email address or a hacked email account.

Neil Hare-Brown, CEO of STORM Guidance, cyber risk and breach response experts, was keen to point out:

“This vital check has been years in implementation but is finally here. Our many investigations into cybercrime and related frauds have shown that, if CoP had been in place, many millions of pounds in losses would have been prevented. Even now CoP is not in-place everywhere so it is important to check with your bank to confirm when and how you can rely on this vital safeguard.”

We should never underestimate the ingenuity of determined fraudsters to adapt to changing technology.  CoP is not a panacea that will allow electronic payments to be made without any risk of fraud.  There is also the danger that individuals and organisations, lulled into a false sense of security, might lower their guard.  What CoP represents is another important tool in your fraud prevention armoury in the ongoing fight against fraud.

To speak to someone in QBE's Risk Solutions team about fraud protection, CLICK HERE, leave a message and youTalk-insurance will pass your enquiry on.

CLICK HERE TO SIGN UP FOR OUR
FREE BI-WEEKLY NEWSLETTER

About QBE

QBE European Operations is part of QBE Insurance Group, one of the world’s leading international insurers and reinsurers and Standard & Poor’s A+ rated. Listed on the Australian Securities Exchange, QBE’s gross written premium for the year ended 31 December 2018 was US$13.7 billion.

As a business insurance specialist, QBE European Operations offers a range of insurance products from the standard suite of property, casualty and motor to the specialist financial lines, marine and energy. All are tailored to the individual needs of our small, medium and large client base.

We understand the crucial role that effective risk management plays in all organisations and work hard to understand our clients’ businesses so that we offer insurance solutions that meet their needs – from complex programmes to simpler e-trading solutions – and support them in minimising their risk exposures. Our expert risk management and rehabilitation practitioners focus on helping clients improve their risk management so that they may benefit from a reduction in claims frequency and costs.

Latest video

QBE video: The Top 10 Construction industry risks

What are the most common risks in construction and how can QBE’s new Contractors Combined package help?For more information CLICK HERE click here for more