Developments in the payments sector: CoP and APP

The Payment Systems Regulator (PSR) has recently published a paper concerning the expansion of Confirmation of Payee (CoP) to a wider range of banks and payment firms; it has also commented on the measures it may take to combat Authorised Push Payment (APP) fraud. We consider the PSR’s position and what it means for account providing payment service providers (PSPs).

Confirmation of Payee

Most people in the UK will be familiar with CoP through using online banking. CoP checks that the name on the recipient’s account matches the details a payer has given to their bank. The name check tells payers whether there is a match or not. It is designed to reduce certain types of accidentally misdirected payments and APP fraud in bank transfers.

In August 2019 the PSR required the UK’s six largest banks (representing 90% of transactions over Faster Payments and CHAPS) to implement CoP. These were joined by other payment service providers who signed up voluntarily.

The second phase of the PSR’s approach - which aims to achieve ‘ubiquity of service’ by making it possible for all account-holding PSPs to offer CoP - was announced in May of this year.

In its recently published Response Paper, the PSR has provided an update on the implementation of this second phase, including the following notable observations which show that the direction of travel is clearly towards the adoption of CoP across the payments sector:

• The PSR’s analysis has shown that initial imposition of CoP has had a positive impact, both in terms of reducing accidentally misdirected payments and in preventing what would have likely been a larger increase in APP fraud.
• The PSR’s ambition is for more payment service providers to join CoP and it is likely that the PSR will take further action to ensure that this happens. The PSR will assess whether to direct PSPs not currently offering CoP to their customers to join the service and stands ready to step in if there is a delay in delivering the capabilities for CoP.
• The first step of the second phase will include changes to the Open Banking Directory to enable PSPs with unique sort codes to join through a dedicated ‘CoP-only’ role profile. It will also enable participation by PSPs operating accounts that use secondary reference data, rather than unique sort codes and account numbers, to identify customers. The presence of the six largest banks in the second phase (which is anticipated by the end of 2021) will enable prospective participants to progress their plans to join CoP and ensure interoperability.

Account providing PSPs that don’t currently offer CoP should therefore start planning for how adoption will affect them and what steps they need to take in order to implement it.

Authorised Push Payment Fraud

APP fraud is a significant, and growing, problem in the UK. A total of £355.3 million was lost to APP scams in the first half of 2021 alone – an increase of 71% compared to the same period in 2020. Moreover, since the payments in question are authorised by the victim, there is no automatic right to reimbursement. As a result, victims frequently bear the loss, especially as the perpetrators are commonly located outside the UK.

In its Response Paper the PSR notes that it considers CoP to be part of a package of anti-APP fraud reduction measures, and indeed the evidence is that CoP has helped to prevent some APP fraud. However, CoP alone can never fully address APP fraud, since in some instances the fraudster’s account details will match the details the victim has been given.

In February 2021 the PSR published a “Call for Views” regarding APP fraud. In that document, the PSR set out three further measures that it believed could be used to help reduce APP fraud losses:

• First, requiring PSPs to publish their APP fraud data, including reimbursement and repatriation levels, in order that customers would be in a position to select those PSPs with the lowest loss rates and highest levels of reimbursement where losses do occur.
• Second, requiring PSPs to adopt a standardised approach to sharing data, such as their risk rating for particular transactions or customers, in order to increase fraud prevention.
• Third, changing the payment system rules so as to make APP fraud victim reimbursement mandatory for PSPs in certain circumstances.

The PSR has said that it will consult on these three proposals “in due course”. However, it has also given some indication of how it views the proposals in a speech given by the PSR’s Managing Director in October 2021, in which it was said that the PSR:

• Intends to press on with plans for greater levels of transparency via the publication of fraud and compensation data.
• Believes that PSPs should aspire to a situation where, once a paying PSP has identified one victim, the receiving account is prevented from enabling any more crimes against other victims.
• Wants to move from voluntary protection for victims to protection that is mandatory, albeit this requires a change in law to allow the PSR to act and therefore depends upon government action.

The PSR is also calling on social media firms, those PSPs who have not signed up to the voluntary Contingent Reimbursement Model (CRM) and PSPs who, however inadvertently, provide services to criminals through the receipt of APP fraud related payments to do more to protect victims. The PSR describes these firms as “falling well short of where we need to be”.

It is unclear to what extent these APP-related measures will be implemented or whether they will be amended in the light of consultation responses. However, the more widespread APP fraud losses become, the more likely it is that far-reaching reforms will be introduced on a mandatory basis. From a practical perspective, PSPs may therefore be better served by signing up voluntarily to measures, such as the CRM, that reduce the prevalence of APP fraud, than risking the possibility of more stringent requirements through a lack of action.