The UK’s major banking groups have fully introduced the ‘Confirmation of Payee’ system, previously announced in October 2018, allowing clients to spot fraud and stop payments if necessary. However, this now puts the onus on the customer when continuing with the transfer.
The Payment Systems Regulator (PSR) has given an update confirming that all members of the UK’s six largest banking groups, namely Barclays, HSBC (including First Direct), Lloyds (including Halifax and Bank of Scotland), Nationwide, RBS (including NatWest and Ulster) and Santander, are now using the new fraud prevention tool, Confirmation of Payee. Both the sending and the receiving bank must have the system in place before customers can enjoy the full benefits of the tool, which aims to help reduce Authorised Push Payment (APP) scams.
Confirmation of Payee will work on:
- Faster Payments – the most common transfers which take up to two hours, usually for sums up to £10,000.
- CHAPS payments – used for bigger sums, such as completing on a house purchase.
Not yet included:
- BACS payments – the type used for direct debits. However, most banks are unable to implement Confirmation of Payee on BACS payments at the moment.
Steven Murdoch, Innovation Security Architect at OneSpan, a cybersecurity, anti-fraud and digital identity solutions provider, said:
“It’s great to see that the Confirmation of Payee mechanism has now been adopted by the six largest banking groups. This improved security should make push payment fraud more difficult, protecting the customer from unknowingly transferring funds to a criminal’s account.
“However, these new security measures could result in victims being unfairly held liable because the voluntary consumer protection code for push payment fraud excuses the bank from liability if they show the customer a Confirmation of Payee warning. The issue here is that consumers may face “warning fatigue”, where they’ll receive so many irrelevant warnings throughout the online banking process that they’ll be less likely to notice the important ones.
“The standard of care that customers are expected to apply to protect themselves from push payment fraud should be as the Payment Services Directive requires for other types of fraud: that they do not act with gross negligence. In other words, the bank can only shift the liability of fraud to the victim if they demonstrate that a customer has acted with “a conscious and voluntary disregard of the need to use reasonable care, which is likely to cause foreseeable grave injury or harm to persons, property, or both”. If a customer doesn’t act on a Confirmation of Payee warning, then this could contribute towards an argument that they have been grossly negligent, but it would not be sufficient. For example, the effects of warning fatigue, the state of mind of the customer, and sophistication of the criminal could show that nevertheless, the customer acted reasonably.”