The regulator is asking banks and firms that use CHAPS, Faster Payments or standing orders to adopt Confirmation of Payee to prevent Authorised Push Payment fraud. Paul Olukoya and Terry Taylor look at how firms can protect their customers and reduce fraud.

Attackers are always finding new ways to steal money from victims. A commonly used method is Authorised Push Payment (APP) fraud, where victims are persuaded or tricked into authorising a payment to a fraudster. This is a core issue for the payments industry. The latest figures show that, in the first half of 2023, £239 million was lost to APP scams.

By using a variety of communication channels, such as email and text messages, fraudsters impersonate trusted entities, such as banks and firms, to lure victims into making payments.

Regulators have mandated measures like Confirmation of Payee (CoP) to provide an extra layer of defence and reduce APP risk during the payment process. This allows customers to verify the accounts they're sending money to.

Regulatory action and mandatory reimbursement

CoP provides real-time security checks to help prevent APP fraud. It checks the name on the account to which a payment is going and clearly displays this to the user. This information assures customers that their money is going to the correct account and that they have oversight over each step of their transaction.

However, the payer must still authorise their payments. Although CoP allows all transactions to be cross-checked, the onus is still on the customer to be aware of their transactions and who they're sending to. Therefore, firms must educate their customer base to use CoP correctly and remain aware of fraud attempts.

The Payment Systems Regulator (PSR) is directing 400 payment institutions to roll out CoP, with the final implementation phase scheduled for October 2024. By this date, CoP will be mandatory for all firms.

Alongside this, the PSR has announced new reimbursement requirements for victims of APP fraud, effective from 7 October 2024. Where the customer has not been fraudulent or grossly negligent, firms must repay all customers who fall victim to APP scams within five working days. The cost of reimbursement is split 50:50 between the sending and receiving payment service providers (PSPs), up to a maximum of £415,000.

There are additional protections for customers classed as vulnerable. Therefore, firms must strengthen their security measures to meet this deadline and stay ahead of the regulatory change.

Embracing technology to safeguard customers

Firms must ensure they have the appropriate framework in place to analyse their payment data and identify payment patterns. This will ensure there is strong oversight over all transactions and a catalogue to return to in case of incidents.

Additionally, data should be incorporated from multiple sources, such as user behaviour analysis, email data and mobile number data, to ensure that payee information is up to date and reliable.

By using technology, firms can stay ahead of the curve, and create a robust and adaptive framework to safeguard their customers.

Creating a user-friendly interface

To ensure customer protection against APP fraud, firms must assess how they can improve the customer experience while adding payment controls or friction for high-risk payments. Safeguarding users means offering an intuitive and user-friendly interface to guide their payments.

Firms should look to make the payments risk verification process seamless for their users and provide clear instructions to give them confidence when confirming their payment details. They can also use multichannel network verification options to create an accessible and diverse user experience.

Developing strong customer communication

Proactive communication is important to build strong customer awareness – providing accessible learning tools to inform the user base is key. Awareness of fraud and understanding the significance of CoP will support broader fraud prevention and minimise the risk of customer error.

Firms should focus on establishing clear communication channels for customer enquiries and concerns to create a more informed user base. Additionally, firms must understand the various types of fraud to inform their customers.

Understanding fraud attempts

While CoP is a useful addition in the fight against fraud and misdirected payments, it won’t prevent all types of fraud that payment service users are exposed to. In particular, attempts such as 'malicious payee' fraud – where payment service users can be deceived into handing over sensitive information or money – can be extremely harmful and must be monitored closely.

With this in mind, firms need to have their finger on the pulse of fraudulent behaviour, and work to prevent these attempts on their customers. Through a strategic combination of technological frameworks, user-first design platforms, and a proactive approach to customer engagement and risk profiling, firms will be well placed to meet the October 2024 deadline and reduce losses from fraud.

For more insight and guidance, contact Paul Olukoya.