Authorised push payment (APP) fraud has received a lot of attention recently. And for good reason: it's costing the UK economy a lot of money.
In the past 5 years, total gross losses have steadily increased by roughly 5% each year. We're now losing an average of £450 million annually to APP fraud. That's a lot of money siphoned off by criminals. Putting that number into perspective, that's:
the annual education funding required for 60,321 pupils (5-16yrs);
enough money to cover the annual energy costs of 129,173 families; or
the cost of providing the Ukrainians with 4 HIMARS, 36,000 rounds of 105mm ammunition, 18 tactical vehicles to tow 155mm artillery, 1,200 grenade launchers, 2,000 machine guns, 18 coastal and riverine patrol boats, and spare parts and other equipment.
The opportunity cost is significant, to say the least.
Behind the numbers
There are 2 types of APP fraud:
Malicious payee: deceiving someone into paying for something that isn't real or is never delivered, such as investment and purchase scams; and
Malicious redirection: criminals impersonate others, create or amend invoices, and divert payments to criminal-controlled bank accounts.
Between them, these two types comprise 8 distinct reporting categories, seen in the graph below.
Historically, malicious redirection has made up the majority of losses, though in the past few years losses have been more evenly split with malicious payee scams.
What does this all mean?
It's much harder to prevent malicious payee scams because they exploit emotional vulnerabilities in individuals to make them believe that what they are buying, investing in, or giving money to is real. Think fake wines, bogus crypto coins, Tinder-Swindler style romance frauds, etc.
On the other hand, malicious redirection scams should be easier to prevent because the transacting parties have a genuine relationship and can use tools and processes to verify payment details. For example, if an email comes in on a Friday afternoon from a 'client' asking for completion funds to be paid to a different bank account, that should trigger a new set of checks and call-backs to determine whether the new account genuinely belongs to the client.
What tools we need to run these checks is the £450 million question.
CoP is OK, but we need something better
The most ubiquitous tool available for payment verification is confirmation of payee (or CoP). It was introduced by Pay.UK in 2017 in the hope of fighting redirection frauds. Data from the last 5 years suggests that CoP has not been as successful as hoped (the number of losses has steadily increased since). When you see how CoP works, it's clear why:
CoP only checks that the name entered in your online banking matches the name held on the payee's account (see image).
The problem is that names on accounts don't always exactly match the name of the payee as given. Some banks truncate the name, others include prefixes and middle names, and some may leave out the first name entirely (true story, my HSBC current account does this). It gets messier with joint and business accounts.
The result of a CoP check, therefore, can vary widely from bank to bank.
In the case of my HSBC account, a CoP check would easily pass at most banks, but how would a payor know that's really my account? The 'all-clear' from the bank would be somewhat misleading when there is no first name on the account to verify against.
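To make the name-matching weakness concrete, here is an added illustration (not Pay.UK's CoP rules, nor Lucra's code) of a simplified three-way name check and a wrapper that flags when a pass rests on too little account data, using constructed names rather than real account holders:

```python
import re

# Three-way outcome modelled on the CoP response. Assumption: simplified rules, not Pay.UK's.
MATCH, CLOSE_MATCH, NO_MATCH = "match", "close_match", "no_match"
HONORIFICS = {"mr", "mrs", "ms", "miss", "mx", "dr", "prof"}


def normalise(name: str) -> list:
    """Lower-case, drop punctuation and honorifics, split into tokens."""
    tokens = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return [t for t in tokens if t not in HONORIFICS]


def same_token(a: str, b: str) -> bool:
    """Equal, or one is a truncation of the other (bank systems cut names short)."""
    return a == b or a.startswith(b) or b.startswith(a)


def cop_check(entered: str, on_account: str) -> str:
    """Compare the name the payer typed with the name the bank holds."""
    e, a = normalise(entered), normalise(on_account)
    if not e or not a:
        return NO_MATCH
    if e == a:
        return MATCH
    if e[-1] != a[-1]:          # surname differs: treat as a different person
        return NO_MATCH
    # Forenames: each one the payer typed must correspond to one the bank holds,
    # tolerating truncation. If the bank holds no forename at all there is
    # nothing to compare, so the check silently falls through to CLOSE_MATCH.
    if a[:-1] and not all(any(same_token(t, x) for x in a[:-1]) for t in e[:-1]):
        return NO_MATCH
    return CLOSE_MATCH


def assess(entered: str, on_account: str) -> tuple:
    """Wrap cop_check with the caveat a payer should see: how much of the
    entered name was actually verified against account data."""
    outcome = cop_check(entered, on_account)
    held = normalise(on_account)
    if outcome != NO_MATCH and len(held) < 2:
        return outcome, "account holds a surname only: first name was never verified"
    return outcome, None


if __name__ == "__main__":
    # Constructed scenarios, not real account holders.
    for entered, held in [("Jonathan Smith", "JONATHAN SMITH"),
                          ("Jonathan Smith", "MR JONATHAN A SMITH"),
                          ("Jonathan Smith", "JON SMITH"),
                          ("Jonathan Smith", "SMITH"),
                          ("Jonathan Smith", "JANE SMITH")]:
        print(f"{entered!r} vs {held!r}: {assess(entered, held)}")
```

The surname-only case is the one the post describes: the bare check reports a close match, and only the wrapper's caveat tells the payer that nothing beyond the surname was verified.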
Moreover, CoP is not supported by all banks and accounts (yet). So for some, manual verification by calling the payee is the only option.
Let's not forget CoP is just for UK banks and FIs... so any cross border payment needs to be verified manually too.
A recent survey undertaken by UK Finance and Synectics Solutions found that 43% of respondents felt that the value of CoP in tackling APP fraud was neutral (at best) if not useless. More worryingly, more than 30% of those surveyed said they didn't undertake any additional checks beyond CoP.
CoP isn't perfect, which is why many lawyers and professional service providers in fiduciary positions need to undertake manual verification measures, like telephone call-backs, to satisfy themselves that the account details are correct and truly belong to the beneficiary. This, however, is a suboptimal solution in a digital world where operating efficiently at scale makes the difference between successful and unsuccessful businesses.
With Open Banking, we already have the infrastructure in place to securely share our financial information in a highly efficient, precise way. Things like the full name of the beneficiary, account numbers / IBANs and transaction data are all accessible. Access to this data would be a tremendous weapon for detecting payment redirection fraud.
The UK government's Joint Regulatory Oversight Committee has recently acknowledged this missed opportunity in its recommendations for the future of Open Banking. Data sharing through a common standard forms a core priority for the next phase of Open Banking, with the hope that it does more to prevent fraud.
CoP was version 1.0. At Lucra, we're working on delivering 2.0.
Alan Schweber is the founder and CEO of Lucra. Previously, Alan was a debt finance lawyer at Kirkland & Ellis LLP.
All data from this post was sourced from UK Finance: