Confirmation of Payee, a new name-checking service warning bank customers when a payee’s name doesn’t match the account number provided, is due to be rolled out by the end of this month – a measure Which? estimates could have prevented £320m-worth of bank transfer fraud since 2017.
Under the direction of the payments regulator, the six largest banking groups: Barclays, Lloyds Banking Group, Royal Bank of Scotland Group, Santander, HSBC Group (excluding M&S Bank) and Nationwide Building Society must all offer Confirmation of Payee (or ‘CoP’) to protect customers when they pay someone new or edit an existing payee.
CoP has a vital role to play in reducing the amount of money lost to bank transfer fraud. Which? estimates that £1.1bn could have been lost to bank transfer fraud over the past three years and of that £320m could have been prevented if CoP had been introduced at the start of 2017.
The new system was originally meant to go live in July 2019, though the major banks now have until 31 March 2020 to get up and running. But, with some banks and building societies not yet forced to sign up, and potential teething problems with those that are, customers are warned to remain on guard as some may remain unprotected.
UPDATE 26 March 2020
The Payment Systems Regulator (PSR) has announced that the roll-out of CoP may be delayed due to businesses having to manage risks related to coronavirus (COVID-19).
The PSR says it will not take formal action against banks that fail to meet the deadline until 30 June 2020 though it hasn’t published details of which customers are likely to be affected.
Crucially, if a bank doesn’t introduce CoP and a customer falls victim to an APP scam that CoP would have prevented, Which? believes they should be fully reimbursed.
How does CoP work?
You might assume that your bank already checks whether or not the name entered matches the account details, but it doesn’t – payments are currently processed using the sort code and account number only.
This flaw means criminals posing as trusted organisations such as a bank or solicitor can trick you into making payments to them, with no warning from your bank if the details don’t belong to the business you’re expecting to pay.
You can also unwittingly send money to the wrong person if you enter the account numbers incorrectly.
Once CoP is in place, your bank will ask for the full name of the registered account holder (if it’s a joint account, you can enter the first and last name of either individual) and the type of account (either personal or business). If someone makes a payment to you for the first time, their bank may do the same.
There are four possible outcomes:
- Yes, exact match – the details match and you can proceed with the payment.
- Partial or close match – some of the details are incorrect so look for spelling mistakes or typos.
- No match – the details don’t match so cancel the payment until you’ve made further checks.
- No name check – it has not been possible to check the name eg because the receiving bank doesn’t offer CoP.
See below for Bank of Scotland’s example of ‘No match’.
Will all banks use Confirmation of Payee?
No – only the six largest banking groups are being forced to sign up to CoP and there is even a chance that some won’t meet the new deadline.
Lloyds Banking Group is ahead of the pack, implementing CoP from 2 March 2020 for Bank of Scotland customers before rolling it out to Halifax and Lloyds customers.
Other major banking brands must follow suit by no later than 31 March though RBS* (includes NatWest and Ulster Bank) and HSBC (First Direct) were unable to confirm a specific date when we asked if they would be ready.
The Payments Systems Regulator (PSR) said: ‘If they are unable to meet the deadline, then we would expect them to let their customers know that CoP wouldn’t apply to their accounts. We would closely examine any potential breach of the direction and decide on an appropriate course of action.’
No building societies other than Nationwide have been directed to introduce CoP.
Starling Bank has voluntarily signed up to the scheme and says customers can expect CoP checks by the end of March. M&S Bank – part of HSBC Group – wasn’t included in the direction issued by the regulator either but plans to deliver CoP for its customers later this year.
*UPDATE 18 March 2020 Since we first published this story, RBS has confirmed that it will be ready to offer CoP and offered this statement:
‘Alongside face-to-face training, online advice and our ongoing investment in biometrics, we believe CoP is an important part in protecting our customers from scams and from entering account numbers incorrectly. We will meet the deadline to offer this service for online banking and on our mobile banking app.’
Check the table below to see when your bank plans to offer CoP checks.
Metro Bank no plans to offer CoP
Both Metro Bank and the Co-operative Bank are signed up to the new voluntary bank transfer (APP) code, which specifically states that all signatories should implement CoP.
However, neither bank has been forced to do so by the regulator.
The Co-operative Bank told Which? Money it is aiming to implement CoP before the end of 2020. However, Metro Bank said it has no plans to implement CoP currently though it ‘can reassure customers that they will continue to be protected.’
When we pressed the PSR on this inconsistency, it could only tell us that it is ‘encouraging all banks, big and small, to implement CoP.’
Will all payments be checked?
No. CoP only affects Faster Payments (including standing orders) and CHAPS in the UK. BACS payments (including direct debits) are not included for the time being.
Checks will only apply when a new payment is being set up or altered, as there is the greatest risk of fraud or mistakes occurring.
CoP will apply to both personal and business customers though not always private customers.
For example, Barclays and Santander Private customers should see CoP checks from April 2020 but HSBC Private customers will not.
Payment Initiation Service Providers (PISPs) – firms that allow you to instruct payments to be made directly out of your bank account, as an alternative to using a third party such as a Visa debit card or PayPal – do not have to implement CoP.
What if you don’t get a positive match?
If the details don’t match, it’s possible that the payment is being requested for fraudulent purposes. Cancel the payment until you’ve confirmed that you are paying a legitimate person or business. If in any doubt, seek advice from someone you trust.
If your bank is signed up to the bank transfer (APP) scam code they should give you appropriate guidance and help you understand what actions to take to address the risk.
Misspelt names, eg John Smith instead of John Smyth, should result in your bank supplying the correct name so that you can either edit the details or cancel the payment.
However, we could see some teething problems, for example, middle names and businesses with multiple brand names could cause confusion or inconsistencies.
If you have issues, double-check that you’ve been given the name registered with that account, not a shortened name or nickname.
What should you do if there is no name-check?
If your own bank or the recipient bank does not offer CoP, you should be told that ‘it has not been possible to check this name’ or words to that effect.
If CoP is unavailable you should take additional steps to ensure that your payment is being made to the correct person or business.
Never be rushed into making a payment and trust your instincts. Contact the person or organisation you are trying to pay using verified details (such as a phone number on an official website) to be safe.
If you make a mistake and send money to the wrong bank account using Faster Payments, the Credit Payment Recovery process kicks in. Once you’ve informed them of the mistake, your bank must contact the recipient bank within two working days.
As long as the recipient bank doesn’t then challenge the refund, your money should be returned within 20 working days of you flagging the error.
- Find out more: how to spot a scam – seven common signs
Will this stop bank transfer fraud?
Assuming customers are provided with clear and reliable information, CoP will make it harder for scammers to operate. But, it won’t prevent fraud entirely and criminals will look for ways to bypass the name checks.
For example, they may claim that the business name on an account doesn’t match because it’s a related trading name, or they may open accounts with names that are deceptively similar to legitimate businesses.
Which? wants all payment service providers to introduce Confirmation of Payee, not just the six largest banking groups.
This will also eliminate confusion and uncertainty among consumers who find that there is no consistency among providers and prevents fraudsters from simply targeting banks that don’t offer it.
Gareth Shaw, head of money at Which?, said: ‘The UK has been in the grip of a fraud crisis for years, but new security measures offered by the banking industry should finally give people better protection against increasingly sophisticated fraudsters.
‘This month will be decisive in demonstrating how well the industry is equipped to tackle the issue. It is vital for all banks to commit to basic name-check security, and the whole industry should sign up and follow through on the protections offered by the scams code.
‘If the banks fall short of making these commitments themselves, the government must step in and ensure these schemes are made mandatory. Anything less would be a betrayal of millions of people at risk of falling victim to increasingly sophisticated fraudsters.’
Can you opt-out of Confirmation of Payee?
Yes, although each bank is responsible for its own policies regarding customer data, they must offer you the option of opting out.
Think carefully before doing so, as this is designed to make it much less likely that you will fall victim to fraud or enter the wrong account numbers by accident.
Your data is also stored securely, as banks will be using the Open Banking directory service to exchange CoP requests.
This system requires participating firms to undergo rigorous security checks and be regulated by the Financial Conduct Authority (FCA) or European equivalents.
- Find out more: open banking – how to share your banking data securely