Starling Bank fraud warning system failed Android users for 31 days

Which? is urging customers to check recent bank transfers, particularly those made between 12 October and 13 November

Starling Bank customers who use Android devices or the old version of its banking app missed out on crucial fraud warnings known as Confirmation of Payee (CoP) for a whole month, Which? Money can reveal.

This system is designed to tell you when the name doesn’t match the account details entered, but we discovered that these checks haven’t been in place for all customers.

The bank has confirmed that this was a short-lived issue, lasting for 31 days from 12 October 2020, that has since been fixed. It temporarily affected users with Android devices and some Apple users who had not updated their Starling app.

Customers will now be forced to update to the current version if they attempt to set up a new payee.

Which? discovered this when we asked eight staff members who have the Starling mobile banking app to check if CoP was working earlier last week. Three people said that they weren’t shown a warning despite intentionally using the wrong name when attempting to pay someone new.


What is Confirmation of Payee and why is it important?

This scheme aims to combat both fraud and accidental payments by alerting customers to a mismatch when they make bank transfers.

Without CoP, bank systems only check if the account number and sort code exist, but CoP tells you if the name entered doesn’t match – or only partially matches – the account details.

Customers can still choose to ignore these warnings and authorise the payment regardless, though banks make a point of stating that they do so at their own risk.

A common tactic used by impersonation scammers is to trick victims into moving money to a ‘safe’ account. CoP can help ‘break the spell’ by highlighting when the name entered isn’t as expected.

There are four possible CoP messages:

  1. Yes, exact match – the details match and you can proceed with the payment.
  2. Partial or close match – some of the details are incorrect so look for spelling mistakes or typos.
  3. No match – the details don’t match so cancel the payment until you’ve made further checks.
  4. No name check – it has not been possible to check the name, e.g. because the receiving bank doesn’t offer CoP.

[Image: an example of a ‘no match’ warning from Starling]

What went wrong at Starling?

Eight Which? staff members who bank with Starling tested CoP in early November and three found that they could make payments using the wrong names without being given a ‘no match’ warning from the bank.

We got in touch with Starling – a Which? Recommended Provider for current accounts – which fixed the issue immediately.

Starling initially thought this affected Android users only, but further investigation revealed that some iPhone users were also affected if they had an old version of the Starling app on their phone (it estimates that around 0.1% of its users were using this version or older up to last week). Starling’s default setting is to automatically update apps but a customer can change this.

A Starling spokesperson told Which?: ‘We’ve now updated our systems so that iOS and Android users will be required to update their app if they have an old version of the app and they try to add a new payee.’

‘After a thorough investigation, we’ve established that this would have adversely impacted fewer than 50 customers so far. We will make good for each one of them as well as any subsequent cases that come to light. We apologise for any inconvenience this may have caused.’

‘We started to roll out CoP earlier this year, though not mandated to, because we think it is an important tool in the battle against fraud. We urge all banks that have not implemented it to do so. We are pressing to have it made mandatory for all banks. CoP is just one part of our fraud defences. We have many other anti-fraud measures in place.’

Starling will refund fraud victims affected by CoP failure

Starling told Which? Money that it will ‘make good’ for any customers adversely impacted.

It identified 128 transactions as fraudulent during the 31 days that CoP was down, related to 83 payees and 68 customers.

Of the 68, the bank has assessed that 41 people were negatively impacted because they should’ve got a ‘match fail’ warning or a ‘we cannot check whether this is the correct payee’ message, or because Starling does not yet support CoP for the receiving bank (due to issues that it is working through).

Other cases may come to light if they are reported.

Which? is urging Starling customers to check all recent bank transfers, particularly those made between 12 October 2020 and 13 November 2020.

Get in touch with Starling to report anything suspicious and ask for reimbursement. You can also contact Which? at scamwatch@which.co.uk.

Which banks have CoP?

The six largest banking groups were forced to introduce the long overdue CoP at the point of payment by the payments regulator: Barclays, HSBC (including First Direct but not M&S Bank), Lloyds (including Halifax and Bank of Scotland), Nationwide, RBS (including NatWest and Ulster) and Santander.

It was originally expected in July 2019 but finally went live from June 2020 following multiple delays.

A few other banks – namely Starling and Monzo – offer this name-checking service voluntarily.

Which? wants all banks and building societies to offer CoP to customers to better protect them from scams and accidental payments.
