The Payment Systems Regulator (PSR) has just announced that the UK's six largest banks must check whether the name of the recipient of a transfer matches what the sender believes it to be. This new feature should close a long-standing security loophole in online payments: the name of the recipient of a transfer is currently ignored, contrary to what most customers expect and unlike cheques, where the payee name is what the paying bank checks. This improved security should make some fraud more difficult, but banks must be prevented from exploiting the change to unfairly shift the liability for the remaining crime onto the victims.
The PSR's target is for checks to be fully implemented by March 2020, somewhat later than their initial promise to Parliament of September 2018 and their subsequent target of July 2019. The new proposal, known as Confirmation of Payee, also only covers the six largest banking groups, but these account for around 90% of transfers. Its goal is to defend against criminals who trick victims into transferring funds under the false pretence that the money is going to the victim's own new account, whereas it is really going to an account controlled by the criminal. The losses from such fraud, known as push payment scams, are often life-changing, resulting in misery for the victims.
Checks on the recipient name will make this particular scam harder. They are unlikely to prevent all types of push payment scam, but they will hopefully force criminals to adopt strategies that are easier to prevent. The risk that consumer representatives and regulators will need to watch out for is that these new security measures could result in victims being unfairly held liable. This scenario is, unfortunately, likely, because the voluntary consumer protection code for push payment scams excuses the bank from liability if it has shown the customer a Confirmation of Payee warning.
Warning fatigue and misaligned incentives
In my response to the consultation over this consumer protection code, I raised the issue of "warning fatigue": customers will be shown many irrelevant warnings while they do online banking, and this reduces the likelihood that they will notice the important ones. Even Confirmation of Payee warnings will frequently be false positives, for example when the recipient's bank account is held under a different name from the one the sender expects. If the two names are very dissimilar, the sender won't be given any more details, but if the name entered is close to the name in the bank's records, the sender should be told what the correct one is and asked to compare. So a payer whose guess is almost right learns the name on the account; a payer whose guess is far off learns nothing.
I also noted that the shift of liability from bank to victim when a Confirmation of Payee warning is displayed creates the wrong incentives for banks. Asking the customer to verify the name of the recipient is just one of many security measures that a bank can apply. For example, it could detect transactions that are out of character for the customer and block them, or it could look for unusual patterns of transfers into the recipient account (a new account suddenly receiving many large payments from unrelated customers, say). Banks should be incentivised to deploy every fraud prevention scheme at their disposal, but with the code as written, as soon as a bank has shown a Confirmation of Payee warning it can shift liability to the victim without doing anything more.
In conclusion, I argued that the standard of care that customers are expected to apply to protect themselves from push payment fraud should be the one the Payment Services Directive already requires for other types of fraud: that they do not act with gross negligence. That is, the bank can only shift the liability for fraud to the victim if it demonstrates that the customer acted with "a conscious and voluntary disregard of the need to use reasonable care, which is likely to cause foreseeable grave injury or harm to persons, property, or both". If a customer doesn't act on a Confirmation of Payee warning, this could contribute towards an argument that they have been grossly negligent, but it would not in itself be sufficient. For example, the effects of warning fatigue, the state of mind of the customer, and the sophistication of the criminal could show that the customer nevertheless acted reasonably.
In general, if fraud is being caused by banks or other institutions failing in their duty of care to prevent it, then new security measures that are exploited to shift liability to victims will make the situation worse, not better. Institutions are no more likely to act competently, and could even be incentivised to do worse. This happened with Chip and PIN, seems likely to occur for push payment fraud, and could easily happen again in the future unless regulators act promptly.
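To make the three outcomes described above concrete (exact match, close match where the bank's version of the name is revealed, and no match where nothing is revealed), here is an added illustration. It is not any bank's, Pay.UK's or the PSR's Confirmation of Payee code; the similarity threshold, the list of titles that are ignored, and the treatment of joint accounts (each holder's name or the combined "A & B" form is accepted) are all assumptions made for the example. The normalisation step is what keeps differences of case, dots and hyphens from generating spurious warnings, and the name held by the bank is returned only for a close match, so a payer who merely guesses learns nothing about an account they have no business with.

```python
"""Illustrative Confirmation of Payee style name check (added example).
Threshold, title list and joint-account handling are assumptions."""
import re
import unicodedata
from difflib import SequenceMatcher
from enum import Enum


class CopResult(Enum):
    MATCH = "match"              # names agree: no warning shown
    CLOSE_MATCH = "close_match"  # warn, and show the name the bank holds
    NO_MATCH = "no_match"        # warn, but reveal nothing about the account


# Assumed threshold: a close match must score at least this on a 0..1 scale.
CLOSE_MATCH_THRESHOLD = 0.8

# Assumed honorifics that should not count as part of the name.
TITLES = {"mr", "mrs", "ms", "miss", "dr", "prof", "sir"}


def normalise(name: str) -> str:
    """Canonical form: accents stripped, lower case, punctuation removed,
    titles dropped, whitespace collapsed.  'J.H. Blog' and 'j h blog'
    therefore compare equal instead of triggering a warning."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    tokens = re.sub(r"[^0-9a-z]+", " ", plain.lower()).split()
    return " ".join(t for t in tokens if t not in TITLES)


def candidate_names(account_holders):
    """Names a payer might reasonably enter for the account: each
    individual holder, plus the joint form 'A & B' when there are several."""
    names = list(account_holders)
    if len(account_holders) > 1:
        names.append(" & ".join(account_holders))
    return names


def check_payee(entered_name, account_holders, threshold=CLOSE_MATCH_THRESHOLD):
    """Return (result, revealed_name, score).

    revealed_name is the name held by the bank and is only populated for a
    close match; for an exact match the payer already knows it, and for no
    match disclosing it would leak account data to someone who guessed."""
    entered = normalise(entered_name)
    best_name, best_score = None, 0.0
    for stored in candidate_names(account_holders):
        score = SequenceMatcher(None, entered, normalise(stored)).ratio()
        if score > best_score:
            best_name, best_score = stored, score
    if best_score == 1.0:
        return CopResult.MATCH, None, best_score
    if best_score >= threshold:
        return CopResult.CLOSE_MATCH, best_name, best_score
    return CopResult.NO_MATCH, None, best_score


if __name__ == "__main__":
    # Constructed sample data: a joint account and a sole account.
    joint = ["J H Blog", "Miss F Fitz-William"]
    for entered, holders in [("j.h. blog", joint),
                             ("Blog Fitz-William", joint),
                             ("John Smith", ["Jon Smith"]),
                             ("Acme Ltd", ["Jon Smith"])]:
        result, revealed, score = check_payee(entered, holders)
        print(f"{entered!r:22} -> {result.value:12} {score:.2f} {revealed!r}")
```

Note that a close-match threshold trades false positives for disclosure: lowering it reduces spurious warnings but reveals the stored name to more wrong guesses, which is exactly the privacy tension a data protection impact assessment for such a system would need to weigh.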
Under the new scheme payers will get a warning unless there is an *exact* match between the account name they enter and the actual name of the account for the sort code and account number they give. Exact matches will be rare, because payees often abbreviate the name of their account or make mistakes in it, and payers also mistype such things as punctuation. If most warnings are false positives, fatigue will set in fast. The risk of victim-blaming will be high.
The only satisfactory solution is to show the payer the true account name; and even then, the payer should be at risk only if the mismatch is obvious to a moron in a hurry (to quote a judgment from a different context).
I wonder whether showing the payee account holder's correct name to a payer, when they perhaps don't know the correct name beyond having a reasonable guess, complies with the GDPR. It will be unfortunate if the Confirmation of Payee system turns out to be a method for fraudsters to gain the complete account information for people who didn't supply it in the first place. I assume banks have performed a Data Protection Impact Assessment on each of their CoP implementations, in which case I should be able to get a copy from each of my banks (let's see…)
@Kenneth
I don’t expect the banks will have any difficulty in justifying why they are compliant with the GDPR. One approach would be to say that it’s necessary to comply with the contract (which customers must accept to remain a customer). Another would be to say that there is a legitimate interest in preventing fraud. Given that the Payment Services Regulator will eventually require banks to implement this functionality, banks could argue it’s a legal obligation.
The issue you raise is a potential risk. I do note that some banks will consider requests from customers to opt out, but require justification and won't promise to accept all requests. If you find out anything more, do let me know. I'd be interested to know what legal basis banks are using and how they believe they have mitigated the privacy risks.
(No technical qualifications, just a bystander 🙂)
But what _is_ the name of the account?
Consider an account J H Blog & Miss F Fitz-William. At the moment payments will go into the account under Blog Fitz-William, which is what is intended, but I have no idea what the actual name of the account is to the bank!
This will be up to the recipient bank to deal with. I would hope the bank knows the names of the individual people associated with the account and will accept payments to any of those people (and perhaps some combination of those names). The banks may also have access to the names people have used to refer to accounts in the past (even though these were not checked) and could learn from this data.