From 31 March 2020, the UK’s six largest banking groups will start checking whether the name entered on a bank transfer matches the names of the recipient bank account. It is hoped the move will combat transfer scams and errors and make it less likely customers’ money ends up in the wrong hands.
What is Confirmation of Payee (CoP)?
Currently, when you make an electronic payment you provide your bank with the sort code, account number and the name of the person or organisation you intend to pay. However, despite what many people believe, only the sort code and account number are used to route the payment – the bank does not check the name you entered on the transfer matches the name on the account you are sending the money to.
CoP is in effect an ‘account name checking service’. It is hoped it will help customers make payments safely by checking the name on an account before processing a new “push payment” – these are payments that you initiate and authorise from your account, which are typically internet or phone payments. The rest of this article will refer to scams involving these types of payments as “transfer fraud”.
Why is CoP being introduced?
CoP is being introduced to help customers avoid transfer fraud in which the victim is provided with the bank details of a fraudster rather than the person to whom they believed they were transferring money. Common examples of this kind of transfer fraud include:
- the victim has a legitimate invoice to pay, but the fraudster intervenes (perhaps by intercepting emails or hacking an email account) to convince the victim to redirect the payment to an account they control.
- invoices being tampered with so that the account details for payment are switched to the fraudster’s account. This kind of fraud might be perpetrated from within a business by an employee with responsibility for raising/processing invoices.
- a fraudster masquerades as a CEO or other senior company official and persuades an employee to transfer money to the fraudster’s bank account
- a fraudster impersonating a trusted organisation, such as HMRC, the victim’s bank, or their utility company, and telling the victim a payment is owed.
In such situations the victim will know the name of the person/organisation they believe they are making a payment to, which, if a fraudster has given them false bank account details, is unlikely to match the name on the recipient bank account. Previously, even when the name a victim entered on the transfer request did not match the name on the recipient bank account, the payment could proceed regardless. CoP will now check this and raise warning flags if necessary.
It is also envisaged CoP will address innocent mistakes where incorrect details are entered on a transfer (such a wrong digit in the account number) leading to money being sent to the wrong person’s account.
How will the new system work?
Currently, banks only check whether the sort code and account number entered on a transfer are correct. The CoP service will also check the recipient account name, with three possible outcomes:
- The name on the transfer matches the name on the account: the customer will be told the details match and asked if they would like to proceed with the transfer.
- The name on the transfer partially matches the name on the account (e.g. John Smith vs. Johnny Smythe): the customer will be told the actual name of the account holder and asked to check this. They will then be able to either update the details and process the transaction or cancel the transaction and check the details provided.
- The name on the transfer does not match the name on the account: the customer will be told the name is not correct. The advice will be that the customer check the details and/or contact the person they are trying to pay. The customer will not be told the actual name on the account.
The CoP checks will be made before a new CHAPS, Faster Payment or Standing Order is set up. CoP will not be used on BACS payments, including Direct Debits, for the time being (although this may be considered in the future).
Which banks are introducing the new checks?
The following banks (which comprise the UK’s six largest banking groups) have been directed by the Payment Systems Regulator to fully implement CoP by 31 March 2020:
[bullet point in columns, 3x3 maybe?] Bank of Scotland, Barclays, HSBC, Lloyds, National Westminster, Nationwide, Royal Bank of Scotland, Santander, Ulster Bank.
What could the impact of CoP be?
The stated aim behind the changes is to provide greater protection from fraud. Figures released by banking body UK Finance indicate transfer fraud was up 40% in the first six months of 2019 compared to the previous year, so any action which tackles this frankly worrying rise is extremely important for banking customers.
While CoP will not prevent every single case of transfer fraud, one obvious sign of a suspicious transaction is the recipient account name not matching the name of the recipient to whom the victim thought they were making a payment. CoP will flag this, which will add an extra layer of security and make life more difficult for fraudsters.
An unintended consequence may be that small errors made when entering the account name on a transfer could prevent transactions being processed promptly. Companies, individuals and their legal advisors may have to be extra vigilant to ensure time critical transfers are not delayed.
The new protocol also raises the possibility that where a bank has failed to complete or introduce the proper CoP checks, a victim of fraud might have stronger grounds for bringing claims against the bank in an attempt to recover lost funds.
Combatting fraud is an on-going battle and it is regrettably the case that more sophisticated security often leads to more sophisticated scams. However, the introduction of CoP is a positive step and will hopefully provide better protection for banking customers against transfer fraud.