By Trevor Clawson.
More than £140m was stolen from UK bank account holders in the first half of this year through so through so-called “push payment” scams. In response to growing concern about the scale of the problem, the organisation responsible for overseeing much of the transfer of money between accounts is stepping in with a new set of rules designed to make it much harder for criminals to operate and for wronged customers to get recompense.
The “push payment” fraud is essentially an old-fashioned con-trick, redesigned for the age of instant cash transfers. Essentially, the term describes any scam that involves a criminal persuading a victim to willingly transfer cash between one bank account and another – something that can be done quickly via online or mobile banking.
Simple but Sophisticated
The fraudsters typically pose as legitimate organisations or individuals that the victim will know. For instance, the fraud may begin with a phone call – apparently from a bank – saying the customer’s regular account has been frozen due to suspected fraud. The caller then invites the victim to transfer money from the frozen account into another one that supposedly can be used.
And there are many variations on the theme – some more subtle than others. The caller may be a local business – say a builder – asking for early payment of a bill to pay for materials. Or the scam could take the form of an email that appears to be from a friend, saying that he or she has been mugged while abroad and asking for an emergency transfer of funds to get home.
Some of these frauds may require a considerable amount of information about the victim – such as details of friends or business relationships – which is often gleaned through hacked emails or even social media posts. So although the con is simple, the execution can be highly sophisticated.
And here’s the thing. Con tricks work. They always have done and always will do because the fraudsters are clever and experienced, so this crime isn’t easy to stop. However. Pay.UK – which creates and maintains the technology infrastructure that makes online payment – has stepped forward with a deceptively simple answer.
The Name Problem
As things stand today, when an individual sends money from one account to another, the bank and the payments operator are only really interested in two pieces of information – namely the bank account number of the payee and the sort code.
And that’s a problem. The person making the payment may see that a payment is apparently being made to ‘Bob’s Building Services’ but as only the account and sort numbers are checked during the payment process, the receiving account may belong to someone else entirely.
But under a new system dubbed Confirmation of Payee and due to be introduced in 2019, life will get harder for the fraudsters.
Once the additional safeguard is introduced, when you set up a new payment from your account or amend an existing one, you will be able to ask for a check on the name of the person or organisation that money is being sent to.
And as Pay.UK sees it, there are three possible outcomes. The account name matches the name of the person you think you are paying and all is hunky dory. Alternatively, the name of the payee may be a close match and the bank will send you further details that should enable you to confirm whether or not this is a legitimate person or organisation. And if there is no name match between the apparent and the holder of the account, your bank will advise you to make further checks.
Or as Steve Porlock, Chief Executive of Pay.UK puts it:
“Confirmation of Payee will let you check you have the correct name for a person or business, giving better protection against certain types of fraud.”
It’s Up to You
However, as Pay.UK makes clear, while the bank will do the name-checking, it is the customer who will make the final decision on whether to press ahead with a payment. In other words, you will be given information and from there it will be up to you to make the judgement call.
It would be wrong to suggest that is a foolproof shield against bank account fraud. For one thing, there are other types of scam in the armoury of scammers. Bank account fraud cost UK consumers and businesses an estimated £500m in the first six months of this year, according to financial services industry trade body, UK Finance, and only £145m fell into the “push transfer” category.
As Pay.UK points out, there are certain scams – such as purchase frauds – that the Confirmation of Payee system can’t address. To take an example, purchase frauds involve customers being asked to pay in advance for goods or services that don’t exist. That might be an advance payment a roof repair that will never happen or a fictional hotel room. In these cases, fraudsters can set up apparently legitimate accounts for as long as it takes to accrue enough money to make the fraud worthwhile. Cross-checking the account name won’t necessarily help.
Better Treatment by Banks
However, Confirmation of Payee will not only help bank customers avoid push transfer fraud, but those who take advantage of the facility may also be treated more sympathetically by their banks.
Until now banks have been reluctant to offer recompense to victims of push transfer fraud, taking the view that the customer should have been more careful. However, Pay.UK says those who cross-check names will have a better chance of financial redress.
“It is anticipated that any customer who has taken due care and received a positive name match through Confirmation of Payee will get greater protection from financial loss,” the organisation says in a statement.
Stepping back to look at the bigger picture, the Payment System Regulator has set out a new code, dubbed the Contingency Reimbursement Model. This describes the circumstances under which banks should offer redress to defrauded customers. There will be no guarantee of compensation but when disputes arise between banks and their customers over who should take responsibility for a fraud – or to put it another way, who should take the financial hit – then the industry ombudsman should take code into consideration when it makes its judgement.
Simple measures. It’s perhaps surprising that no one thought of them sooner.