Published on 14 November 2018
We made a presentation on 8th November to Vendorcom’s Special Interest Group on Faster Payments about the vulnerability that fraudsters exploit in the Faster Payments system which enables Authorised Push Payments Fraud, and how none of the New Payments Architecture, Confirmation of Payee, or the Contingent Reimbursement Model will resolve it.
You can download the slide deck here.
Faster Payments is the main completion channel for Authorised Push Payments Fraud, yet fraud statistics list “Authorised Push Payments Fraud” separately from fraud using eBanking channels (like mobile, PC, telephone).
The outcome of a fraud through an eBanking channel is normally a Faster Payment to a fraudster’s account at a reachable PSP. Open Banking is a new eBanking channel, and its only payment outcome is a Faster Payment.
The proposed “Request to Pay” service is an open invitation to invoice fraud, and its outcome is a Faster Payment.
The Bank of England’s policy of pushing payments it regards as not systemically important off CHAPS has led to a much higher Faster Payments system limit, and in its train to frauds of much larger size.
The central flaw in the Faster Payments system that enables all of this is the absence of a name-check at the beneficiary bank: nobody checks that the payee name stated in the payer’s payment order is coherent with the name on the account identified by the Sort Code and Account Number that the payer gave. Processing at the beneficiary bank is on the Sort Code and Account Number alone.
Fraudsters can send invoices and payment requests quoting a legitimate name, but their own account details. Since a Faster Payment is instant and irretrievable, the fraudsters clear out the beneficiary account straight away – without recourse!
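As an added illustration (not code from the post, nor from Pay.uk or any Faster Payments participant), the Python sketch below simulates the beneficiary-bank credit step in two forms: the one the post describes, which resolves the credit on Sort Code and Account Number alone, and one that additionally checks the payee name in the payment order for coherence with the account holder’s name and holds a mismatch for review instead of settling it irretrievably. The ledger, names, sort codes, account numbers and function names are all constructed for the example.

```python
"""Added example (not from the original post): a simulated beneficiary-bank
credit step, contrasting processing on Sort Code + Account Number alone with
processing that also checks the payee name against the account holder's name.
All account data and names below are constructed."""
from dataclasses import dataclass
import re

# Constructed sample ledger keyed by (sort code, account number) -> holder name.
ACCOUNTS = {
    ("40-12-34", "12345678"): "ACME BUILDERS LIMITED",
    ("40-12-34", "87654321"): "J SMITH",
}

# Company-form suffixes that should not defeat a match on the trading name.
_SUFFIXES = {"LTD", "LIMITED", "PLC", "LLP"}


@dataclass(frozen=True)
class PaymentOrder:
    payee_name: str       # the name the payer believes they are paying
    sort_code: str
    account_number: str
    amount_pence: int


def normalise_name(name: str) -> str:
    """Uppercase, strip punctuation and drop common company suffixes so that
    'Acme Builders Ltd.' and 'ACME BUILDERS LIMITED' compare equal."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def credit_by_account_only(order: PaymentOrder) -> str:
    """Processing as the post describes it: the payee name is never consulted,
    so any order carrying a valid sort code and account number is credited."""
    if (order.sort_code, order.account_number) not in ACCOUNTS:
        return "REJECTED_NO_SUCH_ACCOUNT"
    return "CREDITED"


def credit_with_name_check(order: PaymentOrder) -> str:
    """Same lookup, but the stated payee name must cohere with the account
    holder's name before the credit is applied; a mismatch is held for review
    rather than settled."""
    holder = ACCOUNTS.get((order.sort_code, order.account_number))
    if holder is None:
        return "REJECTED_NO_SUCH_ACCOUNT"
    if normalise_name(order.payee_name) != normalise_name(holder):
        return "HELD_NAME_MISMATCH"
    return "CREDITED"


if __name__ == "__main__":
    # Order quoting the supplier's name with the supplier's own account.
    genuine = PaymentOrder("Acme Builders Ltd.", "40-12-34", "12345678", 12_500_00)
    # Order quoting the supplier's name but a different account (the pattern
    # described in the post): credited by the first routine, held by the second.
    diverted = PaymentOrder("Acme Builders Ltd.", "40-12-34", "87654321", 12_500_00)
    for label, order in (("genuine", genuine), ("diverted", diverted)):
        print(label, credit_by_account_only(order), credit_with_name_check(order))
```

The name comparison here is deliberately simple (exact match after normalisation); the point it makes is structural: without a name check at the beneficiary bank, the only fields that decide the credit are the two the fraudster controls.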
The proposed “Contingent Reimbursement Model” confers far weaker rights on the payer than they have under PSD2 when a “payment instrument” is used. This is a yawning gap in consumer protection, and the contingencies within the Model can be expected to limit payouts to fraud victims in practice.
“Confirmation of Payee” was originally an “overlay service” on top of New Payments Architecture, but now it has been detached from it, and Pay.uk have put a narrow scope around their own responsibilities for it. It has a weak roll-out plan with uncertain reachability, and it will not be carried out on every payment.
The industry plan, orchestrated by Pay.uk and the Payment Systems Regulator, is badly adrift:
- Faster Payments has a central flaw which should be remedied as an absolute priority;
- Confirmation of Payee is a distraction which serves only as a Confirmation of Vulnerability;
- the Contingent Reimbursement Model is a very weak offering, given the nature and scale of the problem.
Until the central flaw in Faster Payments has been remedied, the system should not be:
- the receptacle for the payments that the Bank of England wants to move off CHAPS;
- elevated in importance above other payment systems, as is proposed under Pay.uk’s New Payment Architecture;
- the universal settlement layer for retail payments (also proposed under New Payment Architecture);
- the basis for further new payment products like Request to Pay.