Project Carlton has been conceived as a stock take of the efforts to reform the UK payments business since 2014 and to evaluate the case for a change in direction.
The reform efforts have been spearheaded by the Payment Systems Regulator and its creature the Payment Strategy Forum, involving a supporting cast of hundreds, including several other official or authority bodies: HMTreasury, the Bank of England, the Open Banking Implementation Entity, Payments UK/UK Finance, the Payment System Operators Delivery Group, and New Payment System Operator/Pay.uk, to name but the main ones.
The cupboard is bare. No assets of value have been created. This enterprise should be put into liquidation.
Our sponsor has endorsed that a version of the Project Carlton research be put into the public domain, after it was circulated to a number of interested parties in Q3 2018.
With so many individuals and organisations having been involved in the reform efforts, it is unlikely that any notice will be taken of this research. We will have to wait for the wheels to fall off for that to happen, and the proponents have conveniently (for them) plotted out a multiyear roadmap in which the proof of failure can be expected no earlier than 2024, at which point they will have tucked a further nice few years of salary, benefits and pension entitlements under their belts.
Our main recommendation is that the UK’s “pull” payments products – like cheques and direct debits – be pulled out from the New Payments Architecture project such that they do not become dependent upon it and they do not have to clear and settle as Faster Payments, a “push” payment product.
The only good thing that has happended recently is that the Financial Ombudsman Service found in favour of the consumer in a test case for payment fraud involving Faster Payments. This test case puts a line through Confirmation of Payee, the Contingent Reimbursement Model draft code and most of the rest of the PSR’s multi-year response to Authorised Push Payment Fraud in respect of one type of fraud perpetrated on consumers. The decision gives the customer a near-absolute – not a contingent – right of reimbursement, without their having to use Confirmation of Payee, and dependent only upon their bank being unable to prove they acted with gross negligence or similar. The burden of proof is on the bank, not the payer.
The decision brings the protection for the consumer under that type of fraud up to the same level as if they had used a card – a “payment instrument” – and into line with the intentions of Payment Services Directive 2, the UK transposition of this Directive have inexplicably failed to apply this level of protection to all types of payment that were in-scope of the Directive and to the benefit of all types of end-user.
It will take some time for the protection to be extended, through further test cases in front of the Financial Ombudsman Service, to the other important types of fraud committed on consumer customers, and further time still for it to be extended to business customers. Indeed, far from all business customers can make a claim to the Financial Ombudsman Service.
In the meantime we await the results of the PSR’s consultation on the rollout timing of Confirmation of Payee, and the results of the related consultation on the Contingent Reimbursement Model draft code, but without holding our breath. Banks are having to work on the same set of applications as would be affected by Confirmation of Payee to implement the European Banking Authority Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Communication and even if they were not, Confirmation of Payee is unproven in one vital respect.
No-one knows how many Confirmation of Payee requests will result in the “No match” or “Partial match” responses that negate the customer’s coverage under the Contingent Reimbursement Model draft code should the customer then choose to go ahead, make the payment and be defrauded. Since the Payee line in Faster Payments is limited to 18 characters, since many bank current account systems are antiquated and have their own routines for storing the name, and since business payees may use a variety of trading names that differ from the name on an account in the bank’s system, it is not beyond the realms of possibility that Confirmation of Payee requests will result in only 5% “Match” responses and 95% spread across the other two responses, including a large batch of “false negatives”: the account does actually belong to the correct entity but the naming does not match.
If that proves to be the case, Confirmation of Payee will be dead-in-the-water and the Contingent Reimbursement Model draft code a dead letter as a consequence.
Given the experience of the last five years, that result would come as no surprise at all.