New Payment System Operator (“NPSO”), the organisation charged with delivering the UK’s New Payments Architecture (“NPA”) and the “End User Needs” services dependent upon it, seems to be backing away from its sense of responsibility towards “Confirmation of Payee”, or “CoP” for short.
The CoP service is where a payer confirms that the payee they already stated in their payment order is the payee that should receive the money and not someone else entirely.
Leaving aside firstly the nonsense as to why the payer has to repeat part of their payment order and secondly the fact that CoP is a sticking plaster over an entrenched vulnerability within the Faster Payments system, CoP has been a core part of all the project stages since 2014 that led to NPSO’s creation, and has been endorsed by NPSO executives multiple times along the way, albeit wearing a series of hats as the project progressed.
NPSO’s stance bears out an intrinsic flaw in the “layered market model” of which NPA is an example: market actors can point at one another, in the same layer, or in other layers, to shift responsibility for failure. They can CoP-out of commitments which, if not explicitly made, were strongly implied and – most important – were accepted by others as commitments.
CoP has been sold by the Payment Systems Regulator (“PSR”) to the Treasury Select Committee as a 2018 deliverable to solve Authorised Push Payment fraud (“APP fraud”). It is therefore unacceptable that NPSO take any other stance than that they must deliver it, soon, and as written.
This imperative is belied by the NPSO Board Meeting of 6th June 2017. It is recorded in the minutes under para 135, “End-User Council Report”, that the Board first noted the summary report and the minutes of the 16th May meeting of their End-User Advisory Council.
On CoP, Matthew Hunt – NPSO’s COO – then went on to say that the manner in which this regulatory initiative interacted with another regulatory initiative – called “the liability model” – was the root cause of some of the complexity around CoP. Then a portion was redacted on the grounds of commercial sensitivity. Finally there is a bald statement that “The Board agreed that a way forward was required but that it was not NPSO’s responsibility to come up with the solution, it could only create the standard on which the industry would build”.
It is unacceptable that NPSO should term CoP a “regulatory” initiative. This is the first element in the CoP-out. CoP was born and lived for 3 years as a commercial initiative, and has only become “regulatory” since November 2017 when the PSR quoted CoP as one of “their” initiatives on APP fraud, in apparent desperation to dredge up some credible response to the Which? super-complaint on this subject and to demonstrate that they had not been asleep at the switch.
Which? lodged their super-complaint in September 2016. The PSR’s first emission of substance came under a press release of 16th December 2016 which was misleadingly entitled “PSR kick-starts industry-wide effort to tackle payment scams”, as if the PSR had taken the first initiative.
The PSR laid out a programme of proposed work and then reported on it 11 months later. An action plan of 11 points was set out in a chart on p5 of its report published under a press release of 7th November 2017. CoP featured as one of the “Prevention” measures, and was labelled as “Starting 2018”.
The presentation of this list of actions implied both that they were new actions and that they had been framed as a direct response to the Which? super-complaint. In fact the 11 actions were a compendium of pre-existing work undertaken for a variety of reasons, with just one or two actions specific to this topic. 6 out of the 11 streams – including CoP – had already been underway for some time within the Payment Strategy Forum (“PSF”) and were not directly triggered by the super-complaint. The PSR behaved much like Valerie Singleton when cooking for “Blue Peter”: “Here’s one I made earlier” and then “Here’s another one I made earlier”, followed by another and another.
One wonders whether the PSR seriously believed and believes that CoP will be “Starting 2018”. On 23rd January 2018 Hannah Nixon of the PSR gave oral evidence to the Treasury Select Committee in answer to Qu 35 from John Mann: “When will confirmation of payee be brought in?”.
The answer was: “The standards are being worked up as we speak. They should be in place by mid-year. We want to see banks starting to use that functionality later this year”, and John Mann said: “Later this year we should expect to see it and you will be taking action if that has not happened”.
Hannah Nixon’s statement would surely be taken by the committee members as meaning CoP would be in production in 2018, and yet this does not square with CoP being an “overlay service” on the back of NPA, as Hannah Nixon must have known: the PSF was the PSR’s creature and the PSF drafted NPA with this interdependency. NPA is a multi-year project and will probably not exist in stable production before 2021, only after which the “overlay services” like CoP can come into being.
The CoP timeline fits with this relationship between CoP and NPA.
NPSO has only just issued a “call for industry views” on the initial CoP logical Application Programming Interface specification. Note “initial”, not “final”, and “logical”, not “technical”. This is an early specification of the business model using Unified Modelling Language, one of the steps on the way to producing a final, technical specification in ISO 20022 XML and a service rulebook.
It can take a year from this stage for the final technical specification and rulebook to be signed off, if we are only now looking at an initial logical specification. In fact a year would be quick, given previous experience in the Eurozone (on the Single Euro Payments Area project) which used the same methodology. Then the results have to go through development, testing, implementation, conversion, roll-out and post-conversion support at many market actors before the new service can be said to exist “in stable production”. In this case testing involving multiple market actors must be on the agenda, and not just testing by individual market actors within a closed testing environment. It is important that CoP be in place between all payment service providers who are reachable via Faster Payments. Otherwise the scammers will target the institutions not live on CoP and open accounts there: this is a service that is vulnerable to the lack of comprehensive coverage.
To roll CoP out comprehensively across the universe of the UK’s 1,400+ payment service providers (including credit unions and Open Banking intermediaries), we have to be considering a 3-year timeline from the point when the specifications are finalised, which would fit in with its being an “overlay service” on the back of NPA. Roll-out would then be in 2022.
So we are a ways away from having a service specification, and we are years away from being in production.
But it isn’t even this good: we are a ways away from having certainty that the service is even feasible from a legal and regulatory point of view.
The NPSO Board Minutes of 2nd May 2018 against point 97 contained a laundry list of issues of a legal/regulatory nature that stand in the way of CoP: “disclosure of personal data, fraud, PSD2, privacy and consumer protection”.
After 4 years of work on CoP, then, we do not know if the service is even feasible.
“…and it’s not our fault”, seems to be NPSO’s stance.
This does not hold water. CoP was conceived as part of the World Class Payments project run by Payments UK in 2014/15. There is a graphic on p10-11 of the project’s Initial Report and CoP appears on it.
The Programme Director of the World Class Payments project was a Mr Timothy Yudin, who is now “NPA Lead” at NPSO. P19 of the project’s Initial Report states “We would like to thank all the following organisations for their invaluable input” and quotes Nationwide Building Society, where NPSO’s current CEO Paul Horlock was Head of Payments, the role he occupied then and while he was a member of the Payment Strategy Forum, until he switched over to NPSO in October 2017.
Mr Yudin kept the CoP flame alive during Payment Strategy Forum Phase 1 “Strategy Setting”, as a member of the “End User Needs WG”. CoP appears as one of the recommendations of this WG on p15 in the draft strategy of July 2016 (under the name of “Assurance Data”), and it appears on p32-33 of the final strategy of November 2016 (named this time as “Assurance Data/Confirmation of Payee aspect”).
Under Payment Strategy Forum Phase 2 “Design and Implementation”, CoP was allocated into the “NPA Development Hub” stream, co-chaired by Paul Horlock, who was co-signatory of the NPA Project Initiation Document of May 2017. Point 3.2 on p8 makes the NPA project unequivocally responsible for the development of the rules and standards for CoP, up to and including transition but not after it.
The paper trail is completed by point 2.3 p32 of the NPA Blueprint that went out to consultation in July 2017, and finally by part 4 p38-59 of the “End User Requirements and Rules Blueprint” component of the final NPA Blueprint that was handed over by the “NPA Development Hub” to NPSO in December 2017 for implementation.
The co-chair of the “NPA Development Hub” by then also being CEO of NPSO, Mr Horlock could have saved time by just handing the documents to himself.
The chain of responsibility is clear: NPSO as owner of NPA must now deliver CoP, whether they regard it as a regulatory initiative or not. NPSO executives have framed CoP, nurtured it, recommended it, endorsed it, all the while within programmes that occupied the crease in the UK payments landscape, and which – due to their wide apparent participation and claimed support – precluded any private initiatives from developing in the same market space.
Having squatted on the pitch for 4 years and queered it for others, they now have to go one step beyond framing, nurturing and so on. They have to deliver.
Washing one’s hands of responsibility for getting CoP to fly at this very late stage and making out it is the “industry” that has to deliver does not hold water. That is a prime example of a CoP-out.