Time to act on "Authorised Payment" Fraud

The ending of free Covid Tests and the start of campaigns to get householders to sign up to Direct Debits in order to “automatically” receive energy rebates will lead to another wave of attempts, via phone, text and e-mail, to get us to click on links to bank accounts pretending to be those used by Government Agencies and/or Local Authorities. Warnings and guidance like this, from Which, are welcome. But the problems are not confined to topical frauds on the back of public announcements. The problem is endemic, from convincing exercises to intercept and re-route payments via solicitors for house purchases to job frauds, where the new employer, who may or may not be genuine, wants the applicant's bank details to supposedly “prove” their right to work in the UK and/or pay the new employee.

The time has come to extend the scam-checking services introduced by the UK’s largest banks last year and make them mandatory on all banks connected to the UK faster payment systems, not just the top six. This will not end the problem completely, but should reduce it by over 90%. Allied to other measures it will also make it very much easier to halt fraud and money-laundering in transit and trace those involved.

I am indebted to John Bertrand, a fellow liveryman of WCIT (who identified the potential for automatically blocking such frauds and identifying the bank accounts used by the culprits over a decade ago), for the proposal below. It is based on the recent recommendations of the Payment System Regulator and has been submitted to Government via the Conservative Policy Forum New Ideas Forum. Hence the format.

Policy Title: Mandate Confirmation of Payee to halt the rise of Authorised Payment Push Fraud

Statement of the Problem

The Payment Systems Regulator recorded £355 million of reported APP (authorised payment push fraud) in the first half of 2021. APP fraud, for the first time, exceeded the Credit Card Fraud total of £262 million in the same period. APP fraud grew by 70% while Credit Card fraud fell by 9%.

Given that APP fraud is safer for the criminal, can be conducted at scale and the fraudster is not seen, it is not surprising that burglary is in decline. In addition, there is a 1 in 20 chance of burglary conviction compared to 1 in 500 for APP Fraud. By 2024 APP Fraud victims will exceed those of burglary; both crimes are deeply intrusive.

APP Fraud is the choice for criminals as they can perpetrate the crime without showing who they are, using fake emails, texts, phone numbers and adverts on social media platforms. The Police cannot touch them until the money has moved into the fraudsters’ accounts. By then, in seconds, the money has gone.

The one thing the fraudster must have is a bank account.

Without action, by 2023, APP Fraud is a £2 billion yearly crime with 800,000 people (plus their loved ones) feeling deep emotional and financial distress. At least 40% of APP Frauds are not reported and are missing from UK Finance figures.

There are three stages to APP scams:
  1. Getting the victim's attention
  2. Getting the victim to set up the fake company or person (the payee bank account) on their online banking app, or asking the victim for access to that app
  3. The victim makes the payment from their (Payer) bank account to the fraudster (Payee) bank account by Authorised Payment Authorisation (APP). The payment is delivered in seconds. On arrival, the fraudster immediately uses faster payments to send monies to other UK bank accounts, then internationally via IBANs (International Bank Account Numbers). IBANs also do not use CoP (Confirmation of Payee).

Under current law it is only when the fraud has happened, when the money has moved into the payee bank account, that the Police can act. That is too late. The money has already vanished and banks in the chain – the payer bank, the fraudster payee bank and the fraudster payer to another bank account – blame the customer.

On Feb 20 2022 the Sunday Telegraph reported a scam of a student going to University (£6,000 stolen in an NHS Covid scam). The fraudster used one of the new digital banks, Revolut, which, acting like a traditional bank, offered no reimbursement.

Proposal

The Payment System Regulator (PSR) recently reported on its consultation on Authorisation Payment Push (APP) Scams. The PSR became operational in 2015, the year an Exeter vet lost £47,000 after fraudsters, pretending to be his solicitor, changed the sort code and bank account details to their account but used the solicitor’s name.

This scam is very popular and money continues to go to fraudsters instead of HMRC, Amazon, NHS, etc. The banking payments industry, outside 6 banks (Barclays, HSBC, Lloyds, TSB, NatWest and Nationwide), does not currently validate ownership of the payee bank account, a check known as Confirmation of Payee (CoP).
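As an added illustration (not part of the original proposal), the example below shows the kind of ownership check CoP makes at the payee's bank, applied to the solicitor-impersonation scam described above: the name the payer types is compared with the name registered on the sort code and account number. The account directory, names, result labels, ignored-word list and similarity threshold are all constructed assumptions; each bank sets its own matching rules.

```python
import re
from difflib import SequenceMatcher

# Constructed directory held by the payee's bank:
# (sort code, account number) -> registered account holder.
ACCOUNTS = {
    ("40-00-01", "12345678"): "Harbour & Finch Solicitors LLP",  # genuine firm (made up)
    ("40-00-02", "87654321"): "J Smith",                         # fraudster's account (made up)
}

# Words ignored when comparing names (assumed list, for illustration).
NOISE = {"ltd", "limited", "llp", "plc", "mr", "mrs", "ms", "dr", "and", "the"}


def normalise(name):
    """Lower-case, strip punctuation and drop titles/company suffixes."""
    tokens = re.findall(r"[a-z0-9]+", name.lower().replace("&", " and "))
    return " ".join(t for t in tokens if t not in NOISE)


def confirm_payee(sort_code, account_number, entered_name, close_threshold=0.8):
    """Compare the name typed by the payer with the registered holder."""
    holder = ACCOUNTS.get((sort_code, account_number))
    if holder is None:
        return "UNAVAILABLE"              # account cannot be checked at all
    entered, registered = normalise(entered_name), normalise(holder)
    if not entered:
        return "NO_MATCH"                 # nothing meaningful was typed
    if entered == registered:
        return "MATCH"
    score = SequenceMatcher(None, entered, registered).ratio()
    return "CLOSE_MATCH" if score >= close_threshold else "NO_MATCH"


if __name__ == "__main__":
    attempts = [
        ("40-00-01", "12345678", "Harbour and Finch Solicitors"),    # genuine details
        ("40-00-01", "12345678", "Harbor Finch Solicitors"),         # payer's typo
        ("40-00-02", "87654321", "Harbour & Finch Solicitors LLP"),  # swapped details
    ]
    for sort_code, account, name in attempts:
        print(sort_code, account, name, "->", confirm_payee(sort_code, account, name))
```

The third attempt is the scam pattern: the payer has the right name but the fraudster's sort code and account number, so the check returns a mismatch before any money moves.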

With the continued advances of technology and COVID, the UK is now one of the largest users of online commerce. The UK Government first introduced instant payments between UK bank accounts and is being copied globally, with 70 countries expected to offer faster payments by 2025.

To improve the safety of the payee account, universal Confirmation of Payee (CoP) is needed. When CoP was introduced in the Netherlands, by banks, APP Fraud reduced by 90%.

The Payment System Regulator (PSR) mandated 6 banks representing 85% of intra-UK payments to use CoP. Fraudsters reacted to this by opening bank accounts with banks not using CoP.

The 2022 PSR consultative paper suggests that 14 banks covering 95% of payments be mandated, up from the current 6 banks. Fraudsters would then migrate to over a hundred non-CoP banks, covering £125 billion in payments.

To stop APP Fraud in banking the following is recommended:
  1. Require all 36 Banks and Payment Service Providers acting as Faster Payments Direct Connects (DC) to use Confirmation of Payee. This would give 100% cover as all faster payments go through a DC. CoP Compliance would be part of the agency agreement.
  2. Mandate APP Fraud reimbursement, replacing the existing voluntary policy, and target 90% of APP Frauds under £10,000 to be reimbursed within 30 days.
  3. Mandate the use of suitable third parties (e.g. via UK Finance or CIFAS) to analyse the ownership of fraudster bank accounts to identify who they are, where they operate from and their level of activity, to enable bank investigators to stop the fraudsters.

Most bank and Police fraud investigations target the biggest and most egregious amounts defrauded. The average APP Fraud is typically under the cost of an investigation by the bank or the Police. This makes the investigation of small frauds uneconomic, given the cost and low chance of monies being recovered.

Objectives

The objective is to create a consistent approach by mandating compliance over what is required in having a bank account with faster payments. Banks, their customers and Police can then better work with each other against the online fraudsters.

The actual movement of the payment to the fraudster bank account is the pivotal step. A mandatory framework will enable Banks to better service and protect their customers and collaborate in catching the real culprit, the fraudster. By collectively compiling lists of probable criminals they can help intelligence-led policing to greatly reduce APP Fraud.

Potential Unintended Consequences

The rapid move to online banking accelerated by COVID has exposed underlying weaknesses in the banking and payment infrastructures. The rapid growth of APP Frauds saw UK Finance request Government help. Failure to mandate action means those banks that do not act will continue to blame their clients and help facilitate the acceleration of APP Fraud. They will also become the banks of choice for fraudsters, increasing APP Fraud on the smaller banks' customers instead of reducing it.

Costs and costing rationale

Current data indicates that victims pay 60% and the banks 40% of the cost of APP Fraud. In addition, with the cost of fraud investigation and prevention spread over 50 million bank accounts, this costs the banking industry £16 per bank account.

In 2014 a working group hosted by the DPA (Digital Policy Alliance) working with faster payment data from six banks established that 75% of fraudulent payments could have been stopped in real time and many mule networks found.

To prevent real time scamming banks need to use cloud technologies with API interfaces for rapid installation alongside their legacy systems. These will enable the banking industry to prevent online fraud as it happens. Cloud technology, using existing off the shelf technology, could decrease APP Fraud by 90%.

Long-term impact

Reduce APP Fraud by 90% and the UK becomes a world leader in how to handle APP Fraud. This expertise is very valuable to 70 countries installing instant payments.

Department Responsible

Treasury, Home Office and the Bank of England

Mechanism for Evaluation

UK Payments analyses of reported fraud. MORI and other analyses of trust in Banking, Government and Police

Accountability for Implementation

Payment Systems Regulator and Pay.UK (the UK retail payment regulator).

What criticism should we expect

Why has it taken the Government so long to support and/or mandate actions identified as necessary a decade ago? Meanwhile criminals have moved on-line, en masse, and threaten confidence in the on-line world, which Government is actively pursuing.