Authorised Push Payment (APP) fraud is increasing in Australia;
The introduction of Open Banking and the development of APIs in Australia provide an opportunity to consider introducing an ‘account name checking service’;
While such a service could reduce APP fraud, implementing an ‘account name checking service’ raises several challenges that industry needs to consider.
POINT OF VIEW
Scamwatch data shows scams cost Australians half a billion dollars in 2018, a $149 million increase from the year before. At the Fraud in Banking meeting in March, financial institutions nominated the increase in losses from Authorised Push Payment (APP) Scams in particular as their most significant issue.
APP scams are characterised by people being tricked into authorising a payment to an account that they believe belongs to a legitimate payee – but is in fact controlled by a scammer.
One of the reasons these scams are possible is that people currently have no mechanism to check whether the BSB and account numbers that they have been provided belong to the intended recipient.
UK research suggests people understand that there is a risk involved in making online payments and that it is not always easy to retrieve money which has been sent to the wrong place. However, that research also showed that some participants thought that the names that they enter were already being checked by the banks when sending payments. The banks are in fact not currently able to check the name of the person or organisation a payer plans to send money to. Rather, they focus entirely on the BSB and account number.
There is a range of possible solutions to address APP scams that industry could consider. One option that has gained some prominence is a service that checks whether the name entered by the payer matches the name registered against the account number that they intend to send money to. This is supposed to give payers greater assurance that they are sending their payments to the intended recipient.
There are various models of ‘account name checking services’, but they generally work by giving banks the ability to check the name on the account of the person or organisation being paid and then letting the payer know of the outcome of this check. The bank can then advise the payer on the best way forward.
For example, if a payer was intending to pay ‘Juan Smith’ and they entered this name against the BSB and account number they had been provided, there are three possible outcomes:
MATCH – the account name checking service has confirmed that the name and account details provided match, and the payment is safe to proceed by that measure;
CLOSE MATCH – If the system’s check detects a partial match, it may display the actual name that is on the account to the payer. They will then be able to decide whether or not to proceed with the payment. If the name plays back as ‘Juan P. Smith’, the payer may decide that this is an account belonging to the person they expect. However, if it plays back ‘Jill Smith’, they may decide to double check with the intended recipient before proceeding.
NON-MATCH – The name entered does not match the name that is registered against the account details. This does not necessarily mean that an APP scam is being attempted; it is possible, for example, that the intended payee has given a bank account that is registered under a company name instead of their personal name, or the payer may have entered incorrect account details. The payer will be informed of the non-match, and beyond that there are several options that different forms of this system could present. Some options include:
The bank may or may not play back the name that is in fact registered against the bank details provided;
The bank may allow the payer to acknowledge that the details don’t match and provide the options to authorise the payment regardless;
The bank may choose to prevent a payment being made in the event of a non-match.
Account name checking services rely on the sharing of certain data between banks that hasn’t, until recently, been occurring.
The introduction of Open Banking in Australia provides an opportunity to consider introducing an ‘account name checking service’ here, potentially on an optional basis, without a significant infrastructure upgrade to any of the payments systems that could incorporate it, such as BECS and the New Payments Platform.
The United Kingdom is well advanced in their implementation of a version of ‘account name checking’ called Confirmation-of-Payee. Industry in Australia will be watching their experience closely. In particular the development of the voluntary Contingent Reimbursement Model Code for Authorised Push Payment Scams, which came into effect on 28 May 2019 in the UK, may influence regulators in Australia.
The UK’s experience is showing that there are some significant challenges for the payments industry to grapple with if an ‘account name checking service’ were to be successfully implemented in Australia.
Susan Allen, head of retail business banking at Santander UK, has said that implementing the changes required under the confirmation of payee initiative is "a bit more complex than it sounds". Payment institutions have to make changes across all their customer channels, including online and mobile services, ensure that changes "link into the payment systems", and make further system alterations "to be able to receive messages in from the other banks and then present them back to the customers in whatever channel the customer chooses", Allen said.
Some of the other challenges associated with the implementation of any ‘account name checking service’ include:
One of the biggest barriers to implementation is the need to achieve agreement on a strict set of guidelines to ensure consistency.
For example, payers entering the same details for one payee – e.g. ‘J Smith’ instead of ‘Juan Smith’ must have the same outcome across banks. If there is inconsistency, it risks causing confusion and overall distrust in the service.
Reaching agreement on the wide-ranging potential variables that could be classified as ‘close match’ scenarios will be difficult. For example, Pay.UK’s research found that a typo of Toby vs. Tony was considered acceptable by some, and unacceptable by others. Joint accounts, maiden names, abbreviations, middle names, long and unusual names, common misspellings, and company names are just some of the details on which reasonable minds could differ.
Pay.UK’s research shows that there was agreement on the need for consistency, but they found no clear way to decide how close a match needs to be in order to be considered a ‘close’ match, and have a name played back to the user.
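The three outcomes described earlier and the consistency problem raised here, as an added example that is not part of the original article: a Python sketch that classifies a name check and shows how two banks with different ‘close match’ thresholds disagree on the same input. The bank names, thresholds, character-similarity scoring and sample names are assumptions made for illustration, not any scheme's actual matching rules.

```python
import re
from difflib import SequenceMatcher

# Hypothetical per-bank thresholds; the article notes there is no agreed value.
BANK_THRESHOLDS = {"bank_a": 0.65, "bank_b": 0.85}


def normalise(name):
    """Lower-case, strip punctuation, collapse whitespace (ASCII-only sketch)."""
    return " ".join(re.sub(r"[^a-z\s]", "", name.lower()).split())


def check_payee(entered, registered, close_threshold):
    """Return (outcome, played_back_name, score) for one name check."""
    a, b = normalise(entered), normalise(registered)
    score = round(SequenceMatcher(None, a, b).ratio(), 3)
    if a == b:
        return "MATCH", None, score
    if score >= close_threshold:
        # Close match: play the registered name back so the payer can decide.
        return "CLOSE MATCH", registered, score
    # Non-match: this sketch takes the option of not revealing the name.
    return "NON-MATCH", None, score


def compare_banks(entered, registered):
    """Outcome of the same check under each bank's own threshold."""
    return {bank: check_payee(entered, registered, t)[0]
            for bank, t in BANK_THRESHOLDS.items()}


if __name__ == "__main__":
    # Constructed sample pairs based on the names used in the article.
    samples = [
        ("Juan Smith", "Juan Smith"),
        ("Juan Smith", "Juan P. Smith"),
        ("Juan Smith", "Jill Smith"),
        ("J Smith", "Juan Smith"),
        ("Toby Smith", "Tony Smith"),
        ("Juan Smith", "JS Plumbing Pty Ltd"),
    ]
    for entered, registered in samples:
        print(f"{entered!r} vs {registered!r}: "
              f"{compare_banks(entered, registered)}")
```

With these assumed thresholds, ‘J Smith’ against ‘Juan Smith’ is a close match at one bank and a non-match at the other, which is the cross-bank inconsistency a shared rule set or central service would remove.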
Challenges around consistency raise the question of the need for a centralised infrastructure - an approach that could reduce the chance of inconsistencies and variation between banks. It would also address concerns that banks have about individual implementation, which is seen as an extremely time-consuming and lengthy process, especially for smaller banks. This is important to avoid, as smaller banks lagging behind could lead to staggered launch dates and people who bank with multiple banks experiencing the system in an inconsistent way.
According to research, consumers are largely in agreement that they are to some extent liable if a payment is sent to the wrong account as a result of human error inputting the details. The introduction of an ‘account name checking service’ was felt to confuse matters over who is liable. The ability to check for a match led some to conclude that the bank would now be responsible in some of the outcomes, while others felt that the check more definitively shifted responsibility to the payer. Hence, liability must be agreed on, clearly defined, and users of the service must be well educated on where they stand.
Looming over this consideration in Australia will be the general tenor of the “Hayne report” (the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry), best summarised by the question: “notwithstanding minimum, formal legal and compliance requirements, what is the right thing to do, and how would it be perceived by customers and the wider community?”
There is a need to keep friction to a minimum for users and ensure real-time results; this was a key concern among participants in Pay.UK’s research. In the case of negative outcomes, there needs to be clear advice on what payers should do next, in particular advice on whether the payer should contact their bank or the intended payee to make a clarification.
There is also a chance that innocent close-matches or non-matches, to which payments would previously have been made smoothly, could now result in a level of second-guessing and cumbersome checking. This may introduce a noticeable level of friction to the payments system in Australia, disproportionate to the level of risk that an ‘account name checking’ solution is seeking to prevent.
Industry’s objective is to make a well-informed decision on a solution to address APP scams and Mistaken Payments. This might be a Confirmation-of-Payee service, but there are other solutions that need to be considered.
In its current review of the e-Payments Code, ASIC proposes to consider whether the provisions in the Code for mistaken payments are simple and accessible enough, and whether ADI subscribers should have any role in mitigating or preventing such payments. This will present an opportunity for industry to consider ‘account name checking services’ such as Confirmation-of-Payee as a solution to APP fraud and canvass its challenges.