Banks delay implementing push-payment fraud checks when they are needed most
We are all navigating unchartered waters as business and society faces up to the impact of COVID-19. We very much hope you and your loved ones remain in good health.
Please be assured that Fieldfisher is continuing to work with clients to navigate COVID-19 related issues and on business as usual needs. Do get in touch with us if you would like to chat anything through.
As we noted in our January post (Fraud risk increasing during countdown to payee confirmation changes), there has been a significant increase in Authorised Push Payment (APP) frauds, where the client has authorised the payment, usually to what they thought was a genuine supplier or business partner, when in fact fraudsters masquerading as genuine counterparties have provided their own bank account details instead. In order to process electronic transfers only the account number and sort code are checked by a bank, and accordingly a mismatch with the account name does not mean the transfer will be identified as potentially fraudulent. In order to deal with this issue and counteract APP frauds, new checks are being introduced so that if there is a mismatch between the name of payee and bank account details in the UK, banks will notify the person making the payment and ensure they want to go ahead before the payment is made. These are known as confirmation of payee checks.
The UK’s six largest banking groups, covering around 90% of bank transfers, were required to fully implement confirmation of payee checks by 31 March 2020. However, due to coronavirus related disruption, the Payment Services Regulator (PSR) has now said that it will allow banks to delay implementation and will not take any action against them in relation to delays of a further 3 months in the introduction of the rules. Santander and TSB have indicated they will implement the new system by the summer, with Barclays and HSBC unable to confirm when they will do so. However, Lloyds and RBS have already started using the system, with Nationwide stating it will be doing so from mid-April. There is therefore a significant divergence between the banks offering this additional protection against fraud.
With a move to remote working and colleagues being physically apart from each other, the opportunities for fraudsters to take advantage are clear. The increased sole use of email to communicate has already allowed fraudsters to interpose themselves in email chains and/or convincingly mimic business contacts and genuine email addresses, giving convincing reasons, which are often accepted on face value, as to why bank details have changed. Payments are frequently made without question. In these uncertain times, the risk such activity increases must be a real one and therefore this delay to the full implementation of the new rules is concerning. Businesses are in a lottery depending on who they bank with.
The PSR has stated that it expects those banks which have not implemented the new checks by the end of March 2020 to "ensure customers who would have benefitted from the protections of Confirmation of Payee are not otherwise disadvantaged from any coronavirus-related delay, including refunding victims of fraud if Confirmation of Payee would have prevented it from happening". Although this may offer some comfort, in the difficult economic climate we now find ourselves in, businesses are not going to want, or indeed be able, to go through protracted claims processes with their banks to claw back funds transferred to fraudsters. The genuine recipient of the money will still need to be paid and this may cause significant difficulties where cashflow is tight.
Now would be a good time for all businesses to review policies and procedures, and authorisation processes, relating to payments. These may need to change in this new environment and employees should have clear instructions regarding what to do and when to make extra checks. The key message must be that if a counterparty provides new bank details, always pick up the phone to an existing contact at that business (using a known business phone number) before making the payment. Test payments followed by such a phone call are another way to ensure the correct recipient receives the payment. In these uncertain times it is more important than ever to be vigilant and follow procedures.