
Payments are not the problem, identity is

There's a huge amount of payment fraud going on in the UK at the moment. The fraudsters intercept legitimate requests to transfer money from one account to another (often from solicitors in relation to house purchases, but also from tradespersons such as builders) and they change the details so that the payer sends the money to an account under the control of the fraudsters rather than the intended destination. So, typically, the fraudsters will monitor e-mails coming from a solicitor and when that solicitor sends an e-mail to a customer asking for money (e.g., for a house purchase), the fraudsters replace the solicitor's legitimate account details with details of another account that they control. I wrote about this ages ago and put forward the obvious solution, which is to stop using e-mail for important transactions, but nobody paid any attention, and the problem continued to grow. In the first half of this year there were about 20,000 such frauds with some £100m lost (and only £25m subsequently recovered). This is the second largest category of payment fraud behind card fraud (which is about six times larger): the number of cases is low but the average values involved are high.

Now, for someone like me who is reasonably savvy about the operations of the UK domestic interbank payment networks, instant payment fraud isn’t a problem. Whenever I have to set up a new payee for instant payments, I always send an initial payment of a fiver and wait for confirmation that it has arrived before I go ahead and transfer any larger amount. But a great many people, and a great many people who are intelligent and sophisticated customers, do not. They enter the incorrect payee details and hit send. The impact of this is significant as the number of frauds continues to increase. As Hannah Nixon, head of the UK’s Payment System Regulator (PSR), put it toward the end of last year, “tens of thousands of people have, combined, lost hundreds of millions of pounds to these scams”. Indeed they have. And, in fact, still are. 

An Essex couple have lost £120,000 after sending the money to what they thought was their solicitor’s bank account, but which instead went to an account in Kent that was systematically emptied of £20,000 in cash every day for the next six days.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

This isn’t a payments problem, it’s an identity problem. So just whose fault is it when someone gets scammed in a sector with no effective identity infrastructure? The couple at the centre of this story sent the money via the Clearing House Automated Payments System (CHAPS) and the CHAPS regulations are unequivocal.

the bank “will make a payment solely on the basis of a unique identifier and will not execute it on the basis of the intended recipient’s name”.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

I’m sure the couple have an e-mail or a piece of paper pointing this out, but it clearly didn’t help. As I wrote earlier in the year, fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and, as far as I can tell, right now there are only gaps and no actual infrastructure.

Meanwhile, the security or otherwise of Steed & Steed’s email system is also likely to be investigated. In December 2016, regulatory body the Solicitors Regulation Authority warned that email hacks of conveyancing transactions had become the most common cybercrime in the legal sector.

From ‘We lost £120,000 in an email scam but the banks won’t help get it back’ | Money | The Guardian

This reinforces my theory that solicitors who use e-mail to send important information to customers are, essentially, negligent. They should be using WhatsApp or Signal for this sort of thing. If it was the solicitor’s e-mail server that got hacked, then they should be responsible for compensating the customers, shouldn’t they? If I tell my bank to send £10,000 to the Nat West in Barnsley by mistake - whether I was scammed or typed in the wrong sort code or was using an out-of-date account reference or whatever - and I go through all of the security hoops to do so, why is it my bank’s fault that the money went to the wrong place? It is not obvious at all that it is my bank that should be compensating me for my mistake. If a scammer gets me to send my house deposit to the wrong account, then my claim is against the scammers or the destination bank if it was negligent in some way (e.g., if it didn’t do KYC), isn’t it?

Anyway, my reason for going over this old ground again is that the PSR response to the “super complaint” about this type of fraud came up in discussion at the Payment Strategy Forum. In addition to education, guidelines and that sort of thing, they were talking about three substantial initiatives to do something about what they called Authorised Push Payment (APP) fraud, but that I call Authorised Credit Transfer (ACT) fraud because I think “app” is a confusing sobriquet. These are:

  • KYC Sharing, to try to prevent fraudsters from opening accounts. The PSF's earlier consultation document on the "Blueprint for the Future of UK Payments" includes a detailed discussion of this issue and also highlighted one of my pet peeves, which is the "poor customer experience for good actors". In other words, the UK’s stringent and expensive KYC procedures don’t stop criminals from opening accounts but do massively inconvenience honest working folk, your author included. The PSR has handed the baton over to the trade association on this one, so we’ll have to wait and see what they come up with.

    The Forum handed over to UK Finance the development of best practice guidelines for PSPs when verifying a user’s identity. The guidelines will also cover how identity verification is managed across different types of payments.

    My guess is what they won’t come up with is a comprehensive and cost-effective solution using some sort of “financial services passport”, much discussed here and elsewhere. (I was part of the techUK working group on this three years ago.)

  • Payee Confirmation, to try to prevent malicious redirection scams by matching the name as well as the sort code and account number. So the idea here is that when you set up David G.W. Birch as a payee, the destination bank will match the name against the name of the destination account (which is what they don’t currently do) and will reject the payment if they do not correspond. I have mixed feelings about this, because I would rather just scrap the use of sort codes and account numbers and use the directory services in the new National Payments Architecture (NPA) to replace them with e-mail addresses, mobile phone numbers or (my preferred solution) “paynames”. Instead of typing in meaningless numbers, you would just tell your bank to send the money to £dgwbirch or accounts@dgwbirch.com or whatever.

  • Contingent Reimbursement (this is what got the media attention) which would require PSPs to reimburse victims when they could not have reasonably prevented an ACT scam but either the customer's PSP or the destination PSP "has not met the required standards". The consultation notes that "there was very limited support from PSPs for a full chargeback-like process" (apart from anything else, this would cost a fair amount to run) so you can see why it's important to find an alternative. The proposed solution rather hinges on whether the victims of fraud took the "appropriate" level of care. For me, this would be sending a quid and checking it went to the right place before I send the other £499,999 of the house purchase.
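To make the payee-confirmation idea concrete, here is an added example (it is not from the original post, and it is not the code of any bank, Pay.UK or the PSR) of what a destination bank's name check and a payname directory lookup might look like. Everything in it is constructed: the account and payname directories, the names, the sort codes and account numbers are invented sample values, and the close-match threshold and the decision to hold a close match for customer confirmation rather than reject it outright are my own design assumptions.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed sample directory held by the "destination bank":
# (sort code, account number) -> registered account name. Invented values.
ACCOUNT_DIRECTORY = {
    ("123456", "12345678"): "Steed and Steed Solicitors Client Account",
    ("654321", "87654321"): "D G W Birch",
    ("112233", "00011122"): "J Smith Building Services Ltd",
}

# Constructed "payname" directory: a memorable alias -> account details,
# standing in for the directory services the post would rather use.
PAYNAME_DIRECTORY = {
    "£dgwbirch": ("654321", "87654321"),
    "accounts@dgwbirch.com": ("654321", "87654321"),
}

SORT_CODE_RE = re.compile(r"^\d{6}$")       # UK sort code, hyphens removed
ACCOUNT_NUMBER_RE = re.compile(r"^\d{8}$")  # UK account number
CLOSE_MATCH_THRESHOLD = 0.85                # assumed; tune against real data

HONORIFICS = {"mr", "mrs", "ms", "miss", "dr"}
NOISE_WORDS = {"and", "the", "ltd", "limited", "llp", "plc"}


@dataclass(frozen=True)
class PayeeCheck:
    outcome: str          # match / close_match / no_match / no_account / invalid_identifier
    registered_name: str  # disclosed only on match or close match
    similarity: float


def normalise_name(name: str) -> str:
    """Lower-case, replace '&' with 'and', strip punctuation, drop honorifics and noise words."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower().replace("&", " and ")).split()
    return " ".join(t for t in tokens if t not in HONORIFICS and t not in NOISE_WORDS)


def confirm_payee(sort_code: str, account_number: str, claimed_name: str,
                  directory=ACCOUNT_DIRECTORY) -> PayeeCheck:
    """Check the name the payer typed against the name registered on the destination account."""
    sc = sort_code.replace("-", "").replace(" ", "")
    an = account_number.replace(" ", "")
    if not (SORT_CODE_RE.match(sc) and ACCOUNT_NUMBER_RE.match(an)):
        return PayeeCheck("invalid_identifier", "", 0.0)
    registered = directory.get((sc, an))
    if registered is None:
        return PayeeCheck("no_account", "", 0.0)
    claimed, held = normalise_name(claimed_name), normalise_name(registered)
    if claimed == held:
        return PayeeCheck("match", registered, 1.0)
    ratio = SequenceMatcher(None, claimed, held).ratio()
    if ratio >= CLOSE_MATCH_THRESHOLD:
        # Likely a typo: tell the payer what the bank holds so they can confirm.
        return PayeeCheck("close_match", registered, ratio)
    # Clear mismatch: do not disclose the registered name (it would let a
    # caller enumerate who owns which account number).
    return PayeeCheck("no_match", "", ratio)


def resolve_payname(payname: str):
    """Look a payname up in the constructed alias directory; None when unknown."""
    return PAYNAME_DIRECTORY.get(payname.strip().lower())


def decide(check: PayeeCheck) -> str:
    """Turn a check outcome into the bank's action on the payment instruction."""
    if check.outcome == "match":
        return "release"
    if check.outcome == "close_match":
        return "confirm_with_customer"
    return "reject"


if __name__ == "__main__":
    # The redirection scenario from the post: the payer believes they are paying
    # the solicitor, but the account details have been swapped for another account.
    swapped = confirm_payee("65-43-21", "87654321", "Steed & Steed Solicitors Client Account")
    print(swapped.outcome, decide(swapped))   # no_match reject
    genuine = confirm_payee("12-34-56", "12345678", "Steed & Steed Solicitors Client Account")
    print(genuine.outcome, decide(genuine))   # match release
    details = resolve_payname("£dgwbirch")
    print(confirm_payee(*details, "D G W Birch").outcome)  # match
```

The point of the `no_match` branch not returning the registered name is that a confirmation service which echoes back whoever owns an arbitrary account number becomes a directory for the very people it is meant to stop; a real scheme would also rate-limit lookups. The payname lookup shows why the post prefers aliases: once the directory resolves `£dgwbirch` to the account, the name check becomes a formality because the alias itself was chosen by its owner.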

