UK Confirmation of Payee checks – do they help stop scams and what can other countries learn?

Updated: Dec 27, 2024

By Jason Costain, December 2024


UK Confirmation of Payee (CoP) checks went live in March 2020.  


Since then, usage has expanded to now cover over 99%[1] of all UK domestic payments.  Over 2.5 billion CoP checks have been completed since 2020.


With such near-complete CoP coverage and other countries now looking to roll-out similar solutions, it’s worth taking a look at how much fraud prevention benefit a CoP programme can deliver.


Before we get into the numbers, I need to point out that measuring fraud prevented losses is a challenging task, for reasons that will become clear later.


Meanwhile, some surprisingly differing opinions on CoP benefits exist from respected industry institutions:   

 

Pay.UK say[2] that “CoP has played a significant role in reducing fraud and misdirected payments”


A UK Finance poll[3] reported that “43 per cent of those surveyed felt that the value of using CoP to help tackle APP fraud had been neutral at best if not useless”

 


Unpacking CoP - what types of scams could it help prevent?


CoP is most likely to be effective against so-called “malicious redirection” scams, the largest of which are Invoice and Mandate frauds which most commonly affect Business Account customers. 


The most common Invoice and Mandate scam method is for a fraudster to trick a Business into changing the bank details of one of their regular suppliers.  The next time the Business pays their supplier, the funds go to the criminal’s account.  The payee’s name remains the same but the underlying bank account has been changed. 


In the early days, invoice redirection scams could be as simple as a criminal sending a “please note our new bank details” letter to their intended victim’s Finance team, pretending to be one of their suppliers.  


Such letters could be created by criminals using Microsoft Word, pasting in the logo they’d copied from the supplier’s website.


10 years ago, this kind of thing was considered sophisticated, and the task of handling correspondence from a supplier was usually left to one of the more junior members of the victim firm’s finance team.


Of course, if the fraudster’s letter was acted upon, the payee’s name remained the same, but the underlying account number and sort code were changed.  All the criminal needed to do was wait for the next payment to be made.


 

Poor Practice case study: £4m APP invoice redirection fraud


The unsuspecting CEO of a mining company authorised a £4m invoice to be paid to an engineering company he regularly dealt with, only to find a few days later that the funds had been maliciously misdirected to a different bank account.   


The receiving bank AML investigations team called the sending bank on the day they received the £4m payment to check things were in order.  The sending bank investigator confirmed the payment was normal for their customer, seemingly satisfying any concerns the receiving bank might have had about the “source of funds”.   The receiving bank noted this and went on to “fulfil its regulatory obligations” by filing a suspicious activity report to the National Crime Agency. 


Seemingly, neither investigator thought to mention what line of business their respective customer was in.


The Sending business account was a US owned mining company with £750m annual revenue. 


The Receiving account was a semi-dormant Hairdressers business based in suburban Leeds.  


By the time the fraud was noticed, no funds remained.  


The mining company lost £4m.



Reflecting on this old case, the £4m loss by a single Business would represent 10% of the total reported UK Invoice and Mandate scam losses in 2020.  I mention this not to suggest how loss values have changed over the years, but more to illustrate how much loss doesn’t get reported by businesses (corporate victims in particular).   


In any case, UK banks weren’t required to report APP fraud losses to their trade body UK Finance until 2018. As the saying goes “what gets measured gets managed”.


Collecting and publishing benchmark fraud data is an incredibly powerful tool for banks and regulators alike.


CoP impact - what does the data tell us?

 




As the above chart shows, something definitely put a dent in APP fraud losses in 2020, particularly in Invoice and Mandate scam losses - exactly the area you’d expect CoP to have had a positive impact. 


Invoice and Mandate scams fell 39% (£45m), from £114m in 2019 to £69m in 2020.


NB. A more complete explanation of the scam types referred to in this article can be found in one of the useful Annual Fraud Reports UK Finance[4] produces.  

 

 

Business Account customers benefitted most from CoP:  

 




Business Account Invoice and Mandate scam losses dropped 46%, from £82m (2,840 payments) in 2019 to £44m (1,818 payments) in 2020.  


In fact, 2020 was a good year pretty much across the board for Businesses and their APP losses fell 47%, from £139m to £73m.


Furthermore, the reduction in Invoice and Mandate scam losses seen in 2020 continued in the years that followed.  This is highly unusual – as any fraud manager will tell you, new solutions rarely kill fraud losses; they just pop up elsewhere in what can feel like a perpetual game of whack-a-mole.


In 2020, something fundamentally changed.


The picture for Personal Account customers in 2020 was, however, far less clear. 


Retail Account customers’ Invoice and Mandate scam losses (already relatively small) fell by 22%, from £32m in 2019 to £25m in 2020.  They remain low four years later. 


Unlike Business accounts, most Personal Account scam types still increased in 2020. The slight deflection in the upward loss trend seen below was eaten up by an explosion in Purchase and Crypto Investment scams in 2021, by which time it was business as usual for the fraudsters’ UK revenue streams. 


Whack-a-mole:





Estimating fraud prevention benefits when a new initiative is delivered is a perennial challenge for fraud managers. 


Fraud savings rarely fit into the neat ROI formula preferred by accountants…calculating multi-year benefits is even more difficult. 


There are simply too many variables, not least a fluctuating level of attack.

 

 

Caveats we need to acknowledge when assuming CoP benefits:

 

1) The COVID pandemic brought about huge changes, particularly in the world of fraud.  Fraudsters dynamically changed the way they worked, ramping up their efforts to commit online and technically enabled scams, playing on people’s fears and desires.  Opportunities to defraud exploded as consumer fears and trends changed; vaccination fees, government stimulus schemes, fake hot tubs/dog/vehicle sales.  As we moved into 2021, significant increases were seen in Investment, Romance and Purchase scams.

 

2) Invoice and Mandate scams awareness had massively improved amongst business owners.  By 2020, such scams were a recognised problem for businesses and their suppliers, not least because they were battening down their hatches to meet an expected COVID fraud wave.  Quite simply, criminals had fewer opportunities to aim at when it came to ripping off businesses, and those that remained were less likely to succeed.

 

3) Reporting of scams was, and remains, an inexact science.  The data UK Finance collects does not, for example, capture why a customer abandons their payment request at CoP stage.  It may simply be because the doorbell rang.  Why didn’t they log in later to complete the payment…perhaps they suspected a scam?  Nobody knows. You’d have to ask them.

 

4) Several innovative scam defence initiatives were beginning to appear across the industry in 2020.  Banks scrambled to reverse the trend of scam growth and respond to the heightened fraud threat with initiatives such as dynamic/tailored fraud warnings during payment journeys, reduced payment limits, consumer scam education and data mining.

 

5) By 2020, the CRM reimbursement code[5] was entering its first full year.  All of the UK’s larger banks had voluntarily agreed to accept greater liability for APP fraud.   The mission for CRM code signatories had become crystal clear – prevent more scams and refund more victims.  

 

6) Even if refunding more scam victims didn’t quite sit well with some banks, by 2020 the Financial Ombudsman Service was finding in the victim’s favour in virtually every case it ruled on.  Ironically, it was having to refund more scam victims (an idea of which some members of bank fraud teams had often been the loudest critics) that effectively created a mandate for those same Fraud Teams to secure the internal cooperation and resources they’d previously lacked when tackling APP fraud. 

 

7) Losses dipped in 2020, but workload (case volume) didn’t. The relatively modest reduction in business account case volumes was offset by increases in Personal Customer Impersonation and Purchase scams.  CoP may have benefitted business customers, but it didn’t reduce workload for fraud teams:



CoP - so what?


2020 was dynamic - many factors affected scam losses. 


Any encouraging downward scam loss trends seen in Business Banking were offset by (often contra-indicating) increases in Personal Account losses in the years that followed.


Even so, some positive conclusions can be drawn about CoP in the UK:


A 10% (£45.4m) reduction in annual Invoice and Mandate scam losses was seen in the year CoP launched. Total savings up to the end of 2024 are likely to exceed £200m


CoP is a vital layer in scam defence that no bank’s fraud manager would be without

 

 

What can other countries learn from the UK's CoP experience?

 

  • Expect criminals to easily be able to socially engineer a Personal Account victim into disregarding a CoP mismatch.  Unlike a Business, where making payments is part of the day-job, a personal victim will likely be unfamiliar with the payments process, won’t really know how impersonation/invoice scams work, and will therefore find themselves being manipulated through the very fraud defence processes that are meant to save them.  Fraud teams need to ensure that CoP data (match, partial, non-match, Business beneficiary, Personal beneficiary) is being fed into their fraud defence rules engines so that the result can be risk scored.  Be prepared to block payments that are a CoP non-match.


  • Consider risk-scoring outgoing payments at a bank level.  Fact: some banks are more fraud prone than others.  UK PSR[6] data clearly shows that there is a vast range of differing performance when it comes to which payment processors receive more than their fair share of the proceeds of APP fraud.  Monitoring the “genuine:fraud payment turnover” of the banks your customers are sending money to can be a valuable risk indicator.


  • Explicitly agree a risk appetite for how much APP fraud your firm will tolerate in payments going to other firms.  Many UK banks reduced the amount of money they allowed their customers to send to crypto exchanges, due to the level of APP fraud facilitated through those exchanges.  Banks that don’t get to grips with this type of conscious risk appetite decisioning risk swamping their fraud teams with payment referrals.  They could also find themselves accused of unwittingly (or worse, knowingly) facilitating the financial demise of their customers.   In 2022, nearly 1 in 5 payments sent to UK Payment Services firm Dzing Finance were found to be the proceeds of APP Fraud[7]. Dzing Finance later faced FCA enforcement action and can no longer accept new business[8].


  • Businesses are keen consumers of fraud prevention advice.  Simple messaging about how Invoice and Mandate scams work and how to defend against them; protecting against Business email compromise, and suggesting a review of basic procedures for finance team payment authorisation processes could save your customers millions.  


  • Be aware of what CoP may not deliver for Business Customers on day 1.  The batching of payments and batch authorisation of such files can create a technical challenge for Day 1 CoP solutions.  It’s worth putting the question to your CoP project team.  Understand what you are getting.  Understand what you are NOT getting.  Work around this accordingly.  The UK has since extended its use of CoP to include Payer Name Verification services, aimed at commercial users, which allow beneficiary checking at the time the new payee is being set up or amended.  See: https://www.wearepay.uk/what-we-do/overlay-services/confirmation-of-payee/


  • Don’t forget intra-bank payments. Will an industry CoP solution work for payments that go to other accounts within your bank? If not, then what else do you need to do?


  • Review refund policies in light of the known vulnerability customers have to malicious redirection frauds.


  • Consider taking a ‘Kill Chain’ approach to APP fraud.  Try to identify all of the processes across your firm (and those beyond) that could enable APP fraud to succeed.  
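One way to act on the first three points above (feed the CoP result into a rules engine alongside the beneficiary type, the receiving bank’s fraud turnover and a crypto risk-appetite cap) is sketched below. This is an added example, not code from the article or from any bank’s real rules engine; the weights, thresholds, payee states and sample payments are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights: CoP outcome crossed with beneficiary type. A non-match to a
# personal payee scores highest because personal payers are the easiest to talk past it.
COP_WEIGHTS = {
    ("match", "business"): 0, ("match", "personal"): 5,
    ("partial", "business"): 20, ("partial", "personal"): 30,
    ("unavailable", "business"): 25, ("unavailable", "personal"): 35,
    ("non-match", "business"): 50, ("non-match", "personal"): 60,
}
BANK_RATIO_THRESHOLD = 0.02  # assumed: >=2% of a receiving bank's inbound turnover is APP fraud proceeds
CRYPTO_LIMIT_GBP = 5_000     # assumed per-payment cap for crypto exchange destinations
REFER_SCORE = 40             # assumed score at which a payment is referred to the fraud team

@dataclass
class Payment:
    amount_gbp: float
    cop_result: str          # "match" | "partial" | "non-match" | "unavailable"
    beneficiary_type: str    # "business" | "personal"
    payee_state: str         # "existing" | "new" | "amended" (details changed since last payment)
    bank_fraud_ratio: float  # fraud proceeds / total inbound turnover at the receiving bank
    to_crypto_exchange: bool = False

def score_payment(p: Payment) -> tuple[int, str]:
    """Return (score, decision); decision is 'allow', 'refer' or 'block'."""
    score = COP_WEIGHTS[(p.cop_result, p.beneficiary_type)]
    if p.payee_state != "existing":
        score += 15          # first payment since the payee was set up or amended
    if p.bank_fraud_ratio >= BANK_RATIO_THRESHOLD:
        score += 25          # receiving bank takes more than its share of APP proceeds
    if p.amount_gbp >= 10_000:
        score += 10
    # Hard rules first: these decisions do not depend on the score.
    if p.cop_result == "non-match" and p.payee_state != "existing":
        return score, "block"  # classic invoice redirection: name kept, account changed
    if p.to_crypto_exchange and p.amount_gbp > CRYPTO_LIMIT_GBP:
        return score, "block"  # risk-appetite cap on payments to crypto exchanges
    if score >= REFER_SCORE:
        return score, "refer"
    return score, "allow"

# Constructed sample payments (not real data) illustrating each outcome.
INVOICE_REDIRECTION = Payment(4_000_000, "non-match", "business", "amended", 0.001)
ROUTINE_SUPPLIER = Payment(4_000, "match", "business", "existing", 0.001)
PERSONAL_RISKY_BANK = Payment(2_000, "partial", "personal", "new", 0.03)
CRYPTO_OVER_CAP = Payment(8_000, "match", "personal", "existing", 0.03, True)

if __name__ == "__main__":
    for p in (INVOICE_REDIRECTION, ROUTINE_SUPPLIER, PERSONAL_RISKY_BANK, CRYPTO_OVER_CAP):
        print(p.amount_gbp, p.cop_result, p.payee_state, score_payment(p))
```

The bank_fraud_ratio input is the “genuine:fraud payment turnover” figure the second bullet describes; how a firm derives it from PSR or its own data is left to the reader.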

 

 

Good practice case study:


Recognising that it had a mule problem, one bank carried out a kill chain analysis on APP fraud and identified that customer names were being changed on 10,000 bank accounts each year. 


Checks revealed that this process was being misused by criminals to defeat CoP checks at sending banks.  The process owner recognised the risk and worked with the fraud team to strengthen the customer authentication process.  The Fraud team implemented a daily manual exception report to flag any high-risk name changes for investigation. 


The gap was brought to the attention of the Financial Crime risk function so that the implications on Sanctions and High-Risk customer screening could be understood. 

 

 

 

Conclusion


  • CoP works and, as part of layered defence, could materially reduce scam losses

  • Even before CoP arrives, there are things individual banks can do to prevent malicious redirection frauds

 

For more ideas, go to Javloc.com

 

Jason Costain

 

Jason is the Director of Javloc.com and has worked in banking fraud prevention for 25 years, running fraud and financial crime defence teams at some of the UK’s best-known firms. 

 

Further resources at Javloc.com