Is CoP the solution to the rising bank fraud in the UK?
By Puja Sharma
More than 4.5 billion Bacs payments are made in the UK every year, representing roughly 90% of all regular monthly payments via direct debit transactions. With the rise in account-to-account (A2A) payments fraud, the nature of the fraudster is evolving and more work needs to be done by the banks to ensure the safety of its customer’s finances.
Until now, this vital payment system was not secured by Confirmation of Payee (CoP), a payment verification service that the UK first rolled out in 2020. The Founders of Ozone created the open banking standards that are now used around the world and developed the sandbox and a reference implementation for the UK Open Banking Implementation Entity (OBIE).
- During the first half of 2021, the losses caused by APP fraud soared by 71% to £355.5m – overtaking the amount of money stolen in card fraud.
- In 2020 alone, losses totaled £479m, with the actual figure likely to be much higher due to underreporting.
- Open Banking is a technology that a majority of us use daily without knowing what’s going on behind the scenes.
CoP for Bacs is a welcome upgrade, but it could go further
By the end of 2021, all the SD10 banks will offer CoP, which already protects CHAPS and Faster Payments. The addition of CoP to Bacs represents an important step in the industry’s battle against fraud and will provide more confidence during payment transactions.
However, in its current form, CoP is not yet the silver bullet that will defeat fraud. To realize the full potential of CoP requires further development to improve user experience and offer improved protection against crime.
Ozone API already offers a CoP solution that provides more information about a payee before a transaction than the standard CoP check. Ozone’s founders developed the Open Banking standards that are now used around the world and delivered the sandbox and reference implementation for the UK Open Banking Implementation Entity (OBIE).
It has now issued a call for the industry to expand CoP by incorporating different forms of identifying data and improving user experience.
“The addition of CoP to Bacs payment is a welcome move that will make life more difficult for criminals,” said Huw Davies, Chief Commercial Officer of Ozone. “However, the framework is rudimentary at this stage, meaning that the developing CoP is a long way from complete. CoP is supposed to add friction when risk is high and reduce friction during ‘safe’ transactions. Yet the way that CoP has been implemented by some banks is confusing and cumbersome, sometimes showing dramatic fraud warnings even after the payee’s details have been verified, causing the player to worry that their payment will be misdirected, or worse, lead to apathy about the messages.” he added.
The continued evolution of CoP and extension of its use cases are good to see. But we’re still at the beginning of this journey and must continue to think about how to move forward with its development.
The evolution of fraud
Fraud prevention is one of the areas in which CoP plays an important role. Criminals are changing their tactics, sparking a huge rise in authorized push payment (APP) scams in which fraudsters trick victims into transferring money directly into their accounts.
During the first half of 2021, the losses caused by APP fraud soared by 71% to £355.3m—overtaking the amount of money stolen in card fraud. In 2020 alone, losses totaled £479m, with the actual figure likely to be much higher due to underreporting.
Earlier in 2021, the Payment Systems Regulator (PSR) reported that SD10 banks and other PSPs had confirmed that CoP has “improved security and strengthened customer confidence when making a payment to a new payee”. Its data also showed a reduction in the number of APP scams experienced by CoP-enabled PSPs.
“With regards to APP fraud, CoP has likely prevented what would otherwise have been a larger increase in scams,” the PSR wrote. There is cause for optimism in the PSR’s statistics, but the fact that APP is still growing shows that further action is needed.
Chris Michael, Ozone’s Chief Executive Officer, said: “CoP has the potential to combat APP fraud and offer businesses and consumers the reassurance they need when making payments. Unfortunately, the current framework is not complete yet. We need CoP to be much more than just a simple algorithm. The extension of CoP to Bacs is a good move that points to a better, more secure future of payments. But there is still a long road ahead.”
The state of CoP
COP was initially mandated for six banks, but optional for others when introduced in 2020. However, earlier this year, the SD10 firms (a group of major banks made up of Lloyds Banking Group, Bank of Scotland, Barclays, HSBC, NatWest, Nationwide, and coP Santander) wrote to the PSR to offer a commitment to deliver a new Confirmation of Payee role profile by the end of 2021.
Phase 2 is “aimed at broadening participation in CoP to all account-holding PSPs, not just those that operate accounts with a unique sort code and account number”, according to the PSR. In the first phase, a PSP offering COP was required to be enrolled on the Open Banking Directory, which then allowed them to identify each other and send CoP messages.
The second phase will allow PSPs that do not have a full Open Banking membership to access the Open Banking Directory, allowing a wider range of organizations to offer COP as well as offering reduced set-up and running costs.
Phase 2 also includes technical enhancements that will allow PSPs to send and receive Secondary Reference Data (SRD), which is more information than a sort code and account number that allows for account identification.
Freddi Gyara, Ozone’s Chief Technology Officer, said: “CoP can be improved by adding further capabilities to the Open Banking frameworks which provide additional information when a payment request is made. Ozone’s API solution already allows banks and businesses to draw on a wider range of data, offering greater certainty during a payment transaction.
The evolution of CoP is only beginning. In the future, it will use much more than just a payee’s name, sort code, and account number–reducing the risks of fraud. External validation data from other data sources (such as Companies House or social media profiles) could more accurately help to verify the identity of a payee. Other methods of verification could include biometrics or phone number matching.
“When the framework is complete, it will be a powerful weapon against fraud and remove unnecessary fear or friction from payments.” He added.
The cutting edge of Open Banking
Ozone has been involved in the development of Open Banking standards from the very beginning, so it understood where the real complexity is and how to make it work for all parties: the bank, the third parties, and most importantly the end-user.
It started by developing the sandbox and a reference implementation for the UK Open Banking Implementation Entity (OBIE) – essentially the model example of how to build to the standard. From there, it created an API platform that helps banks and financial institutions deliver great, standards-based open APIs which handle the complexity of open banking and open finance.
The Ozone API software allows banks to support Open Banking standards in markets around the world, including CoP. Ozone can enhance any account provider’s existing technology, enabling regulatory compliance and providing them with the right tools for growth. Ozone software is powering the open banking implementations of over 50 banks across the world, with a strong footprint in the UK, Europe, Latam, and the Middle East and clients that include Tide and Monese.
IBSi FinTech Journal
- Most trusted FinTech journal since 1991
- Digital monthly issue
- 60+ pages of research, analysis, interviews, opinions, and rankings
- Global coverage