In 2020, UK consumers suffered over £1 billion of financial fraud, made up of unauthorised card payments (£574.2m) and authorised push payment (APP) scams (£479m).
Unauthorised payment fraud happens when money is taken from a person’s account without their authorisation. For example, their card details are stolen and used by someone else.
Authorised payment fraud is where a person is tricked into sending money from their account to an account controlled by the fraudster under false pretences.
In this blog we explore how open banking payments, designed with online security in mind, can address both these types of fraud.
What makes open banking payments safe?
Open banking payments have four characteristics that make them inherently safe:
Every payment uses strong customer authentication (SCA)
No sensitive details are shared
Payment instructions are pre-populated
Open banking providers onboard and carry out due diligence with merchants
Let's look at these in more detail.
Open banking always uses strong customer authentication
When a customer makes a payment using open banking, they are always sent to their bank’s app to strongly authenticate, usually with biometrics. This means their bank verifies that they are who they say they are by checking a combination of:
possession, e.g. that they are paying from a phone or computer registered with their bank
inherence, e.g. their fingerprint or facial features
knowledge, e.g. a password previously issued by their bank
Efforts to introduce strong customer authentication for cards have been delayed a number of times, only coming into force in the UK in March 2022.
The lack of SCA in cards has led to card-not-present (CNP) fraud, where stolen card details are used by fraudsters to make payments. Unauthorised card transactions including CNP fraud amounted to £574.2m in 2020.
While card issuers and merchants are now addressing this with SCA, there are still exemptions applicable to cards that could leave the door open to unauthorised payments.
No card details are shared in open banking
The prevalence of CNP fraud is due to the way card payments work: customers are asked to share their ‘long card number’ and three-digit ‘CVV’ with the business they are paying.
These details alone are enough to make a card payment, but they can be stolen, intercepted, or leaked (if stored incorrectly), and then used by fraudsters.
With open banking payments, no sensitive details are shared with the merchant – there is nothing to intercept, steal or leak that could lead to unauthorised payments.
Instead, open banking providers securely communicate with the customer’s bank to pass on payment instructions in the background and initiate the payment.
Payment instructions are pre-populated in open banking
Sometimes customers are asked to pay businesses by ‘manual bank transfer’. This means noting down a sort code, account number and reference, and manually inputting all these details into online banking.
Manual bank transfers are vulnerable to:
Scams – where a customer is tricked into inputting the payee details of a fraudster instead of their intended recipient. There were £479m worth of these so-called ‘authorised push payment’ (APP) scams in 2020.
Misdirected payments – where a customer mistypes the payee details and the money goes to the wrong place. Misdirected payments have long been an issue, with the UK Financial Ombudsman signalling its concerns back in 2014.
When customers choose to pay a business using open banking, no payee details need to be entered by the customer.
This removes human error, and the risk of customers being tricked into sending the money to a fraudster. The open banking provider controls where the money goes.
Open banking providers onboard and carry out due diligence with merchants
When an open banking provider enables payments for a merchant or other business, they enter into a commercial contract with that business, and undertake due diligence on the business as part of that. This reduces the likelihood that bad-actor merchants would use open banking to commit fraud.
The way open banking payments are set up also means the open banking provider has a relationship with the consumer and obligations towards them, such as responding to any complaints, or payment issues that are raised.
Cards work differently because a card issuer will have no relationship with the merchant accepting a card. They rely on merchant acquirers to do due diligence on merchants – and there needs to be a scheme (like Visa and Mastercard) to reconcile issues between issuers, acquirers and merchants.
Safer by design
The features of open banking payments discussed above collectively protect the consumer against both unauthorised payments and fraud relating to authorised payments (APP scams).
Open banking provides an opportunity to fight fraud with its secure design features:
embedded SCA
no card detail sharing
pre-population of payment fields
merchant onboarding
These features have been built into open banking from the beginning, and are not all standard across other online payment methods such as cards or manual bank transfers.
The more businesses choose open banking to enable payments, the safer consumers will be when paying online.