The Payment Systems Regulator (PSR) plans to direct more providers to implement Confirmation of Payee (CoP) for online bank payments, to prevent fraud and stop payments being misdirected.
In this blog post, we take a look at what CoP is, what risks it seeks to reduce and how the inherent safety features of open banking payments address those same risks.
What is Confirmation of Payee (CoP)?
CoP is designed to help stop fraud and payments being accidentally misdirected by checking whether the name of a payee’s account matches the name and account details provided by a payer.
There are four possible outcomes of a CoP check, which are displayed to the payer before they proceed with the payment:
Yes – the account name matches
No – the account name does not match
Partial match – the account name is a close match but not exact
Data is unavailable (eg the payer's bank isn't part of CoP)
What risks does CoP reduce?
By matching against the name of the recipient before a payment is made, and alerting the customer to a positive match or a failure to match, CoP seeks to mitigate two types of risks that lead to payments being sent to the wrong place.
If a customer has made a mistake and input the wrong account details, failure to match a name between the intended recipient and actual account information should highlight the mistake.
If a customer is being scammed and thinks they are paying a legitimate payee such as a business, but is instead being encouraged to send the payment to a fraudster’s account, the discrepancy will be highlighted and the customer warned.
These risks are also mitigated by open banking
Increasingly, open banking payments are used to enable businesses to accept instant, account-to-account transfers (instead of cards). When used to pay businesses, they have a number of features which mitigate the risks that CoP seeks to address:
Payment instructions are pre-populated
When customers choose to pay a business using open banking, the customer doesn't need to enter any payee details. This removes human error and the risk of customers being tricked into sending the money to a fraudster. The open banking provider controls where the money goes.
Open banking providers onboard and carry out due diligence with merchants
When an open banking provider enables payments for a business, they enter into a commercial contract with that business, undertaking due diligence on them. This reduces the likelihood that bad actor merchants would use open banking to commit fraud or scams.
The Open Banking Implementation Entity (OBIE) has also looked at the application of CoP in open banking. They concluded that:
Where open banking providers onboard and carry out due diligence with the payee before taking payments for them, this has the equivalent effect of CoP. It's even reasonable to conclude that this approach is significantly more effective as it doesn't rely on the customer to act on CoP mismatch interventions.
Where open banking providers pre-populate payment instructions, the customer is unable to amend payee details, which is an effective countermeasure to any risk of malicious misdirection, since the fraud is entirely dependent on the fraudster convincing the customer to change the payee details.
The research also notes that there are unintended consequences associated with the overuse or inappropriate use of warnings on a payment journey. As people become accustomed to seeing warnings, the overall effectiveness of such warnings decreases – similar to the way cookie banners on websites have become, for most people, no more than a button to click through without any real engagement.
What types of open banking payment can benefit from CoP?
Any payment method which requires a customer to input recipient account details carries the risk of human error or scammers manipulating customers.
Some open banking providers enable the payer to transfer funds to an account of their choosing, either belonging to themselves (‘me-to-me’ payments) or to someone else.
The payer can either enter the recipient's account details directly into the open banking payment app or select an existing account from a stored list on the app. This type of open banking payment is generally used for transfers between accounts rather than purchases – and can benefit from CoP.
Here, CoP allows the customer to check whether they are sending the funds to the account they intend to pay. A CoP mismatch in this scenario alerts the customer to any mistakes they may have made when entering the account details.
A targeted approach to CoP is needed
When open banking is used for payments to businesses in the example described earlier in this article, the risks that CoP seeks to address don't apply. That's because the open banking provider has an established relationship with the recipient of the payment and ensures the payment goes to the right place.
CoP can be relevant for some open banking payments where a payer needs to input the recipient’s account details.
It's important to have a targeted, risk-based approach to using CoP. Applying it inappropriately can create unnecessary friction that could confuse customers and dissuade them from using open banking. It can also drive apathy towards CoP warnings, reducing their effectiveness in the long run.