The impending implementation of the Payment Systems Regulator’s (PSR) new reimbursement requirement in 2024 has made it critical for financial institutions to bolster their fraud prevention strategies.
As payment companies become mandated to reimburse scam victims, the industry’s cost of fraud is expected to increase by 66%. They need to develop new ways to protect themselves, and digital identity verification offers a compelling way forward.
Authorised Push Payment fraud (APP fraud) happens when someone is tricked into sending money to a fraudster posing as a genuine payee.
The sums of money lost in APP scams can be life-changing for individuals, and the lack of customer protection in the Faster Payments System is both out of sync with other schemes and a barrier to its adoption.
The UK’s Payment Systems Regulator (PSR) is therefore strengthening the rules in 2024 to introduce two key changes.
This will require all banks and payment firms to:
By adopting robust digital identity solutions which draw on bank-verified Know Your Customer (KYC) onboarding processes, the payments industry can greatly reduce the occurrence and cost of fraud.
As fraudsters become increasingly sophisticated, banks and their business customers need to keep pace by using multiple layers of protection, including identity verification, to ensure they know who they are dealing with online and protect themselves and their customers.
This paper describes how the new reimbursement requirement will affect payment companies and their customers and explains how digital identity verification can help in the fight against online fraud.
The lack of identity checks online has led to the proliferation of APP fraud across a wide range of fields – from investment to dating, from invoice to advance fee payments.
Recent UK Finance research shows that 78% of APP fraud starts online and only 18% via telecom channels.
Fraudsters are using increasingly sophisticated tools, including AI, to create synthetic identities for illicit purposes. We can’t be certain of who we are interacting with online, as most online platforms perform little or no identity verification on account creation.
We believe that more rigorous fraud prevention methods must happen upstream of the payment itself to stop fraud before it reaches the payment rails. Prevention is better than detection.
Indeed the UK Government’s recent Fraud Strategy emphasises that we need to focus on stopping fraud at source and that:
“it is other industries, especially online technology giants, who should do more to stop criminals exploiting their services.”
This is one reason why the government is working on the Online Safety Bill, a new set of laws to protect children and adults online, which will make social media companies more responsible for their users’ safety on their platforms. The Online Safety Bill will require social media companies to remove scam adverts from their platforms and work harder to close down opportunities for fraudsters to abuse their systems.
Big Tech has been slow to adopt new identity tools to protect users, and this new regulation is a welcome driver for this adoption, but it will take time. The financial services sector has more incentive to lead the way and demonstrate safety best practices by authentication of both parties in a transaction.
The PSR is proposing to introduce new rules from 2024 that will require firms to:
Provide additional protections for vulnerable customers.
The new reimbursement requirement will apply to all banks and payment companies that use the Faster Payments System, whether as sending or receiving payment organisations.
The PSR focuses on increasing protections for Faster Payments as 97% of APP fraud occurs in the Faster Payments System
The new reimbursement requirement will give banks and payment companies a strong reason to innovate and develop new tools for effective, data-driven interventions to change customer behaviour, for example, adopting a risk-based approach to payments.
Firms can then make better decisions on when to intervene, hold or stop a payment to protect themselves and their customers from payment fraud.
APP fraud cost UK customers and banks £485 million in 2022, with banks refunding £285 million (59%) to their customers under a voluntary industry code (and customers, therefore, losing £200 million).
Cost to the industry if PSR's new regulations were applied in 2022
| Customer cost | Industry cost | Sending bank cost | Receiving bank cost | |
| Actual costs | £200m (41%) | £285m | £285m (59%) | £0 |
| Costs with new rules | £9.7m (2%) | £475m (66%) | 238m (49%) | £238m (49%) |
If the rules were applied to 2022 APP fraud, costs to the industry would be 66% higher (£475 million vs. £285 million), mostly borne by receiving banks, who would pay a new £238 million cost.
The rising cost of APP fraud is being highlighted as a new key risk to bank balance sheets. Adopting better digital identity verification tools will help to mitigate this business risk.
This can be achieved by enabling the sending bank to verify the payee’s identity before the payment is initiated, by adding a low-friction identity check into a new beneficiary set-up process. Bank-led digital identity services are the simplest way of doing this, and it is already being used widely in the Nordic countries, with a solution known as BankID. The solution has reduced the cost of fraud in Norway to a tiny fraction.
This would make it harder for fraudsters to prove who they are when impersonating someone and dissuade them from the journey, as they would need to be able to complete Strong Customer Authentication (SCA), which increasingly uses biometrics. Fraudsters will not want to disclose their real identity; burglars don’t like leaving fingerprints.
Click here to download the full report as a PDF to read later.
The PSR recognises that “good” friction can be a valuable tool in preventing fraud. Similarly, the Financial Conduct Authority’s new Consumer Duty, which is coming into force in July 2023, stipulates that firms should consider building “positive friction” into processes to deliver good outcomes.
The FCA suggests that additional steps in the customer journey designed to prevent fraud “would not amount to an unreasonable barrier”, and would instil consumer confidence helping them prevent poor decisions. Bank-verified digital identity is a compelling example of “good” friction, which is easy to implement and quick to use, being completed with just a few clicks by the user.
Currently, fraudsters collect money into their accounts without any interaction with anyone. Banks could require payees to confirm their identity via a bank-verified digital identity as part of the beneficiary set-up process to accept certain payments into their bank account. This would provide an additional check on beneficiaries and help to prevent impersonation fraud.
Deciding at what value or in what circumstances a bank would require this additional authentication by a payee could be a risk-based decision by the bank, offering them considerable flexibility as to how and when they apply this control; for example, high-value payments into unknown accounts.
Payees could also be asked to confirm that the payment is for a legitimate purpose; any fraudster would be unlikely to want to provide such a confirmation against their own identity. This will be a significant deterrent to fraudsters receiving payments into their accounts.
If the receiving account is still under the owner’s control acting as a money mule, warning screens can also be presented to deter them from accepting payments for which they could be prosecuted.
The requirement for SCA of customers initiating payments came into force in March 2022, adding an extra layer of security in the fight against fraud. SCA rules require all payment providers to use multi-factor authentication (MFA) for higher-value and higher-risk online transactions.
Unfortunately, to circumvent SCA protections, criminals are increasingly using social engineering techniques to trick customers into divulging their one-time passwords (OTPs) so they can initiate fraudulent online card transactions.
Bank-verified digital identity complements and adds an additional layer of defence to SCA by intervening upstream of the payment, i.e. before the payer authorises the payment. Adding a step to verify the payee with a bank ID that includes SCA enables mutual authentication of both parties in the payment before it is triggered.
On the payer side, instead of the customer having to key their personal information into web forms onto the e-commerce website or platform, they can use bank-verified digital identity to share these details with the retailer securely. The payer SCA can cover both sharing of data and payment initiation.
Click here to download the full report as a PDF to take with you.
Confirmation of Payee (CoP), the name-checking service designed to help prevent APP scams and misdirected payments, introduced a new layer of payment protection when it became mandatory for the six largest UK banking groups in 2020.
With CoP, customers can check if the name on a new payee’s account matches what they expect for that sort code and account number when setting up a new payee or changing the details of an existing payee. This control helps prevent payments from going to the wrong account.
CoP has helped to reduce fraud, but unfortunately, fraudsters sometimes succeed in persuading scam victims to click through the CoP warning screens and make the payment, even when the banking app warns them there is no match.
The bank-verified digital identity of the payee provides an additional layer of protection by providing the true identity of the payee’s. The payee ID details (name, address, date of birth, account, etc.) can be fed into the sending bank’s fraud engine to advise the customer on a better payment decision, in line with the new Consumer Duty requirement of better outcomes.
Digital identity can add a new security step in the new beneficiary set-up process. When setting up a new payee on their banking app, a message is sent to the payee asking them to authenticate via SCA with their own bank and consent to share their ID data with the payer’s bank securely and in real-time. This provides an additional and powerful layer of defence against the risk of fraud as the sending bank then has the SCA of both parties.
To understand how bank-verified digital identity can reduce fraud, imagine an individual purchasing an item online.
The person sees a £1,000 set of golf clubs advertised for £75 on Facebook (along with a garden shed, set of patio furniture and the latest Xbox, each for the same bargain price of £75 – unusual, but this is too good a deal to miss!).
They decide to buy and message ‘John Smith’ to place an order. ‘John Smith’ messages back with a sort code and account number to pay the £75 into (which could be their own account or a money mule), along with a message to say ‘my account name is Jonathan, so ignore the CoP warnings about name not matching’.
Without a digital identity check, the payer will make the payment and lose the money, with the banks picking up the cost of reimbursement, not Facebook. £67 million was lost to purchase scams in 2022.
The sending bank could add a digital identity check to the new beneficiary set-up process; ‘John Smith’ is sent a message requesting that he authenticates with his bank and shares his real name, address and date of birth with the bank. If the person is a fraudster, they will be reluctant to do this from their own account.
If it’s a money mule account, the fraudster has to set up the fake Facebook page in the money mules’ real name (which will deter money mules).
If the fraudster does share details, this information can be checked against known fraud databases, and as soon as one fraud gets reported, the account is flagged to prevent further fraud.
Fraudsters, therefore, ‘burn’ accounts faster than today and have to go to more trouble to set up new accounts and make them look authentic.
Direct debits are a core part of the UK payments system, allowing many types of businesses to collect recurring payments, such as fees, subscriptions and utility payments. Yet the onboarding process is often clunky and vulnerable to fraud.
One way to reinforce this process is to use bank-verified digital identity to facilitate three-way authentication at the point of sale, between the customer, their bank and the service provider, such as a utility. Using digital identity cuts the risk of identity theft and subscription fraud. At the same time, real-time bank-verified digital identity checking would help tackle SIM swap and Mobile Number Porting fraud.
Using bank-verified digital identity means that in a few clicks, the onboarding process can be completed without online form filling or, worse still, completing direct debit mandates on paper. Removing form-filling also removes any opportunity for fraudsters to input stolen account details into the mandate, preventing direct debit fraud.
Using bank-verified digital identity to authorise a direct debit mandate also helps banks and corporates provide enhanced evidence to any customer who tries to claim under the direct debit guarantee that they did not approve the direct debit mandate.
The bank has a strong digital audit trail, instead of relying on old paper mandates or unverified web forms, giving it and its corporate customers better protection against direct debit refund claims.
As an example of how this works, picture an individual who wants to sign up for a mobile telephone contract and set up a direct debit.
As the telco has implemented a bank-verified digital identity solution to protect itself and its customers, its website has a clearly marked button which the new customer uses to connect with their bank via their banking app and provide consent for the bank to authenticate their identity to the telco and share their bank account details. This happens in a few clicks, and the data is transferred to the telco in real-time via a secure channel.
As a result of this data transfer, not only is the new customer’s identity authenticated by their bank, but all the fields required to set up the direct data are automatically populated, thereby avoiding the risk of incorrect bank account details being keyed manually by the new customer, or stolen data being used.
This innovative approach to signing up for a new service and creating a direct debit provides an irrefutable record for the telco and the bank that the new customer is who they say they are and that they have given their authorisation to set up the direct debit.
The PSR’s new reimbursement requirement is a significant step to drive better fraud prevention and focus payment firms on protecting consumers and businesses. The UK is the first country in the world to implement consistent standards requiring sending and receiving banks to share 50:50 the cost of reimbursing victims of APP fraud.
Other jurisdictions are watching closely. It is the stated objective of the PSR that this measure will incentivise banks and payment firms to develop innovative new ways to protect customers from fraud.
By enabling bank-verified digital identity services, there is now a viable way for banks, businesses and the government to protect their customers from fraud in multiple scenarios by providing strong authentication of the identity of both the payer and the payee and sharing account data securely with only the parties that need it. This innovative approach is a compelling way to deliver on the payment industry’s objectives to develop new ways of preventing fraud.
Click here to download the full report as a PDF.
In the digital age, identity verification has evolved from cumbersome physical processes based on scanni...
Aaron’s Department, a leading provider of Disclosure & Barring Service (DBS) checks for organisation...
As promised in my last blog recapping our webinar, 'Modernising KYC: Why Innovators are Adopting Digital...
OneID®’s latest white paper, launched at Pay360, points the financial services and payments industry to ...
