Written evidence submitted by Pay.UK
Pay.UK welcomes the Treasury Committee’s inquiry into Economic Crime and the opportunity to provide evidence to the Committee on items of relevance to Pay.UK. Pay.UK is the Recognised Payment System Operator for the Bacs Payment System and the Faster Payment System (FPS). Our evidence will update the Committee on those items included within Pay.UK’s response to the final report of the previous Parliament’s inquiry. We have provided this response in Appendix A.
There is a broad range of public policy activity underway in the consumer protections space. As well as the HMT landscape review Call for Evidence we are aware of work by the Open Banking Implementation Entity (OBIE)/Payments Systems Regulator (PSR); the PSR as part of its strategy work; the Lending Standards Board (LSB); Stop Scams UK (sponsored by the Financial Conduct Authority (FCA) and Ofcom); UK Finance’s Payments Futures work; and the Pay.UK consumer protections working group.
Public policy makers should be mindful of this and ensure their work is coordinated, including with other industry work. Our view is that there is a need for more effective central leadership and coordination of the policy consideration of these issues and we feel that this would be an appropriate role for a regulator. We understand that the PSR will be publishing a paper on consumer protections before the end of the year which may help in this regard, and which we are keen to contribute to.
Through the pieces of work above, we think it important to recognise that there are distinct consumer protections issues related to interbank payments, of which two are currently most topical:
The first is on Authorised Push Payment (APP) scams where the Contingent Reimbursement Model Code of Practice (CRM) has been put in place and a review of its effectiveness is underway.
The second is on broader interbank[1] consumer protections, with a specific focus on Faster Payments. The particular focus in this area is on what protections might be necessary to support the wider adoption of consumer to business payments via interbank transfers. Traditionally, Faster Payments is used for person to person bank transfers, for example sending money to a friend or a family member. However, this method of payment is being used more for retail purposes, namely the purchase of goods and services, for example purchasing goods over the internet. This will become more prevalent through the introduction of Payment Initiation Service Providers (PISPs), which make such a payment smoother for the customer.
Pay.UK is currently undertaking a project looking at consumer-to-business Faster Payments. We have undertaken research into this area[2], and are starting a policy project to explore if, and how, Pay.UK’s rules and standards can provide consumer protections in this space.
APP scams can be a particularly devastating form of fraud and present a current detriment to consumers, and we would also like to see the increased use of consumer to business payments in FPS. However, we must stress the distinction between these issues – which we think are increasingly being spoken about under the general consumer protection banner. It is important to be clear about the distinctions and the drivers for a policy response in each area.
About Pay.UK
Pay.UK was formed in July 2017 (initially under the name New Payment System Operator or NPSO). We are a not for profit company, with independent governance. Pay.UK is the Recognised Payment System Operator for the Bacs Payment System and the Faster Payment System, which are recognised under the Banking Act 2009, and are therefore subject to macroprudential regulation by the Bank of England’s Financial Market Infrastructure Directorate. In addition, Pay.UK’s operation of Bacs, FPS and the cheque Image Clearing System is subject to economic regulation by the PSR as designated systems under FSBRA 2013.
As well as operating these three key payment systems, Pay.UK also delivers a variety of other services relating to payments and is responsible for designing the New Payments Architecture – which will upgrade and enhance the UK’s retail interbank payment systems.
Pay.UK also delivers a range of ‘managed services’ which offer capabilities to enhance the payments systems, such as Paym and the Current Account Switch Service.
As the system operator of the UK’s retail payments services and given our position at the heart of the payments ecosystem, we wanted to respond with our insight on some of the points in the report.
Background to our response
The role of Pay.UK as a Recognised Payment System Operator is not at the front line of the relationship with the customer, but to ensure safety, resilience and reliability of the payment systems. However, trust and end-user outcomes remain important to Pay.UK and are a part of our strategic objectives, and we want to support the delivery of appropriate end-user outcomes. A good example of how Pay.UK has done this so far is the delivery of Confirmation of Payee (CoP), and our on-going delivery of the New Payments Architecture.
Our written evidence follows below. It explains:
Thank you for the opportunity to input into this inquiry. I would be pleased to further discuss any of the points we raise in our evidence.
Kind regards,
Matthew Hunt
Interim CEO
Pay.UK written evidence
Progress on Confirmation of Payee
Confirmation of Payee (CoP) is an account name checking service provided by participating banks and building societies for their customers. When setting up a new payment, a customer will be able to check the name of the person or organisation they want to pay against the actual name held on the account that the payment is being made to. This will help payers prevent misdirected payments and avoid certain types of Authorised Push Payment fraud. Whilst CoP will not eradicate fraud, it will help payers avoid making mistakes and misdirecting their payments in error. Certain types of Authorised Push Payment fraud can also be addressed through the use of CoP, where the fraudster impersonates another person or entity, as the CoP check would not match. For the avoidance of doubt, there are certain types of fraud that CoP is not a solution for, where a fraudster is not impersonating another person.
Pay.UK has developed and delivered the rules, standards and relevant documentation for the first phase of CoP. This phase enables all UK Sort Code-owning payments service providers (PSPs) that are able to enrol in the Open Banking directory, to participate in Confirmation of Payee, and will allow them to incorporate Confirmation of Payee into existing and new payment services.
Following a direction from the PSR, the six largest banking groups have successfully implemented CoP alongside a number of other PSPs. As such, over 90% of FPS transactions can now benefit from the application of CoP. These current Phase 1 Participants will have a better perspective on how well CoP is working to prevent scams for customers. At the end of July 2020, approximately 8.2 million CoP requests per week were being reported (up to 9.8 million if ‘on-us’ transactions are included).
Early indicators suggested CoP has been successful, which generated an increased market interest with many other PSPs and relevant solution providers now actively reviewing their plans and expressing an interest in implementing a CoP solution for their customers and banking clients. However, we would note that not all PSPs are eligible to participate today. Further work is underway to develop the wider and ubiquitous capability for all PSPs to participate should they want to. We expect to create this capability during 2021.
Pay.UK is now further developing CoP through a second phase of activity to create the capability for all account holding PSPs to participate should they want to. This capability was not provided through the first phase of the activity as the growing threat of APP fraud meant that the industry defined an expedient route to implement the CoP capability at speed, enabling the critical initial coverage, and avoiding an extended development period with no solution at all.
It is important to remember that the full delivery of this second phase of work is dependent on the migration of Phase 1 Participants into the new Phase 2 capability. If Participant discretionary development budgets are reduced in the current Covid-19 environment, this constraint could delay the ubiquitous adoption of CoP across the industry, with either Phase 1 participants delaying transitioning to the new environment or new joiners delaying their build work altogether.
Our views on the CRM Code and making the Code mandatory
APP scams can be a particularly devastating form of fraud and present a real detriment at this point in time to consumers, which the industry has begun to address through existing voluntary measures.
The creation and adoption of the CRM Code has been a positive step, and the Committee will be aware that there is currently a review of the Code being conducted by LSB. We have responded to this consultation, and we await the outcome of that review, which may identify areas where further improvements can be made. In addition, we feel there are good arguments for finding a way to require complete adoption of the code so that it would apply to all PSPs and across all relevant payment channels. We believe that legislation is the most effective way of ensuring consistent adoption of the APP CRM Code (this is discussed further below).
In our response to the 2019 Treasury Committee report on Economic Crime: Consumer View, we referred to the decision following our Call for Information[3] on a change request to introduce a requirement into the FPS Rules for Participants to pay a Contingent Reimbursement Model (CRM) Fee. The evidence that we gathered through the public call for information raised a number of issues, and our independent Board concluded that it was not possible to progress the change request for a number of reasons:
It is the view of Pay.UK – based on feedback we received to that CRM Fee consultation - that the current Code does not reflect, and therefore is not suitable for, all the different types of business and operating models of different institutions, particularly smaller and/or more specialised firms. Amending the Code to be inclusive of a wider range of firms would support increased adoption of the Code across the industry to ensure consistent treatment and outcomes of customers who are victims of APP Scams.
Evidence from our CRM Fee Call for Information (CfI) demonstrates that one barrier to some firms signing up to the Code is the current no-blame funding arrangement. As noted in the recommendations of our decision document, responses to our CfI indicated that the inclusion of a self-funding model in the Code – as well as some modification to the Code for different PSP business models – would open up the opportunity for more PSPs to want to join the Code. Evidence suggests that many parties that are currently signatories support the self-funding approach. In light of this, we expected more parties would be able to commit to joining the Code under these circumstances.
Taking these issues into account, feedback and discussions with participants and end-users via the Pay.UK End User Advisory Council, including through an Advisory Note[4], have led us to believe that public policy intervention is needed to provide comprehensive coverage (across both payment channel and payment provider).
Considerations in finding a mandatory mechanism to provide comprehensive and consistent outcomes for consumers who are victims of APP scams.
As noted above, we believe that public policy intervention is needed to provide comprehensive and consistent consumer protection against APP scams. We are of the view that there is a need to go beyond the voluntary CRM Code, which does not currently provide comprehensive coverage – as many PSPs have yet to sign up to the voluntary code. We also understand that primary legislation would need to change in order for regulations to be introduced to require such comprehensive coverage.
In its Payment Landscape Review Call for Evidence HMT has asked for views on whether Payment System rules might be a way to assign liability when a payment goes wrong. They have noted that this could include using the Faster Payment System rules to assign liability in cases of APP fraud.
We look forward to the Government’s response to the Payment Landscape Review and working with public policy makers and the industry to consider the broad question of liability when payments go wrong. However, on the question of APP scams we think it is important to consider carefully how and where any regulatory rule would apply to ensure that comprehensive and consistent consumer protection against APP scams is achieved. We are not yet convinced that changes to payment system rules alone could deliver the optimum outcome for consumers in this case. Furthermore, if rule changes can be designed in such a way that they do address the consumer deficit, there remain a number of challenges and barriers in implementing and enforcing such rule changes which we think are relevant to be understood and considered in the round. We briefly expand on these points for the Committee below.
First, it is worth emphasising that FPS rules only apply to the participants in the FPS system, and therefore the customers of these participants, and for the purpose of transactions executed over the FPS system. As such, they cannot help where an issue impacts other systems, like APP scams where transactions are executed over CHAPS and “on-us”[5]. Our rules could therefore not be used to implement a holistic solution to the problem (for example they would not capture transactions executed over CHAPS or “on-us” transactions). We think it is important for public policy makers to explore an all-encompassing solution, and not one solely focused on losses incurred via the Faster Payment System, so that all consumers get the same protection regardless of who they bank with or what payment system they use, as fraudsters typically move to exploit issues in other systems.
Pay.UK has a responsibility for confidence in the UK retail payments network and so it wants to support the development of effective and appropriate consumer protections. If the scheme were to play an enhanced role in the future payments landscape, for example in relation to consumer protections, the current scope of Pay.UK powers would limit our ability to introduce rules in this area without support from the Government or regulators. In brief, it is within Pay.UK's regulatory powers as a payment system operator (PSO) to introduce measures to monitor, manage and mitigate risks that have a direct impact upon Pay.UK, upon participation in FPS or otherwise upon the safe and efficient operation of FPS. Legal limitations would make it difficult for Pay.UK to implement changes designed to manage and mitigate operational and other risks which occur at the payment service provider (PSP) – payment service user (PSU) level, and not risks arising at the PSO-PSP level.
Any changes to FPS rules would need to be made by Pay.UK in the proper performance of its functions as the operator of FPS. There could be legal difficulties for Pay.UK in introducing a rule change that was designed to assist FPS participants to manage the risks arising from their provision of payment services to their customers, rather than risks that arise out of the operation of FPS or participation in it by the PSPs, and if those risks do not directly threaten the safe and efficient operation of FPS. Similarly, for the same reasons, Pay.UK does not have the ability to enforce such a rule which was outside of its PSO role. Whilst the Financial Ombudsman Service may be able to resolve disputes from consumers, Pay.UK would not have the ability to take action against a Participant who consistently did not apply a rule.
The analysis completed in late 2019 in relation to the Change Request for a CRM Fee provided Pay.UK with a good understanding of the potential limitations on its ability to impose rule changes of this nature on its participants. In particular, it is not certain that Pay.UK can make a rule of this type (i.e. at the PSP-PSU level) without the agreement of all FPS participants, especially where a change requires both the amendment of the FPS Rules and the participant agreements.
Central leadership and coordination of policy considerations
In addition, there is a broad range of public policy activity underway in these areas. As well as the HMT landscape review Call for Evidence, we are aware of work by OBIE/PSR; the PSR as part of its strategy work; the LSB; Stop Scams UK (sponsored by the FCA and Ofcom); UK Finance’s Payments Futures work; and the Pay.UK consumer protections working group. Our view is that there is a need for more effective central leadership and coordination of the policy consideration of these issues and we feel that this would be an appropriate role for a regulator.
We understand that the PSR will be publishing a paper on APP scams early next year which may help in this regard. This is a positive piece of work for the PSR to undertake, which we are keen to contribute to, and will be an important piece of work for the industry to focus upon in ensuring consumers are protected against APP scams.
New Payments Architecture and financial crime
In 2017, the PSR and the Payment Strategy Forum undertook work to identify detriments that existed in the payments value chain and to identify new solutions and services to be developed to meet the needs of users. Since then, Pay.UK and the rest of the payments industry have been working to address these detriments. A number of these have already been addressed, and will contribute to competition in the payments landscape and to better outcomes for users.
The payments industry has tactically delivered competitive solutions to address financial crime detriments, with banks continually investing in their own solutions. As well as CoP, Pay.UK has successfully delivered ‘Mule Insights Tactical Solution’ (known as MITS) for FPS and Bacs via Vocalink. We have also set out a vision for how enhanced data, powered by the next generation UK retail payments standards, can further improve industry and end user outcomes in the face of crime detriments.
Current activity is focused on the determination of how Pay.UK can support the implementation of future financial crime capabilities under the NPA. Pay.UK is building on the lessons learned from the on-going Transaction Data Analytics project and industry feedback.
The development and delivery of the New Payments Architecture remains a key programme. It will enable the adoption of the next generation UK retail payments, based on global standards on which a wider set of services can be enabled, and promote competition. Setting common standards to achieve clear public sector outcomes would help various payments market actors in the private sector to prevent and mitigate financial crime through greater industry collaboration.
Pay.UK response – Treasury Committee report on Economic Crime: Consumer View
Pay.UK welcomes Treasury Committee’s report ‘Economic Crime: Consumer View’ published on 1 November 2019. We are especially supportive of the view that the Contingent Reimbursement Model (CRM) Code should be underpinned in legislation. In particular, giving public policy makers and regulators the ability to put in place market-wide rules to protect the interests of victims of fraud is something that we strongly support.
Pay.UK is an independent, not-for-profit company, created following a key recommendation in the Payments Strategy Forum’s (PSF) 2016 Strategy. The PSF, which was established by the Payment Systems Regulator, recommended that the governance of the Bacs, Faster Payments and cheque clearing payment systems operators should be consolidated into a single payment systems operator – now called Pay.UK.
As well as operating these three key payment systems, Pay.UK also delivers a variety of other services relating to payments and is responsible for designing the New Payments Architecture – which will upgrade and enhance the UK’s retail interbank payment systems.
As the system operator of the UK’s retail payments services and given our position at the heart of the payments ecosystem, we wanted to respond with our insight on some of the points in the report.
Confirmation of payee
Pay.UK has developed and delivered the rules, standards and relevant documentation for the first phase of confirmation of payee. This phase enables all UK Sort Code-owning payments service providers (PSPs) that are able to enrol in the Open Banking directory, to participate in confirmation of payee, and will allow them to incorporate confirmation of payee into existing and new payment services. It is now the responsibility of those PSPs to build their capabilities and solutions to incorporate confirmation of payee to help prevent payment misdirection, some of which may be caused by fraud. The first confirmation of payee implementations are expected by the end of March 2020.
Paragraph 42 sets out a recommendation that “The Payment Systems Regulator should therefore ensure that all relevant firms can implement Confirmation of Payee by the end of 2020”.
Pay.UK, as the owner of the rules and standards for confirmation of payee which were established in the first phase, is now considering a second phase of activity towards enabling a confirmation of payee capability that all account-holding PSPs can implement. As part of this, Pay.UK will look to enable the following additional propositions so that all relevant firms can participate in confirmation of payee should they choose to:
The second phase activity has just commenced and we will continue to work with the industry through 2020 to define the rules and standards.
Paragraph 43 sets out a recommendation that “spelling mistakes are flagged within the new Confirmation of Payee System”.
The capability to identify and flag simple spelling mistakes is built into the confirmation of payee rules and standards. When a typographical error is identified by the payee PSP (the bank receiving the confirmation of payee request), it will respond to the payer PSP (the bank sending the confirmation of payee request) in one of two ways:
It is important to note that whilst the rules account for typographical errors, the processes are very reliant on the quality of data input by customers. Education of customers will be critical both before a transaction is made and at the moment of input. We see a great opportunity for participating firms to learn from the experiences gained in the implementations that are about to commence.
Contingent Reimbursement Model
In paragraph 114, it is stated that “the code should now be made compulsory through legislation” as the first year review of the Code is approaching.
Pay.UK welcomes Treasury Committee’s recommendation to make the Code mandatory via legislation. We believe that this would lead to improved consumer outcomes across all payment channels, not just Faster Payments[6].
Pay.UK recently announced a decision following our Call for Information on introducing a requirement into the FPS Rules for Participants to pay a Contingent Reimbursement Model (CRM) Fee[7]. The proposal was for the fee to raise money to fund a central pot to reimburse no blame victims of APP Fraud (with the Code defining when a no blame scenario has taken place as well as introducing minimum standards of fraud controls). This came as a result of Pay.UK receiving a change request from UK Finance on behalf of seven Faster Payment Scheme (FPS) Direct Participants: Barclays; HSBC; Lloyds Banking Group; Metro Bank; Nationwide; RBS; and Santander.
The evidence that we gathered through the public call for information raised a number of issues, and our independent Board concluded that it was not possible to progress the change request for a number of reasons:
Through our call for information, Pay.UK was pleased to find that payment providers were clear that they believed that innocent victims of fraud should be reimbursed in a ‘no consumer or no PSP blame’ scenario, with many PSPs supporting a “self-funding approach” as opposed to a centralised fund. The PSPs are now deciding how to take the question of funding forward. The power to compensate individual customers is, and always has been, in the hands of the payment service providers should they wish to do so.
Delaying Faster Payments
In paragraph 50, a recommendation is made that there should be “a mandatory 24-hour delay on all initial or first-time payments”.
Faster Payments are set up to be near real-time and execute immediately on receipt from a PSP of customer present payments or on the future date confirmed by the payer. As Pay.UK would not have the information to administer any such delay, our assumption is that such an obligation could only be placed on PSPs, who would be in a position to assess whether and when a delay is warranted.
I would be happy to discuss any of the above points raised in this response with you.
Paul Horlock
CC: Chris Hemsley, Managing Director, The Payment Systems Regulator
[1] A payment where the money is transferred from one bank account to another bank account in a different bank.
[2] https://www.wearepay.uk/consumer-protections-in-payments-summary-paper/
[3] https://www.wearepay.uk/wp-content/uploads/2019/11/Overview-of-Pay.UK-Decision-Document-15-Nov-2019.pdf
[4] https://www.wearepay.uk/advice-note-from-the-pay-uk-end-user-advisory-council-to-the-pay-uk-board/
[5] A payment where money is transferred from one bank account to another bank account within the same bank (and therefore the money does not leave the bank).
[6] APP Fraud can happen over the Faster Payments Scheme, CHAPS and via on-us transactions (a transaction between two customers who use the same bank). Pay.UK is responsible for only the Faster Payments Scheme in the above.
[7] https://www.wearepay.uk/wp-content/uploads/2019/11/Overview-of-Pay.UK-Decision-Document-15-Nov-2019.pdf