The Payment Systems Regulator (PSR) has just announced that the UK’s six largest banks must check whether the name of the recipient of a transfer matches what the sender thinks. This new feature should help address a security loophole in online payments: the name of the recipient of transfers is ignored, contrary to expectations and unlike cheques. This improved security should make some fraud more difficult, but banks must be prevented from exploiting the change to unfairly shift the liability of the remaining crime to the victims.
The PSR’s target is for checks to be fully implemented by March 2020, somewhat later than their initial promise to Parliament of September 2018 and subsequent target of July 2019. The new proposal, known as Confirmation of Payee, also only covers the six largest banking groups, but this should cover 90% of transfers. Its goal is to defend against criminals who trick victims into transferring funds under the false pretence that the money is going to the victim’s new account, whereas it is really going to the criminal. The losses from such fraud, known as push payment scams, are often life-changing, resulting in misery for the victims.
Checks on the recipient name will make this particular scam harder, so while unlikely to prevent all types of push payment scams they will hopefully force criminals to adopt strategies that are easier to prevent. The risk that consumer representatives and regulators will need to watch out for is that these new security measures could result in victims being unfairly held liable. This scenario is, unfortunately, likely because the voluntary consumer protection code for push payment scams excuses the bank from liability if they show the customer a Confirmation of Payee warning.
Warning fatigue and misaligned incentives
In my response to the consultation over this consumer protection code, I raised the issue of “warning fatigue” – that customers will be shown many irrelevant warnings while they do online banking and this reduces the likelihood that customers will notice important ones. Even Confirmation of Payee warnings will frequently be wrong, such as if the recipient’s bank account is under a different name to what the sender expects. If the two names are very dissimilar, the sender won’t be given more details, but if the name entered is close to the name in bank records, the sender should be told what the correct one is and asked to compare.
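The three outcomes described above can be sketched as follows. This is an example added here, not code from the Confirmation of Payee specification or any bank; the similarity measure (Python's difflib), the 0.7 threshold, the title-stripping rule and every sample name are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

CLOSE_THRESHOLD = 0.7                      # assumed cut-off, not from any CoP rulebook
TITLES = {"mr", "mrs", "ms", "miss", "dr"}  # assumed list of ignorable titles

def normalise(name):
    """Lower-case, drop punctuation and titles, collapse whitespace."""
    words = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in TITLES)

def confirmation_of_payee(entered, on_record):
    """Return (outcome, name_disclosed_to_sender)."""
    a, b = normalise(entered), normalise(on_record)
    if a == b:
        return ("match", None)
    if SequenceMatcher(None, a, b).ratio() >= CLOSE_THRESHOLD:
        # Close match: the sender is told the recorded name and asked to compare.
        return ("close_match", on_record)
    # Very dissimilar: warn, but give no further details.
    return ("no_match", None)

def warning_stats(payments):
    """Count how many legitimate and fraudulent payments trigger a warning."""
    stats = {"legitimate_warned": 0, "legitimate_total": 0, "fraud_warned": 0}
    for entered, on_record, is_fraud in payments:
        outcome, _ = confirmation_of_payee(entered, on_record)
        warned = outcome != "match"
        if is_fraud:
            stats["fraud_warned"] += warned
        else:
            stats["legitimate_total"] += 1
            stats["legitimate_warned"] += warned
    return stats

# Constructed sample: (name the sender typed, name on the account, is_fraud)
SAMPLE = [
    ("Mr John Smith", "John Smith", False),            # title only: match
    ("Jon Smith", "John Smith", False),                # typo: close match
    ("Bright Sparks Electrical", "R Patel", False),    # trading name vs account holder
    ("John Smith", "A N Other", True),                 # account not in the expected name
]

if __name__ == "__main__":
    for entered, on_record, _ in SAMPLE:
        print(entered, "->", confirmation_of_payee(entered, on_record))
    print(warning_stats(SAMPLE))
```

In this sample, the legitimate payment to a trader whose account is in a personal name produces exactly the same "no match" warning as the fraudulent one, which is the situation in which warning fatigue develops.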
I also noted that the shift of liability from bank to victim when a Confirmation of Payee warning is displayed creates the wrong incentives for banks. Asking the customer to verify the name of the recipient is just one of many security measures that the bank can apply. For example, they could detect transactions that are out of character for the customer and block them, or they could look for unusual patterns of transfers to the recipient account. Banks should be incentivised to deploy every fraud prevention scheme at their disposal, but with the code as written, as soon as banks have shown a Confirmation of Payee warning, they can shift liability to the victim without doing anything more.
In conclusion, I argued that the standard of care that customers are expected to apply to protect themselves from push payment fraud should be as the Payment Services Directive requires for other types of fraud: that they do not act with gross negligence. That is, the bank can only shift the liability of fraud to the victim if they demonstrate that a customer has acted with “a conscious and voluntary disregard of the need to use reasonable care, which is likely to cause foreseeable grave injury or harm to persons, property, or both”. If a customer doesn’t act on a Confirmation of Payee warning, then this could contribute towards an argument that they have been grossly negligent, but it would not be in itself sufficient. For example, the effects of warning fatigue, the state of mind of the customer, and sophistication of the criminal could show that nevertheless, the customer acted reasonably.
In general, if fraud is being caused by banks or other institutions failing in their duty of care to prevent it, then new security measures that are exploited to shift liability to victims will make the situation worse, not better. Institutions are no more likely to act competently and could even be incentivised to do worse. This happened with Chip and PIN, seems likely to occur for push payment fraud, and could easily happen again in the future unless regulators act promptly.