CoP Rollout - Plain sailing or high and dry for a year?
We set up the CoP Network to inform all interested parties of progress in this vital fraud prevention service. We try to answer your questions.
Now, we have some questions to ask of YOU!
CoP is being rolled out in two Phases. Phase 1 is the basic service, Phase 2 enables Building Societies to join.
Phase 1 of CoP started last year, and the main Banks (the so-called PSR6) have implemented it, under mandate from the Payment Systems Regulator. Fraud rates for the main Banks reduced, but fraudsters now concentrate their effort onto the smaller Banks. According to one analysis 40% of APP fraud now occurs in the 15% of traffic handled by those small Banks.
Phase 2 of CoP is ultimately designed to broaden the scope of CoP to include a wider range of Banks and Building Societies, many of which use 'Roll Numbers' rather than Account Numbers. Phase 2 is intended to be live and available from the PSR6 by the end of this year, with registrations of interest accepted from July.
Therefore at some point Phase 1 would be closed, to be replaced by Phase 2. But therein lies the concern - closing Phase 1 before Phase 2 is completely available creates a time gap during which no new participants can join.
We are concerned about the likelihood that the PSR6 shall deliver full Phase 2 in time. The CoP Network have seen virtually no evidence of the PSR6 actually making preparations for Phase 2. In fact, we have been told in confidence that most have no plans, no funding, or no intention. Because it is not mandated, and this gives them a competitive advantage, we fear they may be ready to just sit and wait it out.
Are they trying to pull the wool over Pay.UK's eyes?
Big Banks typically take at least 6 months to make any change. If they can sit it out until the end of this year when the current requirement expires, then we won't be seeing any real Phase 2 capability until at least the middle of 2022.
At the same time we understand Pay.UK have plans to close Phase 1 to new participants some time in June. Some have even suggested Phase 1 applicant processing is already being wound down. If so, this would be a little surprising, if not disappointing. To be fair, it's difficult to understand why they should do this. Our own relations with key Pay.UK representatives have always been good - although of course we are outside the NDA thus limiting the scope of discussion. In a way, the NDA can be a victim of its own success - where public facts are not available, rumour fills the gap. We would like to replace rumour with detail.
If both these statements are true - June 2021 Phase 1 closure to entrants and mid-2022 for Phase 2 availability - the vast majority of Banks shall be locked out for at least a year. They shall be unable to provide this valuable service to their increasingly vulnerable customers. And fraud shall continue. Millions of customers shall be at risk, and many shall lose money - in general only about 40% of money lost by fraud is repaid to the victim.
The CoP Network is not bound by the NDA, but of course that also means we may be wrong - we are almost as blind-sided as the ordinary public. But we strongly feel that more information should be made publicly available so that Banks can make better informed decisions and the public is reassured the Financial Services industry is doing its best to protect them. Hence our questions!
- What is the reality of Phase 2 CoP delivery? We'd like to be wrong, and discover it's all good. Banks, please let us know how you are doing. We would be delighted to publish good news.
- What is the overall plan for transition from Phases 1 to 2? Some public clarity on plans would be welcome, and again we would be more than happy to support all contributors.
- If YOU have any observations or input on any of the points in this article we would love to hear from you!
Every day, some innocent victims are being defrauded and most never get it back. Let's all do our best for them.
What is Confirmation of Payee (CoP)?
When you make an online payment, you give the sort code, account number and payee’s name. Until recently, and contrary to many people’s expectations, the payment validation ignores the payee’s name – it only uses sort code and account number. This leaves the door open to accidentally paying the wrong person and ‘Authorised Push Payment Fraud’, in which a payer is led to pay into the wrong account.
An initiative led by Pay.UK is changing that, and over the last months the largest 6 Banks in the UK have also started checking the Account Name. If the Account Name you give does not match the name of account identified by the Sort Code and Account Number then you shall be asked to confirm it is the correct name.
Now that the largest 6 Banks have enabled it, over the next year or two every other payment service provider is expected to follow suit. Anecdotally, 6 participants coordinating was found to be just about manageable – the participants collaborated commendably well. However the approach is unlikely to be scalable to meet the needs of perhaps up to 100 participants each enabling their service.
What is this Website for?
CoP Implementation is likely to be undertaken by virtually every Payment Organisation over the next year or so, in a phased approach as indicated by Pay.UK. Complexities can arise as a consequence of the numbers of participants, and some of those are identified here.
The aim is to understand more of these issues and by working with all interested parties derive community-based approaches to mitigate issues.
The website can act as an information hub for all participants involved in the delivery of Confirmation of Payee.
An essential point implicit in all this is that without a degree of coordination CoP ecosystem growth may be relatively inefficient and expensive for participants to implement, and contain significant duplication of effort across participants.
We are independent of all participants, and solution/approach agnostic, happy to support all equally. The aim is to create an impartial, informal hub for communications and information to smooth the path towards implementation and delivery of this excellent initiative.
The website is currently sponsored by Non Functional Testing Ltd, and has been created by Anthony Evans. Until June 2020, Anthony was a Senior Consultant to the Open Banking Implementation Entity during which (amongst other roles) he was on the Open Banking CoP Working Group.
Initial website launched and White Paper released on LinkedIn.
The initiative arose as a consequence of conversations on LinkedIn around CoP with a wide variety of participants including:
- Banks who had implemented CoP
- Some who were planning to
- Third Party providers of CoP services
CoP Challenges - White Paper
This White Paper highlights the types of issue that can arise in complex ecosystems such as CoP, in which many individual participants need to cooperate in order to provide this essential service. Based on original research with early CoP implementers and years of experience with the very similar Open Banking ecosystem, this paper presents probably the most comprehensive statement yet compiled about the potential challenges of implementing CoP.
Next Steps? - YOU!
We need you! A community is only as good as the people in it. Implementation and delivery of CoP can be hugely facilitated by communication between participants, and the aim of this site is to support that.
Following registration you shall then be able to access the member's area and take part in CoP community activities.
- A public information source, collating currently published information on CoP
- A Blog and/or Slack Channel for participants.
- MS Teams conference calls for participants.
- Proposed community-based mitigation around the potential challenges raised in the White Paper.