An intro to Confirmation of Payee and what it means for you

The introduction of the Contingent Reimbursement Model (CRM) in May 2019 by the Payment System Regulator (PSR) and Confirmation of Payee (CoP) in February 2020 by Pay.UK and were hailed as the latest and most effective weapons against the rising tide of Authorised Push Payment fraud.

Whilst it is acknowledged that banks could, and should, do more (the PSR has already signalled its intent to significantly improve customer protection and is seeking feedback on two consultations [1]), there is a growing pressure on banks to implement CoP now (with even the main-steam-media now naming and shaming banks who don’t support CoP).

Despite obvious problems with the CRM, CoP remains the highest-profile technical solution available to banks to avoid financial liability whilst at the same time potentially improving the customer experience & protection (which after all, is what this is all about).

Most recently, at the end of April 2021, UK Finance announced a policy of autonomy for banks to reimburse their customers, thereby removing the central pot delivered by the CRM completely.

However, due to the way CoP was implemented in phases by Pay.UK, introducing some technical complexity, access to and take-up of CoP has been limited in terms of the numbers of banks participating.

So is it an opportunity or a headache?

To begin with, a quick intro to Phase 1 and 2 of Confirmation of Payee.

In August 2019, the PSR used its regulatory powers (in the form of ‘Specific Direction 10’). In August 2019, the PSR used its regulatory powers (in the form of ‘Specific Direction 10’) to require members of the UK’s six largest banking groups to implement CoP, by the end of March 2020 [2].

Like any industry-led change, whether mandated or voluntary, there are first movers, early adopters and then mass followers. Where CoP is concerned, this can have real-world consequences both from a liability perspective but also customer acquisition, experience and retention. Apart from the PSR-mandated group, however, only a handful of banks took the plunge and participated in CoP phase 1.

• You are an Account Servicing Payment Service Provider (ASPSP)
• You have a sort code allocated to you with your own bank code in the EISCD
• You are an FCA registered entity
• You are registered with Open Banking 

• Organisations whose customers are addressed via a secondary reference (i.e. an agency PSP that does not have a sort code allocated to them with their own bank code in the EISCD)
• Organisations not registered with FCA
• Non-ASPSPs e.g. Third Party Providers (TPPs) / Payment Initiation Service Providers (PISPs)/Account Information Service Providers (AISPs)

From a technical point of view, the well-trailed phase 2 (designed to extend the benefits of CoP to the wider audience excluded under phase 1) is going to be delivered via a different technical solution. Whilst this might help to remove some of the technical barriers to entry to encourage participation, phase 2 is not compatible with phase 1 and so all phase 1 participants are obliged to migrate to phase 2. This mandated migration has led to a ‘wait and see’ approach from many banks and FIs who may have been eligible for phase 1.

Their customers require and demand protection and the PSR is wielding a big stick in the shape of CRM or more proposed draconian measures and yet any work undertaken now is likely to be throw-away as phase 1 makes way for phase 2.

CoP is a look-up and validation service to enable payers to check the account name registered against a payee’s sort code and account number at a 3rd party bank (referred to as the ‘Account Servicing Payment Service Provider’ (‘ASPSP’). On request of their Customer trying to set-up a new beneficiary (i.e. their Customer is the ‘payer’ here), the payer’s bank will send a request to the payee’s bank (we’ll call this COP-OUT) which the payee’s bank receives (as a COP-IN request).
The request asks for the payee’s bank to check the account name registered against a specific sort code and account number. The payee’s bank responds to the COP-IN look-up request by matching the name in the COP-IN request with the account name registered on their database. The CoP rules allow for the following responses:

1. A Full Match
2. A Close Match
3. No Match

Once the match is completed and the result identified, a response is sent back to the payer’s bank who will inform the customer via their own particular UX. And here is where a major problem occurs. The UX is controlled by the payer’s bank and therefore different banks give different outcomes and options. Some banks may not allow payments to be made where a ‘Close Match’ is given and may ask you to retry. Others might let it slide and some may let some go through depending on a ‘score’

When it comes to not being able to check because the ASPSP is not a participant in CoP, the decision becomes a difficult one. Do you stop your customer from making payments to that account because they can’t check it? Do you let it slide because you have no way of checking and therefore the payee’s bank (who’s not connected to CoP) will be liable for any losses or do you create another process by which a customer can check that account or make that payment which adds cost and time and introduces friction?

Whatever happens, not having more banks on CoP causes problems for everyone – the customer, and both payer and payee banks.

So, whilst Phase 2 does provide some simplification in that the service that can be provided to a wider group of financial institutions, and opens the directory up to a wider vendor playing field, the question that really needs to be asked is ‘Is waiting for the end of Phase 1 worth the risk and will phase 2 change this?

In my humble opinion, the answer is no. With a recent article by The Guardian stating, “Millions of UK bank customers miss out on security checks” [3], it appears that patience is wearing thin…

Put simply, Confirmation of Payee has posed quite a problem for many banks and FI’s to implement. Despite the concept itself being quite straightforward, legacy architecture and infrastructure within existing bank payment estates, coupled with a phased scheme approach (with no backwards compatibility), is hampering the rapid rollout of CoP and other innovations meaning customers of those banks are left without the service and eventual safety nets it provides.

The above-mentioned article goes so far as to name and shame some specific organisations and my message to those businesses, as well as any others who’ve not yet addressed COP.

Let’s talk, Confirmation of Payee needn’t be the headache you anticipate.

Form3 is leading the way to help banks and financial institutions access CoP technology and we urge you to get in touch to see how we can help you with CoP wherever you are on your journey.

Form3 have built a COP solution for Phase 1 that covers both Responder & end-point look-Up services and the Service is live, in production, with some of the biggest names in the world of banking and payments. For Phase 2, we will be operating a full inbound and outbound solution for sending and receiving CoP requests.

Both services run on the same award-winning cloud-native infrastructure on which we run our market-leading payment solutions (including a significant double-digit percentage of all UK Faster Payments traffic by 2022). See the diagrams above for a high-level view of our API-based CoP solution.

As a fully managed payments technology provider, we’ll ensure a seamless migration between Phase 1 and 2 at the relevant point in time.

If Confirmation of Payee is still presenting a challenge for you, send me a note and let’s have a conversation about where we can help - callum.hay@form3.tech

[1] https://www.psr.org.uk/publications/consultations/

[2] Bank of Scotland plc, Barclays Bank UK plc, Barclays Bank plc, HSBC Bank plc, HSBC UK Bank plc, Lloyds Bank plc, National Westminster Bank plc, Nationwide Building Society, Royal Bank of Scotland plc, Santander UK plc and Ulster Bank Limited

[3] https://www.theguardian.com/money/2021/mar/20/uk-bank-customers-security-checks-confirmation-of-payee

[4] https://www.wearepay.uk/programmes/end-user-deliverables/confirmation-of-payee/