Where does Confirmation of Payee (CoP) come from, beyond being a very logical control to have in place? Is it effective against fraud and scams? How about privacy? To understand all this, it is worth taking a look into the historical origin of CoP as that is where we can find several clues to its effectiveness and the privacy issues surrounding it.
Earliest History of Confirmation of Payee: The Name Number Check
It was around the 1960s that automation ushered in a new era in the financial industry, making banking available to the masses, including the possibility to perform transfers. These transfers had to be checked for errors and fraud, and where possible automated. That was quite challenging as the mainframes at that time had less computing power than a low-end mobile phone nowadays. For instance, the signature had to be checked manually, as image processing was unheard of.
Transfers were handled on paper, to be entered manually by the bank staff so the mainframe could process them. This meant there were two steps with a possibility for error:
- The customer writing down the transfer.
- The bank’s staff entering the transfer into the system, typically via a punch card.
In the Netherlands, where the current CoP originates from, there were two distinct methods to check the account number:
- Use a machine-checkable account number. All but the governmental banks used 9-digit numbers with a mathematical check, the eleven-proof (Dutch), that prevented two typos in one account number. It was simple math, so it could easily be checked by the mainframe.
- The governmental banks had simply started with account number 1 and used consecutive numbers. This meant they needed some other check and that became the “naam nummer controle” or name number check. Where a human can do a name check almost without thinking, fuzzy matching was far beyond the capabilities of the mainframe, which meant that the checks had to be done manually.
Automated Name Number Check (Early CoP)
The number of transfers grew rapidly and so did the number of required manual checks. It will not surprise anybody that these were gradually reduced, due to the operational costs of this process. Signature checks were done for higher amounts and at random. The then government-owned banks had been merged into the Postbank in the Netherlands, which also cut down on the name number checks that had to be processed.
A great opportunity presented itself around the start of the millennium with the introduction of online banking. When internet banking started some 25 years ago, the name number check was automated: the moment you entered the account number, the system would show the name of the account holder. There was just one tiny issue: banks only know the account holders of their own accounts. This meant that transfers from the Postbank to other banks couldn’t be checked, but that didn’t cause issues as any typo in the account number would lead to an invalid account number. Problem solved for the Postbank, or was it?
In 2009, a customer of the SNS Bank sued ING Bank (the successor of the Postbank) as the account holder made a typo in the ING account number that he was sending €43.000 to. It ended up in the wrong account and the funds were lost. This demonstrated that ING wasn’t performing this check at all; it left it to the customers. Other banks couldn’t check transfers to the former Postbank accounts, as they didn’t have any information on the account holder either.
At the same time, the name number check provided fraudsters the opportunity to check for valid accounts and the associated account holder. To perform this check, all that was required was an ING online banking account and entering a number. In 2011, a fraudster who used this great opportunity was convicted of fraud. Together with more and more privacy concerns, the pressure on ING to stop the name number check culminated in a need to change course.
In August 2014, the IBAN number was introduced in the Netherlands, together with its two check digits, so the issue was resolved. ING was rid of its problem and stopped showing the name of the account holder when entering a transaction.
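The difference between sequential account numbers, the eleven-proof and the IBAN check digits can be shown by counting how many single typos each scheme lets through. The following is an added example, not code from the original article; the account number and the bank code "BANK" are constructed sample values.

```python
# Added illustration; account number and bank code "BANK" are constructed samples.
WEIGHTS = range(9, 0, -1)  # eleven-proof weights 9, 8, ..., 1

def elfproef(acct: str) -> bool:
    """Eleven-proof: nine digits whose weighted sum is divisible by 11."""
    return (len(acct) == 9 and acct.isdigit()
            and sum(int(d) * w for d, w in zip(acct, WEIGHTS)) % 11 == 0)

def _mod97(iban: str) -> int:
    # Move the first four characters to the end, map A..Z to 10..35, reduce mod 97.
    moved = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in moved)) % 97

def make_iban(country: str, bban: str) -> str:
    """Compute the two check digits for a country code and BBAN."""
    return f"{country}{98 - _mod97(country + '00' + bban):02d}{bban}"

def iban_valid(iban: str) -> bool:
    return _mod97(iban) == 1

def single_typos(acct: str):
    """Yield every one-digit substitution and adjacent-digit swap of acct."""
    for i, ch in enumerate(acct):
        for d in "0123456789":
            if d != ch:
                yield acct[:i] + d + acct[i + 1:]
        if i + 1 < len(acct) and ch != acct[i + 1]:
            yield acct[:i] + acct[i + 1] + ch + acct[i + 2:]

def accepted_typos(acct: str, check) -> int:
    """Count single typos of a valid number that the check still accepts."""
    return sum(1 for t in single_typos(acct) if check(t))

ACCOUNT = "123456789"                      # constructed; passes the eleven-proof
IBAN = make_iban("NL", "BANK0" + ACCOUNT)  # "BANK" is a placeholder bank code
PREFIX = IBAN[:9]                          # country, check digits, bank code, leading 0

if __name__ == "__main__":
    print("sequential numbers:", accepted_typos(ACCOUNT, lambda t: True))
    print("eleven-proof:      ", accepted_typos(ACCOUNT, elfproef))
    print("IBAN check digits: ", accepted_typos(ACCOUNT, lambda t: iban_valid(PREFIX + t)))
```

With sequential numbering every mistyped number is still a plausible account, which is why those banks needed the name number check in the first place.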
Pressure from Consumer Organisations for the Return of the Name Number Check (CoP)
You only notice how much you miss something when it’s gone. Consumer organisations started asking for the name number check shortly after it was removed. You know, that thing that didn’t work and had privacy and fraud issues. The perception among consumers was that this had always been done by all banks. They wondered why you had to enter a beneficiary name if it was not used for verification.
Rabobank Picks Up the Gauntlet and Sets Up SurePay
In September 2017, Rabobank introduced the IBAN-Naam Check, as it is called in the Netherlands. In May 2018, after 9 months, they reported a 70% drop in invoice fraud and 50% fewer transfers to the wrong account. Later in 2018, most other Dutch banks followed.
IBAN-Name Check was later introduced in the UK as Confirmation of Payee (CoP) and Rabobank spun off the company executing it: SurePay. Today, SurePay is a global leader in CoP and provides its solution to banks in a growing number of countries.
In October 2022, the European Commission announced that CoP will be part of the legislation for Instant Payments, including the use for batch payments. In the UK, France, Italy and of course the Netherlands, it is already implemented in the vast majority of banks.
CoP’s Effectiveness Against Fraud and the Privacy Issue Neatly Solved
The question now is: how effective is CoP against fraud? It absolutely does help; figures from SurePay and banks confirm this. Even years after its introduction, it still protects against fraud types like invoice fraud, and it can prevent simple mistakes in payment routing from occurring. Lloyds Banking Group reported it reduced bank transfer scams by over 30% in only a few months after introduction.
The decision by the European Commission to mandate this control also confirms that there is lasting added value to this validation. CoP’s strength is that it is easily understandable for both consumers and business users. If this approach were rolled out all over the world, it would improve accuracy in payment delivery, making sending money to new payees more reliable.
Further, the privacy issue has been resolved if the beneficiary account is held by a business, as the organization’s name is displayed. Otherwise, as a sender you will get a response that the destination is a private account, and confirmation that the name you entered matches the destination account. If there is a discrepancy, perhaps there is one character off, you may be asked “Did you mean _____”, and the name of the account holder is displayed. In some countries, you are warned that you are proceeding at your own risk if there isn’t a match.
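The response rules described above, set beside the old name number check that showed the holder's name for any number entered. This is an added example, not SurePay's or any bank's code; the ledger entries, the result labels and the 0.85 close-match threshold are assumptions made for illustration.

```python
from difflib import SequenceMatcher

CLOSE_MATCH = 0.85  # assumed threshold for this example only

# Constructed sample ledger: account number -> (holder name, is_business)
LEDGER = {
    "123456789": ("Jan de Vries", False),
    "100000002": ("Voorbeeld Bouw B.V.", True),
}

def normalise(name: str) -> str:
    """Case-fold, drop dots and collapse whitespace before comparing."""
    return " ".join(name.casefold().replace(".", " ").split())

def legacy_name_number_check(account: str) -> str:
    """Old behaviour: anyone who enters a number is shown the holder's name."""
    return LEDGER[account][0]

def cop_check(account: str, entered_name: str) -> dict:
    """CoP behaviour: the payer supplies a name and learns how it compares."""
    holder, is_business = LEDGER[account]
    a, b = normalise(entered_name), normalise(holder)
    response = {"account_type": "business" if is_business else "private"}
    if a == b:
        response["result"] = "MATCH"
    elif SequenceMatcher(None, a, b).ratio() >= CLOSE_MATCH:
        # Near miss: the one branch that shows a private holder's name.
        response.update(result="CLOSE_MATCH", did_you_mean=holder)
    else:
        # Some countries add a warning when the payer continues anyway.
        response.update(result="NO_MATCH", warning="Proceed at your own risk")
    if is_business:
        response["displayed_name"] = holder  # organisation names are shown
    return response

if __name__ == "__main__":
    for name in ("Jan de Vries", "Jan de Vreis", "Piet Jansen"):
        print(name, "->", cop_check("123456789", name))
    print(cop_check("100000002", "Voorbeeld Bouw"))
```

A wrong guess against a private account returns no name at all, so the close-match threshold is the setting that decides how much the check discloses.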
Not that Effective Against Scams
The effectiveness against the fast-growing problem of scams is unfortunately lower. Fraudsters have recognized this can be exploited and discuss the ways to take advantage of this loophole. I once had the pleasure to chat with my son, sorry, a fraudster over WhatsApp. He just gave the right name of the account to transfer the €4.000 to, with an explanation that fitted his story. With scams like bank and law enforcement impersonation, CEO fraud, etc., it is the same. The scammer knows exactly what to say to prevent the victim from becoming suspicious.
The problem with scams is that most legacy fraud detection solutions cannot effectively detect them, as it is the legitimate customer performing the transaction. What does work is looking at the user’s behaviour, specifically their behavioural biometrics. With this technology, scams are now identifiable as the following elements can be picked up as irregular:
- The amount and account being dictated by a third party
- The customer being coerced and hesitating when authorising the amount
- On mobile, an active call and the physical movement of the mobile device from ear to face and back, with the x,y,z coordinates of the device signalling a change of orientation
- On a PC, aimless mouse motion as the fraudster needs time to enchant, coerce and guide their victim, or the victim needs to keep the live session active before an automated logoff ends it or a screen saver takes over
Conclusion
CoP is very effective against mistakes and invoice fraud, making it a worthwhile preventive measure, not only for banks but also for large institutions making payments. Privacy issues have been neatly resolved.
The high expectations of some that it will also be effective against scams like bank and law enforcement impersonation unfortunately do not prove true. Effective measures against these scams require more advanced detection methods, where focusing on human behaviour has proven to be the most effective one.