Requiring the payee’s exact name for bank transfers


(Alex Sherwood) #1

Update, 11 December: The Payments Strategy Forum has outlined plans for a new payments system architecture in the UK.

One area that the Forum has been examining is ‘Confirmation of Payee’. Currently, when you make a payment to someone the bank will check that the account number and sort code you provide matches the ones on the account you wish to pay.

From here.

Obviously I don’t know the stats that show whether this is a good idea or not & Monzo does (or can at least A / B test it) but I’m really hoping that Monzo doesn’t implement this.

I find it hard to believe that the amount of hassle it will cause - people sending you the wrong name by accident or because they forget what it is + mistyping the name - is worth the benefit in terms of increased security :grimacing:

Edit - it’s also really useful to be able to include extra info in the recipient’s name field as a reference (e.g. when transferring money to yourself, if you have several bank accounts) :wink: but that’s not my main concern.


(Sufi) #2

Oh I really hope they think a bit more about implementation. I have no problem with a system which can protect people but exact names are always easy to remember or note.

Article says;

If the transfer is to a person, the confirmation system will check to verify if the details are a match or not. If the transfer is a business, the confirmation system will return with the name, address and registration number of the company so that the consumer can check it.

I think they could do it another way around so that when someone enters an Account number and Sort Code for a transfer they get a confirmation screen showing person/business name and other details which you can then confirm.


(Sufi) #3

Also, I hope Monzo don’t implement their Selfie :selfie: ID Video security thing for this or anything other than initial account opening :stuck_out_tongue_winking_eye:

This is a deliberate quip. Sorry!


(Alex Sherwood) #4

That’s one for a separate topic - but, spoiler: they’re going to :slight_smile:


#5

Oh, this is gonna be fun for all those people who don’t use their “legal name”:

Or those people who have names that are longer than the recipient fields?

This is going to be a nightmare!

Because I always know the registration number and registered address of every company that I pay …
And I’m sure everyone that pays their British Gas bills will know that the company is in fact called “Centrica”, and not be surprised at all to see this coming up in the confirmation screen…


(Sufi) #6

But you could easily confirm that: for a business, use Companies House or Google, and for a person, if you can’t be sure, then just ask them.

I have always done this :slight_smile: In recipient field for transfers to my other accounts I usually enter other bank’s name with my first name.


#7

True. But who does that? Who even knows that you can search Companies House for free online (these sort of things are designed to protect “the vulnerable”, not “the savvy”, because the latter usually already know how to do their due diligence)? And how reliable are your sources? E.g. it’s trivial to register a business in the UK. I register a business with a name sufficiently similar to the one I’m trying to impersonate, do some good old fashioned social engineering, and convince someone I’m actually company X. Registering the company isn’t the difficult part here…

And once I’m trained to expect a different name than the trading name I’m used to, I’m likely to just accept whatever the system throws at me. Trading names are so common that only the most paranoid will be searching Companies House for every single unexpected result.

This discussion has been had in the context of “EV Certificates” for HTTPS websites, where the owner must confirm they are indeed a business by the name, and it’s supposed to help stop phishing. But it doesn’t, because it’s way too complex. A different discussion, but the point is that these things don’t help at all.


#8

Many banks only have fields for the Recipient Name and the Reference sent to the recipient. If you will no longer be able to show the Recipient Name the way you want so you can identify it on your statement then they should be forced to include a second reference field so the sender has fields for the reference the recipient sees and a reference that you see.


(Sufi) #9

I am not sure making the system more complicated is the answer though.

I proposed what seemed simple to me :raised_hands: but I do take your point it’s not perfect for everyone. We need to remember to apply some common sense as well though; no one should be transferring to a business or person they are not sure about.

What do you think would be a better solution? Do you agree with what is said in the article Alex shared?


(Daniel Chatfield) #10

I’m interested to see where this goes. I think it might be challenging to strike a balance between being able to stop fraud and too many false positives (which will mean it is ignored).


#11

I wholeheartedly agree.

No, I don’t think I agree with what’s said there. Obviously every bit of security will always come at the expense of ease of use, but I think in this particular case the benefit is way too small to justify the expense.

As to what I think would be a better solution: I think you gave the answer yourself:

When I transferred the deposit for our house I did ring up (not email) my lawyer to confirm the bank details on the phone that they had previously sent me through the mail. She was really surprised (and quite a bit annoyed I think, considering it a waste of time), which in turn surprised (and annoyed) me, but I really didn’t want to just transfer 10s of 1000s of pounds across, just because I had received a letter …

I think the onus here should be on the payer, not on the bank, to confirm payment details, and NOT to transfer money to an account of someone who just emailed / phoned you. These confirmation screens will only offer a false sense of security.


(Sufi) #12

The only thing I would add is that perhaps banks could do a little bit more to educate people about the system and why they should check and re-check before making a transfer. Banks have a role to play, after all, they are supposed to look after our money.


#13

That’s very true! Education is always the best prevention.

I might add that Santander is actually pretty good at that. They give you this warning every time you set up a new Payee:

image

It might be a bit too technical (“independently validating”) but you always need to strike the balance in these cases between being too wordy so that no one reads you, and I think on balance they’ve done a pretty good job here.


(Hugh Wells) #14

I think one easier solution to this might be to make it very clear to users when they make an FPS transaction that this is permanent and pretty much like handing over hard cash - it is very difficult, in practice, for a bank to recover funds that have been sent to the wrong account.

Maybe if people were more aware of this, they would take more care when filling in the details?


#15

Very true indeed, and by memory, I think Santander actually shows that warning on the next screen.


(Change Works) #16

That would certainly help. However, most of the fraud which I have seen reported involves genuine, but hacked, emails with incorrect bank details. Although the number of frauds may be small, the individual sums can be huge and life changing.

A system I would like to see is one where I input the account details for the transfer, but without a payee name, and the bank adds the payee name before I click ‘send.’

I’m probably asking too much, I know. But it’s nearly Christmas, and I can be demanding at this time of year if I want to. :grinning:


#17

That’s exactly what they are suggesting:

If the transfer is a business, the confirmation system will return with the name, address and registration number of the company so that the consumer can check it.

But, as I said before, the problem is:

  • If you are paying British Gas (just a random example), and insert their bank details, it will most likely come back as “Centrica”, as that’s what the company is called.
  • If I wanted to defraud you, I’d simply register a company called “Unicorn Ltd” and tell my victims to expect that. This will work, because British Gas now has to tell customers to expect “Centrica”, and why is the latter more believable than the former? Once the consumer has been trained to expect discrepancies, it doesn’t matter what the discrepancy is.
  • Or, even better, I register a company called “Britsh Gas”, and give you the details for that account. Now you enter my bank details, and get back “Britsh Gas” as company name. Maybe you’ll notice the missing letter, maybe you won’t. Maybe you’ll even know that it should be called “Centrica”. Good on you. But I doubt a significant percentage of people will.
  • The example of the gardener on the Which? website: If I’m thinking of a sole trader, they may also have a company name that I have never heard of, because I only know my gardener as “John” (or whatever)

This really only stops the lazy fraudsters, and the savvy would-be victims. But it does nothing for vulnerable victims who, particularly after the experience that very often the company name coming back has nothing at all to do with the name that they recognise, will just proceed anyway.
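Added example, not part of the original thread and not any bank's implementation: a sketch of a tolerant payee-name check, run over the cases raised in posts #10 and #17, to show how the false-positive trade-off and the lookalike-name problem look to the matcher. The function names, the noise-token list, the 0.85 threshold and the sample pairs are all assumptions constructed for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumed list of tokens that carry no identity signal (titles, legal suffixes).
NOISE = {"mr", "mrs", "ms", "miss", "dr", "ltd", "limited", "plc", "llp"}


def normalise(name):
    """Lower-case, strip accents and punctuation, drop noise tokens, sort the rest."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    tokens = re.findall(r"[a-z0-9]+", text)
    return " ".join(sorted(t for t in tokens if t not in NOISE))


def check_payee(entered, on_account, close_threshold=0.85):
    """Return (verdict, score); verdict is 'match', 'close_match' or 'no_match'."""
    a, b = normalise(entered), normalise(on_account)
    if not a or not b:
        return "no_match", 0.0  # nothing left to compare after normalisation
    if a == b:
        return "match", 1.0
    score = round(SequenceMatcher(None, a, b).ratio(), 2)
    return ("close_match" if score >= close_threshold else "no_match"), score


# Constructed sample pairs: (name the payer typed, name held on the account).
SAMPLES = [
    ("Mr John Smith", "SMITH, JOHN"),    # same person, different formatting
    ("Jon Smith", "John Smith"),         # honest typo
    ("British Gas", "Centrica"),         # trading name vs. registered name
    ("British Gas", "Britsh Gas Ltd"),   # lookalike registration from post #17
]

if __name__ == "__main__":
    for entered, on_account in SAMPLES:
        verdict, score = check_payee(entered, on_account)
        print(f"{entered!r:18} vs {on_account!r:18} -> {verdict} ({score})")
```

The honest typo and the lookalike registration both come back as a close match with the same score, so no threshold separates them, while the genuine trading-name case is the one reported as a mismatch.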


(knows someone who knows Tom quite well) #18

But that would essentially be a name lookup from account number system - there are privacy implications.


#19

Not if it’s for businesses, I’d argue.


(Jamie 🏳️‍🌈) #20

Paym does this. You enter a number, and it shows you the name. And Paym is, in most cases, already verified to the sender because they already have the number of the person they wish to pay stored in their phone.