Imagine you walk into a store, hand over your card and wait for your goods and then … nothing. Everyone ignores you. You shout a bit and wave your arms but eventually go home in a very bad mood and phone your bank. Who basically shrug their shoulders and suggest you be more careful about who you give your money to next time. End of story.
Wouldn’t happen … right?
Well, in a way it’s exactly what is happening with advanced push payment fraud where accountholders are being manipulated into sending their money to the accounts of fraudsters. Let’s face it, we all have to go through a bunch of onerous identity checks whenever we sign up for an account so when we send money to a fraudster, and we want it back the receiving bank should know who they are. And, of course, they do, but that’s about as far as it goes.
In card payments the scenario above doesn’t happen because of a combination of regulation and card scheme governance. If a cardholder isn’t satisfied with the service they’ve received they can complain to their bank who complains, via the card scheme, to the merchant’s acquirer. If the dispute is found in the cardholder’s favor then the merchant has to repay. If they don’t then the acquirer can withhold funds to make the refund and if that doesn’t work the acquirer themselves is on the hook for the refund.
In a similar situation in account-to-account payments the “merchant” is a fraud because the receiving bank hasn’t managed its risk correctly and the receiving bank isn’t generally liable to refund the money – or have any means of reclaiming it from the fraudster. The UK has now introduced some very heavyweight regulation to make it the sending and receiving banks’ joint responsibility to refund the money but have completely ignored the underlying issue, which is the lack of an underlying scheme equivalent to (say) Visa or Mastercard and any dispute and refund process.
Of course, the traditional response to this is that the people paying the fraudsters are idiots and need to be educated to stop them doing this. Unfortunately there’s a long trail of research that says that financial education doesn’t work and that people will continue to send fraudsters their money and then look around for someone else to blame. Human nature.
We don’t allow this in card payments, we shouldn’t allow it in account-to-account payments. The solution is straightforward – anyone can pay out of their account but only people or businesses who’ve been through an enhanced KYC process can receive payments in. The receiving bank is on the hook for fraudsters, so they will be incentivised – heavily – to make sure that people are genuine. This should all come with a proper dispute resolution service and the ability of receiving banks to control the risk of incoming payments in the same way that card acquirers do – they should charge accounts for receiving payments, have the ability to withhold payments if they’re uncertain about their authenticity and be able to demand deposits if they’re worried about the risk.
The obvious way to implement this is through Open Banking. It enables enhanced KYC processes anyway, via Account Information. Allowing people to go into their bank accounts and pay anyone they want, whenever they want, still be allowed – for free. But they shouldn’t be protected if they do that. If they go through Open Banking interfaces they should be – which is why we need a scheme, with proper governance and a proper dispute resolution process.
Sure, this would be annoying and painful to start with. I want to send money to my kids whenever I want to or pay my share of the meal with my friends. But none of that’s impossible, you just need businesses smart enough to design the services to make that work. I can pay the service, the service can pay my kids or my friends. Of course, that’ s not free but, you know what, payments aren’t free except in the world of regulators and politicians. Or, alternatively, I can just send the money to #scamyourgranny and let them get on with it.
