Posted: 23rd March 2017
Following fourteen months of intensive effort, a new strategy for the UK payments industry was published by the Payment Strategy Forum at the end of last November.
Entitled ‘A Payments Strategy for the 21st Century’ and spanning nearly eighty pages (plus backing documentation), the strategy identifies no fewer than twenty areas for significant change across the payment industry, all of which are due to be implemented over the next four years.
The strategy groups these together into four broad areas:
- Responding to end user needs
- Improving trust in payments
- Simplifying access to promote competition
- A new architecture for payments
Whilst the strategy carries a sub-title of ‘putting the needs of users first’, it is not immediately apparent on reading the text how this is carried across into the strategy.
However, on closer examination, it is clear that a number of the proposed changes are squarely aimed at reducing financial crime, and thereby designed to counter the increasing concern that both consumers and businesses have around the UK’s existing and new fintech-based payment mechanisms (such as online banking and contactless payments).
So how will the strategy help combat financial crime and what challenges will implementation create for the industry?
The need for action
A look at the latest payment fraud figures provides some substance to this strategic focus. Figures published by Financial Fraud Action UK in March 2017 and October 2016 highlight that:
- In the first half of 2016 there were more than a million cases of fraud. For the year as a whole, the UK lost £2 million each day as a result of financial fraud
- Total financial fraud losses across payment cards, remote banking and cheques were almost £400 million in the first half of 2016; a 25% increase on the same period in 2015
- Losses on payment cards – which includes remote purchase fraud, lost and stolen cards, card not received, counterfeit card and card ID theft – stood at £322 million, compared to £245 million in the first half of 2015; an increase of 31%. Of this, remote purchase fraud increased from £171m to £224m
As a further reinforcement of these figures, the Office for National Statistics crime figures published in January 2017 highlight that existing measures only stop £6 out of every £10 of attempted fraud.
So what are the key measures the new payments strategy proposes to introduce to address this growing problem?
- Assurance data - this is a “package of information” including real-time balance information, the intended time of the transaction completion, “confirmation of payee” and confirmation of receipt. This will provide end-users with assurance before and after a payment is sent that the intended recipient has received the funds sent by the end user
- Enhanced data - this enables payment service providers (PSPs) to have the capacity to include more data in a payment message to allow a recipient to easily identify what the payment relates to
- Guidelines for identity verification, authentication and risk assessment - the development of a published, non-compulsory guideline (“as an assessable benchmark”) to determine how the identity of a payment service user is established, verified, used and subsequently relied upon by other PSPs. This would be complementary to other legislation and regulation (for example, the Fourth Anti-Money Laundering Directive, or 4AMLD)
- Payment transaction data sharing and data analytics - the strategy proposes the introduction of transaction data sharing between the payment system operators (PSOs) and PSPs who own the data, and data analytics capabilities to apply to the data and extract insights relating to priority financial crime use cases
- Financial crime intelligence sharing - to establish and operate a capability for PSPs to share data and intelligence on financial crime, underpinned by the necessary processes and rules, legal permissions, and security. It will be backed by a formal, strict legal agreement, security code of conduct and appropriate data protection dispensations
- Trusted know your customer (KYC) data sharing - the strategy proposes a mechanism for sharing KYC data between PSPs and potentially other participants, focusing on business customers, which enables anti-money laundering (AML) and KYC checks to be more accurate in identifying “bad actors” while also requiring less resource-intensive internal processes for many PSPs. The proposal will support the collection and classification of KYC data according to an agreed set of standards
- Enhancement of sanctions data quality - for the UK payments industry to work closely with the Foreign and Commonwealth Office (FCO) and the Treasury’s Office of Financial Sanctions Implementation (OFSI) to deliver improved data and processes for collecting and managing data for sanctions screening
- Customer awareness and education - the strategy proposes a joined-up approach to consumer awareness and education, and stresses the need for a clear and consistent message to avoid lack of understanding by consumers on how they can protect themselves
The implementation challenge
As noted above, the strategy will be implemented over four years. For some elements (customer awareness, sanctions data enhancement and guidelines around identity verification), work can begin almost immediately. However, it is questionable how much impact these steps will have when fraud figures are rising at such a rate. At best, they may result in the rate of increase diminishing, but that will still mean the total amount of financial crime will continue to grow.
Most of the proposals to address financial crime are dependent upon the introduction of technical change (e.g. the movement of the industry to a new ISO 20022-backed messaging standard) and therefore tie in with some of the more ‘functional’ elements of the strategy not listed above.
For banks and other PSPs, the implementation timeline also coincides with a period of development associated with the mandatory implementation of the 2nd EU Payment Services Directive (in particular, those elements relating to third party access to customer accounts), 4AMLD and, for the largest UK clearing banks, the requirements to ring-fence their retail activities.
Further, non-crime related elements of the strategy involve the creation of a new payment instrument (“request to pay”) and the building of a new payment architecture to replace the existing underlying payments infrastructure – both of which will also necessitate technical change within the banks.
As such, it must be questionable whether all of these proposals can be accommodated in a four-year timescale, given that this period also coincides with Brexit and, for the banks themselves, the increasing tide of fintech-based competition. Even if it is achieved, the scale of fraud and financial crime by that time could be significantly higher if the current trends continue. It is therefore clear that, between now and then, additional actions will need to be taken by the banks, the rest of the financial industry, and corporates and SMEs, over and above the non-technical proposals outlined in the strategy.
Some of this will require enhanced coordination between the financial industry, the law-enforcement agencies and other associations. However, firms that proactively and effectively refine their existing risk management approach to financial crime can move ahead of their peers and achieve long-term commercial advantages.
Huntswood has released a report on financial crime risk assessments. Based on research with a cross section of firms, the report offers guidance, outlines good practice and highlights practical steps that firms can take to embed a proportionate, pragmatic and dynamic approach.