2018-10-19

Getting bank details right

Whilst this is an area about which I have ranted before, it seems that things are changing soon. This BBC article covers the new system that will come into place next summer.

In essence it will mean that, to send money, you will have to enter not only the sort code and account number correctly but also the payee name. If it is correct, all is well. If close, then you are prompted with the correct name. If wrong, you cannot send money.

The aim is simple: to reduce the significant amount of fraud where people are duped into sending money to the wrong place. This is a good aim, I agree.

Of course, with any new system like this, there is the trade-off of increased inconvenience caused by the new system, versus the reduced fraud. The trick is getting these well balanced and ideally not failing in one or both of these objectives.

We find it very difficult to get people to type the right reference on payments, and that is basically a letter and some numbers. As such, I have concerns :-)

Privacy

The most obvious concern when this was all mooted a while ago is that having a means to find someone's name from their bank details is a privacy issue. If you could just get a name from account details you could easily use that information.

For example, if you are calling what you think is your bank, they ask for bank details, and come back and say, "And can you confirm that is Mr John Smith?", you are immediately reassured that they must in fact be your bank.

Thankfully the article does address this - the name will only be given if the name you tried is similar. But the devil will be in the detail - what is similar? Too broad, and you have the same privacy issue, e.g. "And can you confirm your surname?"... "Smith"... "And that is Mr John R Smith is it?"... Again, an issue. Of course, if too narrow, you have inconvenience, see below.

Inconvenience

We find it hard to get people to type a reference in correctly. I imagine we will have problems getting people to type "ANDREWS&ARNOLD LTD" correctly, and that is not that hard. Note the lack of spaces around the & so that it fits in an 18 character BACS reference, but we do have a space before Ltd. Yeh, that will be fun.

I am sure if your name is "JOHN SMITH" all will be well, but what if your name is "Quvenzhané Wallis" and you want someone to send you money? Good luck getting someone to type that on a phone keypad and even hit the "similar name" logic. Indeed, I know people that are known by their middle name not their first, and people that have names which are spelt differently if you don't have accented characters available.
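The three outcomes described above (match, close, refuse) and the "what is similar?" question can be sketched in a few lines. This is an added example, not from the original post and not any bank's real implementation; the normalisation rules, the `difflib` similarity score and the 0.85 threshold are all assumptions chosen for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Assumed value: the post does not say how "similar" will be defined.
CLOSE_THRESHOLD = 0.85
_ALIASES = {"limited": "ltd"}                 # treat Ltd / Limited alike
_TITLES = {"mr", "mrs", "ms", "miss", "dr"}   # ignore honorifics

def normalise(name):
    """Case-fold, strip accents, space out '&', unify suffixes, drop titles."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c)).casefold()
    tokens = re.findall(r"[a-z0-9]+|&", text.replace("&", " & "))
    return " ".join(_ALIASES.get(t, t) for t in tokens if t not in _TITLES)

def check_payee(entered, account_name, threshold=CLOSE_THRESHOLD):
    """Return (outcome, disclosed_name).

    The real account name is disclosed only on a 'close' result, so the
    threshold decides how much a guesser can learn from a partial name.
    """
    a, b = normalise(entered), normalise(account_name)
    if a == b:
        return ("match", None)
    if SequenceMatcher(None, a, b).ratio() >= threshold:
        return ("close", account_name)
    return ("no_match", None)

if __name__ == "__main__":
    # Constructed sample inputs: (what the payer typed, name on the account)
    samples = [
        ("ANDREWS&ARNOLD LTD", "Andrews & Arnold Limited"),
        ("Quvenzhane Wallis", "Quvenzhané Wallis"),   # no accent available
        ("Quvenzane Wallis", "Quvenzhané Wallis"),    # one-letter typo
        ("AAISP", "Andrews & Arnold Ltd"),            # trading name
        ("Smith", "Mr John R Smith"),                 # surname-only probe
    ]
    for typed, real in samples:
        print(f"{typed!r:24} -> {check_payee(typed, real)}")
    # A threshold that is too broad turns the check into a name lookup:
    print(check_payee("Smith", "Mr John R Smith", threshold=0.5))
```

With the strict threshold a surname alone is refused without revealing anything; loosening it to 0.5 makes the same probe return the full account name, which is the privacy problem described under "Privacy".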

Update: As per one of the comments, this gets even more complex if you are known by more than one name - I do hope banks will allow other names to be recorded for verification.

I can see some horror stories coming out of this whole system.

Trading names

A lot of businesses have different trading names. Heck, even we do, as we use "AAISP" a lot. So that will not match. Hopefully banks will allow trading names to be registered for this as well - though that then opens things up for scammers to register a trading name.

Of course, this will have side effects. If you are expecting to pay, say "Red Dwarf Building Contractors" you may be told "you need to put 'Kryton Ltd' as the payee name as that is our parent company".

Once people get used to that happening, scammers can easily just tell people what to type. They tell them the sort code and account number now, they'll just tell them the payee name to type. They'll also make it nice and simple to type correctly.

Of course the banks will be happy as the customer will have told the bank who to pay, and the bank will have done as they were told. The fact it is not who the customer actually wanted to pay will be the customer's fault again. Yay!?!!

Businesses

The focus is on consumers being defrauded, but I have seen many cases of businesses being defrauded, and for much larger amounts (hundreds of thousands).

This system is almost certainly not going to impact any business using BACS files to send money, as a lot of larger companies do (even we do). BACS two day payments are still used for payroll and paying suppliers by a lot of companies. Unlike the on-line and mobile banking, these systems don't have the same interactive process - a file is submitted with some specific fields, and maybe a day later any errors are reported in a file. If payee name checks happened on BACS files, then suddenly a lot of outgoing payments (perhaps even payroll payments) would start failing and being delayed, so I seriously doubt this will impact BACS.

So businesses will still be vulnerable, and maybe fraudsters will move their focus to businesses. Before people start saying businesses can look after themselves, remember, a lot of businesses are quite small and could easily go bust as a result of a fraud like that - causing hardship for employees and business owners.

Fraudsters

Fraudsters will simply adapt, sorry.

This system will help massively with silly typing errors on sort code and account numbers. It will however add inconvenience when people cannot type the right payee reference, more so for people with harder names.

But fraudsters will simply create accounts (after creating a Ltd company) with a "similar name" to the one supposedly being paid, or register a matching trading name, or more likely tell you "Put XYZ as the payee name as that is our parent company" and people will just fall for it.

So I predict it to help a bit in the short term, to inconvenience a bit long term, and ultimately not help.

Does that make it not worth doing? - hard to say - it is all down to a trade off of inconvenience vs security, and that is always a tricky call.

Banks

P.S. The problem here is that the banks have not been doing anything wrong. Yes, I know it is odd my saying that. For a long time there was call to allow faster / instant payments and banks did that. Now, when people ask a bank to send money to somewhere, and the bank does that, the bank has done exactly what it was told. It is one of those occasions where it is not the bank being defrauded. So I can see why the banks have taken time to "do anything" as it is not actually them that has the "problem" here, but under pressure, they are now doing something, so well done. What this will do is again make it 100% clear it is not the bank's fault - when someone pays someone thinking they are paying one person but actually (for whatever reason) they confirm they are paying someone else (maybe as instructed by fraudster) the bank can be even whiter than white and say that they did as they were told and paid the right person not just by sort code and account number, but by name.

16 comments:

  1. The issue you have with customers not typing references correctly may partially be down to bank trying to be "helpful". I have a Santander account, and I want to pay a payee that I have previously paid, the bank "helpfully" does not allow editing of the account number, sort code, or reference. I have to delete the payee and re-add in order to change the reference number. They don't make it easy!

    Replies
    1. We have same reference for each subsequent payment, to help with that :-)

  2. I monitor and report BACS fraud scams aimed at consumers. This change _will_ massively reduce the number of victims. I am, too, interested in what changes the scammers will be making to try to mitigate the new checks.
    Almost all of the destination accounts are normal consumer/end user genuine and usually long standing accounts that have been usurped for use in the scam.

    If it requires the scammers to open bank accounts in the fake company names it still adds a huge overhead to their operation reducing its effectiveness.

    This change will help. The inconvenience vs. the potential victims saved is worth it. Tens of thousands of pounds stolen per week will be prevented in just the scam I monitor alone!
    I welcome the change.

  3. I think it will all be much simpler when we can just send bitcoins to each other via easy to remember addresses such as Dqcw6o5x1HU5GNn4xqX1F1tAazXrCNLbtM. No programming skills required.

  4. Um. What jolly fun! I have several payees in the list my bank maintains for me, and most of them are made up names (e.g. 2 different accounts for my daughter) for my convenience. Now, suddenly, a lot of my payee list is going to become invalid?

    Replies
    1. I doubt existing payees will become invalid, and I wonder if banks will allow a separate payee name and "name you know the payee entry by". At present they are the same thing as payee name is not checked.

  5. We don't have a name registration in the UK - I could call myself Ptang Ptang Olay Biscuit Barrel and if enough people called me that it would be my name. If someone wants to pay £100 to 'Mr Barrel' they should be able to.

    This mostly works.. most organisations just take your name as whatever you say it is with a bit of verification in public records.

    However some banks (well, Monzo) - apparently due to new AML rules - are changing accounts into the name on your birth certificate, which for lots of people (including me) isn't the name I'm known by (or in my case, ever have been known by, which hasn't been an issue for 49 years until suddenly the new rules came in). The CEO of the company I work for uses his middle name.. a couple of the employees are known by names they've called themselves since childhood.

    So you get a conflict. The names on the accounts are wrong. The other names may be unknown to the person paying. What happens then?

    Replies
    1. Oh, I quite agree. I should do a whole blog on names in UK. We should, perhaps, have more of a campaign on that. The birth certificate one is really daft as a lot of people change surname when they marry. I am known by a *lot* of people as RevK. I am known by far fewer as Adrian. Yeh Monzo refuse to put RevK on my card. With the proposed system it could easily allow multiple names (business trading names and personal names) on one account, so maybe banks need to cater for that.

  6. For transfers into UK-registered limited company/partnership accounts, where does the company number come into the picture? Afaict, it currently doesn't, even though company numbers are a core part of UK company law and accounting processes and...

    Would it be something useful to check as part of the account setup process, and to verify at the time payments are made?

    The company number is required by UK law to be widely available on signage, stationery, letters, websites, etc.

    Anyone not publishing their company number, or misusing it, would surely be fairly readily identifiable?

    Someone help me out here.

    Name & Registered Office:
    ANDREWS & ARNOLD LIMITED
    ENTERPRISE COURT
    DOWNMILL ROAD
    BRACKNELL
    BERKSHIRE
    RG12 1QS


    https://beta.companieshouse.gov.uk/company/08921585

    https://beta.companieshouse.gov.uk/company/03342760


    Replies
    1. Oooh, I like the idea that the verification could match company number. We should suggest that.

      And yes, I owned Openreach Ltd for a while :-)

    2. But any number of companies are Something Ltd trading as Completely Different Name...

  7. "I like the idea that the verification could match company number. We should suggest that"

    :)

    Thank you, glad to be of service. I am confident the retail banking institutions will find many reasons to object and/or delay, but pretty much all the useful information is published and freely available anyway given a little effort. How can they *not* do something along these lines given their alleged interest in preventing fraud, identity theft, etc.

    In years gone by it might have been easier for them to argue against. Right now, all it needs is a lot of motivation, publicity, and a bit of code.

  8. The banks are not blameless. You tell your bank to pay Fred Bloggs, they carelessly choose not to check the name, and they end up paying Johnny Fraudster, contrary to your instruction.

    The answer is to mirror the principle used by Calling Line Identification, where there is the 'real' number of the calling line and a 'presentation' number to which calls may be returned.

    The banks allow two names to be associated with an account. You tell your bank to pay Elton John, but the money goes straight into Reginald Dwight's account without any quibble. Simples !

    Replies
    1. As I am sure banked explained, they pay a sort code and account number. Any name is simply to show on your statement and not something that is checked. Anyone thinking they checked the name was mistaken.

      However, that is changing, and it will be interesting to see how well or badly it works!

  9. I worked on a Faster Payments implementation a while ago and it will be interesting to see where this name data is obtained from at the point of entry of the payment details (i.e, there will need to be some way of obtaining it quickly from the recipient's bank). I made a payment a week ago via phone and actually was told that the name on the account didn't match what I had given them, and this was to a different bank, so either they have a way of quickly checking already or they have the name cached in their own records somehow.
