Showing posts with label BANK. Show all posts

2020-06-11

Confirmation of Payee

UK banks have been rolling out a new confirmation of payee system recently.

The idea is relatively simple - when paying someone using your bank app or web site, you put not only the sort code and account number, but also payee name (the name of the person or business you are paying). The system can then advise if you have that right, or a "close match" which can then let you confirm the exact name.

As I have said before I think this is problematic at best - banks usually have shortened (18 characters) names for accounts, but companies and people have longer names, trading names, may use initials, or have joint accounts, and so on. It means a match may not work.


It may help typos, but then that is what check digits are for, but what concerns me even more is that scammers will simply change their tactics - telling their marks a different payee name, perhaps justifying as the holding or parent company, etc. That will then match. Indeed, I expect scammers to be slick and make paying them really easy, but normal businesses and individuals to run in to problems.

Just to highlight how stupid this is - I sent a payment from Barclays to Monzo, and Barclays set the payer name in that case to KENNARD AJ. I then sent payment back on Monzo, and it went through confirmation of payee on the (pre-filled) details, and Barclays failed to validate KENNARD AJ as my account name, not even a suggested alternative, even though it is what they sent!!!

This type of stupidity, where you have pre-filled or known correct details totally failing, will get people just doing "click through" of errors and warnings as a matter of course, just like cookie warnings. Some people will have so much trouble they tell payers "just ignore any errors". However, the fraudsters will know exactly how to make it work perfectly and what to tell people. This almost makes it worse than before!

Of course, as you may know, my company is Andrews & Arnold Limited, and like other companies with an ampersand in the company name, we have the occasional issue. Sometimes it is silly things like a delivery address on a parcel saying Andrews & Arnold Ltd or some such, but sometimes it is more severe, such as BT's back end systems simply not working for us initially as they forgot to escape the ampersand in XML.

I should not have been surprised, obviously, that the new confirmation of payee system would have issues. I am however shocked at quite how bad it is, and how it seems that several different banks are broken in different ways.

First off, the good guys - Lloyds bank. The app allows me to enter Andrews & Arnold Ltd as the company name, and confirms it is correct - yay!

 

Well done Lloyds, but other banks are more of a challenge!

Barclays web page was OK, but the app does not allow you to even type an ampersand in the name. This is crazy as an ampersand is not some new fangled unicode emoji, but something that is valid in ASCII, BACS, Fast Payments, even old fashioned mechanical typewriters. Apparently it dates back to the 1st century AD!

It seems Nat West mobile app allows an ampersand but then does not match, and we have reports of the same from Co-op bank.

The other odd issue is that when the account does not match, in some cases, the actual account name is advised, and you can pick that. The problem is that what gets advised is ANDREWS ARNOLD LIMITED,ANDREWS ARNOLD LTD



Of course, this long string with something like our name (missing ampersand) twice, does not then match even though it is what was suggested.

The solution?


Update1: By the end of the day of reporting this, Monzo had made a change that helps. The suggested name is now just ANDREWS ARNOLD LIMITED, and using the suggested name now works. This should stop customers having problems as they don't have to ignore the warning now.

Monzo are still working on the ampersand in the suggested name.
Barclays have not said any more, but obviously they need to allow ampersand to be typed.

P.S. It will be fun if ever Companies House allow unicode... Andrews ⅋ Arnold, anyone?

2019-03-22

What are N26 bank up to?

N26 (www.n26.com) are a new/challenger bank much like Starling or Monzo (both of which are great).

So I got an account, mainly because of the cool see-through card. They have a Master Card and a UK sort code and account number which is great.

But they are a bit odd as they handle Fast Payments but not BACS which is very strange having allocated a proper account number.

What was a problem is that they were unable to change my email address, and failed to do so in one month even when I made a formal request as per GDPR to correct my personal information. However, after some months, they finally fixed their system and changed the email address. Well done.

The other issue I have is their support are terrible. When I had a longer email address they were frequently unable to "validate" me at all, and would just hang up the chat. Indeed, hanging up the chat in a style of "slamming the phone down" seems to be "their thing". Very annoying!

I was waiting to see how they would do - maybe get BACS working, and what else. It has been interesting seeing how Monzo and Starling have progressed and I was hoping for good things from N26. But they are pretty quiet to be honest.

Anyway, out of the blue today I get an email saying my account is being terminated in May. No explanation whatsoever. Really? Would be nice to say why, at the least. I could understand if because I have not used it for a couple of months, etc, and indeed, if that is the case I may start using it. But nothing, and it says their support people won't be able to tell me why - cryptic.

So first off, simple things, I asked support if the email was genuine. A reasonable question as it could have been scammy. It is not like they PGP sign their emails or email to say check the on-line banking for a message, or anything sane like that - just a plain text (well text and html) email. Again, not very good for a bank.

Once again, not impressed by support, it seems that "if I have received such email, that must be the case".


That is unbelievably bad advice from a bank. I am shocked!

It gets worse, I asked if he could actually confirm it was the case, and went through "validation" (which now works) and then I get hung up on with a most unhelpful message to check the email. The email says nothing but the termination date!


I already replied to the email and had nothing back. So, I tried again, and got the same!



So this time I started with a GDPR request and then went through validation... Minor typos, grr.



I went through validation and the guy takes a long time but tells me to email them. I pointed out that (as far as I know) GDPR does not allow them to mandate a specific form for such a request, but he hangs up on me! So I have emailed anyway.



This is appalling customer service. It is not just because they are terminating the account for some reason, they are appalling at the best of times from my experience, but this is just special, and not very GDPR compliant.

So, hopefully they will comply, and that should mean I find out why they are terminating my account. We'll see.

It is certainly something to think about if you are considering N26 as your main bank account. At this point I would not take them seriously at all.

Update: May be related https://www.finextra.com/newsarticle/29004/number26-closed-accounts-because-customers-made-too-many-atm-withdrawals

2018-10-19

Getting bank details right

Whilst this is an area about which I have ranted before, it seems that things are changing soon. This BBC article covers the new system that will come in to place next summer.

In essence it will mean that, to send money, you will have to enter not only sort code, and account number correctly but also the payee name. If it is correct, all is well. If close, then you are prompted with the correct name. If wrong, you cannot send money.

The aim is simple, to reduce the significant amount of fraud where people are duped in to sending money to the wrong place. This is a good aim, I agree.

Of course, with any new system like this, there is the trade off of increased inconvenience caused by the new system, versus the reduced fraud. The trick is getting these well balanced and ideally not failing in one or both of these objectives.

We find it very difficult to get people to type the right reference on payments, and that is basically a letter and some numbers. As such, I have concerns :-)

Privacy

The most obvious concern when this was all mooted a while ago is that having a means to find someone's name from their bank details is a privacy issue. If you could just get a name from account details you could easily use that information.

For example, if you are calling what you think is your bank, they ask for bank details, and come back and say, "And can you confirm that is Mr John Smith?", you are immediately reassured that they must in fact be your bank.

Thankfully the article does address this - the name will only be given if the name you tried is similar. But the devil will be in the detail - what is similar? Too broad, and you have the same privacy issue, e.g. "And can you confirm your surname?"... "Smith"... "And that is Mr John R Smith is it?"... Again, an issue. Of course, if too narrow, you have inconvenience, see below.
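An added example, not from the original posts and not any bank's actual algorithm: the match / close match / no match decision described above, together with the check that a suggested name validates when typed back in, which is what the 2020-06-11 post found failing. The normalisation rules, the 0.80 threshold and the function names are assumptions; the held names are the ones quoted in that post.

```python
import re
from difflib import SequenceMatcher

# Names quoted in the 2020-06-11 post as held against the account.
HELD = ["ANDREWS ARNOLD LIMITED", "ANDREWS ARNOLD LTD"]

CLOSE = 0.80                   # assumed similarity needed before a name is revealed
EXPAND = {"LTD": "LIMITED"}    # assumed equivalence, not a published rule

def normalise(name):
    """Upper-case, ignore '&' / 'AND' and punctuation, expand LTD to LIMITED."""
    words = re.findall(r"[A-Z0-9]+", name.upper().replace("&", " "))
    return " ".join(EXPAND.get(w, w) for w in words if w != "AND")

def check_payee(entered, account_names):
    """Return (outcome, suggestion) for a name typed by the payer."""
    want = normalise(entered)
    best, best_score = None, 0.0
    for held in account_names:
        have = normalise(held)
        if want == have:
            return ("MATCH", None)
        score = SequenceMatcher(None, want, have).ratio()
        if score > best_score:
            best, best_score = held, score
    if best_score >= CLOSE:
        return ("CLOSE_MATCH", best)    # reveal exactly one held name
    return ("NO_MATCH", None)           # reveal nothing: the privacy case

def suggestion_round_trips(entered, account_names):
    """A name offered as a suggestion must be a MATCH when submitted."""
    outcome, suggestion = check_payee(entered, account_names)
    if outcome != "CLOSE_MATCH":
        return True
    return check_payee(suggestion, account_names)[0] == "MATCH"

def joined_suggestion(account_names):
    """The failure in the post: every held name offered as one string."""
    return ",".join(account_names)

if __name__ == "__main__":
    for typed in ["Andrews & Arnold Ltd", "ANDREWS&ARNOLD LTD",
                  "Andrew & Arnold Ltd", "John Smith", joined_suggestion(HELD)]:
        print(f"{typed!r:45} -> {check_payee(typed, HELD)}")
```

Raising `CLOSE` narrows what counts as similar (less disclosure, more rejected payers); lowering it does the reverse, which is the trade-off described above.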

Inconvenience

We find it hard to get people to type a reference in correctly. I imagine we will have problems getting people to type "ANDREWS&ARNOLD LTD" correctly, and that is not that hard. Note the lack of spaces around the & so that it fits in an 18 character BACS reference, but we do have a space before Ltd. Yeh, that will be fun.

I am sure if your name is "JOHN SMITH" all will be well, but what if your name is "Quvenzhané Wallis" and you want someone to send you money? Good luck getting someone to type that on a phone keypad and even hit the "similar name" logic. Indeed, I know people that are known by their middle name not their first, and people that have names which are spelt differently if you don't have accented characters available.

Update: As per one of the comments, this gets even more complex if you are known by more than one name - I do hope banks will allow other names to be recorded for verification.

I can see some horror stories coming out of this whole system.

Trading names

A lot of businesses have different trading names. Heck, even we do, as we use "AAISP" a lot. So that will not match. Hopefully banks will allow trading names to be registered for this as well - though that then opens things up for scammers to register a trading name.

Of course, this will have side effects. If you are expecting to pay, say "Red Dwarf Building Contractors" you may be told "you need to put 'Kryton Ltd' as the payee name as that is our parent company".

Once people get used to that happening, scammers can easily just tell people what to type. They tell them the sort code and account number now, they'll just tell them the payee name to type. They'll also make it nice and simple to type correctly.

Of course the banks will be happy as the customer will have told the bank who to pay, and the bank will have done as they were told. The fact it is not who the customer actually wanted to pay will be the customer's fault again. Yay!?!!

Businesses

The focus is on consumers being defrauded, but I have seen many cases of businesses being defrauded, and for much larger amounts (hundreds of thousands).

This system is almost certainly not going to impact any business using BACS files to send money, as a lot of larger companies do (even we do). BACS two day payments are still used for payroll and paying suppliers by a lot of companies. Unlike the on-line and mobile banking, these systems don't have the same interactive process - a file is submitted with some specific fields, and maybe a day later any errors are reported in a file. If payee name checks happened on BACS files, then suddenly a lot of outgoing payments (perhaps even payroll payments) would start failing and being delayed, so I seriously doubt this will impact BACS.

So businesses will still be vulnerable, and maybe fraudsters will move their focus to businesses. Before people start saying businesses can look after themselves, remember, a lot of businesses are quite small and could easily go bust as a result of a fraud like that - causing hardship for employees and business owners.

Fraudsters

Fraudsters will simply adapt, sorry.

This system will help massively with silly typing errors on sort code and account numbers. It will however add inconvenience when people cannot type the right payee reference, more so for people with harder names.

But fraudsters will simply create accounts (after creating Ltd company) with a "similar name" to the one supposedly being paid, or register a trading name matching, or more likely tell you "Put XYZ as the payee name as that is our parent company" and people will just fall for it.

So I predict it to help a bit in the short term, to inconvenience a bit long term, and ultimately not help.

Does that make it not worth doing? - hard to say - it is all down to a trade off of inconvenience vs security, and that is always a tricky call.

Banks

P.S. The problem here is that the banks have not been doing anything wrong. Yes, I know it is odd my saying that. For a long time there was call to allow faster / instant payments and banks did that. Now, when people ask a bank to send money to somewhere, and the bank does that, the bank has done exactly what it was told. It is one of those occasions where it is not the bank being defrauded. So I can see why the banks have taken time to "do anything" as it is not actually them that has the "problem" here, but under pressure, they are now doing something, so well done. What this will do is again make it 100% clear it is not the bank's fault - when someone pays someone thinking they are paying one person but actually (for whatever reason) they confirm they are paying someone else (maybe as instructed by fraudster) the bank can be even whiter than white and say that they did as they were told and paid the right person not just by sort code and account number, but by name.

2017-12-20

Working with Starling Bank?

As some of you know, I have embraced Monzo, and was a beta tester (my son an alpha tester). It has been an interesting ride. They work, they are good, all my kids have Monzo, and relatives are signing up. Yay!

I am only looking to others because we need a business account that is more forward looking than Barclays, and Monzo are not offering business accounts. So Starling Bank are in there saying they plan to do business accounts.

So my next step is trying to work with Starling Bank. Let's get the business side up and running with APIs we can link in to the accounts.

I have to say, some aspects of Starling are bloody good. I was impressed how easy it was to create an account, literally :-

  • Download app
  • Follow step by step instructions (small video, and picture of ID)
  • Instantly get sort code and account number and working Apple Pay - wow!
  • A day later an overdraft offered
  • A day later than that and a physical card

This is good. To be honest, I do not know if Monzo are as slick - they may be. As a longer standing Monzo customer I cannot tell. Only difference at this point is Apple Pay which works on Starling and not on Monzo (yet).

It is the way forward, and the way banking is going. I am impressed.

I was less impressed as perhaps an unusual customer wanting to move more than £10k around in order to buy a car. That was messy, but I hope they sort it. I'll bear with them for now on that. It was less hassle than Barclays, to be fair. They do need to cater for people that have that sort of money occasionally though, surely?

The next step is the business side, as we want something very simple. We know it is possible - a web hook for incoming faster payments. That is all. I can do it on Monzo now with sender sort code and account number but not as a business account. On Starling that data is lacking, so close, but not quite. For business this is useful, even essential, and something we lack from Barclays right now.

So, let's see how Starling Bank cope shall we... I'll invest some time on working with them.

P.S. ref code FFWZETD2 gets me "hearts" apparently, whoop!
