Despite the banking industry’s excellent level of cybersecurity protections for itself, the UK public, media and Parliament appear unaware of the security weaknesses in the UK’s payments architecture which has encouraged a new push button fraud trend. Banks claim that solutions are imminent, but meanwhile do little to protect customers. Manned help desks could easily be provided.
A combination of factors has resulted in this state of affairs. On one level this is a variant on the too big to manage diagnosis of root problems of the global financial crisis – banks are giant businesses often comprised of an array of legacy systems which are not well understood by regulators or even their managers.
At another level, there is the cost issue. Better to suppress the concerns in public today whilst a huge and publicly funded overhaul of the architecture takes place than risk making interim changes to systems and protocols which could saddle banks with liability for fraud losses which they are presently successfully imposing on innocent retail customers.
Statements made by banks and their regulators on all aspects of this security issue are unreliable. How has this come to pass? The relationships between the key stakeholders and the regulator are simply too close and stakeholder banks are in control of all aspects.
This paper will focus on payment security in the UK and likely consequences for Europe in the context of cybersecurity. The banking industry is highly advanced in terms of cybersecurity. Especially in the recent decade, banks have striven to show themselves alive to these risks and conservative in their approaches. Banks are keen to be seen to be co-operating closely with authorities.
A new cybersecurity concern is the planned overhaul of the UK’s non-card payments architecture ostensibly to facilitate new technological developments in payments, part of the “Fintech” branch of new technology, and to comply with new European data rules, as explained in next section.
However, these changes will phase out traditional slow payment methods – cheques and credit transfers, to be replaced with online initiated, relatively instant, payments. The effect will be to encourage greater use by customers of precisely the type of push button online payment mechanism at the core of the fastest growing area of retail banking fraud in the UK today.
Banks in the guise of the Payments Service Providers (PSPs) – and the UK’s Payment Services Regulator (PSR) are aware of this and claim that planned new protections will address this problem, but unfortunately, such claims are hopelessly optimistic.
Meanwhile, the small cartel of banks tasked with managing the overhaul is more focused on the careful design of new customer reimbursement rules likely to leave the bulk of losses from these frauds with retail and small business customers.1
2018 – GDPR, Open Banking, and Embarrassing UK Bank Data Breaches
Two major legislative initiatives imposed on banks this year, GDPR2 an EU law passed in 2016, and Open Banking3, have been designed to give bank customers greater control of their data and obtain hopefully better terms from their banks.
GDPR rules aim to “protect…natural persons with regard to the processing of personal data and on the free movement of such data”. Open Banking aims to expose established banks to competition from new Fintech enterprises primarily in the area of mobile and online payments. The UK has sought to lead Europe and from early in 2018 the nine largest banks4 have been required to share data in standardized formats, provided that customers consent.
Despite the intense focus on cybersecurity in the context of new GDPR and Open Banking rules, UK banks continue to experience mass data breaches. These are management issues rather than technological weaknesses.
As Emma Rumney and Lawrence White mentioned in their September 21, 2018 Reuters article, UK banks have since 2014 experienced a raft of embarrassing and well-publicized security breaches ranging from outages/ shutdowns at RBS, Barclays and Co-Operative Bank to April’s botched migration of customer data by TSB to its new system. This resulted in the mass exposure of its customers’ data and account details. TSB was switching from a system operated by TSB’s former owner, Lloyds Banking Group, to one operated by its 2017 buyer – Sabadell of Spain.
It seems obvious that the system was not properly tested, that a pilot – say 5% – of customers should have been migrated first, but this did not happen, and chaos ensued. Many customers who logged in online found themselves in a different customer’s account. One third of customer’s accounts were affected. Customers were unable to make or receive payments for up to six weeks, many saw sums being taken out of their accounts. 370 received letters saying they were dead. Frustratingly few could get through on the phone, many waiting for up to nine hours in queues.
Unsurprisingly, this situation was exploited by fraudsters who pretended to be TSB employees and robbed at least 1,300 customers.
Criminals managed to drain the accounts of 1300 innocent customers during this meltdown by exploiting new automated communication methods, as admitted by TSB chief executive Pester to the UK Parliament Treasury Select Committee. One method used was spoof text messages.
Because TSB’s data blunder revealed swathes of customer phone numbers, multiple groups of criminals sent texts purporting to be from the bank. Because of the way that modern smartphones group text messages, and the criminals’ ability to copy the format and style of genuine bank texts, the spoof text would be grouped along with genuine ones.
Typically, the message would falsely state that a third-party payment of say GBP 1,000 was about to be made and invite the customer to call a number if she had not in fact authorised this payment. In this way, the customer was tricked into calling the fraudster who, pretending to be TSB, sought to identify the customer by asking for her user ID, full name and date of birth.
With this information, the fraudster would reset the password and empty the account. Seventy times the usual level of frauds occurred during this turbulent period and the Bank of England’s conduct unit is expected to issue a damning report within a few months.
The TSB story implies a failure of technology. However, even with some of the best cybersecurity technology in place – which TSB clearly possessed – this disaster still happened. This case is best thought of as a data breach rather than a fundamental failure of cybersecurity, but here is the point at which the lines become blurred and customers think that the bank’s cybersecurity has failed, whereas the problems really stem from business management.
Sadly, in the area of online and mobile payments, we anticipate a rising tide of such problems, because the direction of travel in the payments industry, fully encouraged by the regulators, is to encourage users to migrate away from old-fashioned cheque and card payments in favour of eBanking: online and mobile payments. But eBanking is a nirvana for fraudsters because of a fundamental flaw in the payments architecture which has opened wide the door to a new type of fraud – Automated Push Payments.
Automated Push Payment Fraud and Online Banking
Just as the dust began to settle on the TSB story there was a renewed focus in the UK media and Parliament on a relatively new, but rapidly growing, type of fraud – Automated Push Payment (APP). Data published by two trade associations UK Finance, and Financial Fraud Action UK, showed that APP fraud in H1 2018 was £145 million, up 44% on H12017. Although these gross numbers are small, the average loss per customer (GBP 4,000) is much larger than for card fraud (GBP 300).
There are many APP variants. A common example is where the criminal induces the bank customer to send a typically quite large payment—for example, a deposit to purchase an apartment—to a bank account controlled by the criminal. Property purchase deposits are a typical use case. The customer is excited about buying his home, there is time pressure, he has not previously made an online payment to his solicitor (many solicitors are today provided free by mortgage lenders) so when he receives an email purporting to emanate from the lawyer in identical font and format to what he is used to, correctly identifying the apartment, the date the payment is due and stating the correct amount he is easily persuaded to press the button on a transfer of say GBP 25,000.
Consumer groups are worried, particularly because unlike card fraud, where the loss is usually borne by the bank, the significance of this rapidly growing APP fraud is that the loss is typically not reimbursed to the customer. Bob Lyddon (2018a) provides the latest detailed evidence. When a customer disclaims liability for a card transaction in the UK and most of Europe, the bank must demonstrate on the balance of probabilities that the customer has been reckless with his PIN number and stewardship of the card. If it cannot, the bank bears the loss.
However, the cybersecurity measures and rules which banks have established regarding online payments concentrate on the physical hardware. As a result, if a device (laptop/ phone) which has been accredited by the customer as his own is used during an APP scam or spoof, the customer will usually bear the loss.
Easy Solution to APP Fraud – Confirmation of Payee
The central flaw in the present online payment system is the lack of a name check in the messaging system which is at the heart of the UK’s online payments system known as Faster Payments.5 How was this allowed to happen? This absence can be viewed as a side door to the system which was opened when the present Europewide Point of Sale (PoS) payments architecture was established some 20 years ago.
For PoS to work, the payments system had to generate a fast and accurate response from the purchasing customer’s bank as to whether a) she had enough funds in her account to pay for the item; b) whether the debit / credit card was valid and not reported lost or stolen.
Authentication was initially based on a visual check of the signature strip which later was replaced by Personal Identification Numbers. These cards based PoS purchases were the first payment processes requiring the payer’s bank to receive a message and respond to it within a few seconds. The payee’s identification information was never required to be captured by such a messaging system since that information was contained in the PoS device which initiated the message/ payment request.
As each new iteration of payments technology was adopted, the payments architecture was further constructed, but around this side door flaw. Today the Faster Payments architecture uses the IS08583 data protocol, the same as for card payments, throughout Europe.
In Europe, and a few countries beyond Europe’s borders, a similar fast payments architecture is in place, known as SEPA INST. This is an instant credit transfer system, in any major currency, which can be conducted using just an IBAN number, so again the payee’s name is not required and the side door to APP fraud is wide open.
The obvious solution to APP fraud is for the system not to make the payment unless the payee’s account details match the payee’s name which the customer types into her tablet or another device.
The payments industry has been talking about implementing such Confirmation of Payee (CoP) protection for years, and in January 2018 the UK’s regulator (The Payment Systems Regulator Limited – PSR) assured the UK Parliament’s Treasury Select Committee that CoP would likely be in place by the end of 2018. This was a remarkable assertion given that there is little chance of a working CoP protocol being established before 2023-25, if at all because the UK is at the start of a project to completely overhaul the non-card payments infrastructure. The project is labelled the New Payments Architecture (NPA) and aims to rip out and replace this infrastructure.
The new architecture will facilitate the replacement of the old, slow, costly (to banks) payment methods such as cheques and encourage retail customers to make greater use of irreversible online payment tools which are beloved of APP fraudsters.
New Payments Architecture and likely Confirmation of Payee Protection Delays
The NPA project is to be overseen by an entity called Pay.UK. This entity is the merger of the three underlying UK payments systems: Bankers Automated Clearing Services (BACS) – a typical method of making regular payments such as utility bills; Cheque and Credit – the ordinary system for manually signed paper cheques; and Faster Payments, the main online/ ebanking payments protocol discussed above.
All these three payment systems are owned by more or less the same group of major UK banks. Pay.UK was formed in July 2017 for the purpose of procuring the NPA, as announced on its We are Pay.UK website. Pay.UK is formally under the supervision of the Bank of England, but in practice, the PSR provides its main oversight.
Because the Confirmation of Payee (CoP) protection function has always been presented as overlaying on this new architecture, it was inconceivable that it could have been up and running this calendar year. But the subject is pithy, technical, and riddled with computer language and the Parliamentary Committee were easily fobbed off in January.
There are two reasons why the NPA project is likely to take a long time to implement. Firstly, the banks behind Pay.UK have little financial incentive; the banks are comfortable with the present payments architecture. The regulator’s NPA vision is to open retail banking to further Fintech competition, but this runs counter to banks’ incentives.
Secondly, the procurement model envisages the NPA tendering companies swallowing substantial costs to be recouped, together with hoped for profits, only when the NPA is deployed and then over five years. This is called a Cost Recovery Model. Of course, bank customers (the public) will ultimately foot the bill. But the costs to be absorbed by successful tenderers will likely run into the hundreds of millions, so high in fact that only giant US companies such as Amazon, IBM and Microsoft are expected to tender.
A tendering process was begun in 2017 by the Faster Payments scheme company, which was envisaged as involving the building of NPA, but that process has been stopped by Pay.UK after Pay.UK’s assessment of the NPA Blueprint, as explained on the We Are Pay.UK website (2018b). Now Pay.UK will start a new tendering process and from square one.
Latest versions show a scope creep, the danger that the project grows beyond providing the basic system rails to incorporating features, ownership of which payment services providers would wish to retain. The Bank of England is known to be concerned that the project’s design is likely to entrust the bulk of the work and financing to US technology giants. For all the above reasons, implementation by 2023–5 appears optimistic.
Pay.UK is now very careful with the language of its assurances as to NPA timing but is under political pressure for a CoP solution now. For this to happen, the Faster Payments messaging system will need to be reprogrammed to enable the individual payment service providers to communicate such information between each other.
The banks (Payment Service Providers – PSPs) using Faster Payments appear disinclined to spend the estimated GBP 200 million on this work, and as a result Pay.UK has redefined its role into that of a rule designer and publisher of standards and protocols, and seeks to pass responsibility for implementation back to the PSPs themselves. A CoP launch event took place in October, and the APP Scams Steering Group – a creature of the PSR – has duly published the resulting proposed customer compensation rules for consultation and feedback.
These rules set out the conditions for customers to be compensated when they avail themselves of the putative CoP. Payments expert Bob Lyddon (2018b) has reviewed the documentation and observes:
“The result is a carte blanche for the banks to give the victims the brush-off. Victims have to have taken numerous steps, show they have educated themselves, and in the process become semi-experts on matters for which the bank has a duty of care to them and not the other way round. The banks are allowed to be judge and jury on the matter and are permitted to apply numerous tests of reasonableness about their own behavior.”
One remarkable exclusion from the scope of compensation is SMEs. Of the non-personal users, only charities and micro entities will qualify for compensation. To recap, the subtext is rather concerning. Insiders know that CoP is highly unlikely to be deployed on the existing architecture.
However, Pay.UK and the regulator (PSR) maintain the pretence that it might, whilst their main focus is on designing customer compensation rules which heavily favour the banks in their guise as PSPs. Meanwhile, the PSR has published a consultation on the proposed Confirmation of Payee service.
Not only does the regulator appear to condone this abnegation of responsibility by PSPs, but such concerns are compounded by the regulator appearing to ignore that every instance of APP fraud involves two major breaches of key banking laws.
Firstly, there has been a failure of bank due diligence in every case where a criminal has managed to open and maintain the account into which the stolen funds are transferred; secondly, by permitting the fraudster to draw down the funds, each bank in every case is offending Europe wide laws proscribing the facilitation of the handling of the proceeds of crime. Nor does the regulator demand a relatively simple and quick solution to APP Fraud – the establishment of manned telephone help desks, which could assure the customer that the name and account details of the payee match the proposed push button details and are valid.
Our Explanation; New APP Fraud Rules and Payments Standards are a Thin Political Market
Both the APP fraud resolution effort and the NPA project are essentially political markets which banks appear to have easily captured. Each envisages protocols, standards and new rules. Karthik Ramanna (2015) has analysed how US banks captured various aspects of bank accounting standards in a similar way. He coins the phrase thin political market to explain how. Political markets are distinguished from political processes.
In the latter, for example, national public healthcare systems and the financing thereof, the general public is incentivised to participate.
However, for accounting rules or payment standards and protocols, in contrast, the general public feels no such incentive. Further, in thin political markets, the required expertise can only be obtained experientially, by being a practitioner, an insider. Outsiders are dismissed as obviously incompetent. In thin political markets, there is no role for independent experts. Here, independence correlates with a lack of the required experience. The term political applies because the results of the rules will encourage certain behavior which will benefit certain classes of society at the expense of others.
Ramanna defines a thin political market as one in which an area of rule-making or regulation where corporate managers succeed in capturing the standard setting, system changing or rule-making process. Three characteristics are observable in a thin political market (Ibid., 20):
a) The managers clearly possess the technical expertise necessary for assuming the role of rule designers;
b) They have strong economic vested interests in the outcome of the rule(s);
c) They face little political opposition from the general public or general interest.
Further, as with the NPA project where the banks stand to gain little benefit, Pay.UK (2018c) presents itself as performing a charitable and noble public service duty, as technocratic rather than an unelected policymaker:
“We will do this by driving more participation and involvement in payments, so payment service providers are competing and innovating solutions which respond to customer needs, driving better service and value for end users. Our goal is to be the leading retail payments authority by delivering best in class infrastructure and standards for the benefit of people everywhere. We will be the guardians and pioneers of payments, modernising the payments ecosystem and ensuring that companies and individuals participate in payments according to the standards and rules which we will set.”
Implications and Lessons for the Future
At the wholesale level, bank cybersecurity is so effective that banks are almost immune to the risk of hacks and data thefts. Interbank payments rarely if ever go astray. Banks could quite easily fund the messaging upgrades to the Faster Payments protocol required to provide a Confirmation of Payee (CoP) layer of protection. Rather than do so, they produce (via Pay.UK) unrealistic estimates of when such protection will be in place and focus their efforts on designing a compensation regime (Contingent Reimbursement Model) which will minimize losses imposed on banks and maximize those suffered by retail and business customers.
How is it possible that banks with such strong cybersecurity can expose their customers to growing levels of payment fraud? We conclude that cybersecurity should not be seen principally as a technical matter but rather as a business management one, and the usual incentives apply. We set out concerns that the regulator is neither sufficiently independent from the PSP cartels nor seemingly knowledgeable enough about how deep the problems lie.
Perhaps the pithy, detailed, and frankly rather boring complexity underlying the existing payments architecture and the planned enormous overhaul, is too tough or turgid for the scrutineers. This has in effect deterred the PSR and other public bodies from delivering on their January promise to Parliament to take any effective action to address APP fraud.
How should policymakers adjust their supervision of matters such as payments systems mergers to protect the public good element of such services? The 2018 focus on security with the onset of GDPR and Open Banking, has made it easy for the incumbents to seize control of these processes. By implication, nobody else is capable. A good place to start would be to address the factors contributing to such thin political markets.
Regulators could start by imposing simple and logical rules; for example, victims of APP fraud should be treated in the same way as victims of card fraud; unless the bank (PSP) can demonstrate gross negligence on the part of the customer, banks should bear the loss. Were this rule implemented, it is likely that the cartel of large UK banks would quickly agree to share the estimated GBP 200 million costs of the necessary upgrade to the Faster Payments messaging system. In addition, regulators should enforce anti-money laundering and due diligence (account set up) laws.
Lyddon, Robert. 2018a. Our response to the PSR consultation on their Contingent Reimbursement Model draft code, aimed at Authorised Push Payments Fraud. http://www.lyddonconsulting.com/our-response-to-the-psr-consultation-on-their-contingent-reimbursement-model-draft-code-aimed-at-authorised-push-payments-fraud/.
———. 2018b. Vendorcom Event Deck. http://www.lyddonconsulting.com/wp-content/uploads/2018/11/Vendorcom-event-deck-08nov18.pd.
Ramanna, Karthik. 2015. Political Standards. University of Chicago Press.
Rumney, Emma, and Lawrence White. 2018. “MPs criticise RBS and Barclays for online banking outages.” Reuters, September 21. https://uk.reuters.com/article/uk-natwest-outages/mps-criticise-rbs-and-barclays-for-online-banking-outages-idUKKCN1M10NN.
The Payment Systems Regulator Limited (PSR). 2018. “Consultation on the proposed Confirmation of Payee Service”. https://www.psr.org.uk/psr-publications/consultations/cp-18-4-consultation-general-directions-implementing-cop.
UK Finance. 2018. Criminals steal £500m through fraud and scams in the first half of 2018. http://www.ukfinance.org.uk/criminals-steal-500m-through-fraud-and-scams-in-the-first-half-of-2018/.
UK Parliament Treasury Select Committee. 2018. Oral evidence: Service Disruption at TSB, HC 1009. http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/treasury-committee/service-disruption-at-tsb/oral/84824.pdf.
Pay.UK. 2018a. Introducing the New Payments Architecture. https://www.wearepay.uk/what-we-do/.
———. 2018b. NPA – Procuring the Core Infrastructure. https://www.wearepay.uk/new-payments-architecture-core/.
———. 2018c. Who We Are. https://www.wearepay.uk/who-we-are/.
1 I am indebted to Bob Lyddon of Lyddon Consulting (www.lyddonconsulting.com) for his detailed research work on the efforts of the Payment Systems Regulator to tackle payments fraud, and on the development of the “Confirmation of Payee” service aimed at mitigating Authorised Push Payments Fraud, and on the “Contingent Reimbursement Model” code for compensating victims of such frauds in certain circumstances.
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, https://eur-lex.europa.eu/eli/reg/2016/679/oj.
3 Open Banking Europe is an initiative developed by PRETA, EBA Clearing’s subsidiary created in 2013 to develop and innovate market competitive services in digital payment and identity solutions, https://www.openbankingeurope.eu.
4 Allied Irish Bank, Bank of Ireland, Barclays, Danske, HSBC, Lloyds Banking Group, Nationwide, RBS Group and Santander.
5 APP fraud can also occur in one of the UK’s other main payments system called BACS. This supports cheque clearing and customer-initiated payments over the slower, paper form-based system called CHAPS. For brevity we will consider only Faster Payments here.