The Changing UK Payments Infrastructure and Implications for Fraud
December 12th, 2019
We often use the analogy of payments being a little like plumbing – it tends to be hidden away out of sight, and as long as water comes out of the tap, then we generally don’t think about the pipes themselves. Yet as anyone who has bought an old house knows, even pipes have to be replaced occasionally, and given that they’re embedded in walls and under floors, replacing them is not simple.
Here is where the analogy perhaps breaks down. Replacing payment pipes is far harder – turning off the water and moving out for a few weeks isn’t an option. Even turning off the systems for a few seconds has all sorts of implications for the industry and the economy as a whole.
The UK payment systems aren’t really that old either, compared to houses. Faster Payments is only just over a decade old, and the technology underpinning the BACS system is around 15 years old. However, with growing volumes and the changing needs and expectations of the industry and its users, the infrastructure needs an overhaul. Just think about the technology we have witnessed in those 15 years – now everything has a touch screen, and internet speeds on our mobile devices are considerably faster than even the most advanced business had then!
The planned new infrastructure is known as the New Payments Architecture (NPA), and it aims to redesign the heart of the UK payment systems. The design will handle both real-time and bulk messages on a single, highly scalable platform, and will process more than £6.7 trillion worth of payments every year. It’s not just about scale: it will introduce new features like Confirmation of Payee and Request to Pay. It will also move the messages to ISO 20022, meaning more data will be sent with each payment. All these changes are designed to support greater levels of innovation, and faster adoption of it. One such example starting to emerge is the use of instant payments at the point of sale, enabled by Open Banking.
What does this mean for a bank, and in particular, fraud?
Banks are moving away from thinking about fraud on a payment-rail-by-payment-rail basis, towards thinking about customers and accounts. This is for two reasons. First, if there is now just a single underlying rail at the heart of the infrastructure, separating the rails out within the bank begins to make less sense. While the use cases for which rail is used for which purpose will persist, they will begin to change over time. Second, as payments migrate to real-time payments from other payment types, a more holistic view is required, especially as the migration is likely to be unpredictable and spread over a long period of time.
Next, the tools need to evolve to ensure that they can cope with increasing demands placed upon them. These demands are in many different dimensions, from availability to speed, to recognising new patterns of behaviour which the migration may create. This will be key. Given how many changes await and the many unknowns, the ability to adapt and evolve in an agile way will be critical.
Third, with so many changes taking place, internal and external education is required. When something is new or unfamiliar, it may not always be obvious as to whether something is wrong. One hopes that the industry tackles this, but that shouldn’t stop a bank going that extra mile to protect its customers.
Finally, banks need to understand the implications of the broader changes and then figure out what they might mean. For example, take the move from card to real-time. In reality, it isn’t as simple as just moving from one rail to another. Previously (and this is highly simplified!), the card transaction would be initiated by a merchant, who had an agreement with a limited set of acquirers, who in turn were vetted by the card schemes.
Going forward, any third-party processor (TPP) could initiate that transaction at any merchant, and in any country, and the bank has to trust them as if they were a peer. The barrier to entry to becoming a TPP is lower than becoming an acquirer, and the rules vary country by country. Each transaction is also a multitude of API calls, from authentication to authorisation to initiation. In this paradigm, attacks are likely to start at the API level, especially as increasingly sophisticated systems automate the attempts, and of course the APIs are publicly available. Equally, it’s easy to imagine a simple coding error in a TPP’s integration producing traffic that looks quite similar to an attack!
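To make the point above concrete from the bank’s side, here is an added example (not code from the original post, and not any particular bank’s or scheme’s tooling) of two detective checks run over API-call logs: does each payment initiation follow the expected authentication → authorisation → initiation sequence, and is any single TPP issuing initiations in a burst? The three-step flow, the log format, the field names and the thresholds are all assumptions made for the example, and the log lines are constructed. The triage step deliberately does not decide between an automated attack and a broken integration, since the post notes the two can look alike; it only ranks which pattern an analyst should look at first.

```python
"""Sequence and rate checks over payment-initiation API call logs.

Added example (not from the original post). Assumes a simplified three-step
flow per transaction -- authenticate, authorise, initiate -- and a constructed
log format "timestamp tpp_id txn_id endpoint account". All thresholds are
illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Expected order of API calls for one payment (assumption for this example).
EXPECTED_FLOW = ("authenticate", "authorise", "initiate")

# Constructed sample log. tpp-A behaves normally; tpp-B fires six bare
# initiations at six different accounts in three seconds; tpp-C skips one step.
SAMPLE_LOG = """\
2019-12-12T10:00:00 tpp-A txn-1 authenticate acc-100
2019-12-12T10:00:01 tpp-A txn-1 authorise acc-100
2019-12-12T10:00:02 tpp-A txn-1 initiate acc-100
2019-12-12T10:00:05 tpp-B txn-2 initiate acc-101
2019-12-12T10:00:06 tpp-B txn-3 initiate acc-102
2019-12-12T10:00:06 tpp-B txn-4 initiate acc-103
2019-12-12T10:00:07 tpp-B txn-5 initiate acc-104
2019-12-12T10:00:07 tpp-B txn-6 initiate acc-105
2019-12-12T10:00:08 tpp-B txn-7 initiate acc-106
2019-12-12T10:01:00 tpp-C txn-8 authenticate acc-107
2019-12-12T10:01:01 tpp-C txn-8 initiate acc-107
"""


def parse_log(text):
    """Parse the constructed log lines into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tpp, txn, endpoint, account = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "tpp": tpp,
                       "txn": txn, "endpoint": endpoint, "account": account})
    return sorted(events, key=lambda e: e["ts"])


def check_sequences(events):
    """Return {txn_id: [missing steps]} for every initiation that was not
    preceded, within the same transaction, by the earlier steps of the flow."""
    seen = defaultdict(list)          # txn -> endpoints seen so far, in order
    required = EXPECTED_FLOW[:EXPECTED_FLOW.index("initiate")]
    violations = {}
    for e in events:
        prior = seen[e["txn"]]
        if e["endpoint"] == "initiate":
            missing = [step for step in required if step not in prior]
            if missing:
                violations[e["txn"]] = missing
        prior.append(e["endpoint"])
    return violations


def check_bursts(events, window=timedelta(seconds=10), limit=5):
    """Return {tpp: peak initiations in any sliding window} for TPPs whose
    peak exceeds the limit. A per-TPP rate is used because a TPP, not a
    merchant, is the party the bank is now trusting as a peer."""
    per_tpp = defaultdict(list)
    for e in events:
        if e["endpoint"] == "initiate":
            per_tpp[e["tpp"]].append(e["ts"])
    bursts = {}
    for tpp, stamps in per_tpp.items():
        stamps.sort()
        peak = 0
        for i, start in enumerate(stamps):
            peak = max(peak, sum(1 for t in stamps[i:] if t - start <= window))
        if peak > limit:
            bursts[tpp] = peak
    return bursts


def triage(events):
    """Combine both checks per TPP. A burst of out-of-order initiations across
    many accounts is the higher-priority pattern; an isolated one may just as
    easily be an integration defect, so it is labelled rather than judged."""
    violations = check_sequences(events)
    bursts = check_bursts(events)
    txn_meta = {e["txn"]: (e["tpp"], e["account"]) for e in events}
    per_tpp = defaultdict(list)
    for txn in violations:
        per_tpp[txn_meta[txn][0]].append(txn)
    report = {}
    for tpp, txns in per_tpp.items():
        label = ("burst_of_out_of_order_initiations" if tpp in bursts
                 else "isolated_out_of_order_initiation")
        report[tpp] = {"label": label, "transactions": sorted(txns),
                       "accounts": len({txn_meta[t][1] for t in txns}),
                       "peak_rate": bursts.get(tpp, 0)}
    return report


if __name__ == "__main__":
    for tpp, finding in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(tpp, finding)
```

Run as-is, the script reports tpp-B as a burst of six initiations with no preceding steps across six accounts, and tpp-C as a single initiation missing its authorisation step; tpp-A does not appear. In a real deployment the step names would come from the bank’s own API gateway logs and the window and limit would be tuned per TPP against observed baselines, since a legitimate high-volume TPP will naturally sit well above the figure used here.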
To go back to the initial analogy – we may upgrade our plumbing to the latest standardised, push-fit plastic piping, but we still need to make sure the pipes are securely connected. While the new payment systems will also strive for the highest levels of security, no one expects fraud to stand still – it has always developed, probing new areas and showing increasing levels of sophistication. There is no reason to think that this will change going forward.