There are two payee details that you enter when making a bank payment:
"Payee name" is a required field, but it's not verified.
So the payment will be sent to the payee account number that you enter, even if that account number belongs to someone completely different.
This vulnerability is exploited by scammers.
With an investment scam, the scammer will typically convince a person to make a payment to a bank account number that's controlled by the scammer, and instruct the person to enter a (counterfeit) payee name such as "Citibank Investments".
The bank doesn't check whether Citibank Investments is actually the holder of that payee bank account, so the payment may be processed.
With an invoice scam, the scammer will typically send a counterfeit invoice from a legitimate business like Watercare. The invoice will request payment to a bank account number that's controlled by the scammer.
Again, the bank doesn't check whether Watercare is actually the holder of that payee bank account, so the payment may be processed.
Many of these scams can be avoided through a "confirmation of payee" service. Here's how it works.
Confirmation of payee services are already established in other countries, so there's a blueprint that we can follow in New Zealand.
Akahu has built a confirmation of payee service that has taken inspiration from these services in the UK and Nordic countries.
Dolla is the first payment provider in New Zealand to implement confirmation of payee functionality.
In the example below, the person is trying to pay Spark. They enter "Spark" as the payee name, and enter the bank account number on the invoice.
Dolla sends an API request to Akahu's confirmation of payee service, and we check whether the bank account number is held by Spark. In this case, it's a match, so we send back a "match" result and Dolla displays a green tick.
Now let's look at a scam example.
In the example below, the person is trying to pay Citibank Investments. They enter "Citibank Investments" as the payee name, and enter the bank account number they've been instructed to pay.
Dolla sends an API request to Akahu's confirmation of payee service, and we check whether the bank account number is held by Citibank Investments. In this case, there's no match, so we send back a "no match" result and Dolla displays a red cross. In these scenarios, Dolla does not allow the payment to be made.
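The check described in the two examples above can be sketched as follows. This is an added example, not Akahu's or Dolla's code: the account registry, account numbers, registered names, name normalisation, similarity threshold and the handling of a "close match" are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed registry of account number -> registered holder name.
# Names and numbers are made up for this example.
ACCOUNT_HOLDERS = {
    "00-0000-0000001-00": "Spark Ltd",
    "00-0000-0000002-00": "J Smith",
}

# Assumption: legal-form words are ignored when comparing names.
NOISE_WORDS = {"ltd", "limited", "nz", "the"}
# Assumption: similarity at or above this ratio counts as a close match.
CLOSE_THRESHOLD = 0.8


def normalise(name):
    """Lower-case, strip punctuation and drop legal-form words."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in NOISE_WORDS)


def confirm_payee(payee_name, account_number):
    """Return 'match', 'close match' or 'no match' for the entered details."""
    holder = ACCOUNT_HOLDERS.get(account_number)
    entered = normalise(payee_name)
    if holder is None or not entered:
        return "no match"  # unknown account or empty name never verifies
    registered = normalise(holder)
    if entered == registered:
        return "match"
    ratio = SequenceMatcher(None, entered, registered).ratio()
    return "close match" if ratio >= CLOSE_THRESHOLD else "no match"


def client_action(result):
    """Map a result to what the payment screen does."""
    if result == "match":
        return "allow"   # green tick
    if result == "no match":
        return "block"   # red cross, payment not allowed (as on this page)
    return "warn"        # assumption: ask the payer to re-check a close match


if __name__ == "__main__":
    for name, acct in [("Spark", "00-0000-0000001-00"),
                       ("Sparke", "00-0000-0000001-00"),
                       ("Citibank Investments", "00-0000-0000002-00")]:
        result = confirm_payee(name, acct)
        print(f"{name!r} -> {result} -> {client_action(result)}")
```

The decision is keyed on the account number's registered holder, so a convincing payee name typed by the payer has no effect on the result unless it actually matches that holder.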
To get broad coverage in New Zealand, all banks need to participate. Each bank has two roles to play:
Banks have been under pressure to deliver a confirmation of payee service.
The New Zealand Bankers Association has recently stated that the banks will deliver this functionality, and the banks are working together to coordinate the response.
We've had one New Zealand bank begin a trial with Akahu's confirmation of payee service, and are offering to work with other banks that want to get started quickly. As a first phase, the "match", "close match", or "no match" results can be used internally by fraud teams to help prevent customer harm. Once the implementation is working well internally, the bank can start to display the results to customers.
Outside of the banks, Akahu will continue rolling out our confirmation of payee service to apps that provide payment functionality via Akahu.
It will take some time for payee verification to roll out across New Zealand. In the meantime, please pause and take extra care when paying any new payee.