Why payment links are the weakest link in digital bill payments

The COVID-19 pandemic has accelerated a move to digital payments

It’s broadly acknowledged that the pandemic has acted as a catalyst for the increased uptake of digital technologies with Deloitte reporting that ‘35% of customers have increased their online banking usage during COVID-19’. With this increased customer demand many banks and payment providers are taking a fresh look at their products and services making remote payment experiences a prominent focus area.

Some banks have moved early to adopt ‘Pay by Link’ services. This term describes the process where your supplier sends out an invoice by SMS or e-mail that includes a link that, when clicked, takes you to a checkout web page operated by the bank. The ubiquitous availability of SMS and e-mail ensures that a supplier can reach a broad spectrum of their customer base with the click of a button making this technology a low-cost option.

Scammers have cashed in on the feeding frenzy to serve consumers with poorly devised ‘pay by mobile’ solutions

These benefits haven’t been lost on fraudsters who are firmly in the early adopter’s camp.  

In this type of scam, a criminal through the anonymous nature of e-mail and SMS will impersonate a delivery company or government department for example to con people into sending them money. The Royal Mail has been a victim of this brand exploitation through a series of headline inducing scams, including the infamous ‘a parcel is waiting for delivery. Please confirm the settlement of 2.99 (GBP) via a link’.

Regulators are stepping in to stem the tide towards pay by link

Given the eye-watering fraud, it seems odd that some banks would choose to ask customers to click on links received on emails and SMS.  It is exactly because of this emerging trend that some regulators are taking action starting with the Monetary Authority of Singapore that as reported by The Paypers have moved to unilaterally ban the sending of clickable payment links in emails or text messages to retail customers, which has already been successfully implemented by their banks. To put this into context, if this legislation were to be applied to the UK, services such from some of our prominent high street banks would be outlawed. 

Not resting on their laurels the Monetary Authority of Singapore has now gone further to address fraud liability with the issuance of a new framework. This will include laying out the responsibilities of the key parties in the ecosystem including customers who have been issued with clear instructions including:

‘Transact only on the bank’s official website, or through the bank’s official mobile application’.

A better way for banks to service customer demand for remote digital payments in a secure manner 

Pay.UK and The European Payments Council believe they have a secure alternative in the shape of Request to Pay. A message overlay service, Request to Pay enables a biller to initiate a Request from their banking interface. A would-be payer then receives that message in their bank app. This app-to-app security is in line with recommendations from the Monetary Authority of Singapore and presents a vast improvement over SMS and e-mail because:

1. Each bank app/interface has to be onboarded as a certified member of the scheme providing confidence that the originator of the request is who they say they are;  
2. A payer pre-approves only those suppliers that they wish to receive requests from preventing spam messaging;
3. In the case of a bad actor, they can easily be disconnected from the scheme and prevented from initiating more requests.  

The big obstacle for Request to Pay is ubiquity

SMS and email are convenient because everyone has access to them. Most people also have a bank app however not every bank app has Request to Pay enabled yet. With the introduction of anti-fraud legislation tackling email/SMS scams, we could see this change. Already a survey of Banks and PSPs by Icon solutions found that 71% of banks are interested in the service with adoption being limited according to 54% by the existing banking technology and systems. With the rise of technology service providers to help banks join the ecosystem, there is an increasing sense that the link is dead, long live Request to Pay.

Peter Cornforth is Commercial Director at Answer Pay the UK's leading Request to Pay provider. He specialises in digital payments innovation with 15 years experience that includes roles with Vodafone, Santander and Amazon.

About Answer Pay

Answer Pay enables secure bill payments in banking apps. We connect banks to Request to Pay.  Placing financial institutions at the centre of the bill payment experience ensures end to end bank grade security, however, it isn't always easy for banks to bring differentiated services to market. Our API based access removes the technology challenges so banks can maximise their revenue opportunity.  Find out more at www.answerpay.uk.