Recipient Confirmation as a New Challenge for Smart Systems: What's New?
Fast money transfers in a matter of seconds are slowly becoming the new standard, a clear benefit for both payers and those needing to get paid. However, this speed also creates more opportunities for fraudsters to manipulate victims into unwanted transfers. To ensure speed remains a benefit for bank clients, the European regulator (European Commission) has added a new requirement to the revised text of the payment legislation, known as the PSD (Payment Services Directive). This requirement, known to professionals as Recipient Confirmation (Confirmation of Payee) or IBAN and Account Name Check (IBAN-Name check), is gaining attention.
Before executing a transfer within the European Economic Area, banks will now have to verify whether the recipient's unique account number (IBAN) and its name actually match. In practice, the payer's bank sends the given details (IBAN and name) to the recipient's bank, which checks and confirms whether these two pieces of information match their records for the account. The result is then reported back to the payer’s bank and consequently to the paying client. Ideally, a 100% match is confirmed and the payer can complete the transfer with peace of mind. If there's only a partial match or a situation where the IBAN and name do not match, the bank must notify its client. It is then up to the payer to decide whether to proceed with the payment or not.
Does this new obligation seem superfluous to you? Experience shows that this control and interaction with the client before the actual sending of the payment order significantly reduces potential fraud and incorrectly entered payment orders. Examples include existing recipient verification processes in the Netherlands, France, or the United Kingdom. For several years, banks in these countries have had the ability to communicate with each other directly or through a global integrator. Results show a significant reduction in incorrectly entered payment orders, hence a benefit for all parties.
Up to this point, we might get the impression that this will be a very simple and obvious procedure. However, before banks can offer their clients account number and recipient name verification at the European level, they will have to solve several tricky issues and manage a technologically demanding implementation. From the outset, there has been debate about how to implement this process, and so far the regulator hasn't been much help. The forthcoming regulation does not define a technological framework for communication between EU banks or a unified standard for evaluating text strings. Who then decides what constitutes a complete or partial match, or that the evaluated string does not match internal data? It is already known today that the responsibility will lie with the recipient's bank. But due to the lack of standards, that bank will be able to determine the sensitivity level of the match evaluation on its own.
What algorithms and methods will banks use?
This is a question we at Trask have asked ourselves, and we are ready to work with banks to find a solution that will meet both the potential amendments in the European Commission's regulations and their business and security requirements.
Several methods based on approximate matching of two strings are available, each with its pros and cons:
- Levenshtein Distance – This is a very popular method for finding the closest text string. It measures how far apart two words or names are as the number of editing operations needed to convert one name into the other. These operations are the insertion, deletion, or substitution of a letter. For example, if a user enters the name "Johnn" and we have "John" in the database, the Levenshtein distance helps us determine that these are very similar names and suggest "John" as the closest option with a distance of one (1), because only the extra letter "n" needs to be removed.
- N-grams – This is a good method for cases where parts of the name can be interchanged. It splits the name into short overlapping parts of N characters each and finds names that contain the most similar parts. For example, if we have the name "Tuan Ho Tran" and a user enters "Tran Tuan Ho," n-gram analysis will help us recognize that it is the same name, just in a different order.
- Jaro-Winkler Distance – This is another method based on string comparison at the individual letter level. However, this method is more suitable for cases where we compare texts with a common prefix, which is useful, for example, in comparing surnames with gender-specific endings, such as the addition of the suffix -a or -ová for females.
In practice, it is often best to use a combination of these methods; combining them is mathematically possible and is even the recommended variant. Each method has its strengths and weaknesses, so using multiple methods allows for better results. Even more significant success could be achieved if there were an opportunity to learn from the successes and failures of payment order execution. Feedback on whether or not the payment order was confirmed by the payer, and on its subsequent processing at the recipient's bank, would be another important piece of information for fine-tuning the evaluation methods and algorithms.
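The three measures and one possible way of combining them, as an added sketch that is not code from Trask or from any bank or regulator. The normalization step, the use of the highest of the three scores, the 0.80 threshold and the result labels are all assumptions; a real deployment would tune them against confirmed and rejected payment orders.

```python
import os
import unicodedata

def normalize(name):
    """Strip diacritics, lower-case, collapse whitespace (assumed preprocessing)."""
    text = unicodedata.normalize("NFKD", name)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.lower().split())

def levenshtein(a, b):
    """Count of single-letter insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def ngram_similarity(a, b, n=2):
    """Dice coefficient over character n-gram sets; tolerant of word order."""
    grams = lambda s: {s[i:i + n] for i in range(len(s) - n + 1)}
    ga, gb = grams(a.replace(" ", "")), grams(b.replace(" ", ""))
    return 2 * len(ga & gb) / (len(ga) + len(gb)) if ga and gb else 0.0

def jaro_winkler(a, b, p=0.1):
    """Jaro similarity boosted for a shared prefix of up to four letters."""
    window = max(max(len(a), len(b)) // 2 - 1, 0)
    used, m1 = [False] * len(b), []
    for i, ca in enumerate(a):
        for j in range(max(0, i - window), min(len(b), i + window + 1)):
            if not used[j] and b[j] == ca:
                used[j] = True
                m1.append(ca)
                break
    if not m1:
        return 0.0
    m2 = [cb for cb, u in zip(b, used) if u]      # matched letters in b's order
    m, t = len(m1), sum(x != y for x, y in zip(m1, m2)) / 2
    jaro = (m / len(a) + m / len(b) + (m - t) / m) / 3
    prefix = len(os.path.commonprefix([a[:4], b[:4]]))
    return jaro + prefix * p * (1 - jaro)

def check_payee(entered, on_record, close=0.80):  # threshold is an assumed value
    a, b = normalize(entered), normalize(on_record)
    if a == b:                      # only equality after normalization is a full match
        return "match"
    lev = 1 - levenshtein(a, b) / max(len(a), len(b))
    score = max(lev, ngram_similarity(a, b), jaro_winkler(a, b))
    return "close match" if score >= close else "no match"
```

Taking the highest score is the permissive choice: it lets each method cover the others' blind spots, but it also widens what counts as a close match, which is why a full match is reserved here for names that are equal after normalization.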
We have simply introduced mathematical methods that can address typos, omissions in multi-word names or titles, or local specifics of surname inflection ("-a", "-ová"). It will be important to test these methods and experiment to some extent so that we can achieve excellent results in the future, leading to increased safety and reduced error rates in entering payment orders.
Are you interested in learning more about this issue, or do you want to help with payment solutions in your company? Do not hesitate to contact us.
Author
Janka Vavrinkova
Project Manager, Payments
jvavrinkova@thetrask.com
Michal Sustr
Business Consultant, Transformation & Governance
msustr@thetrask.com