In the immortal words of Salt‘n’Pepper  we have all been living in a world where we ‘push it, push it real good’ when it comes to payments...(if you were too young in the mid 90s to know who Salt’n’Pepper are, immediately go and look them up and then return to appreciate that last sentence).

It’s normal to create a send a payment from your bank account using someone’s bank account details. It’s not even just for sending money to our friends and family, we also find it perfectly normal to see bank account details at the bottom of invoices, on rental agreements, on services agreements, etc. No wonder we are so prone to blindly sending money out of our account to scammers and fraudsters, we perform the same actions for legitimate business all the time. No difference- normal behavior.

But it shouldn’t be.

Businesses (and the banks that support them) should be doing a lot more to de-normalize push payments but I am not sure that ‘we’ (the collective industry ‘we’) have really asked them to.

It's a well discussed fact that the scourge of Push Payment Fraud is exploding around the world. There are efforts to try and combat this in many countries – in Australia there is the National Anti-Scam Centre – a task force that includes representatives from banks, regulators, law enforcement and telcos, in the UK the Payment System Regulator has introduced ‘mandatory reimbursement’ which effectively makes your bank liable to make you whole again if you lose money to a scam (I would argue this doesn’t really prevent the issue but treat the resultant problem... it’s contentious) and in the US, NACHA¹ (the body that makes the rules for the ACH system) has updated the rules this week to try and address the rising tide of Push Payment Fraud. The new rules essentially empower a receiving bank to hold or send back a payment that has entered their account base that seems erroneous whilst also allowing a sending bank to easily recall a payment for any reason.  

The commonality of all this (beyond the fact that push payments fraud is a terrible problem) is that there is a prevailing sentiment that ‘everyone plays a role’ in preventing push payment scams and fraud. It’s true. Children and payments ‘require a village’ to look after them - there are many stakeholders involved in ‘doing a payment’.  

I don’t think that we are looking closely enough at how normal these payments are. Nor do I think that businesses understand what role they can play in changing behavior away from dangerous, nasty ‘traditional’ push payments and towards safer waters.  

The rationale being that if it becomes less normal to have someone ask us to do one of these ‘bank account’ payments, the less likely we will be to simply send a payment to a malicious party.  

We do have great initiatives such as addressing services over real-time payments (like PayID in Australia) and confirmation of payee services, but, these are a thin line of defense against behavior rooted in habit.

How should businesses saddle up and join the fight against Push Payment Fraud? Quite simply, stop asking people to pay you via your bank details!! (imagine an exasperated not-quite-shouting-but-almost tone as you read that please). Not only will this protect you and your customers, but it will also, if done well, give a business a huge efficiency boost. Hurrah.

Banks, pay attention, as the vanguard of demanding action on scams (and being on the hook to reimburse lost funds in some cases), you can and should be supporting your business clients to end their dependance on push payments, thereby helping them and contributing to a better world. Hurrah for you too.

Brace yourselves, this next part does contain some shameless promotion of Paypa Plane’s Smart Payment Agreements™, but only because they are good and can genuinely help in the campaign to de-normalize push payments. There are also some solid non-promotional bits too, I promise.

There needs to be loads of compelling reasons for businesses to shift behavior and for them to ask their payers to shift behavior. I think we have them so here we go:

• Indecent Exposure: Push payments expose businesses and consumers to a higher chance of having a payment sent to the incorrect account - either by entering incorrect account details by mistake or by malicious scams or fraud. Email comprises, invoice switching, and business impersonation all mean that payers might simply pay a fraudster instead of the business. It’s wild how frequently this occurs. These things can be mitigated by using a Smart Payment Agreement to protect business and consumers. A Smart Payment Agreement is protected by measures including OAuth, MFA, user authentication, micro-consent capture and masking payment details from the payer and payee. No switching, invoice comprise or mistaken payments possible.
• Easing in changes: Push payments will reach a time of transition - and in many cases they already have - where 'old school’ direct credit defaults to real-time rails. This makes the fraud, scam and mistaken payment issue even more problematic - there is no stoppage or recall on a real time payment (just ask the UK where they are thinking about slowing them back down). Considering how best to leverage new payment types and processes is made much simpler for business and consumer if the experience before the transaction remains consistent. A Smart Payment Agreement™ will go through the same steps for the payer and the payee, no matter what the ultimate transaction choice is. If we lift our thinking above the transaction and consistently capture and authenticate payer, payee, context of the payment and log this in event-based system, we have the freedom to move between transaction rails without gaps for scams opening. Banks will also be able to better manage and run quality control on disputes because of the rather magic agreement-based contextual meta-data attached to every transaction.
• Reconciliation Issues: whilst a payment may be expected by a business because it is 'due', with a push payment, there is no control over when, how much and what the reference will be when that payment lands in the business's bank account. The business is exposed to payments that have no expected reference points. At best, this is a manual burden for administration, at worst, this could even expose the business to AML/KYC issues if they cannot match the sender and the reason for the payment. This is uncomfortable for a small business and head-achingly worrying at a larger scale.  
• Control and transparency: push payments clearly have intrinsic disadvantages for businesses and consumers but, payers revert to them because they are so normal, and habits are habits. Plus, there is a feeling of control and transparency that is associated with push payments. This association is reasonable considering the dated processes of direct debit and even card-on-file pull payments. These things are inherently opaque and remove the consumer from the process after they provide the payment details. Everyone knows someone who has battled with trying to cancel a card-on-file or direct debit. These are the horror stories that push payments proponents thrive on.  Smart Payment Agreements™ redress this balance by ensuring that consumers remain involved and informed, that all agreements are transparent, that any transaction initiated is within the parameters of the agreement and that there are management capabilities provided to them (within the scope of the business's ruleset). Essentially giving pull payments the ‘comfy feeling’ of push payments. Like putting lovely cozy slippers on them.
• Pushing the Smart: whilst there will be circumstances where a consumer still wishes to have the option for a push payment, keeping the activities before the we get to the transaction instructions consistent with other methods will help to ‘de-normalize’ the concept of just send a payment to bank details that a business (or a scammer) provides. In context - leveraging the construct of Smart Payment Agreements™ with a push payment option (such as BPAY or bill payment or an addressing solution) alleviates the risk of having bank details switched or mistaken (and prevents scammers from being able to communicate their details with the payer) and will help move consumers away from thinking it is normal to just get bank details to send a payment to. It might also encourage them away from Push altogether and into some of the pull-based options.

We need to stop Pushing It. The way we pay legitimate businesses frames the behavior and ‘normal’ payment habits that scammers take advantage of. We need to de-normalize bank account push payments so that when someone asks us to send money to their bank details, it’s so jarringly weird that the wizard behind the curtain is revealed.  

‍