Open banking payments

By Ordo

Open banking payments – Reengineering security back into payments

After twenty years of progressively complex security fixes being applied to card and bank payments, making life more expensive and complex for both businesses and their customers, new open banking payments regulation and technology have allowed innovative regulated payments institutions like Ordo to start again from scratch. They now offer new open banking enabled payments options for businesses that are not only easy to use, but inherently safer and more secure for both the business and their customers.

  • As bank and card payments have evolved over many years, new security gaps have been exposed, and increasingly onerous security overlays for businesses and their customers have been developed to try and protect payments. While generally effective, these security overlays are making payments more difficult, adding expense to businesses and significant complexity to the consumer payments experience.
  • Open banking regulation and new technology fundamentally change this, allowing new regulated payment providers like Ordo to design in security and ease of use for payments processes from the start: frustrating fraudsters by eliminating the collection and sharing of payments information and security details between customer and supplier, and letting customers deal directly with their trusted bank to approve payments securely set up for them.
  • In this new world, businesses can be sure that every payment they receive is legitimate and irrevocable, and their customers can be sure they know exactly who they are paying and that only the payments they directly authorise with their bank will get paid.

Securing Card and Bank-to-Bank Payments is getting harder for everyone

Bringing card and bank payments online over the last twenty years has delivered huge benefits to businesses and their customers. Without these innovations we would either still be shopping exclusively on the high street or handing over cash to delivery drivers every time we ordered something online. As far as bill payments go, we could still be sending cheques through the post every time we brought the plumber in to fix a leaking tap.

But the growth in telephone and e-commerce card payments, as well as real time bank-to-bank payments via Faster Payments (see box: Faster Payments), has exposed businesses with cards and consumers with bank-to-bank payments to new and growing payments risks and costs, such as PCI compliance.

Taking card payments remotely (whether by phone or online) exposes businesses to fraud which, through chargebacks, they end up paying for. Consumers who make a payment to account details that have been intercepted and changed by a cyber-criminal lose the funds, with very little chance of recovery (see box: Push Payments Fraud).

The regulators and industry haven’t just sat back and let this happen; they’ve introduced security overlays to try and mitigate these risks. For example, for bank-to-bank payments the introduction of some Confirmation of Payee/Account Name Checking services by some banks can give consumers greater confidence that they are paying the right business. Much more broadly, the much-delayed introduction of Strong Customer Authentication (SCA) for card payments in 2021 should significantly reduce the risks of card fraud to businesses (see box: Strong Customer Authentication).

But these security overlays don’t come without significant costs and complexity, as well as not dealing with security problems from a root-cause perspective. A common theme with these security fixes is increases in payment process friction for consumers caused by additional consumer actions needed to complete a payment. For every new bank to bank payment consumers now have to enter an accurate business name if their payment is to go through without additional checks and sometimes alarming liability warnings (see box: Confirmation of Payee). Once fully rolled out this year, all but the smallest value online card payments will require the consumer to additionally use their mobile phone to independently validate their identity and confirm they really want to make each card payment. And for the lower value payments, it will still be the selling business that carries the risk.

Open banking regulation and technologies allow us to start again from the bottom up

New open banking FCA regulated payment institutions like Ordo are able to exploit the features of open banking to start again from scratch and engineer ease of use and security together into their new payment solutions (see box: Open Banking Payments).
By way of example, Ordo’s innovative open banking request for payment and e-commerce payment solutions take a radically different approach:

  • With Ordo’s solutions neither the paying customer nor the collecting business ever needs to be asked to provide Ordo with any card or bank details, eliminating an important vector for fraud.

  • When a customer is asked to make a payment by Ordo, the receiving business’s account and payment details are passed directly to the paying customer’s nominated bank using the open banking regulated bank-to-bank-grade security protocols, removing the possibility of any interception and change by third party fraudsters. Not only is this more secure, but it also saves the customer the time, and the risk of error, of entering these details themselves – an increasingly big issue now that consumers are also expected to enter the account title of the person or organisation they are paying if they want to make a safe payment. If the customer makes a mistake doing this, the money may be unrecoverable.

  • When it comes to making the payment, the customer talks directly and securely with their bank using their normal mobile or online banking app. In their app, they are told exactly who they are going to pay, and they authorise their bank directly, in the normal way, for example by fingerprint or face-id, to make the payment. All these identity and security credentials are kept between the bank and their customer, never shared with Ordo or the business they are paying, just as they should be.

These changes are not about adding ever more sophisticated cyber and information security protections to otherwise exposed processes; they are about fundamentally redesigning how payments happen so that there is nothing to be stolen in the first place. A significant side effect of Ordo’s approach to design is that both businesses and consumers can be sure that they are not sharing any private or sensitive information with each other or third parties that is not absolutely essential to carrying out their instructions. Not just security by design, but privacy too.

There are now better payments solutions for businesses and their customers

With new services like Ordo’s open banking request for payment and e-commerce solutions everyone wins:

  • Businesses can be confident that the payments they receive are legitimate and irrevocable. With Faster Payments as the underlying payment delivery mechanism, businesses are informed in real time by Ordo when payment has been made, and can be certain not only that the amount they expect is sitting in their bank account, but that the cash is theirs and cannot be charged back or reversed. Their bank payment will also be accompanied by whatever payment reference they specified when they started the request or e-commerce journey, eliminating the growing administrative burden of payments reconciliation.

  • Consumers will not only know exactly who they are paying but will see every detail of the payment presented to them directly by their own bank. They won’t have to enter any additional information, just authenticate themselves with their bank, knowing that they don’t need to trust any third party, even the business they are paying, to look after their personal and sensitive information. This leaves the consumer in control, both of when they pay, but also of all their private information.

  • With Ordo the banks win as well. They don’t need to go through complex verification processes with their customer to make sure they know who they are going to pay, trying to ask for and match account numbers and account names for each new payment. There is no doubt that the customer has been fully informed about the payment and is making an active decision to pay, and therefore there is no uncertainty about liabilities.

  • And finally, the economy wins. Re-engineering payments for ease of use and security, exploiting the incredibly cost-efficient Faster Payments service, and preventing criminal losses from growing payments frauds drives improved productivity into our economy, allowing more to be done for less, and constraining the arms race of attack and defence between financial criminals, businesses, banks and their customers.

About Ordo

Ordo was founded by the former executive management team of the Faster Payments Scheme in 2018 to use open banking payments to create new, more cost-effective and secure payments solutions for businesses small and large and their customers, and launched its first payments solutions in 2020.

Ordo is an FCA authorised payments institution (Firm Reference Number 836070 on the Financial Conduct Authority register).

Ordo is backed by Nationwide Building Society Ventures, CGI (the global technology provider) and private investors.

To learn more about Ordo, and what its solutions could do for you and your business, go to www.ordohq.com. For a demonstration email enquiries@ordopay.com, or to see for yourself what we do, sign up as a personal or business user at www.myordo.com or download the Ordo app from the Apple App Store.

Faster Payments

The Faster Payments Service, launched in 2008, provides all UK consumers and businesses with real time, 24×7, irrevocable payments between all UK bank accounts. The service is widely used to pay invoices, settle card bills and make person to person payments. In 2020 Faster Payments processed 2.9 billion payments between bank accounts moving over £2.1 trillion.

To make a Faster Payment the payer (who is sending the payment) needs to provide the Bank Sort Code and Account Number of the account they wish to pay (the payee’s account). Increasingly, payers also need to know the account name of the account they wish to pay, although this is not used by the core Faster Payments Service. The payer, normally at the request of the payee, can also add an optional 18 character payment reference, to help reconciliation of payments that arrive in the payee’s bank account.

When the payer makes the payment, mainly on their mobile banking or internet banking app, their bank will confirm to them in real time that not only has the money been sent, but it has been acknowledged and received by the payee’s bank and normally immediately applied to the payee’s bank account. This process is completed by the Faster Payments System and the two involved banks in a matter of milliseconds.

From the payee’s perspective, as soon as the payer has made the payment, the money is credited to their bank account. Not only does this happen in real time, 24×7, but the payment is irrevocable. This means that unless the payee agrees in a subsequent discussion with their bank that a payment has been made to them in error, the payment cannot be reversed or charged back in any way.

The Faster Payments Service is the underlying payment technology used by open banking payments services like Ordo.

Push Payments Fraud

Push Payments Frauds are frauds against the senders of payments, usually sent through the Faster Payments Service, where a payer has been persuaded, tricked or misled into either sending a payment for a fraudulent service, or a legitimate payment to a fraudster’s account. In the first half of 2020 reported losses associated with these Authorised Push Payments Frauds were £207.8m. Only £73.1m of these losses were returned to customers by their banks, the remaining loss of £134.7m had to be absorbed by the impacted consumers and small businesses themselves.

Many of these frauds involve the interception and changing of the Bank Sort Code and Bank Account Number that has been sent by the payee to the payer. A consumer might have a computer virus on their PC that checks each incoming email for invoices and bank details, replacing them with a fraudster’s account. Many of these receiving accounts are known as ‘mule’ accounts where potentially vulnerable consumers have been persuaded to make their bank account available to the fraudster, typically for a slice of the payment as reward. The ability of the fraudsters to quickly move payments around the UK banking systems from mule account to account makes them hard to catch.

The introduction of Confirmation of Payee services is making this form of fraud harder, as the payer will need to know the name of the receiving account. The payer may be alerted if this is different from the name of the person they thought they were paying, but social engineering, where a fraudster may suggest that the unusual name of the account is actually a security feature, means this is not a perfect protection.

Although the risk of this type of fraud sits legally with the paying customer, when these events hit, the business trying to collect payment is also indirectly impacted by the loss to their customer, which delays the payment they were due to get and damages customer relationships.

Being hit by such a fraud often drives understandable protective behaviour from payers, like calling up a business to validate payment details, or even making a small test payment and then calling up the business. This drives further cost and inefficiency on to the business trying to get paid.

By protecting the payee’s bank details from any interception, open banking payments services like Ordo can prevent many of these types of fraud.

Strong Customer Authentication

Strong Customer Authentication (SCA) is being progressively introduced by banks and other financial institutions to better secure bank and card payments. The requirement was introduced into the EU’s Second Payment Services Directive (PSD2) and has been incorporated into UK law.

SCA is required when most telephone or online bank payments and card transactions are being made by a consumer. SCA is typically implemented by asking a consumer to validate each payment they make through a banking app, or by quoting a one-time code sent to them by SMS or email, whenever they make a payment. While there are some exemptions for very low value payments, and beneficiaries the consumer nominates as ‘trusted’, as SCA is fully implemented in early 2021, more and more e-commerce payments will require more complex additional steps by the customer if they are to go through.

SCA requires the customer to use two factor authentication (2FA) of payments, providing two of something they know (like a password), something they have (like a smartphone or credit card), or something they are (like a fingerprint) for every payment they authorise.

This complexity, while protecting everyone from fraud, will almost certainly increase drop out and abandonment rates for e-commerce transactions.

One area where SCA works quite well, however, is in payments authorisation for Faster Payments and open banking payments in mobile banking apps. The much more secure operating environment of smartphones and their carefully engineered use of fingerprint and face-id means that full SCA authorisation of a payment can be achieved with minimum impact on the paying customer.

In payments made with open banking payments services like Ordo, SCA is used in the simplest and most secure way for consumers. Consumers only authenticate directly with their bank via mobile banking or internet banking apps, delivering the security of SCA in a simple user experience.

Confirmation of Payee

Confirmation of Payee (CoP) has been introduced by the UK’s largest banks following regulatory action by the Payment Systems Regulator (PSR). This regulation requires the largest banks to ask their paying customers for the account title of any payment they are planning to make through Faster Payments before a payment can be made.

The bank asks the payer to enter the destination account title as part of the payment set up. The bank then checks with the destination bank to see if the title is correct. If the destination bank is participating in CoP they will either confirm a match, suggest a close match and play back the correct title, or deny a match.

Once this result is passed back to the payer, unless there is a full match, they can only proceed with the payment at their own risk.

While CoP is improving the security of payments, it is also making them much harder to set up for consumers and does not have wide coverage beyond the UK’s largest banks. Getting the account title correct is also harder than you might expect with many banks only accepting as valid one of a variety of account titles they use in different situations internally in the bank. It’s often the case that the title on a cheque book differs to that on a debit card, and also differs from the title used in payments or bank statements. Where the payee goes by a different name (e.g., Mike rather than Michael) this can result in failed matching – leading the payer to doubt the validity of the transaction.

The Ordo open banking payments services deliver an easier to use and more secure experience than CoP. When a consumer is presented with a payment to authorise, Ordo shows the payer the account title they are going to pay in advance. They don’t need to have entered it themselves, and the title shown is collected directly from the payee’s bank using a secure open banking transaction meaning there is no opportunity for corruption or interception.
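The three CoP responses described above, and the "Mike rather than Michael" failure, sketched as an added Python example. It is not code from Ordo or from the CoP scheme; the normalisation rules, the 0.80 cut-off and every name in it are assumptions chosen for illustration.

```python
import difflib
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional, Sequence

# Assumed normalisation rules and cut-off, chosen for this illustration only.
HONORIFICS = {"mr", "mrs", "ms", "miss", "dr"}
EXPANSIONS = {"ltd": "limited"}
CLOSE_MATCH_THRESHOLD = 0.80


@dataclass(frozen=True)
class CopResult:
    outcome: str                 # "MATCH", "CLOSE_MATCH" or "NO_MATCH"
    played_back: Optional[str]   # correct title, returned only on a close match
    score: float                 # best similarity found, 0.0 to 1.0


def normalise(title: str) -> str:
    """Fold case, accents, punctuation, honorifics and common abbreviations."""
    text = unicodedata.normalize("NFKD", title)
    text = text.encode("ascii", "ignore").decode("ascii")
    text = text.lower().replace("&", " and ")
    tokens = re.findall(r"[a-z0-9]+", text)
    return " ".join(EXPANSIONS.get(t, t) for t in tokens if t not in HONORIFICS)


def confirm_payee(entered: str, held_titles: Sequence[str]) -> CopResult:
    """Compare the payer's typed title with the titles the payee's bank holds."""
    wanted = normalise(entered)
    if not wanted:
        return CopResult("NO_MATCH", None, 0.0)
    best_title, best_score = None, 0.0
    for title in held_titles:
        candidate = normalise(title)
        if candidate == wanted:
            return CopResult("MATCH", None, 1.0)
        score = difflib.SequenceMatcher(None, wanted, candidate).ratio()
        if score > best_score:
            best_title, best_score = title, score
    if best_score >= CLOSE_MATCH_THRESHOLD:
        # Close match: the responding bank plays back the correct title.
        return CopResult("CLOSE_MATCH", best_title, round(best_score, 3))
    # No match: nothing about the real account holder is disclosed.
    return CopResult("NO_MATCH", None, round(best_score, 3))


if __name__ == "__main__":
    # Constructed sample titles, not real accounts.
    for typed in ("Mr Michael Smith", "Micheal Smith", "Mike Smith"):
        print(typed, "->", confirm_payee(typed, ["Michael Smith"]))
    # A bank that checks only one of its internal titles rejects a correct name.
    print(confirm_payee("Michael Smith", ["MR M J SMITH"]))
    print(confirm_payee("Michael Smith", ["MR M J SMITH", "Michael Smith"]))
```

A typo still scores as a close match, while the everyday short form of the same name falls below the cut-off, which is the payer-side friction the box describes.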

Open Banking Payments

In 2016, following an enquiry into competition in retail banking, the Competition and Markets Authority (CMA) placed a number of regulatory requirements on the UK’s nine largest banks to open up banking to new competitors. One of these requirements was to break down the banks’ monopoly on payments by adopting open banking. Over the same period the EU Second Payment Services Directive (PSD2) was introduced into UK law. PSD2, going beyond the CMA 9 largest banks, requires all UK payment account providing institutions to open up their payments as well.

The CMA established the Open Banking Implementation Entity (OBIE) to build the standards and common technology to enable these payments, and the Financial Conduct Authority (FCA) as the UK’s financial regulator, set up an authorisation process for businesses that wished to become regulated providers of these services (Payment Initiation Service Providers – PISPs).

Appropriately authorised PISPs, like Ordo, are now able to set up payments directly with their customer’s selected banks, where the customer can then authorise the payment to be made in real time, directly from their bank account to another bank account via Faster Payments. In 2020 over 3 million open banking payments were made.

Ordo, as a PISP, has direct secure connections to over 40 UK banks where it can set up payments for its customers.

In Ordo, payment initiation works as follows:

  • Ordo presents the payment to be made (as a result of a business’s request for payment, or an e-commerce payment) to the customer.

  • If they are happy to pay, they select the bank they wish to use from Ordo’s list of 40+ consumer and small business banks.

  • Ordo securely communicates all the payment details to the selected bank and opens up the consumer’s mobile banking app or internet banking service on their phone or PC.

  • The consumer’s bank validates the identity of the consumer in the normal way (e.g., fingerprint, face-id or password) and asks their approval to make the payment.

  • Provided approval is given, the bank then executes the payment from the consumer’s selected account to the payee account securely set up by the payee with Ordo.

  • The bank then informs Ordo that the payment has completed successfully, and Ordo informs the paying consumer, and the payee business that raised the request, that payment has been completed.
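A simplified in-memory model of the initiation steps listed above, added here as an illustration; it is not Ordo's code or the OBIE API, and the class, method and status names are hypothetical. It assumes the bank executes only the details it showed the payer, that the link and the approval are single use, and that the payer's credential is checked by the bank alone.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class PaymentDetails:
    """Set up by the PISP from the payee's request; the payer never types these."""
    payee_name: str
    sort_code: str
    account_number: str
    amount_pence: int
    reference: str

    def __post_init__(self):
        if not re.fullmatch(r"[0-9]{6}", self.sort_code):
            raise ValueError("sort code must be 6 digits")
        if not re.fullmatch(r"[0-9]{8}", self.account_number):
            raise ValueError("account number must be 8 digits")
        if self.amount_pence <= 0:
            raise ValueError("amount must be positive")
        if len(self.reference) > 18:
            raise ValueError("Faster Payments reference is at most 18 characters")


class PayerBank:
    """The payer's bank: the only party that ever sees the payer's credential."""

    def __init__(self, credentials: Dict[str, str]):
        self._credentials = credentials
        self._consents: Dict[str, dict] = {}

    def set_up_payment(self, details: PaymentDetails) -> str:
        consent_id = secrets.token_urlsafe(16)
        self._consents[consent_id] = {"details": details,
                                      "status": "AwaitingAuthorisation"}
        return consent_id

    def show_payment(self, consent_id: str) -> PaymentDetails:
        """What the banking app displays before asking for approval."""
        return self._consents[consent_id]["details"]

    def authorise(self, consent_id: str, customer: str, credential: str) -> bool:
        consent = self._consents[consent_id]
        if consent["status"] != "AwaitingAuthorisation":
            return False
        expected = self._credentials.get(customer)
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), credential.encode())
        consent["status"] = "Authorised" if ok else "Rejected"
        return ok

    def execute(self, consent_id: str, details: PaymentDetails) -> str:
        consent = self._consents.get(consent_id)
        if consent is None or consent["status"] != "Authorised":
            return "Rejected"            # not approved, or already used
        if details != consent["details"]:
            consent["status"] = "Rejected"
            return "Rejected"            # differs from what the payer approved
        consent["status"] = "Consumed"   # one approval pays exactly once
        return "Completed"


class Pisp:
    """Hypothetical payment initiation provider; it holds no payer credentials."""

    def __init__(self):
        self._links: Dict[str, PaymentDetails] = {}
        self._pending: Dict[str, PaymentDetails] = {}

    def create_request(self, details: PaymentDetails) -> str:
        token = secrets.token_urlsafe(16)
        self._links[token] = details
        return token

    def open_link(self, token: str, bank: PayerBank) -> str:
        """Payer follows the link and picks a bank; details go straight to it."""
        details = self._links.pop(token, None)      # single-use link
        if details is None:
            raise KeyError("link unknown or already used")
        consent_id = bank.set_up_payment(details)
        self._pending[consent_id] = details
        return consent_id

    def complete(self, consent_id: str, bank: PayerBank) -> str:
        """Ask the bank to pay; the result is what payer and payee are told."""
        return bank.execute(consent_id, self._pending.pop(consent_id))
```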

As a regulated entity, using open banking payments initiation, Ordo delivers secure by design and easy to use by design payments services to its business customers, and their end customers.

Open banking payments – Finally, a real alternative to cards for e-commerce and contact centre payments

As businesses have digitised, going from predominantly face to face to online and contact centre interactions, payments have had to follow suit. Realistically, the only option for taking these remote payments has been with credit and debit cards. But cards are expensive and increasingly complex to support operationally. New open banking payments regulation and technology have allowed innovative regulated payments institutions like Ordo to deliver attractive new alternatives. These services allow businesses to collect payments for only a small, fixed fee, and without the customer experience difficulties of cards.

  • When taking payments online or over the phone, the only practical option to date has been debit or credit card. But card payments are costly (businesses pay a percentage of value and have the growing overhead of card data security protections), not guaranteed (fraudulent card use means businesses don’t always get paid), take time to arrive in a business’s bank account, and are getting harder for end customers to use with the roll out of Strong Customer Authentication.

  • New open banking regulations and technology are changing this, allowing a new generation of regulated payments providers like Ordo to let businesses collect these types of payments cost effectively, securely and easily directly from their customers without the use of cards.

  • Services like Ordo’s e-commerce and request for payment solutions charge a small flat fee per payment, allow money to flow irrevocably, in real time, directly from the customer’s bank account into the business’s account with no exchange of bank or card details and the customer authorising their payment directly with their own bank. All the customer needs is access to their mobile or internet banking channel. There’s no registration or app download needed. There is no information for the customer to enter, either about who they need to pay, or how they need to pay them, just a simple authorisation with their bank using their fingerprint, face-id or password.

For e-commerce and contact centre payments, cards have been the only payment option but are costly to businesses and increasingly difficult to use for consumers.

Over the last twenty years businesses have digitised and moved many of their customer interactions from face to face to contact centre and online. In parallel with this move, their payments have gone from predominantly ‘card holder present’, where the customer can simply pass over their payment details securely embedded in their payment card and authenticate their payment via chip & pin to ‘cardholder not present’ where the customer has to type in or read out their card details, name, expiry date etc., and then authenticate the transaction as best they can with their CVV2 number from the back of their card.

With limited other viable digital payment options available to businesses, these ‘cardholder not present’ transactions have been the only game in town. Given this limited choice, it’s unsurprising that using card payment in these circumstances feels like a poor solution:

  • Taking any card payments is expensive, costing anywhere between 0.5 and 2.5 percent of the transaction value as a direct fee, and given the security risks of taking these payments remotely, the card fees can be even higher.

  • The indirect costs to businesses of taking and securing these card payments have continued to grow. The costs to businesses of complying with the Payment Card Industry Data Security Standard (PCI DSS) continue to grow as fraudsters have developed and enhanced their ability to harvest stored card details via business data breaches and security infrastructure or process weaknesses. The costs of failure, in the form of fines imposed by data protection and privacy watchdogs, have also become eye-watering for large companies that have failed to properly secure their systems.

  • Day to day operational costs have also increased, particularly in the contact centre environment where, to preserve internal staff security, customer’s card details can no longer be handled by agents and need to be captured via Interactive Voice Response (IVR)/DTMF systems that require a customer to enter card details over the phone without the agent hearing them. Most recently, with the mass migration to home working from Covid lockdowns, the technicalities of this requirement have acted as significant barriers to effective contact centre working from home.

  • Because of the inherent security weakness of these remote transactions, the risk of fraudulent card transactions remains. This is a cost that is ultimately borne by the business concerned through chargebacks and potentially higher card fees. Often linked to this problem is the delay in receipt of cash, as card companies normally settle payments to their merchants a number of days after the card transaction has been authorised, or charge a premium fee for quicker settlement.

  • Remote card transactions, whether on-line or via a contact centre DTMF solution, are also harder for the end customer. There are significant barriers to transaction completion for end customers, who have to enter all their card details and more for every transaction. With the final implementation of Strong Customer Authentication (SCA) regulations in 2021 these hurdles will grow even higher, causing increased purchase abandonment and customer dissatisfaction. Even when card details have been held on file by a merchant from a previous transaction, each subsequent payment transaction triggered by a customer action (for example an insurance mid-contract amendment or ad hoc purchase, rather than a regular subscription) will still need to be authenticated by the customer using SCA (see box: Strong Customer Authentication).

Given this combination of direct and indirect costs, poor customer experience and purchase abandonment, there has to be a better solution for businesses to collect remote payments. While there is a substantially more cost-effective way of collecting payments, the Faster Payments Service, its limited feature set and growing security concerns make its use on a standalone basis a non-starter for e-commerce and contact centre payments (see boxes: Faster Payments & Push Payments Fraud).

Open banking regulation and technologies have created new options for businesses

New open banking FCA regulated payment institutions, like Ordo, are using open banking and the Faster Payments Service to finally deliver an alternative to card payments for e-commerce and contact centres that massively reduces direct and indirect costs and risks to businesses, as well as providing an easy to use and safer experience for their customers than current card-based solutions (see box: Open Banking Payments).

Ordo’s innovative e-commerce and real time request for payment (contact centre) solutions have been built to exploit the following key features of open banking enabled Faster Payments:

  • The underlying low cost base of the Faster Payments Service, which, unlike the global card schemes, charges banks only a small fixed fee per transaction irrespective of the value of that transaction.

  • The potentially much reduced flow of account details between parties in the open banking payments journey. Only the paying customer’s bank sees all account details, the receiving account information being provided securely from the open banking payments institution (e.g. Ordo) and the source account being selected directly and securely by the paying customer within their own bank’s mobile or internet banking app.

  • The irrevocability of Faster Payments meaning that once a payer’s bank authorises and makes a payment, there is no mechanism for reversing or clawing back the payment, eliminating the risks of fraudulent payments for the collecting business.

  • The security and privacy led end-to-end designs of the Ordo open banking payments solutions, ensuring that both the business’s and end-customer’s payments information is kept secure, allowing all the benefits of speed, low cost and irrevocability of Faster Payments without any of the fraud risks associated with its normal day to day use.

There are now better payments solutions for businesses and their customers

Exploiting the regulation and technology of open banking, new regulated businesses like Ordo are now delivering businesses e-commerce and request for payment (contact centre) solutions that outperform card payments for them and their customers in every dimension:

  • Rather than a percentage of transaction fee that rises with transaction value, Ordo charges businesses only a simple flat fee per payment (never more than 20p) irrespective of the transaction value. Ordo can do this because as a regulated Payments Initiation Service Provider (PISP) it initiates Faster Payments from the end customer’s bank account directly to the requesting business’s bank account to deliver funds, never handling them itself. All consumers and many businesses also get the underlying Faster Payments at zero cost, or as a maximum, as a small fixed per payment fee from their bank.

  • With Ordo, indirect costs are all but eliminated. As there is no exchange of payment card or account details between the business, their end customers or even Ordo, there is no customer payments data to secure, no requirement for PCI DSS compliance and no risk of fines following a data breach for these transactions. The Ordo solutions also enable the collecting business to provide an indelible transaction or customer reference that passes with the underlying Faster Payment to support automatic payment reconciliation on receipt into their bank account.

  • This open banking enabled payments solution can also reduce business operating costs. For example, in the contact centre environment, an agent can trigger the generation of a request for payment that is sent directly to their customer. The customer simply opens the message, selects their own bank and authorises the real time payment to the business already set up by Ordo from their mobile or internet banking app. As soon as the payment has been made the agent is informed and the customer call can be completed knowing that irrevocable funds have been received.

  • Payments fraud risks to businesses are also eliminated. They know definitively whether payment has been made or not. Ordo informs the business in real time that payment has been made so the business can be absolutely confident that the money is in their bank account and that there are no circumstances under which the money can be clawed-back, or the payment reversed.

  • Finally, and potentially most importantly, the end customer’s payments experience has been radically simplified. With the open banking enabled Ordo solution, the end customer does not enter any card or bank account details. They simply follow a secure and personalised, single use, link from the business’s e-commerce site or from a payment request message sent by the business. The link takes them to the Ordo web environment where they choose their bank from one of the forty plus UK banks supported by Ordo. Ordo then automatically opens the customer’s mobile or internet banking app and passes all the information required to make the payment to the customer’s bank using the open banking security protocols. Provided the customer is happy to proceed they authorise payment directly with their bank using their normal security credentials (like fingerprint or face-id), and the payment is made directly to the requesting business.

About Ordo

Ordo was founded by the former executive management team of the Faster Payments Scheme in 2018 to use open banking payments to create new, more cost-effective and secure payments solutions for businesses small and large and their customers and launched its first payments solutions in 2020.

Ordo is an FCA authorised payments institution (Firm Reference Number 836070 on the Financial Conduct Authority register).

Ordo is backed by Nationwide Building Society Ventures, CGI (The global technology provider) and private investors.

To learn more about Ordo, and what its solutions could do for you and your business, go to www.ordohq.com. For a demonstration email enquiries@ordopay.com or, to see for yourself what we do, sign up as a personal or business user at www.myordo.com or download the Ordo app from the Apple App Store.

Faster Payments

The Faster Payments Service, launched in 2008, provides all UK consumers and businesses with real time, 24×7, irrevocable payments between all UK bank accounts. The service is widely used to pay invoices, settle card bills and make person to person payments. In 2020 Faster Payments processed 2.9 billion payments between bank accounts moving over £2.1 trillion.

To make a Faster Payment the payer (who is sending the payment) needs to provide the Bank Sort Code and Account Number of the account they wish to pay (the payee’s account). Increasingly, payers also need to know the account name of the account they wish to pay, although this is not used by the core Faster Payments Service. The payer, normally at the request of the payee, can also add an optional 18 character payment reference, to help reconciliation of payments that arrive in the payee’s bank account.

When the payer makes the payment, mainly on their mobile banking or internet banking app, their bank will confirm to them in real time that not only has the money been sent, but it has been acknowledged and received by the payee’s bank and normally immediately applied to the payee’s bank account. This process is completed by the Faster Payments System and the two involved banks in a matter of milliseconds.

From the payee’s perspective, as soon as the payer has made the payment, the money is credited to their bank account. Not only does this happen in real time, 24×7, but the payment is irrevocable. This means that unless the payee agrees in a subsequent discussion with their bank that a payment has been made to them in error, the payment cannot be reversed or charged back in any way.

The Faster Payments Service is the underlying payment technology used by open banking payments services like Ordo.

Push Payments Fraud

Push Payments Frauds are frauds against the senders of payments, usually sent through the Faster Payments Service, where a payer has been persuaded, tricked or misled into either sending a payment for a fraudulent service, or a legitimate payment to a fraudster’s account. In the first half of 2020 reported losses associated with these Authorised Push Payments Frauds were £207.8m. Only £73.1m of these losses were returned to customers by their banks, the remaining loss of £134.7m had to be absorbed by the impacted consumers and small businesses themselves.

Many of these frauds involve the interception and changing of the Bank Sort Code and Bank Account Number that has been sent by the payee to the payer. A consumer might have a computer virus on their PC that checks each incoming email for invoices and bank details, replacing them with a fraudster’s account. Many of these receiving accounts are known as ‘mule’ accounts where potentially vulnerable consumers have been persuaded to make their bank account available to the fraudster, typically for a slice of the payment as reward. The ability of the fraudsters to quickly move payments around the UK banking systems from mule account to account makes them hard to catch.

The introduction of Confirmation of Payee services is making this form of fraud harder, as the payer will need to know the name of the receiving account. The payer may be alerted if this is different from the name of the person they thought they were paying, but social engineering, where a fraudster may suggest that the unusual name of the account is actually a security feature, means this is not a perfect protection.

Although the risk of this type of fraud sits legally with the paying customer, when these events hit, the business trying to collect payment is also indirectly impacted by the loss to their customer, which delays the payment they were due to get and negatively impacts customer relationships.

Once hit by such a fraud, this often drives understandable protective behaviour from payers, like calling up a business to validate payment details, or even making a small test payment and then calling up the business, that drives further cost and inefficiency on to the business trying to get paid.

By protecting the payee’s bank details from any interception, open banking payments services like Ordo can prevent many of these types of fraud.

Strong Customer Authentication

Strong Customer Authentication (SCA) is being progressively introduced by banks and other financial institutions to better secure bank and card payments. The requirement was introduced into the EU’s Second Payment Services Directive (PSD2) and has been incorporated into UK law.

SCA is required when most telephone or online bank payments and card transactions are being made by a consumer. SCA is typically implemented by asking a consumer to validate each payment they make through a banking app, or by quoting a one-time code sent to them by SMS or email, whenever they make a payment. While there are some exemptions for very low value payments, and beneficiaries the consumer nominates as ‘trusted’, as SCA is fully implemented in early 2021, more and more e-commerce payments will require more complex additional steps by the customer if they are to go through.

SCA requires the customer to use two factor authentication (2FA) of payments, providing two of something they know (like a password), something they have (like a smartphone or credit card), or something they are (like a fingerprint) for every payment they authorise.

This complexity, while protecting everyone from fraud, will almost certainly increase drop out and abandonment rates for e-commerce transactions.

One area where SCA works quite well however is in payments authorisation for Faster Payments and open banking payments in mobile banking apps. The much more secure operating environment of smart phones and their carefully engineered use of fingerprint and face-id means that full SCA authorisation of a payment can be achieved with minimum impact on the paying customer.

In payments made with open banking payments services like Ordo, SCA is used in the simplest and most secure way for consumers. Consumers only authenticate directly with their bank via mobile banking or internet banking apps, delivering the security of SCA in a simple user experience.

Open Banking Payments

In 2016, following an enquiry into competition in retail banking, the Competition and Markets Authority (CMA) placed a number of regulatory requirements on the UK’s nine largest banks to open up banking to new competitors. One of these requirements was to break down the banks’ monopoly on payments by adopting open banking. Over the same period the EU Second Payment Services Directive (PSD2) was introduced into UK law. PSD2, going beyond the CMA 9 largest banks, requires all UK payment account providing institutions to open up their payments as well.

The CMA established the Open Banking Implementation Entity (OBIE) to build the standards and common technology to enable these payments, and the Financial Conduct Authority (FCA) as the UK’s financial regulator, set up an authorisation process for businesses that wished to become regulated providers of these services (Payment Initiation Service Providers – PISPs).

Appropriately authorised PISPs, like Ordo, are now able to set up payments directly with their customer’s selected banks, where the customer can then authorise the payment to be made in real time, directly from their bank account to another bank account via Faster Payments. In 2020 over 3 million open banking payments were made.

Ordo, as a PISP has direct secure connections to over 40 UK banks where it can set up payments for its customers.

In Ordo, payment initiation works as follows:

  • Ordo presents the payment to be made (as a result of a business’s request for payment, or an e-commerce payment) to the customer.

  • If they are happy to pay, they select the bank they wish to use from Ordo’s list of 40+ consumer and small business banks.

  • Ordo securely communicates all the payment details to the selected bank and opens up the consumer’s mobile banking app or internet banking service on their phone or PC.

  • The consumer’s bank validates the identity of the consumer in the normal way (e.g., fingerprint, face-id or password) and asks their approval to make the payment.

  • Provided approval is given, the bank then executes the payment from the consumer’s selected account to the payee account securely set up by the payee with Ordo.

  • The bank then informs Ordo that the payment has completed successfully, and Ordo informs the paying consumer and the payee business that raised the request that payment has been completed.

As a regulated entity, using open banking payments initiation, Ordo delivers secure by design and easy to use by design payments services to its business customers, and their end customers.

Open banking and QR Codes – 2 + 2 can be a lot more than 4!

Two very different technologies, from very different stables, open banking enabled account to account payments and smartphone read QR codes are coming together to revolutionise the way we pay on-line, in store and face to face. New open banking enabled QR code payment solutions, like Ordo’s, offer low cost, easy to use and secure ways for businesses to collect payment from their customers breaking the long-held monopoly of the global card schemes.

  • New FCA regulated open banking payments initiation businesses like Ordo have created innovative request for payment services that provide businesses with individualised secure digital payments tokens that they can pass to their customers when they need payment. These tokens can sit behind a payment button for e-commerce or be embedded in an email or text message for requests for invoice payment. Just by clicking on the token, their customer is taken to the Ordo platform, which securely sets up the specific payment required to be made with the customer’s own bank. All the customer needs to do is authorise their bank to make the payment using their mobile or internet banking app, and the payment happens in real time.

  • Smartphone readable QR codes now offer a third delivery option for the payment token by embedding it within a QR code. The customer just reads the QR code with their phone, and then simply needs to confirm payment in their mobile or internet banking app, which will have been opened and configured for the payment by Ordo. All friction removed.

  • It’s hard to imagine a simpler or safer use case. All the business has to do is enter the amount to be paid, show the automatically generated QR code to their customer, and in seconds see on their own phone or Point of Sale device that payment has been made and is in their own bank account. For the customer, it also couldn’t be simpler: they just scan the code with their phone camera, select their bank from Ordo’s list of 40 UK banks, and then authorise the payment that has been automatically set up in their banking app in the normal way, e.g. using their fingerprint. That’s it done. There is no entry of amounts, references, card details or receiving account numbers; that’s all done securely between Ordo and their bank. For businesses, open banking QR code payment services like Ordo mean expensive cards are no longer the only option for point of sale and face to face payments.

Open banking has enabled innovative new e-commerce and request for payment services

New FCA authorised open banking payment institutions, like Ordo, are using open banking and the Faster Payments service to deliver an alternative to card payments for e-commerce and request for invoice payment situations that massively reduces direct and indirect costs and risks to businesses, as well as providing an easy to use and safer experience for their customers than current card-based solutions (see boxes: Faster Payments and Open Banking Payments).

Solutions like Ordo’s innovative e-commerce and real time request for invoice payment services exploit key features of open banking enabled Faster Payments:

  • The underlying low cost base of the Faster Payments Service, which, unlike the global card schemes, charges only a small fixed fee per transaction irrespective of the value of that payment.

  • The much reduced flow of account details between parties in the open banking payments journey. Only the paying customer’s bank sees all account details, the receiving account information being provided securely from the open banking payments institution (e.g. Ordo) and the source account being selected directly and securely by the paying customer within their own bank’s mobile or internet banking app.

  • The irrevocability of Faster Payments meaning that once a payer’s bank authorises and makes a payment, there is no mechanism for reversing or clawing back the payment, eliminating the risks of fraudulent claims for the collecting business.

  • The security and privacy led end-to-end designs of the Ordo open banking payments solutions, ensuring that both the business’s and end-customer’s payments information is kept secure and allowing all the benefits of speed, low cost and irrevocability of Faster Payments without any of the fraud risks or friction associated with its normal day to day use.

At its heart, the Ordo service creates secure payment tokens. These are unique, personalised URLs that are passed by the billing business to their end-customer, either via a payment button on their e-commerce site or embedded in a message. Following the link, their end customer is able to make the specific payment required directly from their own bank account using open banking and their mobile or internet banking service. They do all this without the exchange or entry of any of their payments data, it’s all handled securely by Ordo and their bank. Not only is there no data entry by the end-customer, but there is also no need for them to register with Ordo or even download an app to make their payment.

With end-to-end designed solutions like Ordo’s, not only is each secure token locked to a particular business, a particular payment amount and a particular payment reference, but the token knows when it has been paid, meaning end customers can tell if they have paid or not, and there is no risk of them paying twice for the same thing. There is also no way a third party can intercept, unpick or amend a secure token to change its purpose or effect.
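A minimal sketch of a payment-request token with these properties, added here as an illustration and not Ordo’s implementation: the URL carries only a random identifier and an HMAC tag, while the payee, amount, reference and paid state stay on the issuer’s side. The class and field names, the `pay.example` domain and the sample values are assumptions.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

BASE_URL = "https://pay.example/r/"  # placeholder domain (assumption)


@dataclass
class PaymentRequest:
    payee_id: str        # the business the token is locked to
    amount_pence: int    # fixed when the request is raised
    reference: str       # Faster Payments reference, at most 18 characters
    paid: bool = False   # lets the token "know" it has been paid


class TokenService:
    """Hypothetical issuer; all names here are assumptions for the example."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._requests: Dict[str, PaymentRequest] = {}

    def _tag(self, token_id: str, req: PaymentRequest) -> bytes:
        # JSON array encoding keeps the field boundaries unambiguous.
        msg = json.dumps([token_id, req.payee_id, req.amount_pence, req.reference])
        return hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest().encode()

    def issue(self, payee_id: str, amount_pence: int, reference: str) -> str:
        if amount_pence <= 0:
            raise ValueError("amount must be positive")
        if len(reference) > 18:
            raise ValueError("reference exceeds 18 characters")
        token_id = secrets.token_urlsafe(16)  # 128 random bits, unguessable
        req = PaymentRequest(payee_id, amount_pence, reference)
        self._requests[token_id] = req
        # The URL exposes no payee, amount or account details.
        return f"{BASE_URL}{token_id}.{self._tag(token_id, req).decode()}"

    def resolve(self, url: str) -> Optional[PaymentRequest]:
        """Return the bound request, or None for a forged or altered URL."""
        if not url.startswith(BASE_URL):
            return None
        token_id, sep, tag = url[len(BASE_URL):].partition(".")
        req = self._requests.get(token_id)
        if not sep or req is None:
            return None
        # Constant-time comparison of the presented tag with the expected one.
        if not hmac.compare_digest(tag.encode(), self._tag(token_id, req)):
            return None
        return req

    def settle(self, url: str) -> str:
        """Called when the bank confirms payment; a token settles only once."""
        req = self.resolve(url)
        if req is None:
            return "invalid"
        if req.paid:
            return "already-paid"
        req.paid = True
        return "paid"


def demo() -> dict:
    svc = TokenService(secrets.token_bytes(32))
    url_a = svc.issue("merchant-001", 4999, "INV-2024-0042")  # constructed values
    url_b = svc.issue("merchant-001", 150, "INV-2024-0043")
    id_a = url_a[len(BASE_URL):].split(".")[0]
    tag_b = url_b.rsplit(".", 1)[1]
    return {
        "amount": svc.resolve(url_a).amount_pence,
        "spliced": svc.resolve(f"{BASE_URL}{id_a}.{tag_b}"),  # A's id with B's tag
        "first": svc.settle(url_a),
        "second": svc.settle(url_a),  # a repeat attempt on the same token
    }
```

Because the amount and payee never appear in the link, there is nothing for an intermediary to edit; any change to the identifier or tag simply fails to resolve.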

QR Codes and smartphone camera readers have come of age at just the right time

Quick Response Codes (QR Codes) were invented in 1994 as a new type of matrix bar code, one that could contain much larger amounts of information than normal supermarket barcodes, which are limited to a single 10 to 15 digit product number each.

In more recent years a couple of additional developments have started to bring QR codes out of the lab and into our day to day lives. The first was the recognition that a QR Code could be used to encode an internet URL. In its simplest form the QR Code could encode a website address making it easier for a consumer to go to a site with a complex address. In more complex situations the URL could tell you not only where to go to in the internet, but what to do when you got there, for example in ticketing use cases. Until recently it was this latter use that gained most traction, because for a consumer to read a code, they needed to have their own QR Code reader.

While downloadable smartphone QR Code reader apps have been available for many years, the breakthrough in consumer use has only come in the last couple of years as smartphone suppliers have started to build readers as standard in their smartphone cameras. Now, for most modern smartphones, just point your phone camera at a QR Code and your phone will immediately follow the link. Regrettably, in 2020 this has become even more commonplace as we have learned to check into locations with our Covid tracking apps.

So, what if the QR Code, which you can easily read with your smartphone camera, contains not a ticket, but an Ordo secure open banking payment token provided to you by a business you are transacting with?

Taken together, open banking and QR codes are revolutionising the way we take payments

Ordo has done exactly that, embedding its open banking secure payment tokens within QR Codes. How do they work when a business has their customer standing in front of them?

  • In its simplest form, for a business using the Ordo app on a smartphone or web service on a tablet or PC the business enters the amount to be paid and any reference into Ordo. Ordo immediately generates a QR Code on the business’s device that contains the secure open banking payment request. The business shows this code to their customer.

  • The end-customer reads this QR Code with their own smartphone camera and is immediately taken to the Ordo service and shown the amount and reference for the payment. They select the bank they wish to use from Ordo’s list of 40+ UK banks, and Ordo automatically opens their mobile or internet banking app on their phone.

  • In their banking app, Ordo will have securely set up all the information for a payment to be made, including the name of the business they will be paying. The end-customer enters nothing, but simply authorises the payment in the normal way, for example using their fingerprint or face-id. Their bank makes the payment in real time using Faster Payments, and then Ordo tells the customer that payment has been made.

  • Simultaneously, Ordo informs the business that payment has been made and the customer’s payment is already in the business’s own bank account thanks to the speed, 24 x 7 coverage and irrevocability of Faster Payments.

Not only is it simple and safe for both the business and their end-customer to use, but it’s also radically cheaper than using a card, contactless or otherwise. Typical card services charge 20p per payment plus anything from 0.5 to 2.5% of the transaction value in fees, pay several days later, and are also subject to chargebacks and reverses if any fraud has been involved. With Ordo, a single flat fee of not more than 20p is charged, money is received immediately and directly into the business’s bank and it’s received irrevocably. There are no circumstances under which the payment can be reversed, even if the end-customer’s bank has let a fraudster make a payment. The liability stays with the bank, not the merchant.

Although the case above has been written from the perspective of a very small business, the whole process can be equally well applied to a large business where Ordo is integrated into Point of Sale equipment via its APIs and the QR Code is displayed on a till screen. In the future Ordo’s secure payment token could even be embedded into an RFID transmitter making the whole experience akin to a contactless phone payment.

Try for yourself

Just show this QR Code to your smart phone camera and follow the link. Unless you’re the first to try you will find it’s already been paid, but you will get a sense of how easy this is.